
control flow taint propagation #9

Open
helloworldlong opened this issue Feb 26, 2018 · 3 comments

Comments

@helloworldlong

In gentrace.cpp:

```cpp
if (!isBranch)
    tracker->taintPropagation(ti->delta);
```

so bap-pintraces does not log the control flow taint propagation.
Then the code in the strcmp function:

```asm
Dump of assembler code for function strcmp:
   0xb7ff5ea0 <+0>:	mov    ecx,DWORD PTR [esp+0x4]
   0xb7ff5ea4 <+4>:	mov    edx,DWORD PTR [esp+0x8]
   0xb7ff5ea8 <+8>:	mov    al,BYTE PTR [ecx]
   0xb7ff5eaa <+10>:	cmp    al,BYTE PTR [edx]
   0xb7ff5eac <+12>:	jne    0xb7ff5eb7 <strcmp+23>
   0xb7ff5eae <+14>:	inc    ecx
   0xb7ff5eaf <+15>:	inc    edx
   0xb7ff5eb0 <+16>:	test   al,al
   0xb7ff5eb2 <+18>:	jne    0xb7ff5ea8 <strcmp+8>
   0xb7ff5eb4 <+20>:	xor    eax,eax
   0xb7ff5eb6 <+22>:	ret
   0xb7ff5eb7 <+23>:	mov    eax,0x1  //control
   0xb7ff5ebc <+28>:	mov    ecx,0xffffffff
   0xb7ff5ec1 <+33>:	cmovb  eax,ecx //"below" is used for unsigned integers
   0xb7ff5ec4 <+36>:	ret
```

We cannot log the tainted instruction in the trace file, so we cannot get the constraint.

@ivg
Member

ivg commented Feb 26, 2018

Sorry, I can't really understand. What are you asking for?

@helloworldlong
Author

Sorry, my English is poor. I have seen your paper "All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution". There are some sentences about my question in this paper:
1) Informally, a statement s2 is control-dependent on statement s1 if s1 controls whether or not s2 will execute.
2) If you do not compute control dependencies, you cannot determine control-flow based taint, and the overall analysis may undertaint.
3) Unfortunately, pure dynamic taint analysis cannot compute control dependencies, thus cannot accurately determine control-flow-based taint. The reason is simple: reasoning about control dependencies requires reasoning about multiple paths, and dynamic analysis executes on a single path at a time.
So my question is whether bap can handle the control dependencies.

@helloworldlong
Author

helloworldlong commented Feb 28, 2018

There is a control dependency in "0xb7ff5eb7 <+23>: mov eax,0x1 //control" in the strcmp instruction, because it depends on "0xb7ff5eac <+12>: jne 0xb7ff5eb7 <strcmp+23>" instruction. If the ZF flag is tainted in the "0xb7ff5eac <+12>: jne 0xb7ff5eb7 <strcmp+23>" instruction, the eax register should be tainted in "0xb7ff5eb7 <+23>: mov eax,0x1 //control" instruction.
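As an added illustration of the undertainting described in the two comments above (this is example code, not part of bap-pintraces or BAP), the following toy tracker walks the quoted strcmp loop under both policies: explicit data flow only, as in the `if (!isBranch)` path, and explicit flow plus the control-dependence rule from the paper. It assumes a constructed input where s1 is trusted and s2 is the tainted string, and uses a single boolean as the taint label.

```python
# Added example, not code from bap-pintraces or BAP: a toy taint tracker for
# the strcmp loop quoted in this issue. Assumption (constructed): s1 is
# trusted, s2 carries taint, and each taint label is one bool.

def run_strcmp(s1: bytes, s2: bytes, s2_tainted: bool, control_flow: bool):
    """Simulate strcmp(s1, s2) and return (eax, eax_tainted).

    control_flow=False is the explicit-flow-only policy (taint propagation is
    skipped for branches); control_flow=True adds the rule that an assignment
    control-dependent on a branch whose flags are tainted is tainted too.
    """
    s1, s2 = s1 + b"\0", s2 + b"\0"      # NUL-terminate like C strings
    i = 0
    while True:
        al = s1[i]                       # mov al, BYTE PTR [ecx]   (untainted)
        other = s2[i]                    # operand of cmp al, BYTE PTR [edx]
        zf = al == other                 # cmp sets ZF ...
        cf = al < other                  # ... and CF ("below", unsigned)
        flags_tainted = s2_tainted       # explicit flow: flags inherit s2's taint
        if not zf:                       # jne <+23>: branch taken
            # <+23>: mov eax,0x1 ; mov ecx,0xffffffff ; cmovb eax,ecx
            eax = 0xFFFFFFFF if cf else 1
            # Explicit flow only: eax is built from constants, so it is clean.
            # Control flow: the block is control-dependent on a jne whose ZF
            # is tainted, so eax becomes tainted (this toy folds the cmovb
            # flag dependency into the same rule).
            return eax, control_flow and flags_tainted
        i += 1                           # inc ecx ; inc edx
        if al == 0:                      # test al,al ; jne <+8> falls through
            # <+20> xor eax,eax: reached only because every jne <+23> fell
            # through, so the path itself was chosen by tainted ZF values.
            return 0, control_flow and flags_tainted


def compare_policies(s1: bytes, s2: bytes):
    """Result and taint status of eax under both policies for tainted s2."""
    return {
        "explicit_only": run_strcmp(s1, s2, True, control_flow=False),
        "control_flow": run_strcmp(s1, s2, True, control_flow=True),
    }


if __name__ == "__main__":
    for a, b in [(b"abc", b"abd"), (b"abc", b"abc"), (b"b", b"a")]:
        print(a, b, compare_policies(a, b))
```

Under the explicit-only policy the return value is never reported as tainted, even though it is fully determined by the tainted string; the control-flow policy taints it on every path out of the loop.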
