Date: | Thu, 09 Mar 2017 18:53:43 -0500 |
---|---|
From: | Sazzadur Rahaman <sazzad14@xxxxxx> |
Subject: | [DynInst_API:] Static Taint Analysis using Dyninst |
Hi All,

I am trying to implement taint analysis using dyninst's forward slicing mechanism. I was following the DataflowAPI guide, where slicing was illustrated in terms of backward slicing. The code snippet is shown below:

------------

    void taintAnalysis(Function *f, Block *b) {
      // get the fifth instruction of the block
      Instruction::Ptr insn = getInstruction(b, 5);

      // Convert the instruction to assignments
      AssignmentConverter ac(true, true);
      vector<Assignment::Ptr> assignments;
      ac.convert(insn, b->start(), f, b, assignments);
      cout << insn->format() << endl;
      cout << "number of assignments: " << assignments.size() << endl;

      // Assignments can be multiple and we need to run slicer for all of them
      for (auto ait = assignments.begin(); ait != assignments.end(); ++ait) {
        const AbsRegion &out = (*ait)->out();
        Assignment::Ptr assignment = *ait;
        Slicer s(assignment, b, f);
        cout << out.format().c_str() << endl;
        cout << (out.type() == Absloc::Heap) << endl;

        Slicer::Predicates mp;
        GraphPtr slice = s.forwardSlice(mp);
        cout << slice << endl;

        Result_t symRet;
        SymEval::expand(slice, symRet);
        AST::Ptr pcExp = symRet[assignment];
        cout << "number of children of root AST node in sliced graph: " << pcExp->numChildren() << endl;

        // just visits AST nodes and prints the formatted version of a node
        ConstVisitor cv;
        pcExp->accept(&cv);
      }
    }

---------

I used the following code to analyze:

-------

    #include <stdio.h>

    static void B() { printf("b"); }
    static void G() { printf("g"); }

    static void A(int x) {
      if (x > 0) {
        B();
      } else {
        G();
      }
    }

    int main() {
      int x = 10;
      int y = 5;
      int z = x + y;
      if (x > 10) {
        y = y + 20;
      } else {
        y = y - 20;
      }
      A(y);
      return 0;
    }

-----

Here is the first block of the main function:

    [4004e0,400513)
    4004e0 : push RBP, RSP
    4004e1 : mov RBP, RSP
    4004e4 : sub RSP, 10
    4004e8 : mov [RBP + fffffffffffffffc], 0
    4004ef : mov [RBP + fffffffffffffff8], a
    4004f6 : mov [RBP + fffffffffffffff4], 5
    4004fd : mov EAX, [RBP + fffffffffffffff8]
    400500 : add EAX, [RBP + fffffffffffffff4]
    400503 : mov [RBP + fffffffffffffff0], EAX
    400506 : cmp [RBP + fffffffffffffff8], a
    40050d : jle 10 + RIP + 6

Now when I run the program, I see the output for the first block of the main function as below:

    mov [RBP + fffffffffffffff8], a
    number of assignments: 1
    H[]
    1
    0x1bc59f0
    number of children of root AST node in sliced graph: 0

This shows that the forward sliced graph is empty (but it should not be, because the value of z is affected by the assignment to x).

Can anybody tell me what I am doing wrong here? Or are there any helpful links or resources that can help?

Thanks in advance!

Best Regards,
Sazzadur Rahaman
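For reference, the forward slice the post expects from the store at 4004ef can be worked out by hand with a plain def-use walk over the listed block. The sketch below is an added example, not the poster's code and not Dyninst's slicer: the `Insn` struct, `mainEntryBlock` and `forwardSlice` are hypothetical names, the operand sets are a constructed model of the disassembly above, and it covers only straight-line propagation inside one block.

```cpp
#include <cstdint>
#include <cstdio>
#include <set>
#include <string>
#include <vector>

// One instruction reduced to the locations whose values it reads and writes.
// Registers used only to form an address (RBP here) are not counted as data uses.
struct Insn {
    uint64_t addr;
    std::set<std::string> uses, defs;
};

// Constructed model of block [4004e0,400513) from the post (not Dyninst output).
// Stack slots are named by RBP offset: rbp-0x8 is x, rbp-0xc is y, rbp-0x10 is z.
std::vector<Insn> mainEntryBlock() {
    return {
        {0x4004e0, {"rbp", "rsp"}, {"rsp"}},            // push rbp
        {0x4004e1, {"rsp"}, {"rbp"}},                   // mov rbp, rsp
        {0x4004e4, {"rsp"}, {"rsp", "flags"}},          // sub rsp, 0x10
        {0x4004e8, {}, {"rbp-0x4"}},                    // mov [rbp-0x4], 0
        {0x4004ef, {}, {"rbp-0x8"}},                    // mov [rbp-0x8], 0xa   (x)
        {0x4004f6, {}, {"rbp-0xc"}},                    // mov [rbp-0xc], 5     (y)
        {0x4004fd, {"rbp-0x8"}, {"eax"}},               // mov eax, [rbp-0x8]
        {0x400500, {"eax", "rbp-0xc"}, {"eax", "flags"}}, // add eax, [rbp-0xc]
        {0x400503, {"eax"}, {"rbp-0x10"}},              // mov [rbp-0x10], eax  (z)
        {0x400506, {"rbp-0x8"}, {"flags"}},             // cmp [rbp-0x8], 0xa
        {0x40050d, {"flags"}, {"pc"}},                  // jle
    };
}

// Forward slice inside one block: every later instruction that reads a location
// still holding a value derived from what the seed instruction wrote.
std::set<uint64_t> forwardSlice(const std::vector<Insn>& block, uint64_t seed) {
    std::set<std::string> tainted;
    std::set<uint64_t> slice;
    bool started = false;
    for (const Insn& i : block) {
        if (!started) { started = (i.addr == seed); if (started) tainted = i.defs; continue; }
        bool reads = false;
        for (const auto& u : i.uses) reads = reads || tainted.count(u) > 0;
        // A tainted read propagates to every output; a clean write kills old taint.
        for (const auto& d : i.defs) { if (reads) tainted.insert(d); else tainted.erase(d); }
        if (reads) slice.insert(i.addr);
    }
    return slice;
}

int main() {
    for (uint64_t a : forwardSlice(mainEntryBlock(), 0x4004ef)) std::printf("%llx\n", (unsigned long long)a);
}
```

Seeding at 4004ef reaches the load, the add, the store to z, the compare and the branch; seeding at 4004f6 (y) reaches only the add and the store to z, because the later `cmp` overwrites the flags with a value that does not depend on y.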