Re: [DynInst_API:] Static Taint Analysis using Dyninst


Date: Fri, 10 Mar 2017 09:24:39 -0600
From: Xiaozhu Meng <xmeng@xxxxxxxxxxx>
Subject: Re: [DynInst_API:] Static Taint Analysis using Dyninst
Hi Sazzadur,

It is suspicious that the absloc in your case was reported as a heap variable. It is clearly a stack variable. When the absloc is classified as a heap variable, slicing will have a difficult time matching it with other heap variables statically because we do not necessarily know the exact address.

I currently do not know why this simple stack access is reported as a heap access. I believe once we figure this issue out, the forward slicing issue should be resolved. I will get back to you later when I have some more information.

Thanks,

--Xiaozhu

On Thu, Mar 9, 2017 at 5:53 PM, Sazzadur Rahaman <sazzad14@xxxxxx> wrote:
Hi All,

I am trying to implement taint analysis using Dyninst's forward slicing mechanism. I was following the DataflowAPI guide, where slicing was illustrated in terms of backward slicing. The code snippet is shown below:

------------

// Dyninst headers for the types used below (ParseAPI, InstructionAPI, DataflowAPI)
#include "CFG.h"
#include "Instruction.h"
#include "Absloc.h"
#include "AbslocInterface.h"
#include "slicing.h"
#include "SymEval.h"
#include <iostream>
#include <vector>

using namespace std;
using namespace Dyninst;
using namespace Dyninst::ParseAPI;
using namespace Dyninst::InstructionAPI;
using namespace Dyninst::DataflowAPI;

// getInstruction() and ConstVisitor are the poster's own helpers (not shown in the mail):
// the first returns the n-th instruction of a block, the second is an AST visitor that
// prints the formatted version of each node it visits.

void taintAnalysis(Function *f, Block *b) {

    // get the fifth instruction of the block
    Instruction::Ptr insn = getInstruction(b, 5);

    // Convert the instruction to assignments. Note: convert() expects the address of
    // the instruction itself; b->start() is only correct for the first instruction
    // of the block.
    AssignmentConverter ac(true, true);
    vector<Assignment::Ptr> assignments;
    ac.convert(insn, b->start(), f, b, assignments);

    cout << insn->format() << endl;

    cout << "number of assignments: " << assignments.size() << endl;

    // Assignments can be multiple and we need to run the slicer for all of them
    for (auto ait = assignments.begin(); ait != assignments.end(); ++ait) {

        const AbsRegion &out = (*ait)->out();
        Assignment::Ptr assignment = *ait;

        Slicer s(assignment, b, f);
        cout << out.format().c_str() << endl;
        cout << (out.type() == Absloc::Heap) << endl;

        Slicer::Predicates mp;
        GraphPtr slice = s.forwardSlice(mp);

        // Prints the address held by the GraphPtr (a shared pointer), not the graph's contents
        cout << slice << endl;

        Result_t symRet;
        SymEval::expand(slice, symRet);

        AST::Ptr pcExp = symRet[assignment];
        if (!pcExp) {
            cout << "no symbolic expansion for this assignment" << endl;
            continue;
        }

        cout << "number of children of root AST node in sliced graph: " << pcExp->numChildren() << endl;

        // just visits AST nodes and prints the formatted version of a node
        ConstVisitor cv;
        pcExp->accept(&cv);
    }
}


---------

I used the following code to analyze:

-------
#include <stdio.h>

static void B() { printf("b"); }
static void G() { printf("g"); }
static void A(int x) {
    if (x > 0) {
        B();
    } else {
        G();
    }
}

int main() {
    int x = 10;
    int y = 5;
    int z = x + y;
    if (x > 10) {
        y = y + 20;
    } else {
        y = y - 20;
    }

    A(y);

    return 0;
}


-----

Here is the first block of the main function:

[4004e0,400513)
4004e0 : push RBP, RSP
4004e1 : mov RBP, RSP
4004e4 : sub RSP, 10
4004e8 : mov [RBP + fffffffffffffffc], 0
4004ef : mov [RBP + fffffffffffffff8], a
4004f6 : mov [RBP + fffffffffffffff4], 5
4004fd : mov EAX, [RBP + fffffffffffffff8]
400500 : add EAX, [RBP + fffffffffffffff4]
400503 : mov [RBP + fffffffffffffff0], EAX
400506 : cmp [RBP + fffffffffffffff8], a
40050d : jle 10 + RIP + 6


Now when I run the program I see the output for the first block of the main function as below:

mov [RBP + fffffffffffffff8], a
number of assignments: 1
H[]
1
0x1bc59f0
number of children of root AST node in sliced graph: 0


This shows that the forward sliced graph is empty (but it should not be, because the value of z is affected by the assignment to x).

Can anybody tell me what I am doing wrong here? Or point me to any helpful links or resources?

Thanks in advance!

Best Regards,
Sazzadur Rahaman
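As an added illustration (not code from the thread or from Dyninst), here is a toy forward slicer run over the exact block quoted above: each operand is mapped to an abstract location the way Xiaozhu describes, and the slice from `mov [RBP + fffffffffffffff8], a` is computed twice, once with the slot classified as the stack variable it is and once reported as a heap location of unknown address, which reproduces the empty slice Sazzadur saw. The register and FLAGS naming, the two's-complement offset decoding and the rule that an unknown address never matches a later read are this model's assumptions, not Dyninst's implementation.

```python
# Constructed copy of the first basic block of main() exactly as the thread quotes it.
BLOCK = """\
4004e0 : push RBP, RSP
4004e1 : mov RBP, RSP
4004e4 : sub RSP, 10
4004e8 : mov [RBP + fffffffffffffffc], 0
4004ef : mov [RBP + fffffffffffffff8], a
4004f6 : mov [RBP + fffffffffffffff4], 5
4004fd : mov EAX, [RBP + fffffffffffffff8]
400500 : add EAX, [RBP + fffffffffffffff4]
400503 : mov [RBP + fffffffffffffff0], EAX
400506 : cmp [RBP + fffffffffffffff8], a
40050d : jle 10 + RIP + 6"""

def absloc(operand, frame_is_heap=False):
    """Operand -> ('reg', name) | ('stack', off) | ('heap', None); immediates -> None."""
    if operand.startswith("["):                          # e.g. [RBP + fffffffffffffff8]
        base, off = operand[1:-1].split(" + ")
        off = int.from_bytes(bytes.fromhex(off.zfill(16)), "big", signed=True)
        if base == "RBP" and not frame_is_heap:          # frame_is_heap: the thread's H[] case
            return ("stack", off)
        return ("heap", None)                            # address not known statically
    return None if set(operand) <= set("0123456789abcdef") else ("reg", operand)

def defs_uses(line, frame_is_heap):
    """(defs, uses) of one formatted instruction; a memory operand also reads its base reg."""
    mnem, rest = line.split(" : ")[1].split(" ", 1)
    ops = [absloc(o.strip(), frame_is_heap) for o in rest.split(",")]
    bases = {("reg", o.split(" + ")[0].strip(" [")) for o in rest.split(",") if "[" in o}
    if mnem == "mov": return {ops[0]}, {ops[1]} | bases
    if mnem in ("add", "sub"): return {ops[0]}, {ops[0], ops[1]} | bases
    if mnem == "cmp": return {("reg", "FLAGS")}, {ops[0], ops[1]} | bases
    if mnem == "push": return {("reg", "RSP")}, {("reg", "RBP"), ("reg", "RSP")}
    return set(), {("reg", "FLAGS")}                     # jle: reads FLAGS only

def forward_slice(block, start_addr, frame_is_heap=False):
    """Addresses of later instructions that read what start_addr writes (straight-line)."""
    lines = block.splitlines()
    idx = [int(l.split(" : ")[0], 16) for l in lines].index(start_addr)
    # ('heap', None) has no known address, so no later read can be matched to it: it propagates nothing.
    known = lambda locs: {x for x in locs if x is not None and x[1] is not None}
    tainted, sliced = known(defs_uses(lines[idx], frame_is_heap)[0]), []
    for line in lines[idx + 1:]:
        d, u = defs_uses(line, frame_is_heap)
        if u & tainted:
            sliced.append(int(line.split(" : ")[0], 16))
            tainted |= known(d)
        else:
            tainted -= d                                 # overwritten without being read: kill
    return sliced
```

With the slot treated as a stack variable, the slice from 0x4004ef contains the load into EAX, the add, the store to z, the cmp and the jle; with it treated as H[], the slice is empty, matching the zero-child AST in the thread.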



_______________________________________________
Dyninst-api mailing list
Dyninst-api@xxxxxxxxxxx
https://lists.cs.wisc.edu/mailman/listinfo/dyninst-api

