Re: [DynInst_API:] Static Taint Analysis using Dyninst


Date: Fri, 10 Mar 2017 18:00:31 -0500
From: Sazzadur Rahaman <sazzad14@xxxxxx>
Subject: Re: [DynInst_API:] Static Taint Analysis using Dyninst
Hi Xiaozhu,

Thank you very much for your prompt reply! I fixed the problem you pointed out (sorry for the silly mistake). But now it shows that the type is unknown. Here is the code snippet.
--------------
// Headers and namespaces the snippet relies on (Dyninst ParseAPI,
// InstructionAPI and DataflowAPI); these were not part of the posted
// fragment and are added so it reads as a complete unit.
#include <iostream>
#include <vector>
#include "CodeObject.h"
#include "CFG.h"
#include "Instruction.h"
#include "InstructionDecoder.h"
#include "Absloc.h"
#include "AbslocInterface.h"
#include "Graph.h"
#include "slicing.h"
#include "SymEval.h"
#include "Visitor.h"

using namespace std;
using namespace Dyninst;
using namespace Dyninst::ParseAPI;
using namespace Dyninst::InstructionAPI;
using namespace Dyninst::DataflowAPI;

// Prints every AST node it is dispatched to. Only the generic, VariableAST
// and RoseAST overloads are overridden here; ASTVisitor also declares
// overloads for ConstantAST, StackAST and BottomAST, which keep the
// base-class default unless a subclass overrides them.
class ConstVisitor : public ASTVisitor {

public:

    virtual AST::Ptr visit(AST *ast) {
        cout << "ast.." << (*ast).format() << endl;
        return AST::Ptr();
    }

    virtual AST::Ptr visit(DataflowAPI::VariableAST *ast) {
        cout << "yes.." << (*ast).format() << endl;
        return AST::Ptr();
    }

    virtual AST::Ptr visit(DataflowAPI::RoseAST *ast) {
        // Visit the operands first, then report the operator node itself.
        unsigned totalChildren = ast->numChildren();
        for (unsigned i = 0; i < totalChildren; ++i) {
            ast->child(i)->accept(this);
        }

        cout << "yes.rose." << (*ast).format() << endl;
        return AST::Ptr();
    }
};

// Decodes the first `index` instructions of block b (index is 1-based and
// must be >= 1), stores the last one decoded in *insn and returns the
// address at which that instruction starts. Returns an Address rather
// than an int so the value can be passed straight to convert().
Address getInstruction(Block *b, int index, Instruction::Ptr *insn) {

    Address iit = b->start();
    while (index > 0) {

        const unsigned char *buf =
            (const unsigned char *) b->obj()->cs()->getPtrToInstruction(iit);
        InstructionDecoder dec(buf,
                               InstructionDecoder::maxInstructionLength,
                               b->obj()->cs()->getArch());
        *insn = dec.decode();
        iit += (*insn)->size();
        index--;
    }

    // iit now points past the last decoded instruction; step back to its start.
    Address toreturn = iit - (*insn)->size();
    return toreturn;
}

// Assume that block b in function f ends with an indirect jump.
void taintAnalysis(Function *f, Block *b) {

    // get the fifth instruction of the block
    Instruction::Ptr insn;
    Address insnPointer = getInstruction(b, 5, &insn);

    // Convert the instruction to assignments, passing the instruction's own
    // address (not the block start) as the second argument
    AssignmentConverter ac(true, true);
    vector<Assignment::Ptr> assignments;

    ac.convert(insn, insnPointer, f, b, assignments);

    cout << insn->format() << endl;

    cout << "number of assignments: " << assignments.size() << endl;

    // Assignments can be multiple and we need to run slicer for all of them
    for (auto ait = assignments.begin(); ait != assignments.end(); ++ait) {

        const AbsRegion &out = (*ait)->out();
        Assignment::Ptr assignment = *ait;

        Slicer s(assignment, b, f);
        cout << out.format().c_str() << endl;
        cout << (out.type() == Absloc::Unknown) << endl;

        Slicer::Predicates mp;
        GraphPtr slice = s.forwardSlice(mp);

        // Streams the shared_ptr itself, so this prints the graph's address
        cout << slice << endl;

        Result_t symRet;
        SymEval::expand(slice, symRet);

        AST::Ptr pcExp = symRet[assignment];

        cout << "number of children of root AST node in sliced graph: " << pcExp->numChildren() << endl;

        // just visits AST nodes and prints the formatted version of a node
        ConstVisitor cv;
        pcExp->accept(&cv);
    }
}

--------------
Here is the output:

------
main
    Block size:51
mov [RBP + fffffffffffffff8], a
number of assignments: 1
[S[main,-24,0]]
1
0x203f7a0
number of children of root AST node in sliced graph: 0

-------------------

I am planning to traverse the graph as suggested in the documentation. You can see that I am providing a custom implementation of a visitor to print the AST nodes, but it's not working as expected. Any suggestion on this will be greatly appreciated. Thank you very much!

Thank you very much for your time!

Best Regards,
Sazzadur Rahaman



On Fri, Mar 10, 2017 at 5:17 PM, Xiaozhu Meng <xmeng@xxxxxxxxxxx> wrote:
Hi Sazzadur,

Let me explain what's happening.


    ac.convert(insn, b->start(), f, b, assignments);

The above line of code is causing us the problem. The second parameter of convert should be the address of the instruction you want to convert. In your code, you always provide the starting address of the basic block, not the address of the instruction.

If you change it to the corresponding address of the instruction, you should see that Dyninst correctly reports it as a stack variable.


    cout << "number of children of root AST node in sliced graph: " << pcExp->numChildren() << endl;

Here you try to print out the number of children in the AST of the given assignment. This is not equal to the number of nodes the given assignment points to in the slice graph. In your case, the instruction moves a constant value to a stack variable. The symbolic expression will only have a single node representing the constant value. So, the number of children of root AST node is always zero.

What you want to do is to use the graph interface to traverse the slice graph. It is quite simple to do and please refer to the graph section of the dataflowAPI manual.

Please let me know if you have further questions!

Thanks,

--Xiaozhu


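The overload dispatch that the visitor in the message depends on, as an added stand-alone model written for this page (not Dyninst's code and not from either message): a cut-down AST/visitor hierarchy with the same per-type overloads, showing that a root node whose overload is not overridden is handled by the base-class default, so a visitor that only overrides the generic, VariableAST and RoseAST overloads reports nothing when the expression is a lone constant. Node and visitor names mirror Dyninst's but the classes are constructed here.

```cpp
#include <iostream>
#include <memory>
#include <vector>

struct Visitor;

// Stand-in for Dyninst's AST hierarchy: accept() calls the visit() overload
// matching the node's own static type, never the generic visit(AST*).
struct AST {
    std::vector<std::shared_ptr<AST>> kids;
    virtual ~AST() {}
    virtual void accept(Visitor *v) = 0;
};
struct ConstantAST; struct VariableAST; struct RoseAST;

struct Visitor {
    virtual ~Visitor() {}
    virtual void visit(AST *) {}
    virtual void visit(ConstantAST *) {}   // base-class default: silent no-op
    virtual void visit(VariableAST *) {}
    virtual void visit(RoseAST *) {}
};
struct ConstantAST : AST { void accept(Visitor *v) override { v->visit(this); } };
struct VariableAST : AST { void accept(Visitor *v) override { v->visit(this); } };
struct RoseAST     : AST { void accept(Visitor *v) override { v->visit(this); } };

// Same overload set as the ConstVisitor in the message: generic, Variable, Rose.
struct PartialVisitor : Visitor {
    int seen = 0;
    void visit(AST *) override { ++seen; }
    void visit(VariableAST *) override { ++seen; }
    void visit(RoseAST *r) override { for (auto &k : r->kids) k->accept(this); ++seen; }
};

// The missing overload added: constants are now counted too.
struct FullVisitor : PartialVisitor {
    using PartialVisitor::visit;
    void visit(ConstantAST *) override { ++seen; }
};

template <class V> int countVisited(std::shared_ptr<AST> root) { V v; root->accept(&v); return v.seen; }

// Constructed inputs: the lone constant from the mov in the message, and a
// small tree (operator over a variable and a constant) for comparison.
std::shared_ptr<AST> constantRoot() { return std::make_shared<ConstantAST>(); }
std::shared_ptr<AST> roseTree() {
    auto r = std::make_shared<RoseAST>();
    r->kids.push_back(std::make_shared<VariableAST>());
    r->kids.push_back(std::make_shared<ConstantAST>());
    return r;
}
```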