infer_clone/infer/src/quandary/ClangTaintAnalysis.ml

(*
 * Copyright (c) 2016 - present Facebook, Inc.
 * All rights reserved.
 *
 * This source code is licensed under the BSD style license found in the
 * LICENSE file in the root directory of this source tree. An additional grant
 * of patent rights can be found in the PATENTS file in the same directory.
 *)

open! IStd

module F = Format
module L = Logging

include
  TaintAnalysis.Make(struct
    module Trace = ClangTrace
    module AccessTree = AccessTree.Make(Trace)

    let to_summary_access_tree tree = QuandarySummary.AccessTree.Clang tree

    let of_summary_access_tree = function
      | QuandarySummary.AccessTree.Clang tree -> tree
      | _ -> assert false

    let handle_unknown_call pname ret_typ_opt actuals _ =
      let handle_generic_unknown ret_typ_opt actuals =
        match ret_typ_opt, List.rev actuals with
        | Some _, _ ->
            (* propagate taint from actuals to return value *)
            [TaintSpec.Propagate_to_return]
        | None, [] ->
            []
        | None, _ when Typ.Procname.is_constructor pname ->
            (* "this" is always the first arg of a constructor; propagate taint there *)
            [TaintSpec.Propagate_to_receiver]
        | None,
          HilExp.AccessPath ((Var.ProgramVar pvar, { desc=Typ.Tptr (_, Typ.Pk_pointer) }), []) :: _
          when Pvar.is_frontend_tmp pvar ->
            (* no return value, but the frontend has introduced a dummy return variable and will
               assign the return value to this variable. So propagate taint to the dummy return
               variable *)
            let actual_index = List.length actuals - 1 in
            [TaintSpec.Propagate_to_actual actual_index]
        | None, _ ->
            (* no return value; propagate taint from actuals to receiver *)
            [TaintSpec.Propagate_to_receiver] in

      (* if we have a specific model for a procedure, use that. otherwise, use the generic
         heuristics for dealing with unknown code *)
      match Typ.Procname.get_method pname with
      | "operator+="
      | "operator-="
      | "operator*="
      | "operator/="
      | "operator%="
      | "operator<<="
      | "operator>>="
      | "operator&="
      | "operator^="
      | "operator|=" ->
          [TaintSpec.Propagate_to_receiver; TaintSpec.Propagate_to_return]
      | "memcpy" | "memmove" | "strcpy" | "strncpy" ->
          [TaintSpec.Propagate_to_receiver; TaintSpec.Propagate_to_return]
      | "sprintf" ->
          [TaintSpec.Propagate_to_receiver]
      | other ->
          L.d_strln ("generic unknown " ^ other);
          handle_generic_unknown ret_typ_opt actuals

    let is_taintable_type _ = true
  end)
[quandary] skeleton for C++ analysis Differential Revision: D3998518 fbshipit-source-id: e90c46d 9 years ago			`(*`
			`* Copyright (c) 2016 - present Facebook, Inc.`
			`* All rights reserved.`
			`*`
			`* This source code is licensed under the BSD style license found in the`
			`* LICENSE file in the root directory of this source tree. An additional grant`
			`* of patent rights can be found in the PATENTS file in the same directory.`
			`*)`

Divide Utils into Utils, Pp, and IStd Summary: Utils contains definitions intended to be in the global namespace for all of the infer code-base, as well as pretty-printing functions, and assorted utility functions mostly for dealing with files and processes. This diff changes the module opened into the global namespace to IStd (Std conflict with extlib), and moves the pretty-printing definitions from Utils to Pp. Reviewed By: jvillard Differential Revision: D4232457 fbshipit-source-id: 1e070e0 8 years ago			`open! IStd`
[quandary] skeleton for C++ analysis Differential Revision: D3998518 fbshipit-source-id: e90c46d 9 years ago
			`module F = Format`
			`module L = Logging`

			`include`
			`TaintAnalysis.Make(struct`
[quandary] skeleton for ObjC traces Summary: Generalized the CppTrace into a Clang trace because we don't currently have separate checkers for Obj-C and Cpp. Happy to separate them later if there is a good reason Reviewed By: akotulski Differential Revision: D4394952 fbshipit-source-id: e288761 8 years ago			`module Trace = ClangTrace`
[quandary] summaries are access trees too Summary: Previously, summaries worked by flattening the access tree representing the post of the procedure into (in essence) a list of functions from caller input traces to callee output traces. This is inefficient in many ways, and is also much more complex than just using the original access tree as the summary. One big inefficiency of the old way is this: calling `Trace.append` is slow, and we want to do it as few times as possible. Under the old summary system, we would do it at most once for each "function" in the summary list. Now, we'll do it at most once for each node in the access tree summary. This will be a smaller number of calls, since each node can summarize many input/output relationships. Reviewed By: jeremydubreil Differential Revision: D4271579 fbshipit-source-id: 34e407a 8 years ago			`module AccessTree = AccessTree.Make(Trace)`
[quandary] skeleton for C++ analysis Differential Revision: D3998518 fbshipit-source-id: e90c46d 9 years ago
[quandary] skeleton for ObjC traces Summary: Generalized the CppTrace into a Clang trace because we don't currently have separate checkers for Obj-C and Cpp. Happy to separate them later if there is a good reason Reviewed By: akotulski Differential Revision: D4394952 fbshipit-source-id: e288761 8 years ago			`let to_summary_access_tree tree = QuandarySummary.AccessTree.Clang tree`
[quandary] skeleton for C++ analysis Differential Revision: D3998518 fbshipit-source-id: e90c46d 9 years ago
[quandary] summaries are access trees too Summary: Previously, summaries worked by flattening the access tree representing the post of the procedure into (in essence) a list of functions from caller input traces to callee output traces. This is inefficient in many ways, and is also much more complex than just using the original access tree as the summary. One big inefficiency of the old way is this: calling `Trace.append` is slow, and we want to do it as few times as possible. Under the old summary system, we would do it at most once for each "function" in the summary list. Now, we'll do it at most once for each node in the access tree summary. This will be a smaller number of calls, since each node can summarize many input/output relationships. Reviewed By: jeremydubreil Differential Revision: D4271579 fbshipit-source-id: 34e407a 8 years ago			`let of_summary_access_tree = function`
[quandary] skeleton for ObjC traces Summary: Generalized the CppTrace into a Clang trace because we don't currently have separate checkers for Obj-C and Cpp. Happy to separate them later if there is a good reason Reviewed By: akotulski Differential Revision: D4394952 fbshipit-source-id: e288761 8 years ago			`\| QuandarySummary.AccessTree.Clang tree -> tree`
[quandary] skeleton for C++ analysis Differential Revision: D3998518 fbshipit-source-id: e90c46d 9 years ago			`\| _ -> assert false`

[quandary] tests for string functionality Summary: String are very important for taint analysis, have to make sure that we have the right models/the right behaviors for unknown code. Reviewed By: jvillard Differential Revision: D5054832 fbshipit-source-id: 7e7ee07 8 years ago			`let handle_unknown_call pname ret_typ_opt actuals _ =`
			`let handle_generic_unknown ret_typ_opt actuals =`
			`match ret_typ_opt, List.rev actuals with`
			`\| Some _, _ ->`
			`(* propagate taint from actuals to return value *)`
			`[TaintSpec.Propagate_to_return]`
			`\| None, [] ->`
			`[]`
			`\| None, _ when Typ.Procname.is_constructor pname ->`
			`(* "this" is always the first arg of a constructor; propagate taint there *)`
			`[TaintSpec.Propagate_to_receiver]`
			`\| None,`
			`HilExp.AccessPath ((Var.ProgramVar pvar, { desc=Typ.Tptr (_, Typ.Pk_pointer) }), []) :: _`
			`when Pvar.is_frontend_tmp pvar ->`
			`(* no return value, but the frontend has introduced a dummy return variable and will`
			`assign the return value to this variable. So propagate taint to the dummy return`
			`variable *)`
			`let actual_index = List.length actuals - 1 in`
			`[TaintSpec.Propagate_to_actual actual_index]`
			`\| None, _ ->`
			`(* no return value; propagate taint from actuals to receiver *)`
			`[TaintSpec.Propagate_to_receiver] in`

			`(* if we have a specific model for a procedure, use that. otherwise, use the generic`
			`heuristics for dealing with unknown code *)`
			`match Typ.Procname.get_method pname with`
			`\| "operator+="`
			`\| "operator-="`
			`\| "operator*="`
			`\| "operator/="`
			`\| "operator%="`
			`\| "operator<<="`
			`\| "operator>>="`
			`\| "operator&="`
			`\| "operator^="`
			`\| "operator\|=" ->`
			`[TaintSpec.Propagate_to_receiver; TaintSpec.Propagate_to_return]`
			`\| "memcpy" \| "memmove" \| "strcpy" \| "strncpy" ->`
			`[TaintSpec.Propagate_to_receiver; TaintSpec.Propagate_to_return]`
			`\| "sprintf" ->`
[quandary] handle return value passed by reference in sources Summary: Needed because this is how the Clang frontend translates returns of non-POD, non pointer values (I think)? Will handle the more general case of pass by reference soon. Reviewed By: jvillard Differential Revision: D5017653 fbshipit-source-id: 1fbcea5 8 years ago			`[TaintSpec.Propagate_to_receiver]`
[quandary] tests for string functionality Summary: String are very important for taint analysis, have to make sure that we have the right models/the right behaviors for unknown code. Reviewed By: jvillard Differential Revision: D5054832 fbshipit-source-id: 7e7ee07 8 years ago			`\| other ->`
			`L.d_strln ("generic unknown " ^ other);`
			`handle_generic_unknown ret_typ_opt actuals`
[quandary] optimize handling of unknown code by adding notion of 'taintable types' Reviewed By: jeremydubreil Differential Revision: D4846886 fbshipit-source-id: d8364cc 8 years ago
			`let is_taintable_type _ = true`
[quandary] skeleton for C++ analysis Differential Revision: D3998518 fbshipit-source-id: e90c46d 9 years ago			`end)`