pghs975uc
/
infer_clone
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

support tainting of annotated fields

Browse Source 
Reviewed By: jeremydubreil

Differential Revision: D3215005

fb-gh-sync-id: 111b839
fbshipit-source-id: 111b839
master
Sam Blackshear 9 years ago committed by Facebook Github Bot 0
parent 5e4e1b5482
commit 843bcc1576
7 changed files with 91 additions and 2 deletions
Show Stats Download Patch File Download Diff File

27
infer/src/backend/symExec.ml
Unescape View File

@ -843,6 +843,27 @@ let add_constraints_on_retval pdesc prop ret_exp typ callee_pname callee_loc =
else prop''
else add_ret_non_null ret_exp typ prop
let add_taint prop lhs_id rhs_exp pname tenv =
let add_attribute_if_field_tainted prop fieldname struct_typ =
if Taint.has_taint_annotation fieldname struct_typ
then
let taint_info = { Sil.taint_source = pname; taint_kind = Unknown; } in
Prop.add_or_replace_exp_attribute prop (Sil.Var lhs_id) (Sil.Ataint taint_info)
else
prop in
match rhs_exp with
| Sil.Lfield (_, fieldname, Tptr (Tstruct struct_typ, _))
| Sil.Lfield (_, fieldname, Tstruct struct_typ) ->
add_attribute_if_field_tainted prop fieldname struct_typ
| Sil.Lfield (_, fieldname, Tptr (Tvar typname, _))
| Sil.Lfield (_, fieldname, Tvar typname) ->
begin
match Tenv.lookup tenv typname with
| Some struct_typ -> add_attribute_if_field_tainted prop fieldname struct_typ
| None -> prop
end
| _ -> prop
let execute_letderef ?(report_deref_errors=true) pname pdesc tenv id rhs_exp typ loc prop_ =
let execute_letderef_ pdesc tenv id loc acc_in iter =
let iter_ren = Prop.prop_iter_make_id_primed id iter in
@ -860,7 +881,11 @@ let execute_letderef ?(report_deref_errors=true) pname pdesc tenv id rhs_exp typ
if lookup_uninitialized then
Prop.add_or_replace_exp_attribute prop' (Sil.Var id) (Sil.Adangling Sil.DAuninit)
else prop' in
prop'' :: acc in
let prop''' =
if !Config.taint_analysis
then add_taint prop'' id rhs_exp pname tenv
else prop'' in
prop''' :: acc in
begin
match pred_insts_op with
| None -> update acc_in ([],[])

7
infer/src/backend/taint.ml
Unescape View File

@ -252,3 +252,10 @@ let accepts_sensitive_params callee_pname callee_attrs_opt =
considered tainted during symbolic execution *)
let tainted_params callee_pname =
find_callee func_with_tainted_params callee_pname
let has_taint_annotation fieldname struct_typ =
let fld_has_taint_annot (fname, _, annot) =
Ident.fieldname_equal fieldname fname &&
Annotations.ia_is_privacy_source annot in
IList.exists fld_has_taint_annot struct_typ.Sil.instance_fields ||
IList.exists fld_has_taint_annot struct_typ.Sil.static_fields

3
infer/src/backend/taint.mli
Unescape View File

@ -18,3 +18,6 @@ val accepts_sensitive_params : Procname.t -> ProcAttributes.t option -> int list
(** returns list of zero-indexed parameter numbers of [callee_pname] that should be
considered tainted during symbolic execution *)
val tainted_params : Procname.t -> int list
(** returns true if [fieldname] has a taint source annotation *)
val has_taint_annotation : Ident.fieldname -> Sil.struct_typ -> bool

15
infer/tests/build_systems/expected_outputs/ant_report.json
Unescape View File

@ -124,6 +124,21 @@
"file": "codetoanalyze/java/infer/TaintExample.java",
"procedure": "void TaintExample.testPrivacySourceAnnot()"
},
{
"bug_type": "TAINTED_VALUE_REACHING_SENSITIVE_FUNCTION",
"file": "codetoanalyze/java/infer/TaintExample.java",
"procedure": "void TaintExample.testPrivacySourceFieldAnnotPropagation()"
},
{
"bug_type": "TAINTED_VALUE_REACHING_SENSITIVE_FUNCTION",
"file": "codetoanalyze/java/infer/TaintExample.java",
"procedure": "void TaintExample.testPrivacySourceInstanceFieldAnnot()"
},
{
"bug_type": "TAINTED_VALUE_REACHING_SENSITIVE_FUNCTION",
"file": "codetoanalyze/java/infer/TaintExample.java",
"procedure": "void TaintExample.testPrivacySourceStaticFieldAnnot()"
},
{
"bug_type": "NULL_DEREFERENCE",
"file": "codetoanalyze/java/infer/NullPointerExceptions.java",

15
infer/tests/build_systems/expected_outputs/buck_report.json
Unescape View File

@ -124,6 +124,21 @@
"file": "infer/tests/codetoanalyze/java/infer/TaintExample.java",
"procedure": "void TaintExample.testPrivacySourceAnnot()"
},
{
"bug_type": "TAINTED_VALUE_REACHING_SENSITIVE_FUNCTION",
"file": "infer/tests/codetoanalyze/java/infer/TaintExample.java",
"procedure": "void TaintExample.testPrivacySourceFieldAnnotPropagation()"
},
{
"bug_type": "TAINTED_VALUE_REACHING_SENSITIVE_FUNCTION",
"file": "infer/tests/codetoanalyze/java/infer/TaintExample.java",
"procedure": "void TaintExample.testPrivacySourceInstanceFieldAnnot()"
},
{
"bug_type": "TAINTED_VALUE_REACHING_SENSITIVE_FUNCTION",
"file": "infer/tests/codetoanalyze/java/infer/TaintExample.java",
"procedure": "void TaintExample.testPrivacySourceStaticFieldAnnot()"
},
{
"bug_type": "NULL_DEREFERENCE",
"file": "infer/tests/codetoanalyze/java/infer/NullPointerExceptions.java",

21
infer/tests/codetoanalyze/java/infer/TaintExample.java
Unescape View File

@ -207,4 +207,25 @@ public class TaintExample {
staticPrivacySink("", source); // should not report
}
@PrivacySource("") String mPrivacySource;
@PrivacySource("") String sPrivacySource;
public void testPrivacySourceInstanceFieldAnnot() {
String source = mPrivacySource;
InferTaint.inferSensitiveSinkUndefined(source); // should report
}
public void testPrivacySourceStaticFieldAnnot() {
String source = sPrivacySource;
InferTaint.inferSensitiveSinkUndefined(source); // should report
}
String aFieldWithoutAnnotations;
public void testPrivacySourceFieldAnnotPropagation() {
aFieldWithoutAnnotations = mPrivacySource;
InferTaint.inferSensitiveSinkUndefined(aFieldWithoutAnnotations); // should report
}
}

5
infer/tests/endtoend/java/infer/TaintTest.java
Unescape View File

@ -57,7 +57,10 @@ public class TaintTest {
"contentValuesPutWithTaintedString",
"testPrivacySourceAnnot",
"testPrivacySinkAnnot1",
"testPrivacySinkAnnot3"
"testPrivacySinkAnnot3",
"testPrivacySourceInstanceFieldAnnot",
"testPrivacySourceStaticFieldAnnot",
"testPrivacySourceFieldAnnotPropagation",
};
assertThat(

Write Preview
Loading…
Cancel
Save