
Determine correct propagation behavior for ambiguous cases #188

Closed
8 tasks done
mlevesquedion opened this issue Nov 12, 2020 · 1 comment
Comments

mlevesquedion commented Nov 12, 2020

PR #178 added explicit handling for each node type.

For most node types, it is obvious what the correct behavior is, e.g. when doing a MapUpdate, we shouldn't be traversing to the Key or the Value, only the Map.

For other node types, the correct behavior is not obvious.

Here are the cases that need further investigation and, likely, more tests:

mlevesquedion commented Dec 18, 2020

I have investigated ssa.UnOp instructions and I believe the best we can do for now is to keep visiting the Operands. Under the current approach I don't see a straightforward way to handle the following cases without visiting the Operands. I think this would be easy to handle with an interpretation-based approach, however.

First, consider this case:

```go
func TestArrOfPointersIsTainted(s core.Source, arr [1]*string) {
	colocateArrOfPointers(s, arr)
	core.Sink(arr) // want "a source has reached a sink"
}
```

The relevant portion of the SSA graph is:

[image: the relevant portion of the SSA graph]

We need to traverse to the Operand (in this case, t1) when coming from the Call, because otherwise we can't get to the sink.

Also consider this case:

```go
func TestSanitizedSourceDoesNotTriggerFindingWhenTypeAsserted(s *core.Source) {
	sanitized := core.Sanitize(s)[0].(*core.Source)
	core.Sinkf("Sanitized %v", sanitized)
}
```

The relevant portion of the SSA graph is:

[image: the relevant portion of the SSA graph]

We need to traverse to the Operand in order to find the Sanitizer. Otherwise, the Source produced by the TypeAssert is considered unsanitized. This could be seen as a failure of the isProducedBySanitizer function. I have opened an issue here: #237.
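The first case above, reduced to a toy model as an added example (this is not go-flow-levee code; the SSA shape, with arr kept in a local t0 that is loaded once for the colocating call and once for the sink, is an assumption): taint is propagated from the source over a small Operands/Referrers graph, and the sink is reached only when a UnOp also propagates to its operand.

```go
package main

import "fmt"

// Node mirrors an ssa.Value: Operands are the values it reads, Referrers the instructions that read it.
type Node struct {
	Name, Kind          string // Kind: Source, Alloc, Call, UnOp or Sink
	Operands, Referrers []*Node
}

// node builds a node of the given kind that reads vals and wires their Referrers back.
func node(name, kind string, vals ...*Node) *Node {
	n := &Node{Name: name, Kind: kind}
	for _, v := range vals {
		n.Operands, v.Referrers = append(n.Operands, v), append(v.Referrers, n)
	}
	return n
}

// reachedSinks propagates taint from src: every node's Referrers are visited, as are the Operands
// of a Call (its other arguments may be colocated) and, only if visitUnOp, the Operands of a UnOp.
func reachedSinks(src *Node, visitUnOp bool) (out []string) {
	for work, seen := []*Node{src}, map[*Node]bool{}; len(work) > 0; work = work[1:] {
		if n := work[0]; !seen[n] {
			seen[n] = true
			if n.Kind == "Sink" {
				out = append(out, n.Name)
			}
			work = append(work, n.Referrers...)
			if n.Kind == "Call" || (n.Kind == "UnOp" && visitUnOp) {
				work = append(work, n.Operands...)
			}
		}
	}
	return out
}

// arrCase builds TestArrOfPointersIsTainted as an assumed SSA shape: arr is kept in local t0,
// loaded (t1 = *t0) for colocateArrOfPointers(s, t1) and loaded again (t2 = *t0) for core.Sink(t2).
func arrCase() *Node {
	s, t0 := node("s", "Source"), node("t0", "Alloc")
	node("colocateArrOfPointers", "Call", s, node("t1", "UnOp", t0))
	node("core.Sink", "Sink", node("t2", "UnOp", t0))
	return s
}

func main() {
	fmt.Println("UnOp operands skipped:", reachedSinks(arrCase(), false)) // []
	fmt.Println("UnOp operands visited:", reachedSinks(arrCase(), true)) // [core.Sink]
}
```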
