Small Enhancements for IFDS Taint Analysis (#815)

* Handle sink variables in IFDSTaintAnalysis

* Use auto-seeds in IFDS taint analysis

Author: fabianbs96

include/phasar/PhasarLLVM/TaintConfig/LLVMTaintConfig.h

@@ -87,7 +87,7 @@ class LLVMTaintConfig : public TaintConfigBase<LLVMTaintConfig> {
 
   [[nodiscard]] std::map<const llvm::Instruction *,
                          std::set<const llvm::Value *>>
-  makeInitialSeedsImpl() const;
+  makeInitialSeedsImpl(SeedConfig Conf) const;
 
   void printImpl(llvm::raw_ostream &OS) const;
 

include/phasar/PhasarLLVM/TaintConfig/TaintConfigBase.h

@@ -41,6 +41,13 @@ template <typename Derived> class TaintConfigBase {
   using TaintDescriptionCallBackTy =
       llvm::unique_function<std::set<v_t>(n_t) const>;
 
+  enum class [[clang::flag_enum]] SeedConfig {
+    Arguments = 1,
+    Instructions = 2,
+
+    All = Arguments | Instructions,
+  };
+
   void registerSourceCallBack(TaintDescriptionCallBackTy CB) noexcept {
     SourceCallBack = std::move(CB);
   }
@@ -124,8 +131,9 @@ template <typename Derived> class TaintConfigBase {
     return self().getCategoryImpl(std::move(Val));
   }
 
-  [[nodiscard]] std::map<n_t, std::set<v_t>> makeInitialSeeds() const {
-    return self().makeInitialSeedsImpl();
+  [[nodiscard]] std::map<n_t, std::set<v_t>>
+  makeInitialSeeds(SeedConfig Conf = SeedConfig::All) const {
+    return self().makeInitialSeedsImpl(Conf);
   }
 
   void print(llvm::raw_ostream &OS = llvm::outs()) const {

lib/PhasarLLVM/DataFlow/IfdsIde/LibCSummary.cpp

@@ -8,6 +8,8 @@ using namespace psr::library_summary;
 static library_summary::FunctionDataFlowFacts createLibCSummary() {
   FunctionDataFlowFacts Sum;
 
+  Sum.addElement("atoi", 0, ReturnValue{});
+
   // abs
   Sum.addElement("abs", 0, ReturnValue{});
 

lib/PhasarLLVM/DataFlow/IfdsIde/Problems/IDEExtendedTaintAnalysis.cpp

@@ -30,6 +30,7 @@
 #include "llvm/IR/GlobalValue.h"
 #include "llvm/IR/IntrinsicInst.h"
 #include "llvm/Support/Casting.h"
+#include "llvm/Support/WithColor.h"
 
 #include <algorithm>
 #include <type_traits>
@@ -54,9 +55,10 @@ IDEExtendedTaintAnalysis::initialSeeds() {
                             this->base_t::getZeroValue(), bottomElement());
 
   if (Seeds.empty()) {
-    llvm::errs() << "WARNING: No initial seeds specified, skip the analysis. "
-                    "Please specify an entrypoint function or in the "
-                    "TaintConfig a source llvm::Instruction*\n";
+    llvm::WithColor::warning()
+        << "No initial seeds specified, skip the analysis. "
+           "Please specify an entrypoint function or in the "
+           "TaintConfig a source llvm::Instruction*\n";
   }
 
   return Seeds;

lib/PhasarLLVM/DataFlow/IfdsIde/Problems/IFDSTaintAnalysis.cpp

@@ -33,6 +33,7 @@
 #include "llvm/IR/LLVMContext.h"
 #include "llvm/IR/Value.h"
 #include "llvm/Support/Casting.h"
+#include "llvm/Support/WithColor.h"
 #include "llvm/Support/raw_ostream.h"
 
 #include <utility>
@@ -280,8 +281,8 @@ auto IFDSTaintAnalysis::getNormalFlowFunction(n_t Curr,
       Gen.insert(Store->getValueOperand());
     }
 
-    return lambdaFlow(
-        [Store, Gen{std::move(Gen)}](d_t Source) -> container_type {
+    auto Ret =
+        lambdaFlow([Store, Gen{std::move(Gen)}](d_t Source) -> container_type {
           if (Store->getPointerOperand() == Source) {
             return {};
           }
@@ -291,6 +292,21 @@ auto IFDSTaintAnalysis::getNormalFlowFunction(n_t Curr,
 
           return {Source};
         });
+    if (Config->isSink(Store->getPointerOperand())) {
+      // Handle sink variables:
+
+      return lambdaFlow([this, Store, Ret = std::move(Ret)](d_t Source) {
+        if (Store->getValueOperand() == Source) {
+          if (Leaks[Store].insert(Source).second) {
+            Printer->onResult(Store, Source,
+                              DataFlowAnalysisType::IFDSTaintAnalysis);
+          }
+        }
+
+        return Ret->computeTargets(Source);
+      });
+    }
+    return Ret;
   }
   // If a tainted value is loaded, the loaded value is of course tainted
   if (const auto *Load = llvm::dyn_cast<llvm::LoadInst>(Curr)) {
@@ -316,6 +332,16 @@ auto IFDSTaintAnalysis::getNormalFlowFunction(n_t Curr,
     return transferFlow(Cast, Cast->getOperand(0));
   }
 
+  if (llvm::isa<llvm::BinaryOperator>(Curr)) {
+    return lambdaFlow([Curr](d_t Source) -> container_type {
+      if (llvm::is_contained(Curr->operand_values(), Source)) {
+        return {Source, Curr};
+      }
+
+      return {Source};
+    });
+  }
+
   // Otherwise we do not care and leave everything as it is
   return identityFlow();
 }
@@ -489,7 +515,10 @@ auto IFDSTaintAnalysis::getSummaryFlowFunction([[maybe_unused]] n_t CallSite,
 auto IFDSTaintAnalysis::initialSeeds() -> InitialSeeds<n_t, d_t, l_t> {
   PHASAR_LOG_LEVEL(DEBUG, "IFDSTaintAnalysis::initialSeeds()");
 
-  InitialSeeds<n_t, d_t, l_t> Seeds;
+  // Instructions are generated from zero on-the-fly, but args must be generated
+  // explicitly as seeds
+  InitialSeeds<n_t, d_t, l_t> Seeds =
+      Config->makeInitialSeeds(LLVMTaintConfig::SeedConfig::Arguments);
 
   LLVMBasedCFG C;
   addSeedsForStartingPoints(EntryPoints, IRDB, C, Seeds, getZeroValue(),
@@ -507,6 +536,13 @@ auto IFDSTaintAnalysis::initialSeeds() -> InitialSeeds<n_t, d_t, l_t> {
     }
   }
 
+  if (Seeds.empty()) {
+    llvm::WithColor::warning()
+        << "No initial seeds specified, skip the analysis. "
+           "Please specify an entrypoint function or in the "
+           "TaintConfig a source llvm::Instruction*\n";
+  }
+
   return Seeds;
 }
 

lib/PhasarLLVM/TaintConfig/LLVMTaintConfig.cpp

@@ -14,6 +14,7 @@
 #include "phasar/PhasarLLVM/TaintConfig/TaintConfigBase.h"
 #include "phasar/PhasarLLVM/Utils/Annotation.h"
 #include "phasar/PhasarLLVM/Utils/LLVMShorthands.h"
+#include "phasar/Utils/EnumFlags.h"
 #include "phasar/Utils/Logger.h"
 
 #include "llvm/ADT/SmallVector.h"
@@ -457,17 +458,21 @@ TaintCategory LLVMTaintConfig::getCategoryImpl(const llvm::Value *V) const {
 }
 
 std::map<const llvm::Instruction *, std::set<const llvm::Value *>>
-LLVMTaintConfig::makeInitialSeedsImpl() const {
+LLVMTaintConfig::makeInitialSeedsImpl(SeedConfig Conf) const {
   std::map<const llvm::Instruction *, std::set<const llvm::Value *>>
       InitialSeeds;
   for (const auto *SourceValue : SourceValues) {
     if (const auto *Inst = llvm::dyn_cast<llvm::Instruction>(SourceValue)) {
-      InitialSeeds[Inst].insert(Inst);
+      if (hasFlag(Conf, SeedConfig::Instructions)) {
+        InitialSeeds[Inst].insert(Inst);
+      }
     } else if (const auto *Arg = llvm::dyn_cast<llvm::Argument>(SourceValue);
                Arg && !Arg->getParent()->isDeclaration()) {
-      LLVMBasedCFG C;
-      for (const auto *SP : C.getStartPointsOf(Arg->getParent())) {
-        InitialSeeds[SP].insert(Arg);
+      if (hasFlag(Conf, SeedConfig::Arguments)) {
+        LLVMBasedCFG C;
+        for (const auto *SP : C.getStartPointsOf(Arg->getParent())) {
+          InitialSeeds[SP].insert(Arg);
+        }
       }
     }
   }

tools/phasar-cli/Controller/AnalysisControllerXIFDSTaint.cpp

@@ -15,5 +15,8 @@ using namespace psr;
 
 void controller::executeIFDSTaint(AnalysisController &Data) {
   auto Config = makeTaintConfig(Data);
-  executeIFDSAnalysis<IFDSTaintAnalysis>(Data, &Config, Data.EntryPoints);
+  // Note: Don't blindly generate argc and argv. Use a proper taint config
+  // instead
+  executeIFDSAnalysis<IFDSTaintAnalysis>(Data, &Config, Data.EntryPoints,
+                                         false);
 }