1 #ifndef ROSE_BinaryAnalysis_TaintedFlow_H
2 #define ROSE_BinaryAnalysis_TaintedFlow_H
3 #include <featureTests.h>
4 #ifdef ROSE_ENABLE_BINARY_ANALYSIS
6 #include <Rose/BinaryAnalysis/DataFlow.h>
7 #include <Rose/Diagnostics.h>
9 #include <boost/shared_ptr.hpp>
13 namespace BinaryAnalysis {
50 typedef std::list<VariableTaint> VarTaintList;
55 typedef boost::shared_ptr<State>
Ptr;
61 taints_.push_back(std::make_pair(
variable, taint));
103 const VarTaintList&
variables()
const {
return taints_; }
108 void print(std::ostream&)
const;
128 : index_(index), approximation_(approx), smtSolver_(solver), mlog(mlog) {}
131 StatePtr operator()(
const CFG&,
size_t cfgVertex,
const StatePtr &in) {
132 return (*
this)(cfgVertex, in);
135 StatePtr operator()(
size_t cfgVertex,
const StatePtr &in);
137 std::string toString(
const StatePtr &in);
146 bool operator()(StatePtr &dst ,
const StatePtr &src)
const {
147 ASSERT_not_null(src);
152 return dst->merge(src);
165 bool vlistInitialized_;
166 std::vector<StatePtr> results_;
177 : approximation_(UNDER_APPROXIMATE), dataFlow_(userDispatcher), vlistInitialized_(false) {}
213 using namespace Diagnostics;
215 ASSERT_require(cfgStartVertex < cfg.nVertices());
216 Stream mesg(mlog[WHERE] <<
"computeFlowGraphs starting at CFG vertex " <<cfgStartVertex);
220 vlistInitialized_ =
true;
224 mlog[DEBUG] <<
" found variable: " <<
variable <<
"\n";
237 return vertexFlowGraphs_;
240 using namespace Diagnostics;
242 vertexFlowGraphs_ = graphMap;
244 vlistInitialized_ =
true;
246 mlog[WHERE] <<
"vertexFlowGraphs set by user with " <<
StringUtility::plural(variableList_.size(),
"variables") <<
"\n";
256 ASSERT_require2(vlistInitialized_,
"TaintedFlow::computeFlowGraphs must be called before TaintedFlow::variables");
257 return variableList_;
266 ASSERT_require2(vlistInitialized_,
"TaintedFlow::computeFlowGraphs must be called before TaintedFlow::stateInstance");
274 void runToFixedPoint(
const CFG &cfg,
size_t cfgStartVertex,
const StatePtr &initialState) {
275 using namespace Diagnostics;
277 ASSERT_require(cfgStartVertex < cfg.nVertices());
278 ASSERT_not_null(initialState);
279 Stream mesg(mlog[WHERE] <<
"runToFixedPoint starting at CFG vertex " <<cfgStartVertex);
284 dfEngine.
name(
"tainted-flow");
296 ASSERT_require(cfgVertexId < results_.size());
297 return results_[cfgVertexId];
301 std::ostream& operator<<(std::ostream &out,
const TaintedFlow::State &state);
const VertexStates & getFinalStates() const
All outgoing states.
StatePtr getFinalState(size_t cfgVertexId) const
Query results.
static State::Ptr instance(const DataFlow::VariableList &variables, Taintedness taint=BOTTOM)
Allocating constructor.
Approximation
Mode of operation.
std::string plural(T n, const std::string &plural_phrase, const std::string &singular_phrase="")
Helpful way to print singular or plural words.
const VarTaintList & variables() const
List of all variables and their taintedness.
Various tools for performing tainted flow analysis.
void runToFixedPoint(const CFG &cfg, size_t cfgStartVertex, const StatePtr &initialState)
Run data flow.
void runToFixedPoint()
Run data-flow until it reaches a fixed point.
std::list< Variable > VariableList
List of variables.
void print(std::ostream &) const
Print this state.
boost::shared_ptr< State > Ptr
Shared-ownership pointer to taint states.
Main namespace for the ROSE library.
bool merge(const State::Ptr &)
Merge other state into this state.
bool setIfExists(const DataFlow::Variable &, Taintedness)
Set taintedness if the variable exists.
boost::shared_ptr< Dispatcher > DispatcherPtr
Shared-ownership pointer to a semantics instruction dispatcher.
VariableList getUniqueVariables(const VertexFlowGraphs &)
Get list of unique variables.
State::Ptr StatePtr
Reference counting pointer to State.
VarTaintList & variables()
List of all variables and their taintedness.
void vertexFlowGraphs(const DataFlow::VertexFlowGraphs &graphMap)
Property: data flow graphs.
std::pair< DataFlow::Variable, Taintedness > VariableTaint
Variable-Taintedness pair.
static Taintedness merge(Taintedness, Taintedness)
Merges two taint values.
const std::string & name() const
Property: Name for debugging.
const DataFlow::VertexFlowGraphs & vertexFlowGraphs() const
Property: data flow graphs.
TaintedFlow(const InstructionSemantics::BaseSemantics::DispatcherPtr &userDispatcher)
Constructs a tainted flow analysis.
const DataFlow::VariableList & variables() const
List of variables.
void smtSolver(const SmtSolverPtr &solver)
Property: SMT solver.
static void initDiagnostics()
Initialize diagnostics.
Various tools for data-flow analysis.
SmtSolverPtr smtSolver() const
Property: SMT solver.
std::shared_ptr< SmtSolver > SmtSolverPtr
Reference counting pointer.
void approximation(Approximation a)
Property: approximation.
Taintedness & lookup(const DataFlow::Variable &)
Find the taintedness for some variable.
Approximation approximation() const
Property: approximation.
VertexFlowGraphs buildGraphPerVertex(const CFG &cfg, size_t startVertex, VertexUnpacker vertexUnpacker)
Compute data-flow per CFG vertex.
virtual State::Ptr copy() const
Virtual copy constructor.
StatePtr stateInstance(Taintedness taint) const
Creates a new state.
void computeFlowGraphs(const CFG &cfg, size_t cfgStartVertex)
Compute data flow graphs.
