ROSE 0.11.145.147
TaintedFlow.h
1#ifndef ROSE_BinaryAnalysis_TaintedFlow_H
2#define ROSE_BinaryAnalysis_TaintedFlow_H
3#include <featureTests.h>
4#ifdef ROSE_ENABLE_BINARY_ANALYSIS
5
6#include <Rose/BinaryAnalysis/DataFlow.h>
7#include <Rose/Diagnostics.h>
8
9#include <boost/shared_ptr.hpp>
10#include <stdexcept>
11
12namespace Rose {
13namespace BinaryAnalysis {
14
18class TaintedFlow {
19public:
24 enum Taintedness { BOTTOM, NOT_TAINTED, TAINTED, TOP };
25
31 enum Approximation { UNDER_APPROXIMATE, OVER_APPROXIMATE };
32
36 static Taintedness merge(Taintedness, Taintedness);
37
39 typedef std::pair<DataFlow::Variable, Taintedness> VariableTaint;
40
42 // State
44public:
49 class State {
50 typedef std::list<VariableTaint> VarTaintList;
51 VarTaintList taints_;
52
53 public:
55 typedef boost::shared_ptr<State> Ptr;
56
57 protected:
58 // Initialize taintedness for all variables; this is protected because this is a reference-counted object
59 State(const DataFlow::VariableList &variables, Taintedness taint) {
60 for (const DataFlow::Variable &variable: variables)
61 taints_.push_back(std::make_pair(variable, taint));
62 }
63
64 public:
69 static State::Ptr instance(const DataFlow::VariableList &variables, Taintedness taint = BOTTOM) {
70 return State::Ptr(new State(variables, taint));
71 }
72
76 virtual State::Ptr copy() const {
77 return State::Ptr(new State(*this));
78 }
79
80 virtual ~State() {}
81
86 Taintedness& lookup(const DataFlow::Variable&);
87
91 bool setIfExists(const DataFlow::Variable&, Taintedness);
92
96 bool merge(const State::Ptr&);
97
103 const VarTaintList& variables() const { return taints_; }
104 VarTaintList& variables() { return taints_; }
108 void print(std::ostream&) const;
109 };
110
114 typedef State::Ptr StatePtr;
115
117 // Transfer function
119protected:
120 class TransferFunction {
121 const DataFlow::VertexFlowGraphs &index_; // maps CFG vertex to data flow graph
122 Approximation approximation_;
123 SmtSolverPtr smtSolver_;
124 Sawyer::Message::Facility &mlog;
125 public:
126 TransferFunction(const DataFlow::VertexFlowGraphs &index, Approximation approx, const SmtSolverPtr &solver,
127 Sawyer::Message::Facility &mlog)
128 : index_(index), approximation_(approx), smtSolver_(solver), mlog(mlog) {}
129
130 template<class CFG>
131 StatePtr operator()(const CFG&, size_t cfgVertex, const StatePtr &in) {
132 return (*this)(cfgVertex, in);
133 }
134
135 StatePtr operator()(size_t cfgVertex, const StatePtr &in);
136
137 std::string toString(const StatePtr &in);
138 };
139
141 // Merge function
143protected:
144 class MergeFunction {
145 public:
146 bool operator()(StatePtr &dst /*in,out*/, const StatePtr &src) const {
147 ASSERT_not_null(src);
148 if (!dst) {
149 dst = src->copy();
150 return true; // destination changed
151 }
152 return dst->merge(src);
153 }
154 };
155
157 // Data members
159private:
160 static Sawyer::Message::Facility mlog;
161 Approximation approximation_;
162 DataFlow dataFlow_;
163 DataFlow::VertexFlowGraphs vertexFlowGraphs_;
164 DataFlow::VariableList variableList_;
165 bool vlistInitialized_;
166 std::vector<StatePtr> results_;
167 SmtSolverPtr smtSolver_;
168
169public:
176 explicit TaintedFlow(const InstructionSemantics::BaseSemantics::DispatcherPtr &userDispatcher)
177 : approximation_(UNDER_APPROXIMATE), dataFlow_(userDispatcher), vlistInitialized_(false) {}
178
182 static void initDiagnostics();
183
192 Approximation approximation() const { return approximation_; }
193 void approximation(Approximation a) { approximation_ = a; }
202 SmtSolverPtr smtSolver() const { return smtSolver_; }
203 void smtSolver(const SmtSolverPtr &solver) { smtSolver_ = solver; }
211 template<class CFG>
212 void computeFlowGraphs(const CFG &cfg, size_t cfgStartVertex) {
213 using namespace Diagnostics;
214 ASSERT_this();
215 ASSERT_require(cfgStartVertex < cfg.nVertices());
216 Stream mesg(mlog[WHERE] <<"computeFlowGraphs starting at CFG vertex " <<cfgStartVertex);
217 vertexFlowGraphs_ = dataFlow_.buildGraphPerVertex(cfg, cfgStartVertex);
218 variableList_ = dataFlow_.getUniqueVariables(vertexFlowGraphs_);
219 results_.clear();
220 vlistInitialized_ = true;
221 mesg <<"; found " <<StringUtility::plural(variableList_.size(), "variables") <<"\n";
222 if (mlog[DEBUG]) {
223 for (const DataFlow::Variable &variable: variableList_)
224 mlog[DEBUG] <<" found variable: " <<variable <<"\n";
225 }
226 }
227
235 const DataFlow::VertexFlowGraphs& vertexFlowGraphs() const {
236 ASSERT_this();
237 return vertexFlowGraphs_;
238 }
239 void vertexFlowGraphs(const DataFlow::VertexFlowGraphs &graphMap) {
240 using namespace Diagnostics;
241 ASSERT_this();
242 vertexFlowGraphs_ = graphMap;
243 variableList_ = dataFlow_.getUniqueVariables(vertexFlowGraphs_);
244 vlistInitialized_ = true;
245 results_.clear();
246 mlog[WHERE] <<"vertexFlowGraphs set by user with " <<StringUtility::plural(variableList_.size(), "variables") <<"\n";
247 }
254 const DataFlow::VariableList& variables() const {
255 ASSERT_this();
256 ASSERT_require2(vlistInitialized_, "TaintedFlow::computeFlowGraphs must be called before TaintedFlow::variables");
257 return variableList_;
258 }
259
264 StatePtr stateInstance(Taintedness taint) const {
265 ASSERT_this();
266 ASSERT_require2(vlistInitialized_, "TaintedFlow::computeFlowGraphs must be called before TaintedFlow::stateInstance");
267 return State::instance(variableList_, taint);
268 }
269
273 template<class CFG>
274 void runToFixedPoint(const CFG &cfg, size_t cfgStartVertex, const StatePtr &initialState) {
275 using namespace Diagnostics;
276 ASSERT_this();
277 ASSERT_require(cfgStartVertex < cfg.nVertices());
278 ASSERT_not_null(initialState);
279 Stream mesg(mlog[WHERE] <<"runToFixedPoint starting at CFG vertex " <<cfgStartVertex);
280 results_.clear();
281 TransferFunction xfer(vertexFlowGraphs_, approximation_, smtSolver_, mlog);
282 MergeFunction merge;
283 DataFlow::Engine<CFG, StatePtr, TransferFunction, MergeFunction> dfEngine(cfg, xfer, merge);
284 dfEngine.name("tainted-flow");
285 dfEngine.runToFixedPoint(cfgStartVertex, initialState);
286 results_ = dfEngine.getFinalStates();
287 mesg <<"; results for " <<StringUtility::plural(results_.size(), "vertices", "vertex") <<"\n";
288 }
289
294 StatePtr getFinalState(size_t cfgVertexId) const {
295 ASSERT_this();
296 ASSERT_require(cfgVertexId < results_.size());
297 return results_[cfgVertexId];
298 }
299};
300
301std::ostream& operator<<(std::ostream &out, const TaintedFlow::State &state);
302
303} // namespace
304} // namespace
305
306#endif
307#endif
Rose::BinaryAnalysis::DataFlow::Engine::runToFixedPoint
void runToFixedPoint()
Run data-flow until it reaches a fixed point.
Definition DataFlow.h:474
Rose::BinaryAnalysis::DataFlow::Engine::getFinalStates
const VertexStates & getFinalStates() const
All outgoing states.
Definition DataFlow.h:520
Rose::BinaryAnalysis::DataFlow::Engine::name
const std::string & name() const
Property: Name for debugging.
Definition DataFlow.h:375
Rose::BinaryAnalysis::DataFlow
Various tools for data-flow analysis.
Definition DataFlow.h:72
Rose::BinaryAnalysis::DataFlow::VariableList
std::list< Variable > VariableList
List of variables.
Definition DataFlow.h:89
Rose::BinaryAnalysis::DataFlow::getUniqueVariables
VariableList getUniqueVariables(const VertexFlowGraphs &)
Get list of unique variables.
Rose::BinaryAnalysis::DataFlow::buildGraphPerVertex
VertexFlowGraphs buildGraphPerVertex(const CFG &cfg, size_t startVertex, VertexUnpacker vertexUnpacker)
Compute data-flow per CFG vertex.
Definition DataFlow.h:174
Rose::BinaryAnalysis::TaintedFlow::State::lookup
Taintedness & lookup(const DataFlow::Variable &)
Find the taintedness for some variable.
Rose::BinaryAnalysis::TaintedFlow::State::instance
static State::Ptr instance(const DataFlow::VariableList &variables, Taintedness taint=BOTTOM)
Allocating constructor.
Definition TaintedFlow.h:69
Rose::BinaryAnalysis::TaintedFlow::State::merge
bool merge(const State::Ptr &)
Merge other state into this state.
Rose::BinaryAnalysis::TaintedFlow::State::print
void print(std::ostream &) const
Print this state.
Rose::BinaryAnalysis::TaintedFlow::State::copy
virtual State::Ptr copy() const
Virtual copy constructor.
Definition TaintedFlow.h:76
Rose::BinaryAnalysis::TaintedFlow::State::variables
VarTaintList & variables()
List of all variables and their taintedness.
Definition TaintedFlow.h:104
Rose::BinaryAnalysis::TaintedFlow::State::setIfExists
bool setIfExists(const DataFlow::Variable &, Taintedness)
Set taintedness if the variable exists.
Rose::BinaryAnalysis::TaintedFlow::State::Ptr
boost::shared_ptr< State > Ptr
Shared-ownership pointer to taint states.
Definition TaintedFlow.h:55
Rose::BinaryAnalysis::TaintedFlow::State::variables
const VarTaintList & variables() const
List of all variables and their taintedness.
Definition TaintedFlow.h:103
Rose::BinaryAnalysis::TaintedFlow
Various tools for performing tainted flow analysis.
Definition TaintedFlow.h:18
Rose::BinaryAnalysis::TaintedFlow::initDiagnostics
static void initDiagnostics()
Initialize diagnostics.
Rose::BinaryAnalysis::TaintedFlow::vertexFlowGraphs
void vertexFlowGraphs(const DataFlow::VertexFlowGraphs &graphMap)
Property: data flow graphs.
Definition TaintedFlow.h:239
Rose::BinaryAnalysis::TaintedFlow::smtSolver
SmtSolverPtr smtSolver() const
Property: SMT solver.
Definition TaintedFlow.h:202
Rose::BinaryAnalysis::TaintedFlow::TaintedFlow
TaintedFlow(const InstructionSemantics::BaseSemantics::DispatcherPtr &userDispatcher)
Constructs a tainted flow analysis.
Definition TaintedFlow.h:176
Rose::BinaryAnalysis::TaintedFlow::runToFixedPoint
void runToFixedPoint(const CFG &cfg, size_t cfgStartVertex, const StatePtr &initialState)
Run data flow.
Definition TaintedFlow.h:274
Rose::BinaryAnalysis::TaintedFlow::vertexFlowGraphs
const DataFlow::VertexFlowGraphs & vertexFlowGraphs() const
Property: data flow graphs.
Definition TaintedFlow.h:235
Rose::BinaryAnalysis::TaintedFlow::approximation
Approximation approximation() const
Property: approximation.
Definition TaintedFlow.h:192
Rose::BinaryAnalysis::TaintedFlow::merge
static Taintedness merge(Taintedness, Taintedness)
Merges two taint values.
Rose::BinaryAnalysis::TaintedFlow::VariableTaint
std::pair< DataFlow::Variable, Taintedness > VariableTaint
Variable-Taintedness pair.
Definition TaintedFlow.h:39
Rose::BinaryAnalysis::TaintedFlow::getFinalState
StatePtr getFinalState(size_t cfgVertexId) const
Query results.
Definition TaintedFlow.h:294
Rose::BinaryAnalysis::TaintedFlow::smtSolver
void smtSolver(const SmtSolverPtr &solver)
Property: SMT solver.
Definition TaintedFlow.h:203
Rose::BinaryAnalysis::TaintedFlow::variables
const DataFlow::VariableList & variables() const
List of variables.
Definition TaintedFlow.h:254
Rose::BinaryAnalysis::TaintedFlow::StatePtr
State::Ptr StatePtr
Reference counting pointer to State.
Definition TaintedFlow.h:114
Rose::BinaryAnalysis::TaintedFlow::approximation
void approximation(Approximation a)
Property: approximation.
Definition TaintedFlow.h:193
Rose::BinaryAnalysis::TaintedFlow::stateInstance
StatePtr stateInstance(Taintedness taint) const
Creates a new state.
Definition TaintedFlow.h:264
Rose::BinaryAnalysis::TaintedFlow::computeFlowGraphs
void computeFlowGraphs(const CFG &cfg, size_t cfgStartVertex)
Compute data flow graphs.
Definition TaintedFlow.h:212
Sawyer::Message::Facility
Collection of streams.
Definition Message.h:1606
Rose::BinaryAnalysis::InstructionSemantics::BaseSemantics::DispatcherPtr
boost::shared_ptr< Dispatcher > DispatcherPtr
Shared-ownership pointer to a semantics instruction dispatcher.
Definition Rose/BinaryAnalysis/InstructionSemantics/BaseSemantics/BasicTypes.h:69
Rose::BinaryAnalysis::SmtSolverPtr
std::shared_ptr< SmtSolver > SmtSolverPtr
Reference counting pointer.
Definition Rose/BinaryAnalysis/BasicTypes.h:57
Rose::StringUtility::plural
std::string plural(T n, const std::string &plural_phrase, const std::string &singular_phrase="")
Helpful way to print singular or plural words.
Definition StringUtility/Diagnostics.h:88
Rose
The ROSE library.
Definition BinaryTutorial.dox:3
Generated on Mon Sep 30 2024 03:25:29 for ROSE by doxygen 1.9.8