# confSysTaint

confSysTaint is based on LLVM IR. It analyzes the control and data dependencies starting from the specified configuration variable(s). It supports:

- basic LLVM "Use" support
- field-sensitive analysis
- inter-procedural analysis (with pointers)
- our extended data flow (phi-node)
## Control flow, formally defined

- Control dependency: a block Y is control dependent on block X if and only if Y post-dominates at least one, but not all, of the successors of X.
- Transitivity: if A is control dependent on B and B is control dependent on C, then A is control dependent on C.

An example, where the yellow square indicates the complicated code structures that motivate the use of the formal definition.
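The definition above can be checked mechanically. The following Python script is an added example, not part of confSysTaint: it computes post-dominators for a small hand-built CFG (a loop whose body contains an if/else; the block names are made up for the example), derives control dependencies with the "some but not all successors" rule, and closes the relation transitively, which is what lets a taint analysis mark every block that is reachable only through a branch on a configuration value. It uses set-based fixpoint iteration rather than the LLVM pass infrastructure the tool itself builds on.

```python
# Constructed CFG: a loop (header) whose body branches on a condition.
# Map: block -> list of successor blocks. "exit" is the only sink.
CFG = {
    "entry":  ["header"],
    "header": ["body", "exit"],   # loop condition
    "body":   ["then", "else"],   # if/else inside the loop body
    "then":   ["join"],
    "else":   ["join"],
    "join":   ["header"],         # back edge
}


def cfg_nodes(succ):
    """All block names in the successor map, including sinks such as 'exit'."""
    nodes = set(succ)
    for ss in succ.values():
        nodes.update(ss)
    return nodes


def postdominators(succ, exit_node):
    """Greatest fixpoint of pdom[n] = {n} | intersection(pdom[s] for s in succ[n]).

    Every block starts with the full set and is shrunk until nothing changes;
    the result is the set of blocks that post-dominate n (n included)."""
    nodes = cfg_nodes(succ)
    pdom = {n: set(nodes) for n in nodes}
    pdom[exit_node] = {exit_node}
    changed = True
    while changed:
        changed = False
        for n in nodes:
            if n == exit_node:
                continue
            ss = succ.get(n, [])
            if not ss:
                raise ValueError(f"{n} has no successors but is not the exit")
            new = {n} | set.intersection(*(pdom[s] for s in ss))
            if new != pdom[n]:
                pdom[n] = new
                changed = True
    return pdom


def control_dependence(succ, exit_node):
    """cd[Y] = {X : Y post-dominates at least one but not all successors of X}."""
    pdom = postdominators(succ, exit_node)
    cd = {}
    for x, ss in succ.items():
        if len(ss) < 2:
            continue  # a block with a single successor decides nothing
        for y in cfg_nodes(succ):
            hits = sum(1 for s in ss if y in pdom[s])
            if 0 < hits < len(ss):
                cd.setdefault(y, set()).add(x)
    return cd


def transitive_control_deps(cd, y):
    """Transitivity: every block y depends on, directly or through other blocks."""
    seen, work = set(), list(cd.get(y, ()))
    while work:
        x = work.pop()
        if x in seen:
            continue
        seen.add(x)
        work.extend(cd.get(x, ()))
    return seen


if __name__ == "__main__":
    cd = control_dependence(CFG, "exit")
    for block in sorted(cd):
        print(f"{block:7s} directly depends on {sorted(cd[block])}, "
              f"transitively on {sorted(transitive_control_deps(cd, block))}")
```

Running it shows `then` and `else` depending directly on `body`, `body` and `join` on `header`, and `header` on itself (the loop); by transitivity `then` also depends on `header`, so a configuration check in `header` taints both the loop body and the inner branches.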
## Dependencies

- llvm-10.0.0
- gllvm

## Build and run

```bash
cd tainter
cmake -DCMAKE_CXX_COMPILER=/usr/bin/clang++-10 -DCMAKE_C_COMPILER=/usr/bin/clang-10 -DLLVM_DIR=/usr/lib/llvm-10/cmake .
make
cd test/demo
../../tainter test.bc test-var.txt
```

For a real DBMS, use gllvm to obtain the `.bc` file (e.g., `mysqld.bc`).
## Output

```
cat test-records.dat
Tainted Functions (group by Caller-Functions):
Clone_Handle::open_file <------------ func-1 of "srv_unix_file_flush_method"
Clone_Task_Manager::set_error ----- Tainted Function.
Clone_Snapshot::update_block_size <-- func-2 of "srv_unix_file_flush_method"
os_event_set -------------------\
pfs_unlock_mutex_v1 |_ Tainted Function.
sync_array_object_signalled |
ut_dbg_assertion_failed --------/
Double_write::sync_page_flush <------ func-3 of "srv_unix_file_flush_method"
__clang_call_terminate ---------\
buf_page_io_complete |-- Tainted Function.
fil_flush ----------------------/
...
```
## Entry-point formats

| Form | Meaning |
|------|---------|
| `SINGLE CONF_VAR_NAME` | global variable with a basic type (`int`, `bool`, etc.) |
| `STRUCT CONF_VAR_STRUCT.FIELD_NAME` | global struct with a field |
| `CLASS CONF_VAR_CLASS.FIELD_NAME` | global class with a field |
| `FIELD CONF_VAR_TYPE.FIELD_COUNT` | any field of the specified type; for example, use `FIELD some_type.2` to make `some_type.field_C` the entry point, given `struct some_type { int field_A; bool field_B; float field_C; }` |
## Troubleshooting

- Make sure you have used the right compilation options: `-O0`, `-fno-discard-value-names`, `-g`; if you want the PhiNode analysis, also use these two options.
- Make sure the specified configuration variable name is right.
  - Check if it exists in the source code via a simple search: `grep CONF_NAME /dir/of/src`.
  - Check if it has been compiled into the target `.bc` file: `grep CONF_VAR_NAME /dir/to/target.ll`.
- If the entry you specified in `*-parameter.txt` does not produce any results, check whether the configuration variable is really present in `*.bc`. Example empty result (content of `*-record.dat`):

  ```
  GlobalVariable Name: System_variables.45 Offset: 45
  Caller Functions:
  Tainted Functions (group by Caller-Functions):
  Called Functions:
  Called Chain:
  Related GlobalVariables:
  ```

  - For example, if you use `FIELD System_variables.45` to specify the configuration `System_variables.preload_buff_size`, then you need to make sure the command `grep "getelementptr inbounds %struct.System_variables" mysqld.ll` produces the right results, like `%xx = getelementptr inbounds %struct.System_variables, %struct.System_variables* %xx, i64 0, i32 45, !dbg !xxx`, where `i64 0, i32 45` must appear.
  - If you use `SINGLE srv_unix_file_flush_method` to specify the configuration `innodb_flush_method`, things are easier: use `grep "srv_unix_file_flush_method" mysqld.ll` to see if something like `%xx = load i32, i32* @srv_unix_file_flush_method, align 4, !dbg xxxx` appears.
  - If the `stdout` log shows that all the `DIRECT use` of `STRUCT xxx.yyy` are `[OK, PASS]`, it may be because `xxx` is not global, or for some other reason. Try to use `FIELD xxx.0` (say `yyy` is the very first field of `xxx`).
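The grep checks above can be scripted so that an entry-point line is validated against the `.ll` before the tool is run. The following Python script is an added example, not part of confSysTaint: it parses the four entry-point forms from the table above and searches LLVM IR text for the patterns the troubleshooting steps name (a `getelementptr inbounds ... i64 0, i32 N` for a field, an `@name` global for `SINGLE`). The `LAYOUTS` table mapping `STRUCT`/`CLASS` field names to indices and the `SAMPLE_LL` lines are constructed for this example, and the assumption that a `FIELD` type may be spelled `%struct.T` or `%class.T` in the IR is mine, not the tool's.

```python
import re

# Constructed for this example: field layouts used to turn STRUCT/CLASS field
# names into the numeric index that appears in LLVM IR (the README's some_type).
LAYOUTS = {
    "some_type": ["field_A", "field_B", "field_C"],
}

# Constructed LLVM IR lines in the shape the README's troubleshooting steps
# tell you to grep for; not taken from a real mysqld.ll.
SAMPLE_LL = """\
define i32 @some_func(%struct.System_variables* %0, %struct.some_type* %3) {
  %5 = getelementptr inbounds %struct.System_variables, %struct.System_variables* %0, i64 0, i32 45, !dbg !101
  %6 = load i32, i32* @srv_unix_file_flush_method, align 4, !dbg !102
  %7 = getelementptr inbounds %struct.some_type, %struct.some_type* %3, i64 0, i32 2, !dbg !103
  ret i32 0
}
"""

SPEC_KINDS = ("SINGLE", "STRUCT", "CLASS", "FIELD")


def parse_spec(line):
    """Parse one entry-point line into (kind, name, field); field is None for SINGLE."""
    parts = line.split()
    if len(parts) != 2 or parts[0] not in SPEC_KINDS:
        raise ValueError(f"bad entry-point line: {line!r}")
    kind, target = parts
    if kind == "SINGLE":
        if "." in target:
            raise ValueError(f"SINGLE takes a bare global name: {line!r}")
        return kind, target, None
    if target.count(".") != 1:
        raise ValueError(f"{kind} takes TYPE.FIELD: {line!r}")
    type_name, field = target.split(".")
    if kind == "FIELD" and not field.isdigit():
        raise ValueError(f"FIELD takes a numeric field index: {line!r}")
    return kind, type_name, field


def gep_pattern(type_name, index):
    """Regex for the GEP that addresses field `index` of a global aggregate, e.g.
    %xx = getelementptr inbounds %struct.T, %struct.T* %xx, i64 0, i32 45
    Assumption (mine, not the tool's): the type may be %struct.T or %class.T."""
    t = r"%(?:struct|class)\." + re.escape(type_name)
    return re.compile(rf"getelementptr inbounds {t}, {t}\* %[^\s,]+, i64 0, i32 {index}\b")


def find_entry(spec_line, ll_text, layouts=LAYOUTS):
    """Return the IR lines in ll_text that reference the entry point named by spec_line."""
    kind, name, field = parse_spec(spec_line)
    if kind == "SINGLE":
        # A global variable is referenced as @name, e.g. load i32, i32* @name
        pat = re.compile(r"@" + re.escape(name) + r"\b")
    elif kind == "FIELD":
        pat = gep_pattern(name, field)
    else:  # STRUCT or CLASS: translate the field name into its index first
        try:
            index = layouts[name].index(field)
        except (KeyError, ValueError):
            raise ValueError(f"no layout known for {name}.{field}") from None
        pat = gep_pattern(name, index)
    return [ln.strip() for ln in ll_text.splitlines() if pat.search(ln)]


def diagnose(spec_line, ll_text, layouts=LAYOUTS):
    """One-line verdict following the README's troubleshooting list."""
    kind, name, field = parse_spec(spec_line)
    hits = find_entry(spec_line, ll_text, layouts)
    if hits:
        return f"found {len(hits)} use(s) of {spec_line}"
    if kind in ("STRUCT", "CLASS"):
        # The README's fallback when a named field is never seen: address it by index.
        return f"no use of {spec_line}; try FIELD {name}.{layouts[name].index(field)}"
    return f"no use of {spec_line}; check that the variable was compiled into the .bc"


if __name__ == "__main__":
    for spec in ("FIELD System_variables.45", "SINGLE srv_unix_file_flush_method",
                 "STRUCT some_type.field_C", "STRUCT some_type.field_A"):
        print(diagnose(spec, SAMPLE_LL))
```

Run it against a real module with `diagnose(line, open("mysqld.ll").read())` for each line of the parameter file; a `found ...` verdict means the taint entry is visible in the IR, while the `STRUCT` fallback message reproduces the README's advice to retry with the index-based `FIELD` form.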