confSysTaint is the core of S3M. It is based on LLVM IR and analyzes the control and data dependencies between configuration variables and specific syscalls. An example shows how it works:
In section 4.1 Test Input Generation, we mention that S3M focuses on four series of syscalls. They were obtained by a manual investigation of every Linux syscall (335 found in kernel version 5.4.0): we read the official manual pages, then cross-checked the results. The 21 syscalls kept by this filtering are those that may affect I/O size, parallelism, and sequentiality:
| read series | write series | sync series | thread series |
|---|---|---|---|
| read pread64 readv preadv preadv2 io_submit io_getevents madvise open mmap | write pwrite64 writev pwritev pwritev2 io_submit io_getevents madvise open mmap | fsync fdatasync syncfs sync_file_range fcntl | clone(pthread_create) fork |
- basic LLVM "Use" support
- Field sensitive analysis
- Inter-procedural analysis (with pointers)
- Our extended data-flow (phi-node)
Control dependency is defined formally as follows:
- Control Dependency: a block Y is control dependent on a block X if and only if Y post-dominates at least one, but not all, successors of X.
- Transitivity: if A is control dependent on B and B is control dependent on C, then A is control dependent on C.
An example, where the yellow square indicates the complicated code structures that motivate the use of the formal definition.
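The two rules above, run on a small constructed CFG, as an added example (this is not confSysTaint's own code, which computes the same relation over LLVM IR basic blocks). The CFG, its block names, the syscall sites inside the blocks, and the assumption that `check_cfg` branches on `srv_unix_file_flush_method` are all made up here for illustration; the output shows why the transitive closure matters: `sync_file_range` sits behind a second, configuration-independent branch and is still reported as depending on the configuration check.

```python
"""Control dependency and its transitive closure on a toy CFG.

Added example, not S3M/confSysTaint code.  The CFG, block names, the
configuration variable and the syscall sites are constructed here.
"""

# Constructed CFG: block -> list of successor blocks.
# `check_cfg` is assumed to branch on srv_unix_file_flush_method;
# `check_size` branches on something unrelated to configuration.
CFG = {
    "entry": ["check_cfg"],
    "check_cfg": ["use_fsync", "use_odirect"],   # if (srv_unix_file_flush_method == ...)
    "use_fsync": ["join"],
    "use_odirect": ["check_size"],
    "check_size": ["big", "small"],              # if (len > threshold)
    "big": ["join"],
    "small": ["join"],
    "join": ["exit"],
    "exit": [],
}
EXIT = "exit"

# Constructed syscall sites: which syscalls each block invokes.
SYSCALL_SITES = {
    "use_fsync": {"fsync"},
    "big": {"sync_file_range"},
    "join": {"write"},          # executed on every path, so not dependent
}


def post_dominators(cfg, exit_block):
    """pdom[n] = {n} | intersection of pdom[s] over successors s.

    Starts optimistic (every node post-dominates every node) and iterates
    to a fixed point; sink nodes post-dominate only themselves.
    """
    nodes = list(cfg)
    pdom = {n: (set(nodes) if cfg[n] else {n}) for n in nodes}
    pdom[exit_block] = {exit_block}
    changed = True
    while changed:
        changed = False
        for n in nodes:
            if not cfg[n]:
                continue
            new = {n} | set.intersection(*(pdom[s] for s in cfg[n]))
            if new != pdom[n]:
                pdom[n] = new
                changed = True
    return pdom


def control_dependencies(cfg, exit_block):
    """Direct control dependency, as defined above: Y depends on X iff Y
    post-dominates at least one but not all successors of X.
    Returns {Y: set of X}."""
    pdom = post_dominators(cfg, exit_block)
    deps = {n: set() for n in cfg}
    for x, succs in cfg.items():
        if len(succs) < 2:
            continue                      # no branch here, nothing depends on it
        for y in cfg:
            dominated = [y in pdom[s] for s in succs]
            if any(dominated) and not all(dominated):
                deps[y].add(x)
    return deps


def transitively_dependent_on(cfg, exit_block, x):
    """All blocks that are control dependent on x, directly or transitively."""
    deps = control_dependencies(cfg, exit_block)
    result, work = set(), [x]
    while work:
        cur = work.pop()
        for y, xs in deps.items():
            if cur in xs and y not in result:
                result.add(y)
                work.append(y)
    return result


def tainted_syscalls(cfg, exit_block, config_block, sites):
    """Syscalls whose execution depends on the branch in config_block."""
    blocks = transitively_dependent_on(cfg, exit_block, config_block)
    return {sc for b in blocks for sc in sites.get(b, set())}


if __name__ == "__main__":
    print(control_dependencies(CFG, EXIT))
    print(tainted_syscalls(CFG, EXIT, "check_cfg", SYSCALL_SITES))
```

`write` in `join` is reached on every path out of `check_cfg`, so `join` post-dominates both successors and is correctly excluded; only `fsync` and `sync_file_range` are reported as configuration-dependent.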
- llvm-10.0.0
- gllvm
```sh
cd tainter
cmake -DCMAKE_CXX_COMPILER=/usr/bin/clang++-10 -DCMAKE_C_COMPILER=/usr/bin/clang-10 -DLLVM_DIR=/usr/lib/llvm-10/cmake .
make
cd test/demo
../../tainter test.bc test-var.txt
```
For a real DBMS, use gllvm to obtain the `.bc` file (e.g., mysqld.bc).
```
cat test-records.dat
Tainted Functions (group by Caller-Functions):
Clone_Handle::open_file <------------ func-1 of "srv_unix_file_flush_method"
    Clone_Task_Manager::set_error ----- Tainted Function.
Clone_Snapshot::update_block_size <-- func-2 of "srv_unix_file_flush_method"
    os_event_set -------------------\
    pfs_unlock_mutex_v1             |_ Tainted Function.
    sync_array_object_signalled     |
    ut_dbg_assertion_failed --------/
Double_write::sync_page_flush <------ func-3 of "srv_unix_file_flush_method"
    __clang_call_terminate ---------\
    buf_page_io_complete            |-- Tainted Function.
    fil_flush ----------------------/
...
```