taint

package
v0.0.33 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 22, 2022 License: MIT Imports: 24 Imported by: 0

README

Taint

OPTIONS

I write a runner to help you use taint analysis
You can set options directly on a Runner like

runner := taint.NewRunner("relative/path/to/package")
runner.ModuleName = "module-name"
runner.PassThroughDstPath = "passthrough.json"
runner.CallGraphDstPath = "callgraph.json"

All options are:

  • ModuleName(necessary): the target module's name, often in go.mod
  • PkgPath(necessary): the target packages' relative path, it is important that you should write analysis file in same project. e.g. cmd/myanalysis/main.go, in case go can't find target packages
  • Debug(optional): when set true, output debug information, default false
  • InitOnly(optional): when set true, only analysis init functions, default false
  • PassThroughOnly(optional): when set true only do passthrough analysis, default false
  • PassThroughSrcPath(optional): path to passthrough sources, you can use it to accelerate analysis or add additional passthrough, default []string{}
  • PassThroughDstPath(optional): path to save passthrough output, default ""
  • TaintGraphDstPath(optional): path to save taint edge output, default ""
  • Ruler (optional): ruler is interface that defines how to decide whether a node is sink, source or intra. You can implements it, default DummyRuler
  • PersistToNeo4j(optional): when set true, save nodes and edges to neo4j, default false
  • Neo4jUsername(optiosnal): neo4j usename, default ""
  • Neo4jPassword(optional): neo4j password, default ""
  • Neo4jURI(optional): neo4j uri, default ""
  • TargetFunc(optional): when set, only analysis target function and output its SSA, default ""
  • UsePointerAnalysis(optional): when set, use pointer analysis to help selecting callee, default false. ⚠️ note that if you set this true, the PkgPath option can only contain main packages

Documentation

Index

Constants

This section is empty.

Variables

View Source
var Gostd = []string{"archive...", "bufio...", "builtin...", "bytes...",
	"compress...", "container...", "context...", "crypto...",
	"database...", "debug...", "embed...", "encoding...", "errors...", "expvar...",
	"flag...", "fmt...", "go...", "hash...", "html...",
	"image...", "index...", "io...", "log...", "math...", "mime...",
	"net...", "os...", "path...", "plugin...", "relect...", "regexp...", "runtime...",
	"sort...", "strconv...", "strings...", "sync...", "syscall...",
	"text...", "time...", "unicode...", "unsafe..."}

Gostd reprents all go standard library's PkgPath

Functions

func FetchPassThrough added in v0.0.13

func FetchPassThrough(passThroughContainer *map[string]*PassThroughCache, src []string) error

FetchPassThrough loads passthrougth data from target source

func GetTaint added in v0.0.18

func GetTaint(flow *map[any]any, name string) *map[string]bool

GetTaint returns innerTaint

func MergeTaintWrapper added in v0.0.18

func MergeTaintWrapper(inout *map[any]any, in *map[any]any, name string)

MergeTaintWrapper merges wrapper with same key from in flow to inout flow

func PassTaint added in v0.0.18

func PassTaint(flow *map[any]any, dst string, src ...string)

PassTaint passes taint from a wrapper with key to another with key

func PersistPassThrough added in v0.0.13

func PersistPassThrough(passThroughContainer *map[string]*PassThroughCache, dst string) error

PersistPassThrough stores passthrough data to target destination

func PersistTaintGraph added in v0.0.27

func PersistTaintGraph(edges *map[string]*Edge, dst string) error

PersistTaintGraph stores taint edges to target destination

func PersistToNeo4j added in v0.0.14

func PersistToNeo4j(nodes *map[string]*Node, edges *map[string]*Edge, uri string, username string, password string)

PersistToNeo4j stores taint edges to neo4j database

func Run added in v0.0.13

func Run(f *ssa.Function, c *TaintConfig)

Run kicks off a taint analysis on a function

func SetTaint added in v0.0.18

func SetTaint(flow *map[any]any, name string, taints ...string)

SetTaint set innerTaint for a wrapper with a key

Types

type DummyRuler added in v0.0.13

type DummyRuler struct {
	rule.BaseRuler
	// contains filtered or unexported fields
}

DummyRuler is a dummy rule.Ruler used for test

func NewDummyRuler added in v0.0.22

func NewDummyRuler(moduleName ...string) *DummyRuler

NewDummyRuler returns a DummyRuler

func (*DummyRuler) IsIntra added in v0.0.28

func (r *DummyRuler) IsIntra(_f any) bool

IsIntra returns whether a node is from target module

func (*DummyRuler) IsSink added in v0.0.28

func (r *DummyRuler) IsSink(_f any) bool

IsSink returns whether a node is a sink

func (*DummyRuler) IsSource added in v0.0.22

func (r *DummyRuler) IsSource(_f any) bool

IsSource returns whether a node is a source

type Edge added in v0.0.13

type Edge struct {
	From          string
	FromIndex     int
	To            string
	ToIndex       int
	ToIsMethod    bool
	ToIsSink      bool
	ToIsSignature bool
	ToIsStatic    bool
}

Edge represents a taint edge

type Imethod added in v0.0.13

type Imethod struct {
	I *types.Interface
	// contains filtered or unexported fields
}

Imethod represents an interface method I.m. (There's no go/types object for it; a *types.Func may be shared by many interfaces due to interface embedding.)

type InterfaceHierarchy added in v0.0.13

type InterfaceHierarchy struct {
	// contains filtered or unexported fields
}

InterfaceHierarchy represents implemetation relations

func NewInterfaceHierarchy added in v0.0.13

func NewInterfaceHierarchy(allFuncs *map[*ssa.Function]bool) *InterfaceHierarchy

NewInterfaceHierarchy returns an InterfaceHierarchy

func (*InterfaceHierarchy) LookupFuncs added in v0.0.13

func (i *InterfaceHierarchy) LookupFuncs(signature *types.Signature) []*ssa.Function

LookupFuncs returns *ssa.Function that have same signature

func (*InterfaceHierarchy) LookupMethods added in v0.0.13

func (i *InterfaceHierarchy) LookupMethods(I *types.Interface, m *types.Func) []*ssa.Function

LookupMethods returns an interface method's implemetations

type NoMainPkgError added in v0.0.25

type NoMainPkgError struct {
}

NoMainPkgError represents a no main package error

func (*NoMainPkgError) Error added in v0.0.25

func (e *NoMainPkgError) Error() string

type Node added in v0.0.13

type Node struct {
	Function    *ssa.Function
	IsSignature bool
	IsMethod    bool
	IsStatic    bool
	IsSource    bool
	IsSink      bool
	IsIntra     bool
	Canonical   string
	Index       int
	Out         []*Edge
	In          []*Edge
}

Node represents a taint node

type PassThrough added in v0.0.27

type PassThrough struct {
	Names   []string
	Recv    *TaintWrapper
	Results []*TaintWrapper
	Params  []*TaintWrapper
}

PassThrough represents a passthrough

func NewPassThrough added in v0.0.27

func NewPassThrough(names []string, recv bool, result int, param int) *PassThrough

NewPassThrough return a PassThrough

func (*PassThrough) HasRecv added in v0.0.27

func (p *PassThrough) HasRecv() bool

HasRecv returns whether the function has a receiver

func (*PassThrough) ParamName added in v0.0.27

func (p *PassThrough) ParamName(i int) string

ParamName returns the i'th param's name

func (*PassThrough) ParamNum added in v0.0.27

func (p *PassThrough) ParamNum() int

ParamNum returns number of params

func (*PassThrough) RecvName added in v0.0.27

func (p *PassThrough) RecvName() string

RecvName returns the receiver's name

func (*PassThrough) ResultNum added in v0.0.27

func (p *PassThrough) ResultNum() int

ResultNum returns number of results

func (*PassThrough) ToCache added in v0.0.27

func (p *PassThrough) ToCache() *PassThroughCache

ToCache tranforms a passthrough to a passthrough cache

type PassThroughCache added in v0.0.27

type PassThroughCache struct {
	Recv    []int
	Results [][]int
	Params  [][]int
}

PassThroughCache represents a passthrough cache

func NewPassThroughCache added in v0.0.27

func NewPassThroughCache(recv bool, result int, param int) *PassThroughCache

NewPassThroughCache returns a PassThroughCache

func (*PassThroughCache) HasRecv added in v0.0.27

func (c *PassThroughCache) HasRecv() bool

HasRecv returns whether the function has a receiver

func (*PassThroughCache) ParamNum added in v0.0.27

func (c *PassThroughCache) ParamNum() int

ParamNum returns number of params

func (*PassThroughCache) ResultNum added in v0.0.27

func (c *PassThroughCache) ResultNum() int

ResultNum returns number of results

type Runner added in v0.0.13

type Runner struct {
	ModuleName         string
	PkgPath            []string
	UsePointerAnalysis bool
	Debug              bool
	InitOnly           bool
	PassThroughOnly    bool
	PassThroughSrcPath []string
	PassThroughDstPath string
	TaintGraphDstPath  string
	Ruler              rule.Ruler
	PersistToNeo4j     bool
	Neo4jUsername      string
	Neo4jPassword      string
	Neo4jURI           string
	TargetFunc         string
	PassBack           bool
}

Runner represents a analysis runner

func NewRunner added in v0.0.13

func NewRunner(PkgPath ...string) *Runner

NewRunner returns a *taint.Runner

func (*Runner) Run added in v0.0.13

func (r *Runner) Run() error

Run kick off an analysis

type TaintAnalysis added in v0.0.13

type TaintAnalysis struct {
	scalar.BaseFlowAnalysis
	// contains filtered or unexported fields
}

TaintAnalysis represents a taint analysis

func New added in v0.0.13

New creates a TaintAnalysis

func (*TaintAnalysis) Computations added in v0.0.13

func (a *TaintAnalysis) Computations() int

Computations limits number of computations on a flow graph

func (*TaintAnalysis) End added in v0.0.13

func (a *TaintAnalysis) End(universe []*entry.Entry)

End handles result of analysis

func (*TaintAnalysis) FlowThrougth added in v0.0.13

func (a *TaintAnalysis) FlowThrougth(inMap *map[any]any, unit ssa.Instruction, outMap *map[any]any)

FlowThrougth calculates outMap based on inMap and unit

func (*TaintAnalysis) MergeInto added in v0.0.13

func (a *TaintAnalysis) MergeInto(unit ssa.Instruction, inout *map[any]any, in *map[any]any)

MergeInto merges from in to inout based on unit

func (*TaintAnalysis) NewInitalFlow added in v0.0.13

func (a *TaintAnalysis) NewInitalFlow() *map[any]any

NewInitalFlow returns a new flow

type TaintConfig added in v0.0.13

type TaintConfig struct {
	PassThroughContainer *map[string]*PassThroughCache
	InitMap              *map[string]*ssa.Function
	History              *map[string]bool
	CallStack            *list.List
	InterfaceHierarchy   *InterfaceHierarchy
	TaintGraph           *TaintGraph
	UsePointerAnalysis   bool
	CallGraph            *callgraph.Graph
	Ruler                rule.Ruler
	PassThroughOnly      bool
	TargetFunc           string
	Debug                bool
	PassBack             bool
}

TaintConfig represents a configuration for taint analysis

type TaintGraph added in v0.0.25

type TaintGraph struct {
	Nodes *map[string]*Node
	Edges *map[string]*Edge
}

TaintGraph represents a graph contain static call nodes and edges

func NewTaintGraph added in v0.0.25

func NewTaintGraph(allFuncs *map[*ssa.Function]bool, ruler rule.Ruler) *TaintGraph

NewTaintGraph returns a TaintGraph

type TaintSwitcher

type TaintSwitcher struct {
	switcher.BaseSwitcher
	// contains filtered or unexported fields
}

TaintSwitcher represents a switcher for taint analysis

func (*TaintSwitcher) CaseAlloc

func (s *TaintSwitcher) CaseAlloc(inst *ssa.Alloc)

CaseAlloc accepts a Alloc instruction

func (*TaintSwitcher) CaseBinOp

func (s *TaintSwitcher) CaseBinOp(inst *ssa.BinOp)

CaseBinOp accepts a BinOp instruction

func (*TaintSwitcher) CaseCall

func (s *TaintSwitcher) CaseCall(inst *ssa.Call)

CaseCall accepts a Call instruction

func (*TaintSwitcher) CaseChangeInterface

func (s *TaintSwitcher) CaseChangeInterface(inst *ssa.ChangeInterface)

CaseChangeInterface accepts a ChangeInterface instruction

func (*TaintSwitcher) CaseChangeType

func (s *TaintSwitcher) CaseChangeType(inst *ssa.ChangeType)

CaseChangeType accepts a ChangeType instruction

func (*TaintSwitcher) CaseConvert

func (s *TaintSwitcher) CaseConvert(inst *ssa.Convert)

CaseConvert accepts a Convert instruction

func (*TaintSwitcher) CaseExtract

func (s *TaintSwitcher) CaseExtract(inst *ssa.Extract)

CaseExtract accepts a Extract instruction

func (*TaintSwitcher) CaseField

func (s *TaintSwitcher) CaseField(inst *ssa.Field)

CaseField accepts a Field instruction

func (*TaintSwitcher) CaseFieldAddr

func (s *TaintSwitcher) CaseFieldAddr(inst *ssa.FieldAddr)

CaseFieldAddr accepts a FieldAddr instruction

func (*TaintSwitcher) CaseIndex

func (s *TaintSwitcher) CaseIndex(inst *ssa.Index)

CaseIndex accepts an Index instruction

func (*TaintSwitcher) CaseIndexAddr

func (s *TaintSwitcher) CaseIndexAddr(inst *ssa.IndexAddr)

CaseIndexAddr accepts an IndexAddr instruction

func (*TaintSwitcher) CaseLookup

func (s *TaintSwitcher) CaseLookup(inst *ssa.Lookup)

CaseLookup accepts a Lookup instruction

func (*TaintSwitcher) CaseMakeChan

func (s *TaintSwitcher) CaseMakeChan(inst *ssa.MakeChan)

CaseMakeChan accepts a MakeChan instruction

func (*TaintSwitcher) CaseMakeClosure

func (s *TaintSwitcher) CaseMakeClosure(inst *ssa.MakeClosure)

CaseMakeClosure accepts a MakeClosure instruction

func (*TaintSwitcher) CaseMakeInterface

func (s *TaintSwitcher) CaseMakeInterface(inst *ssa.MakeInterface)

CaseMakeInterface accepts a MakeInterface instruction

func (*TaintSwitcher) CaseMakeMap

func (s *TaintSwitcher) CaseMakeMap(inst *ssa.MakeMap)

CaseMakeMap accepts a MakeMap instruction

func (*TaintSwitcher) CaseMakeSlice

func (s *TaintSwitcher) CaseMakeSlice(inst *ssa.MakeSlice)

CaseMakeSlice accepts a MakeSlice instruction

func (*TaintSwitcher) CaseMapUpdate

func (s *TaintSwitcher) CaseMapUpdate(inst *ssa.MapUpdate)

CaseMapUpdate accepts a MapUpdate instruction

func (*TaintSwitcher) CaseNext

func (s *TaintSwitcher) CaseNext(inst *ssa.Next)

CaseNext accepts a Next instruction

func (*TaintSwitcher) CasePhi

func (s *TaintSwitcher) CasePhi(inst *ssa.Phi)

CasePhi accepts a Phi instruction

func (*TaintSwitcher) CaseRange

func (s *TaintSwitcher) CaseRange(inst *ssa.Range)

CaseRange accepts a Range instruction

func (*TaintSwitcher) CaseReturn

func (s *TaintSwitcher) CaseReturn(inst *ssa.Return)

CaseReturn accepts a Return instruction

func (*TaintSwitcher) CaseSelect

func (s *TaintSwitcher) CaseSelect(inst *ssa.Select)

CaseSelect accepts a Select instruction

func (*TaintSwitcher) CaseSend

func (s *TaintSwitcher) CaseSend(inst *ssa.Send)

CaseSend accepts a Send instruction

func (*TaintSwitcher) CaseSlice

func (s *TaintSwitcher) CaseSlice(inst *ssa.Slice)

CaseSlice accepts a Slice instruction

func (*TaintSwitcher) CaseStore

func (s *TaintSwitcher) CaseStore(inst *ssa.Store)

CaseStore accepts a Store instruction

func (*TaintSwitcher) CaseTypeAssert

func (s *TaintSwitcher) CaseTypeAssert(inst *ssa.TypeAssert)

CaseTypeAssert accepts a TypeAssert instruction

func (*TaintSwitcher) CaseUnOp

func (s *TaintSwitcher) CaseUnOp(inst *ssa.UnOp)

CaseUnOp accepts a UnOp instruction

type TaintWrapper added in v0.0.18

type TaintWrapper struct {
	// contains filtered or unexported fields
}

TaintWrapper represents a wrapper of taint

func GetTaintWrapper added in v0.0.18

func GetTaintWrapper(flow *map[any]any, name string) *TaintWrapper

GetTaintWrapper gets wrapper with a key

func NewTaintWrapper added in v0.0.18

func NewTaintWrapper(taints ...string) *TaintWrapper

NewTaintWrapper returns a TaintWrapper

func SetTaintWrapper added in v0.0.18

func SetTaintWrapper(flow *map[any]any, name string, wrapper *TaintWrapper) *TaintWrapper

SetTaintWrapper sets wrapper wtih a key

func (*TaintWrapper) AddTaint added in v0.0.18

func (w *TaintWrapper) AddTaint(taints ...string)

AddTaint adds taints to innerTaint

func (*TaintWrapper) HasTaint added in v0.0.18

func (w *TaintWrapper) HasTaint(taint string) bool

HasTaint returns whether innerTaint has the taint

func (*TaintWrapper) InheritTaint added in v0.0.18

func (w *TaintWrapper) InheritTaint(flow *map[any]any, name string)

InheritTaint inherits taints from a wrapper with key

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL