Documentation
¶
Overview ¶
Package taint implements most of the taint analysis functionality. It consumes the inter-procedural dataflow graph that is built by the functions in the dataflow package. The main entry point of the analysis is the Analyze function, which returns an AnalysisResult containing all the taint flows discovered as well as the analyzer state resulting from running all the analyses.
When the analysis is not set to on-demand, the decision on summary building is encoded in [ShouldBuildSummary].
When the analysis is set to use the escape analysis, the taint analysis runs the escape analysis and the dataflow analysis separately, and then cross-checks the results, making sure none of the tainted data ever escapes.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AnalysisPreamble ¶
AnalysisPreamble groups different minor analyses that need to run before the intra-procedural step of the taint analysis.
Types ¶
type AnalysisReqs ¶
type AnalysisReqs struct {
// Tag is the tag to analyze, ignored if non-empty.
Tag string
}
AnalysisReqs provides constraints on the taint analysis to run.
type AnalysisResult ¶
type AnalysisResult struct {
// TaintFlows contains all the data flows from the sources to the sinks detected during the analysis
TaintFlows *Flows
// State is the state at the end of the analysis, if you need to chain another analysis
State *dataflow.State
// Graph is the cross function dataflow graph built by the dataflow analysis. It contains the linked summaries of
// each function appearing in the program and analyzed.
Graph dataflow.InterProceduralFlowGraph
// Errors contains a list of errors produced by the analysis. Errors may have been added at different steps of the
// analysis.
Errors []error
}
An AnalysisResult from the taint analysis contains the tainted flows in TaintFLows and the analyzer state at the end of the analysis in State. Optionally, an explicit inter-procedural graph is constructed.
func Analyze ¶
func Analyze(state *dataflow.State, reqs AnalysisReqs) (AnalysisResult, error)
Analyze runs the taint analysis on the provided state, which contains the program to analyze as well as the config defining the taint analysis problems. THe reqs arguments provides additional constraints on which problems to analyze.
type CondError ¶
type CondError struct {
Cond *ssa.If // Cond is the conditional statement
ParentName string // ParentName is the name of the function in which the conditional statement occurs
Trace string // Trace is a string representing the taint trace
Pos token.Position // Pos is the position
}
CondError represents an error where taint flows to a conditional statement.
type EscapeInfo ¶
type EscapeInfo struct {
InstructionLocality map[ssa.Instruction]*df.EscapeRationale
CallSiteInfo map[*ssa.Call]df.EscapeCallsiteInfo
}
EscapeInfo contains information relative to the escape analysis
func (*EscapeInfo) String ¶
func (e *EscapeInfo) String() string
type FlowNode ¶
type FlowNode struct {
// Instr is the SSA instruction of the node.
Instr ssa.Instruction
// Trace is a string representation of the trace of the node.
Trace string
}
FlowNode represents a node in Flows.Sinks. This is very similar to dataflow.NodeWithTrace, except it is more easily comparable.
func NewFlowNode ¶
func NewFlowNode(node df.NodeWithTrace) FlowNode
NewFlowNode returns a new FlowNode from node's SSA instruction and trace.
type FlowReport ¶
type FlowReport struct {
Tag string
Source dataflow.ReportNodeInfo
Sink dataflow.ReportNodeInfo
Trace []dataflow.ReportNodeInfo
}
A FlowReport contains the information we serialize about a taint flow: a tag, the source and the sink, and the trace from source to sink.
type Flows ¶
type Flows struct {
// Sinks maps the sink nodes to the source node from which the data flows
// More precisely, Sinks[sink][source] <== data from source flows to sink
Sinks map[FlowNode]map[FlowNode]bool
// Escapes maps the instructions where data escapes, coming from the source instruction it maps to.
// More precisely, Escapes[instr][source] <== data from source escapes the thread at instr
Escapes map[ssa.Instruction]map[ssa.Instruction]bool
}
Flows stores information about where the data coming from specific instructions flows to.
type Visitor ¶
type Visitor struct {
// contains filtered or unexported fields
}
Visitor represents a taint flow Visitor that tracks taint flows from sources to sinks. It implements the pkg/github.com/awslabs/ar-go-tools/Analysis/Dataflow.Visitor interface.
func NewVisitor ¶
NewVisitor returns a Visitor that can be used with pkg/github.com/awslabs/ar-go-tools/analysis/dataflow.BuildAndRunVisitor to run the taint analysis independently of the Analyze function
Source Files