revisit warn-unused and check-value analyses #1076
Comments
ivg
added a commit
to ivg/bap
that referenced
this issue
Nov 20, 2020
This PR adds a new interface, `Machine.Other`, that enables access to the local state of other machines. It is possible both to pry into others local state and even change it. So is it carefuly. This PR is a step towards the solution of the BinaryAnalysisPlatform#1076 issue. More will come.
ivg
added a commit
to ivg/bap
that referenced
this issue
Nov 20, 2020
This PR resolves BinaryAnalysisPlatform#1076 and enables better handling of the may analysis (analysis that require analyzing all paths). The Taint Engine now tracks taint objects globally across machines, unlike previously when each machine had its own set of taint objects, and taint object identifier was specific to a machine. This enables a new implementation of the Taint Garbage Collection and refinement of the taint-finalize observation. The GC is now folding over all machines to check if the taint is unreachable in all machines. The observation is triggered with live=true if the taint becomes unreachable in the current machine but is still reachable in others, and with live=false, when it comes out of existence in all machines, or when the system terminates. This approach enables both may and must analysis as we can both track liveness per machine and per system (i.e., for all paths up to the linearity constraint). The garbage collector is now run each machine instruction to prevent undesired interference with other observations. This PR also changes the semantics of the sanitize operation. Now, when an object is sanitized, it is no longer tracked and removed from the tracker (i.e., detached from all values and addresses). Before that it was only detached from the selected value.
ivg
added a commit
that referenced
this issue
Nov 20, 2020
This PR adds a new interface, `Machine.Other`, that enables access to the local state of other machines. It is possible both to pry into others local state and even change it. So is it carefuly. This PR is a step towards the solution of the #1076 issue. More will come.
ivg
added a commit
that referenced
this issue
Nov 20, 2020
* enables intermachine communication This PR adds a new interface, `Machine.Other`, that enables access to the local state of other machines. It is possible both to pry into others local state and even change it. So is it carefuly. This PR is a step towards the solution of the #1076 issue. More will come. * tweaks the Taint Engine and partially rewrites the Taint GC This PR resolves #1076 and enables better handling of the may analysis (analysis that require analyzing all paths). The Taint Engine now tracks taint objects globally across machines, unlike previously when each machine had its own set of taint objects, and taint object identifier was specific to a machine. This enables a new implementation of the Taint Garbage Collection and refinement of the taint-finalize observation. The GC is now folding over all machines to check if the taint is unreachable in all machines. The observation is triggered with live=true if the taint becomes unreachable in the current machine but is still reachable in others, and with live=false, when it comes out of existence in all machines, or when the system terminates. This approach enables both may and must analysis as we can both track liveness per machine and per system (i.e., for all paths up to the linearity constraint). The garbage collector is now run each machine instruction to prevent undesired interference with other observations. This PR also changes the semantics of the sanitize operation. Now, when an object is sanitized, it is no longer tracked and removed from the tracker (i.e., detached from all values and addresses). Before that it was only detached from the selected value.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The #1075 PR highlighted some fundamental problems with our warn-unused/must-check-value analyses that we need to revisit once #1075 is merged.
Problem 1: analyses summaries should not rely on observations
When we summarize the run of a machine or a system we shall not use observations to post the summary results as during summarization the observations are usually blocked (or it they not, then the summarization procedure may trigger its own observation that will kill it in an asynchronous manner).
This is not a fundamental problem but a technical one. It, however, limits the flexibility of Primus, so we might reconsider some of our design decisions, e.g., by playing with the clock interface. (We can move clock to a different component and enable/disable them).
Problem 2: taint-finalize shall not be used for may analysis
Or, more general, microexecution is bad for may analyses. If we have a program property that is computed as may analysis (i.e., the property holds if it holds on at least one path), then in order to prove that the property doesn't hold we need to wait until all paths converge and the we can summarize. Compare it with UAF/DF which is must analysis, i.e., where the security property must hold on all paths, so once we find at least one counterexample we can immediately report it.
Currently, we use Taint analysis with its GC to find unused/unchecked values. We, hower, rely on the taint-finalize observation which is path-specific, therefore if a taint is finalized in a given path, it doesn't mean that we don't have any other machines where it is still live. That means that we need to revisit the taint analysis on the next iteration and implement the taint-liveness analysis on the global level.
The text was updated successfully, but these errors were encountered: