From 5e5fb0d4f94575a740091aaf66699d59da6a8466 Mon Sep 17 00:00:00 2001
From: ivg
Date: Mon, 16 Nov 2020 16:37:45 -0500
Subject: [PATCH] makes the taint-attached observation on taint introductions

The observation was missing when the taint was introduced with new_direct or new_indirect operators. Although known for a long time, this behavior was considered more as a feature rather than a bug. We finally decided to rectify it and post the observation when a new taint is introduced to make the behavior match with the semantics described in the low-level terms. It also makes it much easier to debug taint-related issues.
---
 lib/bap_taint/bap_taint.ml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/lib/bap_taint/bap_taint.ml b/lib/bap_taint/bap_taint.ml
index 9187eaf50..cee9d091e 100644
--- a/lib/bap_taint/bap_taint.ml
+++ b/lib/bap_taint/bap_taint.ml
@@ -194,6 +194,8 @@ module Taint = struct
 open Machine.Syntax
+ let report_attached r t v =
+ Machine.Observation.make attach (r,t,v)
 let change v (Rel {field; key}) ~f =
 Machine.Local.update tainter ~f:(fun t ->
@@ -234,7 +236,9 @@ module Taint = struct
 (Primus.Value.id value) ~f:(function
 | None -> Object.Set.singleton taint
 | Some taints -> Set.add taints taint)
- }) >>| fun () -> taint
+ }) >>= fun () ->
+ report_attached Rel.direct taint value >>| fun () ->
+ taint
 let new_indirect ~addr ~len kind =
 Taint.create kind >>= fun taint ->
@@ -242,7 +246,8 @@ module Taint = struct
 Machine.Local.get tainter >>= fun s ->
 Seq.range 0 len |>
 Machine.Seq.fold ~init:s.indirect ~f:(fun indirect off ->
- Value.nsucc addr off >>| fun addr ->
+ Value.nsucc addr off >>= fun addr ->
+ report_attached Rel.indirect taint addr >>| fun () ->
 Map.update indirect addr ~f:(function
 | None -> Object.Set.singleton taint
 | Some taints -> Set.add taints taint)) >>= fun indirect ->
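Review bot: `report_attached` is introduced without a comment, and since it becomes the single place where the `attach` observation is posted for both new_direct and new_indirect, a reader should not have to guess what the tuple carries. I would put above it `(* Posts the [attach] observation: taint [t] is now attached to value [v] through relation [r] (Rel.direct or Rel.indirect). *)`. The declaration of `attach` and the payload type it expects are outside the hunk, so the tuple order `(r,t,v)` should be checked against that declaration rather than assumed from the argument names.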
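Review bot: In new_indirect the `attach` observation for each address is posted inside the fold, before the resulting `indirect` map is threaded through `>>= fun indirect ->` and, presumably, stored in the tainter further down the function, whereas in new_direct the observation is posted only after `Machine.Local.update` has completed. An observer that reacts to `attach` by querying the taint state would therefore see the taint already attached for direct taints but not yet for indirect ones, which is an easy inconsistency to trip over in a policy or test that relies on this observation. I would keep the fold a pure map update (restoring `>>|` on the `Value.nsucc` line) and post the observations once the state is written, e.g. `Seq.range 0 len |> Machine.Seq.fold ~init:() ~f:(fun () off -> Value.nsucc addr off >>= fun addr -> report_attached Rel.indirect taint addr)` after the update. new_indirect's body continues outside the hunk, so the point at which the state is actually stored is inferred, not visible here.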