// Model for tainted pointer is to mix all the labels from the pointer and then // union that mix with each byte of the actual copied data. So if the pointer // is labeled [1], [2], [3], [4], and the bytes are labeled [5], [6], [7], [8], // we get [12345], [12346], [12347], [12348] as output taint of the load/store. void taint_pointer( FastShad *shad_dest, uint64_t dest, FastShad *shad_ptr, uint64_t ptr, uint64_t ptr_size, FastShad *shad_src, uint64_t src, uint64_t size) { taint_log("ptr: %s[%lx+%lx] <- %s[%lx] @ %s[%lx+%lx]\n", shad_dest->name(), dest, size, shad_src->name(), src, shad_ptr->name(), ptr, ptr_size); if (unlikely(dest + size > shad_dest->get_size())) { taint_log(" Ignoring IO RW\n"); return; } else if (unlikely(src + size > shad_src->get_size())) { taint_log(" Source IO.\n"); src = ones; // ignore source. } // this is [1234] in our example TaintData ptr_td = mixed_labels(shad_ptr, ptr, ptr_size, false); if (src == ones) { bulk_set(shad_dest, dest, size, ptr_td); } else { for (unsigned i = 0; i < size; i++) { TaintData byte_td = shad_src->query_full(src + i); TaintData dest_td = TaintData::make_union(ptr_td, byte_td, false); // Unions usually destroy controlled bits. Tainted pointer is // a special case. dest_td.cb_mask = byte_td.cb_mask; shad_dest->set_full(dest + i, dest_td); } } }
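// Propagate taint through a pointer dereference: the value returned by
// mixed_labels() over the pointer's shadow range [ptr, ptr+ptr_size) is
// combined, via TaintData::copy_union, with the taint of each source byte and
// stored at the matching destination byte.
//
// A destination range that does not fit in shad_dest is logged and ignored.
// A source range that does not fit in shad_src is logged and replaced by the
// `ones` marker, in which case the pointer mix alone is written to every
// destination byte.
//
// NOTE(review): ptr/ptr_size is handed to mixed_labels() without a range
// check in this function; confirm that mixed_labels or the caller bounds it.
void taint_pointer(
        FastShad *shad_dest, uint64_t dest,
        FastShad *shad_ptr, uint64_t ptr, uint64_t ptr_size,
        FastShad *shad_src, uint64_t src, uint64_t size)
{
    taint_log("ptr: %lx[%lx+%lx] <- %lx[%lx] @ %lx[%lx+%lx]\n",
            (uint64_t)shad_dest, dest, size,
            (uint64_t)shad_src, src, (uint64_t)shad_ptr, ptr, ptr_size);

    // The range checks are written as "size > limit || base > limit - size"
    // instead of "base + size > limit". The sum is uint64_t arithmetic and
    // wraps for a base near the top of the address space, which would let an
    // out-of-range request pass the check and reach the shadow accesses below.
    const uint64_t dest_limit = shad_dest->get_size();
    if (unlikely(size > dest_limit || dest > dest_limit - size)) {
        taint_log(" Ignoring IO RW\n");
        return;
    }

    // A src that already equals the `ones` marker takes the bulk_set branch
    // below regardless, so only other values need the range check.
    if (src != ones) {
        const uint64_t src_limit = shad_src->get_size();
        if (unlikely(size > src_limit || src > src_limit - size)) {
            taint_log(" Source IO.\n");
            src = ones; // ignore source.
        }
    }

    TaintData td = mixed_labels(shad_ptr, ptr, ptr_size);
#ifndef CONFIG_INT_LABEL
    // Only a mix that carries a label set gets its tcn counter bumped.
    if (td.ls) td.tcn++;
#endif

    if (src == ones) {
        bulk_set(shad_dest, dest, size, td);
    } else {
        // 64-bit index: an `unsigned` counter compared against a uint64_t
        // size would wrap and never terminate once size exceeds UINT_MAX.
        for (uint64_t i = 0; i < size; i++) {
            shad_dest->set_full(dest + i,
                    TaintData::copy_union(td, shad_src->query_full(src + i)));
        }
    }
}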
// Two-operand mix within a single shadow: every byte of [dest, dest+dest_size)
// receives the same TaintData, namely TaintData::comp_union of the
// mixed_labels() result for src1 and the one for src2 (each src_size bytes).
//
// NOTE(review): no range is checked against the shadow size in this function;
// confirm that callers or mixed_labels/bulk_set enforce bounds.
void taint_mix_compute(
        FastShad *shad,
        uint64_t dest, uint64_t dest_size,
        uint64_t src1, uint64_t src2, uint64_t src_size)
{
    taint_log("mcompute: %lx[%lx+%lx] <- %lx + %lx\n",
            (uint64_t)shad, dest, dest_size, src1, src2);

    // Mix each operand on its own, then combine the two mixes.
    TaintData first_mix = mixed_labels(shad, src1, src_size);
    TaintData second_mix = mixed_labels(shad, src2, src_size);
    TaintData combined = TaintData::comp_union(first_mix, second_mix);

    bulk_set(shad, dest, dest_size, combined);
}
// Single-operand mix within one shadow: the mixed_labels() result for
// [src, src+src_size) is written to every byte of [dest, dest+dest_size).
// Unless CONFIG_INT_LABEL is defined, a mix that carries a label set has its
// tcn field incremented before it is stored.
//
// NOTE(review): neither range is checked against the shadow size in this
// function; confirm that callers or mixed_labels/bulk_set enforce bounds.
void taint_mix(
        FastShad *shad,
        uint64_t dest, uint64_t dest_size,
        uint64_t src, uint64_t src_size)
{
    taint_log("mix: %lx[%lx+%lx] <- %lx+%lx\n",
            (uint64_t)shad, dest, dest_size, src, src_size);

    TaintData mixed = mixed_labels(shad, src, src_size);
#ifndef CONFIG_INT_LABEL
    if (mixed.ls) {
        mixed.tcn++;
    }
#endif

    bulk_set(shad, dest, dest_size, mixed);
}
// Single-operand mix within one shadow: the mixed_labels() result for
// [src, src+src_size) is written to every byte of [dest, dest+dest_size).
// When an instruction is supplied, update_cb() is then invoked for the
// destination range; with a null instruction that step is skipped.
//
// NOTE(review): neither range is checked against the shadow size in this
// function; confirm that callers or mixed_labels/bulk_set enforce bounds.
void taint_mix(
        FastShad *shad,
        uint64_t dest, uint64_t dest_size,
        uint64_t src, uint64_t src_size,
        llvm::Instruction *I)
{
    taint_log("mix: %s[%lx+%lx] <- %lx+%lx\n",
            shad->name(), dest, dest_size, src, src_size);

    TaintData mixed = mixed_labels(shad, src, src_size, true);
    bulk_set(shad, dest, dest_size, mixed);

    if (I == nullptr) {
        return;
    }
    update_cb(shad, dest, shad, src, dest_size, I);
}
// Two-operand mix within a single shadow: every byte of [dest, dest+dest_size)
// receives the same TaintData, namely TaintData::make_union of the
// mixed_labels() result for src1 and the one for src2 (each src_size bytes).
// The trailing instruction argument is accepted but not used.
//
// NOTE(review): no range is checked against the shadow size in this function;
// confirm that callers or mixed_labels/bulk_set enforce bounds.
void taint_mix_compute(
        FastShad *shad,
        uint64_t dest, uint64_t dest_size,
        uint64_t src1, uint64_t src2, uint64_t src_size,
        llvm::Instruction *ignored)
{
    taint_log("mcompute: %s[%lx+%lx] <- %lx + %lx\n",
            shad->name(), dest, dest_size, src1, src2);

    // Mix each operand on its own, then combine the two mixes.
    TaintData first_mix = mixed_labels(shad, src1, src_size, false);
    TaintData second_mix = mixed_labels(shad, src2, src_size, false);
    TaintData combined = TaintData::make_union(first_mix, second_mix, true);

    bulk_set(shad, dest, dest_size, combined);
}
// Taint propagation for a sign extension within one shadow: the src_size
// source bytes are copied to the start of the destination, and the remaining
// dest_size - src_size destination bytes all receive the taint of the last
// copied byte (the one at dest + src_size - 1).
//
// NOTE(review): the arithmetic is unsigned, so dest_size < src_size makes the
// fill length wrap to a huge value and src_size == 0 reads the byte before
// dest. Presumably callers guarantee 0 < src_size <= dest_size; confirm.
void taint_sext(FastShad *shad, uint64_t dest, uint64_t dest_size,
        uint64_t src, uint64_t src_size)
{
    taint_log("taint_sext\n");

    // Low part: straight copy of the source taint.
    FastShad::copy(shad, dest, shad, src, src_size);

    // High part: replicate the taint of the top copied byte.
    const uint64_t fill_start = dest + src_size;
    const uint64_t fill_len = dest_size - src_size;
    bulk_set(shad, fill_start, fill_len, shad->query_full(fill_start - 1));
}
// Broadcast one taint value: whatever shad_src holds at offset src is written
// to every byte of [dest, dest+dest_size) in shad_dest.
//
// NOTE(review): neither src nor the destination range is checked against the
// shadow sizes in this function; confirm that callers or bulk_set/query_full
// enforce bounds.
void taint_set(
        FastShad *shad_dest, uint64_t dest, uint64_t dest_size,
        FastShad *shad_src, uint64_t src)
{
    bulk_set(
            shad_dest,
            dest,
            dest_size,
            shad_src->query_full(src));
}