Package it.unive.lisa.analysis.taint

Class BaseTaint<T extends BaseTaint<T>>

  • Type Parameters:
    T - the concrete type of the analysis
    All Implemented Interfaces:
    it.unive.lisa.analysis.BaseLattice<T>, it.unive.lisa.analysis.Lattice<T>, it.unive.lisa.analysis.nonrelational.NonRelationalDomain<T,​it.unive.lisa.symbolic.value.ValueExpression,​it.unive.lisa.analysis.nonrelational.value.ValueEnvironment<T>>, it.unive.lisa.analysis.nonrelational.NonRelationalElement<T,​it.unive.lisa.symbolic.value.ValueExpression,​it.unive.lisa.analysis.nonrelational.value.ValueEnvironment<T>>, it.unive.lisa.analysis.nonrelational.value.BaseNonRelationalValueDomain<T>, it.unive.lisa.analysis.nonrelational.value.NonRelationalValueDomain<T>, it.unive.lisa.analysis.SemanticEvaluator, it.unive.lisa.util.representation.StructuredObject
    Direct Known Subclasses:
    Taint, ThreeLevelsTaint
    public abstract class BaseTaint<T extends BaseTaint<T>>
extends java.lang.Object
implements it.unive.lisa.analysis.nonrelational.value.BaseNonRelationalValueDomain<T>
    A taint analysis, that is, an information-flow analysis tracking only explicit flows.

    • Nested Class Summary

      • Nested classes/interfaces inherited from interface it.unive.lisa.analysis.nonrelational.value.BaseNonRelationalValueDomain

        it.unive.lisa.analysis.nonrelational.value.BaseNonRelationalValueDomain.EvaluationVisitor<T extends it.unive.lisa.analysis.nonrelational.value.BaseNonRelationalValueDomain<T>>

    • Field Summary

      Fields 
      Modifier and Type Field Description
      static it.unive.lisa.program.annotations.Annotation CLEAN_ANNOTATION
      The annotation used to mark clean variables, that is, sanitizers of tainted information.
      static it.unive.lisa.program.annotations.matcher.AnnotationMatcher CLEAN_MATCHER
      An AnnotationMatcher for CLEAN_ANNOTATION.
      static it.unive.lisa.program.annotations.Annotation TAINTED_ANNOTATION
      The annotation used to mark tainted variables, that is, sources of tainted information.
      static it.unive.lisa.program.annotations.matcher.AnnotationMatcher TAINTED_MATCHER
      An AnnotationMatcher for TAINTED_ANNOTATION.

      • Fields inherited from interface it.unive.lisa.analysis.Lattice

        BOTTOM_STRING, TOP_STRING

    • Constructor Summary

      Constructors 
      Constructor Description
      BaseTaint()  

    • Method Summary

      All Methods Instance Methods Abstract Methods Concrete Methods 
      Modifier and Type Method Description
      it.unive.lisa.analysis.nonrelational.value.ValueEnvironment<T> assume​(it.unive.lisa.analysis.nonrelational.value.ValueEnvironment<T> environment, it.unive.lisa.symbolic.value.ValueExpression expression, it.unive.lisa.program.cfg.ProgramPoint src, it.unive.lisa.program.cfg.ProgramPoint dest, it.unive.lisa.analysis.SemanticOracle oracle)  
      protected abstract T clean()
      Yields the domain element that represents clean values.
      protected T defaultApprox​(it.unive.lisa.symbolic.value.Identifier id, it.unive.lisa.program.cfg.ProgramPoint pp, it.unive.lisa.analysis.SemanticOracle oracle)
      Default approximation for Identifiers.
      T evalBinaryExpression​(it.unive.lisa.symbolic.value.operator.binary.BinaryOperator operator, T left, T right, it.unive.lisa.program.cfg.ProgramPoint pp, it.unive.lisa.analysis.SemanticOracle oracle)  
      T evalIdentifier​(it.unive.lisa.symbolic.value.Identifier id, it.unive.lisa.analysis.nonrelational.value.ValueEnvironment<T> environment, it.unive.lisa.program.cfg.ProgramPoint pp, it.unive.lisa.analysis.SemanticOracle oracle)  
      T evalNonNullConstant​(it.unive.lisa.symbolic.value.Constant constant, it.unive.lisa.program.cfg.ProgramPoint pp, it.unive.lisa.analysis.SemanticOracle oracle)  
      T evalNullConstant​(it.unive.lisa.program.cfg.ProgramPoint pp, it.unive.lisa.analysis.SemanticOracle oracle)  
      T evalPushAny​(it.unive.lisa.symbolic.value.PushAny pushAny, it.unive.lisa.program.cfg.ProgramPoint pp, it.unive.lisa.analysis.SemanticOracle oracle)  
      T evalTernaryExpression​(it.unive.lisa.symbolic.value.operator.ternary.TernaryOperator operator, T left, T middle, T right, it.unive.lisa.program.cfg.ProgramPoint pp, it.unive.lisa.analysis.SemanticOracle oracle)  
      T evalTypeCast​(it.unive.lisa.symbolic.value.BinaryExpression cast, T left, T right, it.unive.lisa.program.cfg.ProgramPoint pp, it.unive.lisa.analysis.SemanticOracle oracle)  
      T evalTypeConv​(it.unive.lisa.symbolic.value.BinaryExpression conv, T left, T right, it.unive.lisa.program.cfg.ProgramPoint pp, it.unive.lisa.analysis.SemanticOracle oracle)  
      T evalUnaryExpression​(it.unive.lisa.symbolic.value.operator.unary.UnaryOperator operator, T arg, it.unive.lisa.program.cfg.ProgramPoint pp, it.unive.lisa.analysis.SemanticOracle oracle)  
      T fixedVariable​(it.unive.lisa.symbolic.value.Identifier id, it.unive.lisa.program.cfg.ProgramPoint pp, it.unive.lisa.analysis.SemanticOracle oracle)  
      boolean isAlwaysClean()
      Yields true if this instance represents information that is definitely clean across all execution paths.
      abstract boolean isAlwaysTainted()
      Yields true if this instance represents information that is definitely tainted across all execution paths.
      boolean isPossiblyClean()
      Yields true if this instance represents information that is definitely clean in at least one execution path.
      abstract boolean isPossiblyTainted()
      Yields true if this instance represents information that is definitely tainted in at least one execution path.
      it.unive.lisa.analysis.lattices.Satisfiability satisfies​(it.unive.lisa.symbolic.value.ValueExpression expression, it.unive.lisa.analysis.nonrelational.value.ValueEnvironment<T> environment, it.unive.lisa.program.cfg.ProgramPoint pp, it.unive.lisa.analysis.SemanticOracle oracle)  
      protected abstract T tainted()
      Yields the domain element that represents tainted values.

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

      • Methods inherited from interface it.unive.lisa.analysis.BaseLattice

        equals, glb, glbAux, hashCode, lessOrEqual, lessOrEqualAux, lub, lubAux, narrowing, narrowingAux, toString, widening, wideningAux

      • Methods inherited from interface it.unive.lisa.analysis.nonrelational.value.BaseNonRelationalValueDomain

        assumeBinaryExpression, assumeTernaryExpression, assumeUnaryExpression, canProcess, eval, evalPushInv, evalSkip, evalValueExpression, satisfiesAbstractValue, satisfiesBinaryExpression, satisfiesNonNullConstant, satisfiesNullConstant, satisfiesTernaryExpression, satisfiesUnaryExpression

      • Methods inherited from interface it.unive.lisa.analysis.Lattice

        bottom, isBottom, isTop, top

      • Methods inherited from interface it.unive.lisa.analysis.nonrelational.NonRelationalElement

        unknownVariable

      • Methods inherited from interface it.unive.lisa.util.representation.StructuredObject

        representation

    • Field Detail

      • TAINTED_ANNOTATION

        public static final it.unive.lisa.program.annotations.Annotation TAINTED_ANNOTATION
        The annotation used to mark tainted variables, that is, sources of tainted information.

      • TAINTED_MATCHER

        public static final it.unive.lisa.program.annotations.matcher.AnnotationMatcher TAINTED_MATCHER
        An AnnotationMatcher for TAINTED_ANNOTATION.

      • CLEAN_ANNOTATION

        public static final it.unive.lisa.program.annotations.Annotation CLEAN_ANNOTATION
        The annotation used to mark clean variables, that is, sanitizers of tainted information.

      • CLEAN_MATCHER

        public static final it.unive.lisa.program.annotations.matcher.AnnotationMatcher CLEAN_MATCHER
        An AnnotationMatcher for CLEAN_ANNOTATION.

    • Constructor Detail

      • BaseTaint

        public BaseTaint()

    • Method Detail

      • tainted

        protected abstract T tainted()
        Yields the domain element that represents tainted values.
        Returns:
        the tainted domain element

      • clean

        protected abstract T clean()
        Yields the domain element that represents clean values.
        Returns:
        the clean domain element

      • isAlwaysTainted

        public abstract boolean isAlwaysTainted()
        Yields true if this instance represents information that is definitely tainted across all execution paths.
        Returns:
        true if that condition holds

      • isPossiblyTainted

        public abstract boolean isPossiblyTainted()
        Yields true if this instance represents information that is definitely tainted in at least one execution path.
        Returns:
        true if that condition holds

      • isAlwaysClean

        public boolean isAlwaysClean()
        Yields true if this instance represents information that is definitely clean across all execution paths. By default, this method returns true if this is not the bottom instance and isPossiblyTainted() returns false.
        Returns:
        true if that condition holds

      • isPossiblyClean

        public boolean isPossiblyClean()
        Yields true if this instance represents information that is definitely clean in at least one execution path. By default, this method returns true if isAlwaysTainted() returns false.
        Returns:
        true if that condition holds

      • defaultApprox

        protected T defaultApprox​(it.unive.lisa.symbolic.value.Identifier id,
                          it.unive.lisa.program.cfg.ProgramPoint pp,
                          it.unive.lisa.analysis.SemanticOracle oracle)
                   throws it.unive.lisa.analysis.SemanticException
        Default approximation for Identifiers. This method returns the same as NonRelationalElement.fixedVariable(Identifier, ProgramPoint, SemanticOracle) if the given identifier has no annotations. Otherwise, it relies on the presence if TAINTED_ANNOTATION and CLEAN_ANNOTATION to produce abstract values. defaulting to bottom.

        If this method does not return bottom, it is used as return value for both fixedVariable(Identifier, ProgramPoint, SemanticOracle) and evalIdentifier(Identifier, ValueEnvironment, ProgramPoint, SemanticOracle).
        Parameters:
        id - the identifier to evaluate
        pp - the program point where the evaluation happens
        oracle - the oracle for inter-domain communication
        Returns:
        a fixed approximation for the given variable, if any
        Throws:
        it.unive.lisa.analysis.SemanticException - if an exception happens during the evaluation

      • fixedVariable

        public T fixedVariable​(it.unive.lisa.symbolic.value.Identifier id,
                       it.unive.lisa.program.cfg.ProgramPoint pp,
                       it.unive.lisa.analysis.SemanticOracle oracle)
                throws it.unive.lisa.analysis.SemanticException
        Specified by:
        fixedVariable in interface it.unive.lisa.analysis.nonrelational.NonRelationalElement<T extends BaseTaint<T>,​it.unive.lisa.symbolic.value.ValueExpression,​it.unive.lisa.analysis.nonrelational.value.ValueEnvironment<T extends BaseTaint<T>>>
        Throws:
        it.unive.lisa.analysis.SemanticException

      • evalIdentifier

        public T evalIdentifier​(it.unive.lisa.symbolic.value.Identifier id,
                        it.unive.lisa.analysis.nonrelational.value.ValueEnvironment<T> environment,
                        it.unive.lisa.program.cfg.ProgramPoint pp,
                        it.unive.lisa.analysis.SemanticOracle oracle)
                 throws it.unive.lisa.analysis.SemanticException
        Specified by:
        evalIdentifier in interface it.unive.lisa.analysis.nonrelational.value.BaseNonRelationalValueDomain<T extends BaseTaint<T>>
        Throws:
        it.unive.lisa.analysis.SemanticException

      • evalPushAny

        public T evalPushAny​(it.unive.lisa.symbolic.value.PushAny pushAny,
                     it.unive.lisa.program.cfg.ProgramPoint pp,
                     it.unive.lisa.analysis.SemanticOracle oracle)
              throws it.unive.lisa.analysis.SemanticException
        Specified by:
        evalPushAny in interface it.unive.lisa.analysis.nonrelational.value.BaseNonRelationalValueDomain<T extends BaseTaint<T>>
        Throws:
        it.unive.lisa.analysis.SemanticException

      • evalNullConstant

        public T evalNullConstant​(it.unive.lisa.program.cfg.ProgramPoint pp,
                          it.unive.lisa.analysis.SemanticOracle oracle)
                   throws it.unive.lisa.analysis.SemanticException
        Specified by:
        evalNullConstant in interface it.unive.lisa.analysis.nonrelational.value.BaseNonRelationalValueDomain<T extends BaseTaint<T>>
        Throws:
        it.unive.lisa.analysis.SemanticException

      • evalNonNullConstant

        public T evalNonNullConstant​(it.unive.lisa.symbolic.value.Constant constant,
                             it.unive.lisa.program.cfg.ProgramPoint pp,
                             it.unive.lisa.analysis.SemanticOracle oracle)
                      throws it.unive.lisa.analysis.SemanticException
        Specified by:
        evalNonNullConstant in interface it.unive.lisa.analysis.nonrelational.value.BaseNonRelationalValueDomain<T extends BaseTaint<T>>
        Throws:
        it.unive.lisa.analysis.SemanticException

      • evalUnaryExpression

        public T evalUnaryExpression​(it.unive.lisa.symbolic.value.operator.unary.UnaryOperator operator,
                             T arg,
                             it.unive.lisa.program.cfg.ProgramPoint pp,
                             it.unive.lisa.analysis.SemanticOracle oracle)
                      throws it.unive.lisa.analysis.SemanticException
        Specified by:
        evalUnaryExpression in interface it.unive.lisa.analysis.nonrelational.value.BaseNonRelationalValueDomain<T extends BaseTaint<T>>
        Throws:
        it.unive.lisa.analysis.SemanticException

      • evalBinaryExpression

        public T evalBinaryExpression​(it.unive.lisa.symbolic.value.operator.binary.BinaryOperator operator,
                              T left,
                              T right,
                              it.unive.lisa.program.cfg.ProgramPoint pp,
                              it.unive.lisa.analysis.SemanticOracle oracle)
                       throws it.unive.lisa.analysis.SemanticException
        Specified by:
        evalBinaryExpression in interface it.unive.lisa.analysis.nonrelational.value.BaseNonRelationalValueDomain<T extends BaseTaint<T>>
        Throws:
        it.unive.lisa.analysis.SemanticException

      • evalTernaryExpression

        public T evalTernaryExpression​(it.unive.lisa.symbolic.value.operator.ternary.TernaryOperator operator,
                               T left,
                               T middle,
                               T right,
                               it.unive.lisa.program.cfg.ProgramPoint pp,
                               it.unive.lisa.analysis.SemanticOracle oracle)
                        throws it.unive.lisa.analysis.SemanticException
        Specified by:
        evalTernaryExpression in interface it.unive.lisa.analysis.nonrelational.value.BaseNonRelationalValueDomain<T extends BaseTaint<T>>
        Throws:
        it.unive.lisa.analysis.SemanticException

      • evalTypeCast

        public T evalTypeCast​(it.unive.lisa.symbolic.value.BinaryExpression cast,
                      T left,
                      T right,
                      it.unive.lisa.program.cfg.ProgramPoint pp,
                      it.unive.lisa.analysis.SemanticOracle oracle)
               throws it.unive.lisa.analysis.SemanticException
        Specified by:
        evalTypeCast in interface it.unive.lisa.analysis.nonrelational.value.BaseNonRelationalValueDomain<T extends BaseTaint<T>>
        Throws:
        it.unive.lisa.analysis.SemanticException

      • evalTypeConv

        public T evalTypeConv​(it.unive.lisa.symbolic.value.BinaryExpression conv,
                      T left,
                      T right,
                      it.unive.lisa.program.cfg.ProgramPoint pp,
                      it.unive.lisa.analysis.SemanticOracle oracle)
               throws it.unive.lisa.analysis.SemanticException
        Specified by:
        evalTypeConv in interface it.unive.lisa.analysis.nonrelational.value.BaseNonRelationalValueDomain<T extends BaseTaint<T>>
        Throws:
        it.unive.lisa.analysis.SemanticException

      • satisfies

        public it.unive.lisa.analysis.lattices.Satisfiability satisfies​(it.unive.lisa.symbolic.value.ValueExpression expression,
                                                                it.unive.lisa.analysis.nonrelational.value.ValueEnvironment<T> environment,
                                                                it.unive.lisa.program.cfg.ProgramPoint pp,
                                                                it.unive.lisa.analysis.SemanticOracle oracle)
                                                         throws it.unive.lisa.analysis.SemanticException
        Specified by:
        satisfies in interface it.unive.lisa.analysis.nonrelational.value.BaseNonRelationalValueDomain<T extends BaseTaint<T>>
        Specified by:
        satisfies in interface it.unive.lisa.analysis.nonrelational.NonRelationalElement<T extends BaseTaint<T>,​it.unive.lisa.symbolic.value.ValueExpression,​it.unive.lisa.analysis.nonrelational.value.ValueEnvironment<T extends BaseTaint<T>>>
        Throws:
        it.unive.lisa.analysis.SemanticException

      • assume

        public it.unive.lisa.analysis.nonrelational.value.ValueEnvironment<T> assume​(it.unive.lisa.analysis.nonrelational.value.ValueEnvironment<T> environment,
                                                                             it.unive.lisa.symbolic.value.ValueExpression expression,
                                                                             it.unive.lisa.program.cfg.ProgramPoint src,
                                                                             it.unive.lisa.program.cfg.ProgramPoint dest,
                                                                             it.unive.lisa.analysis.SemanticOracle oracle)
                                                                      throws it.unive.lisa.analysis.SemanticException
        Specified by:
        assume in interface it.unive.lisa.analysis.nonrelational.value.BaseNonRelationalValueDomain<T extends BaseTaint<T>>
        Specified by:
        assume in interface it.unive.lisa.analysis.nonrelational.NonRelationalElement<T extends BaseTaint<T>,​it.unive.lisa.symbolic.value.ValueExpression,​it.unive.lisa.analysis.nonrelational.value.ValueEnvironment<T extends BaseTaint<T>>>
        Throws:
        it.unive.lisa.analysis.SemanticException