Add custom taint rules from sarif file parsing

mamaria-k · mamaria-k · commit 036c02ebf531 · 2024-05-26T02:13:09.000+03:00
diff --git a/include/klee/Module/SarifReport.h b/include/klee/Module/SarifReport.h
@@ -43,20 +43,31 @@ template <typename T> struct adl_serializer<std::optional<T>> {
 } // namespace nlohmann
 
 namespace klee {
-enum ReachWithError {
+enum ReachWithErrorType {
   DoubleFree = 0,
   UseAfterFree,
   MayBeNullPointerException,  // void f(int *x) { *x = 42; } - should it error?
   MustBeNullPointerException, // MayBeNPE = yes, MustBeNPE = no
   NullCheckAfterDerefException,
   Reachable,
   None,
+  MaybeTaint,
+};
+
+struct ReachWithError {
+  ReachWithErrorType type;
+  std::optional<std::string> data;
 
-  TaintFormatString,
-  TaintSensitiveData,
-  TaintExecute,
+  explicit ReachWithError(ReachWithErrorType type,
+                          std::optional<std::string> data = std::nullopt);
+
+  bool operator==(const ReachWithError &other) const;
+  bool operator!=(const ReachWithError &other) const;
+  bool operator<(const ReachWithError &other) const;
 };
 
+using ReachWithErrors = std::vector<ReachWithError>;
+
 const char *getErrorString(ReachWithError error);
 std::string getErrorsString(const std::vector<ReachWithError> &errors);
 
diff --git a/lib/Core/ExecutionState.h b/lib/Core/ExecutionState.h
@@ -421,7 +421,7 @@ class ExecutionState {
 
   ExprHashMap<llvm::Type *> gepExprBases;
 
-  mutable ReachWithError error = ReachWithError::None;
+  mutable ReachWithError error = ReachWithError(ReachWithErrorType::None);
   std::atomic<HaltExecution::Reason> terminationReasonType{
       HaltExecution::NotHalt};
 
diff --git a/lib/Core/Executor.cpp b/lib/Core/Executor.cpp
@@ -1294,8 +1294,8 @@ bool mustVisitForkBranches(ref<Target> target, KInstruction *instr) {
   // fork branches here
   if (auto reprErrorTarget = dyn_cast<ReproduceErrorTarget>(target)) {
     return reprErrorTarget->isTheSameAsIn(instr) &&
-           reprErrorTarget->isThatError(
-               ReachWithError::NullCheckAfterDerefException);
+           reprErrorTarget->isThatError(ReachWithError(
+               ReachWithErrorType::NullCheckAfterDerefException));
   }
   return false;
 }
@@ -2674,8 +2674,9 @@ void Executor::checkNullCheckAfterDeref(ref<Expr> cond, ExecutionState &state) {
   if (eqPointerCheck && eqPointerCheck->left->isZero() &&
       state.resolvedPointers.count(
           makePointer(eqPointerCheck->right)->getBase())) {
-    reportStateOnTargetError(state,
-                             ReachWithError::NullCheckAfterDerefException);
+    reportStateOnTargetError(
+        state,
+        ReachWithError(ReachWithErrorType::NullCheckAfterDerefException));
   }
 }
 
@@ -2687,10 +2688,11 @@ void Executor::executeInstruction(ExecutionState &state, KInstruction *ki) {
       auto target = kvp.first;
       if (target->shouldFailOnThisTarget() &&
           cast<ReproduceErrorTarget>(target)->isThatError(
-              ReachWithError::Reachable) &&
+              ReachWithError(ReachWithErrorType::Reachable)) &&
           target->getBlock() == ki->parent &&
           cast<ReproduceErrorTarget>(target)->isTheSameAsIn(ki)) {
-        terminateStateOnTargetError(state, ReachWithError::Reachable);
+        terminateStateOnTargetError(
+            state, ReachWithError(ReachWithErrorType::Reachable));
         return;
       }
     }
@@ -4998,25 +5000,25 @@ void Executor::terminateStateOnTargetError(ExecutionState &state,
   // Proceed with normal `terminateStateOnError` call
   std::string messaget;
   StateTerminationType terminationType;
-  switch (error) {
-  case ReachWithError::MayBeNullPointerException:
-  case ReachWithError::MustBeNullPointerException:
+  switch (error.type) {
+  case ReachWithErrorType::MayBeNullPointerException:
+  case ReachWithErrorType::MustBeNullPointerException:
     messaget = "memory error: null pointer exception";
     terminationType = StateTerminationType::Ptr;
     break;
-  case ReachWithError::DoubleFree:
+  case ReachWithErrorType::DoubleFree:
     messaget = "double free error";
     terminationType = StateTerminationType::Ptr;
     break;
-  case ReachWithError::UseAfterFree:
+  case ReachWithErrorType::UseAfterFree:
     messaget = "use after free error";
     terminationType = StateTerminationType::Ptr;
     break;
-  case ReachWithError::Reachable:
+  case ReachWithErrorType::Reachable:
     messaget = "";
     terminationType = StateTerminationType::Reachable;
     break;
-  case ReachWithError::None:
+  case ReachWithErrorType::None:
   default:
     messaget = "unspecified error";
     terminationType = StateTerminationType::User;
@@ -5025,11 +5027,15 @@ void Executor::terminateStateOnTargetError(ExecutionState &state,
       state, new ErrorEvent(locationOf(state), terminationType, messaget));
 }
 
-// TODO: add taint target errors to taint-annotations.json and change function
-void Executor::terminateStateOnTargetTaintError(ExecutionState &state, size_t rule) {
-  const std::string &ruleStr = annotationsData.taintAnnotation.rules[rule];
+void Executor::terminateStateOnTargetTaintError(ExecutionState &state,
+                                                size_t rule) {
+  if (rule >= annotationsData.taintAnnotation.rules.size()) {
+    terminateStateOnUserError(state, "Incorrect rule id");
+  }
 
-//  reportStateOnTargetError(state, rule);
+  const std::string &ruleStr = annotationsData.taintAnnotation.rules[rule];
+  reportStateOnTargetError(
+      state, ReachWithError(ReachWithErrorType::MaybeTaint, ruleStr));
 
   terminateStateOnProgramError(state, ruleStr + " taint error",
                                StateTerminationType::Taint);
@@ -5500,8 +5506,8 @@ void Executor::executeFree(ExecutionState &state, ref<PointerExpr> address,
     if (!resolveExact(*zeroPointer.second, address,
                       typeSystemManager->getUnknownType(), rl, "free") &&
         guidanceKind == GuidanceKind::ErrorGuidance) {
-      terminateStateOnTargetError(*zeroPointer.second,
-                                  ReachWithError::DoubleFree);
+      terminateStateOnTargetError(
+          *zeroPointer.second, ReachWithError(ReachWithErrorType::DoubleFree));
       return;
     }
 
@@ -5566,9 +5572,9 @@ bool Executor::resolveExact(ExecutionState &estate, ref<Expr> address,
   ExecutionState *bound = branches.first;
   if (bound) {
     auto error = isReadFromSymbolicArray(uniqueBase)
-                     ? ReachWithError::MayBeNullPointerException
-                     : ReachWithError::MustBeNullPointerException;
-    terminateStateOnTargetError(*bound, error);
+                     ? ReachWithErrorType::MayBeNullPointerException
+                     : ReachWithErrorType::MustBeNullPointerException;
+    terminateStateOnTargetError(*bound, ReachWithError(error));
   }
   if (!branches.second) {
     address =
@@ -6248,9 +6254,9 @@ void Executor::executeMemoryOperation(
   ExecutionState *bound = branches.first;
   if (bound) {
     auto error = (isReadFromSymbolicArray(base) && branches.second)
-                     ? ReachWithError::MayBeNullPointerException
-                     : ReachWithError::MustBeNullPointerException;
-    terminateStateOnTargetError(*bound, error);
+                     ? ReachWithErrorType::MayBeNullPointerException
+                     : ReachWithErrorType::MustBeNullPointerException;
+    terminateStateOnTargetError(*bound, ReachWithError(error));
   }
   if (!branches.second)
     return;
@@ -6372,7 +6378,8 @@ void Executor::executeMemoryOperation(
     solver->setTimeout(time::Span());
 
     if (!success) {
-      terminateStateOnTargetError(*state, ReachWithError::UseAfterFree);
+      terminateStateOnTargetError(
+          *state, ReachWithError(ReachWithErrorType::UseAfterFree));
       return;
     }
   }
@@ -6986,7 +6993,7 @@ void Executor::runFunctionAsMain(Function *f, int argc, char **argv,
         auto kCallBlock = kfIt->second->entryKBlock;
         forest = new TargetForest(kEntryFunction);
         forest->add(ReproduceErrorTarget::create(
-            {ReachWithError::Reachable}, "",
+            {ReachWithError(ReachWithErrorType::Reachable)}, "",
             ErrorLocation(kCallBlock->getFirstInstruction()), kCallBlock));
       }
     }
@@ -7461,9 +7468,9 @@ bool Executor::getSymbolicSolution(const ExecutionState &state, KTest &res) {
   // we cannot be sure that an irreproducible state proves the presence of an
   // error
   if (uninitObjects.size() > 0 || state.symbolics.size() != symbolics.size()) {
-    state.error = ReachWithError::None;
+    state.error = ReachWithError(ReachWithErrorType::None);
   } else if (FunctionCallReproduce != "" &&
-             state.error == ReachWithError::Reachable) {
+             state.error.type == ReachWithErrorType::Reachable) {
     setHaltExecution(HaltExecution::ReachedTarget);
   }
 
diff --git a/lib/Core/SpecialFunctionHandler.cpp b/lib/Core/SpecialFunctionHandler.cpp
@@ -1264,13 +1264,14 @@ void SpecialFunctionHandler::handleGetTaintRule(
     return;
   }
 
-//    ref<Expr> result = ConstantExpr::create(4, Expr::Int64);
-//    executor.bindLocal(target, state, result);
+  // TODO: now mock
+  ref<Expr> result = ConstantExpr::create(1, Expr::Int64);
+  executor.bindLocal(target, state, result);
 }
 
-void SpecialFunctionHandler::handleTaintHit(
-    klee::ExecutionState &state, klee::KInstruction *target,
-    std::vector<ref<Expr>> &arguments) {
+void SpecialFunctionHandler::handleTaintHit(klee::ExecutionState &state,
+                                            klee::KInstruction *target,
+                                            std::vector<ref<Expr>> &arguments) {
   if (arguments.size() != 1) {
     executor.terminateStateOnUserError(
         state, "Incorrect number of arguments to klee_taint_hit(size_t)");
@@ -1283,8 +1284,5 @@ void SpecialFunctionHandler::handleTaintHit(
     executor.terminateStateOnUserError(
         state, "Incorrect argument 0 to klee_taint_hit(size_t)");
   }
-
-  klee_warning("!!!: %s\n", arguments[0]->toString().c_str());
-
   executor.terminateStateOnTargetTaintError(state, rule);
 }
diff --git a/lib/Core/TargetedExecutionManager.cpp b/lib/Core/TargetedExecutionManager.cpp
@@ -552,7 +552,8 @@ bool TargetedExecutionManager::reportTruePositive(ExecutionState &state,
 
     atLeastOneReported = true;
     assert(!errorTarget->isReported);
-    if (errorTarget->isThatError(ReachWithError::Reachable)) {
+    if (errorTarget->isThatError(
+            ReachWithError(ReachWithErrorType::Reachable))) {
       klee_warning("100.00%% %s Reachable at trace %s", getErrorString(error),
                    errorTarget->getId().c_str());
     } else {
diff --git a/lib/Module/SarifReport.cpp b/lib/Module/SarifReport.cpp
@@ -55,76 +55,78 @@ tryConvertRuleJson(const std::string &ruleId, const std::string &toolName,
                    const std::optional<Message> &errorMessage) {
   if (toolName == "SecB") {
     if ("NullDereference" == ruleId) {
-      return {ReachWithError::MustBeNullPointerException};
+      return {ReachWithError(ReachWithErrorType::MustBeNullPointerException)};
     } else if ("CheckAfterDeref" == ruleId) {
-      return {ReachWithError::NullCheckAfterDerefException};
+      return {ReachWithError(ReachWithErrorType::NullCheckAfterDerefException)};
     } else if ("DoubleFree" == ruleId) {
-      return {ReachWithError::DoubleFree};
+      return {ReachWithError(ReachWithErrorType::DoubleFree)};
     } else if ("UseAfterFree" == ruleId) {
-      return {ReachWithError::UseAfterFree};
+      return {ReachWithError(ReachWithErrorType::UseAfterFree)};
     } else if ("Reached" == ruleId) {
-      return {ReachWithError::Reachable};
+      return {ReachWithError(ReachWithErrorType::Reachable)};
     } else {
-      return {};
+      return {ReachWithError(ReachWithErrorType::MaybeTaint, ruleId)};
     }
   } else if (toolName == "clang") {
     if ("core.NullDereference" == ruleId) {
-      return {ReachWithError::MayBeNullPointerException,
-              ReachWithError::MustBeNullPointerException};
+      return {ReachWithError(ReachWithErrorType::MayBeNullPointerException),
+              ReachWithError(ReachWithErrorType::MustBeNullPointerException)};
     } else if ("unix.Malloc" == ruleId) {
       if (errorMessage.has_value()) {
         if (errorMessage->text == "Attempt to free released memory") {
-          return {ReachWithError::DoubleFree};
+          return {ReachWithError(ReachWithErrorType::DoubleFree)};
         } else if (errorMessage->text == "Use of memory after it is freed") {
-          return {ReachWithError::UseAfterFree};
+          return {ReachWithError(ReachWithErrorType::UseAfterFree)};
         } else {
           return {};
         }
       } else {
-        return {ReachWithError::UseAfterFree, ReachWithError::DoubleFree};
+        return {ReachWithError(ReachWithErrorType::UseAfterFree),
+                ReachWithError(ReachWithErrorType::DoubleFree)};
       }
     } else if ("core.Reach" == ruleId) {
-      return {ReachWithError::Reachable};
+      return {ReachWithError(ReachWithErrorType::Reachable)};
     } else {
-      return {};
+      return {ReachWithError(ReachWithErrorType::MaybeTaint, ruleId)};
     }
   } else if (toolName == "CppCheck") {
     if ("nullPointer" == ruleId || "ctunullpointer" == ruleId) {
-      return {ReachWithError::MayBeNullPointerException,
-              ReachWithError::MustBeNullPointerException}; // TODO: check it out
+      return {
+          ReachWithError(ReachWithErrorType::MayBeNullPointerException),
+          ReachWithError(
+              ReachWithErrorType::MustBeNullPointerException)}; // TODO: check
+                                                                // it out
     } else if ("doubleFree" == ruleId) {
-      return {ReachWithError::DoubleFree};
+      return {ReachWithError(ReachWithErrorType::DoubleFree)};
     } else {
-      return {};
+      return {ReachWithError(ReachWithErrorType::MaybeTaint, ruleId)};
     }
   } else if (toolName == "Infer") {
     if ("NULL_DEREFERENCE" == ruleId || "NULLPTR_DEREFERENCE" == ruleId) {
-      return {ReachWithError::MayBeNullPointerException,
-              ReachWithError::MustBeNullPointerException}; // TODO: check it out
+      return {
+          ReachWithError(ReachWithErrorType::MayBeNullPointerException),
+          ReachWithError(
+              ReachWithErrorType::MustBeNullPointerException)}; // TODO: check
+                                                                // it out
     } else if ("USE_AFTER_DELETE" == ruleId || "USE_AFTER_FREE" == ruleId) {
-      return {ReachWithError::UseAfterFree, ReachWithError::DoubleFree};
+      return {ReachWithError(ReachWithErrorType::UseAfterFree),
+              ReachWithError(ReachWithErrorType::DoubleFree)};
     } else {
-      return {};
+      return {ReachWithError(ReachWithErrorType::MaybeTaint, ruleId)};
     }
   } else if (toolName == "Cooddy") {
     if ("NULL.DEREF" == ruleId || "NULL.UNTRUSTED.DEREF" == ruleId) {
-      return {ReachWithError::MayBeNullPointerException,
-              ReachWithError::MustBeNullPointerException};
+      return {ReachWithError(ReachWithErrorType::MayBeNullPointerException),
+              ReachWithError(ReachWithErrorType::MustBeNullPointerException)};
     } else if ("MEM.DOUBLE.FREE" == ruleId) {
-      return {ReachWithError::DoubleFree};
+      return {ReachWithError(ReachWithErrorType::DoubleFree)};
     } else if ("MEM.USE.FREE" == ruleId) {
-      return {ReachWithError::UseAfterFree};
-    } else if ("SV.STR.FMT.TAINT" == ruleId) {
-      return {ReachWithError::TaintFormatString};
-    } else if ("TAINT.SDE" == ruleId) {
-      return {ReachWithError::TaintSensitiveData};
-    } else if ("TAINT.STRING.CLI" == ruleId) {
-      return {ReachWithError::TaintExecute};
+      return {ReachWithError(ReachWithErrorType::UseAfterFree)};
     } else {
-      return {};
+      return {ReachWithError(ReachWithErrorType::MaybeTaint, ruleId)};
     }
   } else {
-    return {};
+    return {ReachWithError(ReachWithErrorType::MaybeTaint, ruleId)};
   }
 }
 
@@ -133,7 +135,7 @@ std::optional<Result> tryConvertResultJson(const ResultJson &resultJson,
                                            const std::string &id) {
   std::vector<ReachWithError> errors = {};
   if (!resultJson.ruleId.has_value()) {
-    errors = {ReachWithError::Reachable};
+    errors = {ReachWithError(ReachWithErrorType::Reachable)};
   } else {
     errors =
         tryConvertRuleJson(*resultJson.ruleId, toolName, resultJson.message);
@@ -190,8 +192,27 @@ static const char *ReachWithErrorNames[] = {
     "None",
 };
 
+ReachWithError::ReachWithError(ReachWithErrorType type,
+                               std::optional<std::string> data)
+    : type(type), data(std::move(data)) {}
+
+bool ReachWithError::operator==(const ReachWithError &other) const {
+  if (type == other.type && ReachWithErrorType::MaybeTaint == type) {
+    return data == other.data;
+  }
+  return (type == other.type);
+}
+
+bool ReachWithError::operator!=(const ReachWithError &other) const {
+  return !(*this == other);
+}
+
+bool ReachWithError::operator<(const ReachWithError &other) const {
+  return type < other.type;
+}
+
 const char *getErrorString(ReachWithError error) {
-  return ReachWithErrorNames[error];
+  return ReachWithErrorNames[error.type];
 }
 
 std::string getErrorsString(const std::vector<ReachWithError> &errors) {
