Add taint rules

Author: mamaria-k

configs/taint-annotations.json

@@ -1,11 +1,20 @@
 {
   "SensitiveDataLeak": [
-    "SensitiveDataSource"
+    {
+      "source": "SensitiveDataSource",
+      "rule": "TAINT.SDE"
+    }
   ],
   "FormatString": [
-    "UntrustedSource"
+    {
+      "source": "UntrustedSource",
+      "rule": "SV.STR.FMT.TAINT"
+    }
   ],
   "Execute": [
-    "UntrustedSource"
+    {
+      "source": "UntrustedSource",
+      "rule": "TAINT.STRING.CLI"
+    }
   ]
 }

include/klee/Core/MockBuilder.h

@@ -50,8 +50,8 @@ class MockBuilder {
                             const std::string &symbolicName);
   llvm::CallInst *buildCallKleeTaintFunction(const std::string &functionName,
                                              llvm::Value *source, size_t taint,
-                                             bool returnBool);
-  void buildCallKleeTaintSinkHit(size_t taintSink);
+                                             llvm::Type *returnType);
+  void buildCallKleeTaintHit(llvm::Value *taintRule);
 
   void buildAnnotationTaintOutput(llvm::Value *elem,
                                   const Statement::Ptr &statement);

include/klee/Module/SarifReport.h

@@ -51,6 +51,10 @@ enum ReachWithError {
   NullCheckAfterDerefException,
   Reachable,
   None,
+
+  TaintFormatString,
+  TaintSensitiveData,
+  TaintExecute,
 };
 
 const char *getErrorString(ReachWithError error);

include/klee/Module/TaintAnnotation.h

@@ -10,18 +10,30 @@ using json = nlohmann::json;
 
 namespace klee {
 
-// TODO: set<size_t> to set<pair<size_t, size)t>>, where pair is sink and target
-using TaintSinksSourcesMap = std::map<size_t, std::set<size_t>>;
+using source_ty = size_t;
+using sink_ty = size_t;
+using rule_ty = size_t;
 
-class TaintAnnotation final {
-public:
-  TaintSinksSourcesMap sinksToSources;
-  std::map<std::string, size_t> sinks;
-  std::map<std::string, size_t> sources;
-  // TODO: add map from size_t target to string
+struct TaintHitInfo final {
+  source_ty source;
+  sink_ty sink;
+
+  explicit TaintHitInfo(source_ty source, sink_ty sink);
+
+  bool operator<(const TaintHitInfo &other) const;
+  bool operator==(const TaintHitInfo &other) const;
+};
+
+using TaintHitsMap = std::map<TaintHitInfo, rule_ty>;
+
+struct TaintAnnotation final {
+  TaintHitsMap hits;
+
+  std::unordered_map<std::string, source_ty> sources;
+  std::unordered_map<std::string, sink_ty> sinks;
+  std::vector<std::string> rules;
 
   explicit TaintAnnotation(const std::string &path);
-  virtual ~TaintAnnotation();
 };
 
 } // namespace klee

include/klee/klee.h

@@ -61,19 +61,19 @@ void klee_clear_taint(void *array, size_t taint_source);
  */
 bool klee_check_taint_source(void *array, size_t taint_source);
 
-/* klee_check_taint_sink - Check that the contents of the object pointer
- * to \arg addr causes a taint sink \arg taint_sink hit.
+/* klee_get_taint_rule - Return taint rule id +1 if contents of the object pointer
+ * to \arg addr causes a taint sink \arg taint_sink hit, else return 0.
  *
  * \arg addr - The start of the object.
  * \arg taint_sink - Taint sink.
  */
-bool klee_check_taint_sink(void *array, size_t taint_sink);
+size_t klee_get_taint_rule(void *array, size_t taint_sink);
 
-/* klee_taint_sink_hit - Execute taint sink \arg taint_sink hit.
+/* klee_taint_hit - Execute taint hit with rule.
  *
- * \arg taint_sink - Taint sink.
+ * \arg rule - Taint rule id.
  */
-void klee_taint_sink_hit(size_t taint_sink);
+void klee_taint_hit(size_t rule);
 
 /* klee_range - Construct a symbolic value in the signed interval
  * [begin,end).

lib/Core/Executor.cpp

@@ -5026,18 +5026,12 @@ void Executor::terminateStateOnTargetError(ExecutionState &state,
 }
 
 // TODO: add taint target errors to taint-annotations.json and change function
-void Executor::terminateStateOnTaintError(ExecutionState &state, size_t sink) {
-  //  reportStateOnTargetError(state, error);
-
-  const auto &sinks = annotationsData.taintAnnotation.sinks;
-  auto taintSink = std::find_if(sinks.begin(), sinks.end(),
-                                [&](const std::pair<std::string, size_t> &i) {
-                                  return i.second == sink;
-                                });
-  if (taintSink == std::end(sinks)) {
-    klee_error("Unknown sink index");
-  }
-  terminateStateOnProgramError(state, taintSink->first + " taint error",
+void Executor::terminateStateOnTargetTaintError(ExecutionState &state, size_t rule) {
+  const std::string &ruleStr = annotationsData.taintAnnotation.rules[rule];
+
+//  reportStateOnTargetError(state, rule);
+
+  terminateStateOnProgramError(state, ruleStr + " taint error",
                                StateTerminationType::Taint);
 }
 

lib/Core/Executor.h

@@ -634,7 +634,7 @@ class Executor : public Interpreter {
   /// Then just call `terminateStateOnError`
   void terminateStateOnTargetError(ExecutionState &state, ReachWithError error);
 
-  void terminateStateOnTaintError(ExecutionState &state, size_t sink);
+  void terminateStateOnTargetTaintError(ExecutionState &state, size_t rule);
 
   /// Call error handler and terminate state in case of program errors
   /// (e.g. free()ing globals, out-of-bound accesses)

lib/Core/MockBuilder.cpp

@@ -421,7 +421,8 @@ void MockBuilder::buildAnnotationTaintOutput(llvm::Value *elem,
                  taintOutputPtr->getTaintType().c_str());
     return;
   }
-  buildCallKleeTaintFunction("klee_add_taint", elem, source->second, false);
+  buildCallKleeTaintFunction("klee_add_taint", elem, source->second,
+                             llvm::Type::getVoidTy(mockModule->getContext()));
 }
 
 void MockBuilder::buildAnnotationTaintPropagation(
@@ -460,11 +461,13 @@ void MockBuilder::buildAnnotationTaintPropagation(
   llvm::Value *propagationValue =
       func->getArg(taintPropagationPtr->propagationParameterIndex);
   auto brValuePropagate = buildCallKleeTaintFunction(
-      "klee_check_taint_source", propagationValue, source->second, true);
+      "klee_check_taint_source", propagationValue, source->second,
+      llvm::Type::getInt1Ty(mockModule->getContext()));
   builder->CreateCondBr(brValuePropagate, propagateBB, contBB);
 
   builder->SetInsertPoint(propagateBB);
-  buildCallKleeTaintFunction("klee_add_taint", elem, source->second, false);
+  buildCallKleeTaintFunction("klee_add_taint", elem, source->second,
+                             llvm::Type::getVoidTy(mockModule->getContext()));
   builder->CreateBr(contBB);
 
   curFunc->getBasicBlockList().push_back(contBB);
@@ -495,8 +498,13 @@ void MockBuilder::buildAnnotationTaintSink(llvm::Value *elem,
       llvm::BasicBlock::Create(mockModule->getContext(), sinkCondName, curFunc);
   llvm::BasicBlock *contBB = llvm::BasicBlock::Create(
       mockModule->getContext(), "continue_" + sinkCondName);
-  auto brValueSink = buildCallKleeTaintFunction("klee_check_taint_sink", elem,
-                                                sink->second, true);
+  auto taintRule = buildCallKleeTaintFunction(
+      "klee_get_taint_rule", elem, sink->second,
+      llvm::Type::getInt64Ty(mockModule->getContext()));
+  const auto brValueSink =
+      builder->CreateCmp(llvm::CmpInst::Predicate::ICMP_NE, taintRule,
+                         llvm::ConstantInt::get(mockModule->getContext(),
+                                                llvm::APInt(64, 0, false)));
   builder->CreateCondBr(brValueSink, sinkBB, contBB);
 
   builder->SetInsertPoint(sinkBB);
@@ -509,13 +517,16 @@ void MockBuilder::buildAnnotationTaintSink(llvm::Value *elem,
                             sinkHitCondName);
   fromIf = builder->GetInsertBlock();
   curFunc = fromIf->getParent();
-  llvm::BasicBlock *sinkHitBB = llvm::BasicBlock::Create(
+  llvm::BasicBlock *taintHitBB = llvm::BasicBlock::Create(
       mockModule->getContext(), sinkHitCondName, curFunc);
-  auto brValueSinkHit = builder->CreateLoad(intType, sinkHitCond);
-  builder->CreateCondBr(brValueSinkHit, sinkHitBB, contBB);
-
-  builder->SetInsertPoint(sinkHitBB);
-  buildCallKleeTaintSinkHit(sink->second);
+  auto brValueTaintHit = builder->CreateLoad(intType, sinkHitCond);
+  builder->CreateCondBr(brValueTaintHit, taintHitBB, contBB);
+
+  builder->SetInsertPoint(taintHitBB);
+  const auto taintRuleId = builder->CreateSub(
+      taintRule, llvm::ConstantInt::get(mockModule->getContext(),
+                                        llvm::APInt(64, 1, false)));
+  buildCallKleeTaintHit(taintRuleId);
   builder->CreateBr(contBB);
 
   curFunc->getBasicBlockList().push_back(contBB);
@@ -525,11 +536,7 @@ void MockBuilder::buildAnnotationTaintSink(llvm::Value *elem,
 llvm::CallInst *
 MockBuilder::buildCallKleeTaintFunction(const std::string &functionName,
                                         llvm::Value *source, size_t taint,
-                                        bool returnBool) {
-  const auto returnType = returnBool
-                              ? llvm::Type::getInt1Ty(mockModule->getContext())
-                              : llvm::Type::getVoidTy(mockModule->getContext());
-
+                                        llvm::Type *returnType) {
   auto *kleeTaintFunctionType = llvm::FunctionType::get(
       returnType,
       {llvm::Type::getInt8PtrTy(mockModule->getContext()),
@@ -592,17 +599,13 @@ MockBuilder::buildCallKleeTaintFunction(const std::string &functionName,
                                         llvm::APInt(64, taint, false))});
 }
 
-void MockBuilder::buildCallKleeTaintSinkHit(size_t taintSink) {
-  auto *kleeTaintSinkHitType = llvm::FunctionType::get(
+void MockBuilder::buildCallKleeTaintHit(llvm::Value *taintRule) {
+  auto *kleeTaintHitType = llvm::FunctionType::get(
       llvm::Type::getVoidTy(mockModule->getContext()),
       {llvm::Type::getInt64Ty(mockModule->getContext())}, false);
-  auto kleeTaintSinkHitCallee = mockModule->getOrInsertFunction(
-      "klee_taint_sink_hit", kleeTaintSinkHitType);
-
-  builder->CreateCall(
-      kleeTaintSinkHitCallee,
-      {llvm::ConstantInt::get(mockModule->getContext(),
-                              llvm::APInt(64, taintSink, false))});
+  auto kleeTaintSinkHitCallee =
+      mockModule->getOrInsertFunction("klee_taint_hit", kleeTaintHitType);
+  builder->CreateCall(kleeTaintSinkHitCallee, {taintRule});
 }
 
 void MockBuilder::buildAnnotationForExternalFunctionArgs(

lib/Core/SpecialFunctionHandler.cpp

@@ -133,8 +133,8 @@ static SpecialFunctionHandler::HandlerInfo handlerInfo[] = {
     add("klee_add_taint", handleAddTaint, false),
     add("klee_clear_taint", handleClearTaint, false),
     add("klee_check_taint_source", handleCheckTaintSource, true),
-    add("klee_check_taint_sink", handleCheckTaintSink, true),
-    add("klee_taint_sink_hit", handleTaintSinkHit, false),
+    add("klee_get_taint_rule", handleGetTaintRule, true),
+    add("klee_taint_hit", handleTaintHit, false),
 
 #ifdef SUPPORT_KLEE_EH_CXX
     add("_klee_eh_Unwind_RaiseException_impl", handleEhUnwindRaiseExceptionImpl,
@@ -1254,35 +1254,37 @@ void SpecialFunctionHandler::handleCheckTaintSource(
   }
 }
 
-void SpecialFunctionHandler::handleCheckTaintSink(
+void SpecialFunctionHandler::handleGetTaintRule(
     klee::ExecutionState &state, klee::KInstruction *target,
     std::vector<ref<Expr>> &arguments) {
   if (arguments.size() != 2) {
     executor.terminateStateOnUserError(state,
                                        "Incorrect number of arguments to "
-                                       "klee_check_taint_sink(void*, size_t)");
+                                       "klee_get_taint_rule(void*, size_t)");
     return;
   }
 
-  //  ref<Expr> result = ConstantExpr::create(true, Expr::Bool);
-  //  executor.bindLocal(target, state, result);
+//    ref<Expr> result = ConstantExpr::create(4, Expr::Int64);
+//    executor.bindLocal(target, state, result);
 }
 
-void SpecialFunctionHandler::handleTaintSinkHit(
+void SpecialFunctionHandler::handleTaintHit(
     klee::ExecutionState &state, klee::KInstruction *target,
     std::vector<ref<Expr>> &arguments) {
   if (arguments.size() != 1) {
     executor.terminateStateOnUserError(
-        state, "Incorrect number of arguments to klee_taint_sink_hit(size_t)");
+        state, "Incorrect number of arguments to klee_taint_hit(size_t)");
     return;
   }
 
   char *end = nullptr;
-  size_t sink = strtoul(arguments[0]->toString().c_str(), &end, 10);
+  size_t rule = strtoul(arguments[0]->toString().c_str(), &end, 10);
   if (*end != '\0' || errno == ERANGE) {
     executor.terminateStateOnUserError(
-        state, "Incorrect argument 0 to klee_taint_sink_hit(size_t)");
+        state, "Incorrect argument 0 to klee_taint_hit(size_t)");
   }
 
-  executor.terminateStateOnTaintError(state, sink);
+  klee_warning("!!!: %s\n", arguments[0]->toString().c_str());
+
+  executor.terminateStateOnTargetTaintError(state, rule);
 }

lib/Core/SpecialFunctionHandler.h

@@ -184,8 +184,8 @@ class SpecialFunctionHandler {
   HANDLER(handleAddTaint);
   HANDLER(handleClearTaint);
   HANDLER(handleCheckTaintSource);
-  HANDLER(handleCheckTaintSink);
-  HANDLER(handleTaintSinkHit);
+  HANDLER(handleGetTaintRule);
+  HANDLER(handleTaintHit);
 #undef HANDLER
 };
 } // namespace klee