Table 1 The strategies of taint propagation for different kinds of instructions

From: ELAID: detecting integer-Overflow-to-Buffer-Overflow vulnerabilities by light-weight and accurate static analysis

| Instruction type | Intermediate representation | Strategy T |
| --- | --- | --- |
| Memory instructions | store val,ptr | T(ptr)=T(val) |
| | val=load ptr | T(val)=T(ptr) |
| | resptr=getelementptr [struct].[ptr].[idx] | (1) T(resptr)=T(ptr)T(ptr+idx) (2) T(ptr+idx)=T(resptr) |
| Function call instructions | retval=call fun(arg) //Definition of fun function: define fun(arg_fun) { ret retval_fun } | (1) T(arg_fun)=T(arg) (2) T(retval)=T(retval_fun) |
| | //special library function call, e.g.: retval=call fopen(pathname, mode) | T(retval)=T(pathname) |
| Other instructions | res=OP op1,op2,…,opn | T(res)=T(op1)T(op2)T(opn) |
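
The rules in Table 1 applied to a small constructed IR, as an added example that is not code from the ELAID paper or tool. It assumes T maps each name to a set of source labels, that adjacent T(...) terms are merged by set union, and that the two getelementptr rules apply in order; the tuple encoding, `propagate`, `demo`, `LIB_RET_FROM_ARG` and all sample names are hypothetical.

```python
# Added example (not ELAID's code): Table 1 rules over a tiny constructed IR.
# Assumption: T(x) is a set of source labels; adjacent T(...) terms merge by union.
from collections import defaultdict

LIB_RET_FROM_ARG = {"fopen": 0}  # special library call: T(retval) = T(pathname)

def propagate(program, functions, sources):
    T = defaultdict(set)
    for name, labels in sources.items():
        T[name] |= set(labels)

    def run(body):
        for ins in body:
            op = ins[0]
            if op == "store":                    # store val,ptr
                T[ins[2]] = set(T[ins[1]])       # T(ptr) = T(val)
            elif op == "load":                   # val = load ptr
                T[ins[1]] = set(T[ins[2]])       # T(val) = T(ptr)
            elif op == "gep":                    # resptr = getelementptr ptr, idx
                _, res, ptr, idx = ins
                elem = f"{ptr}+{idx}"
                T[res] = T[ptr] | T[elem]        # rule (1)
                T[elem] = set(T[res])            # rule (2): T(ptr+idx) = T(resptr)
            elif op == "call":                   # retval = call fun(args)
                _, ret, fun, args = ins
                if fun in LIB_RET_FROM_ARG:
                    T[ret] = set(T[args[LIB_RET_FROM_ARG[fun]]])
                else:
                    params, fbody, fret = functions[fun]
                    for p, a in zip(params, args):
                        T[p] = set(T[a])         # (1) T(arg_fun) = T(arg)
                    run(fbody)
                    T[ret] = set(T[fret])        # (2) T(retval) = T(retval_fun)
            else:                                # res = OP op1,...,opn
                T[ins[1]] = set().union(*(T[o] for o in ins[2:]))
    run(program)
    return T

def demo():
    # Constructed sample: a length read from a file is scaled and becomes a size.
    functions = {"scale": (["n"], [("mul", "r", "n", "four")], "r")}
    program = [
        ("call", "fp", "fopen", ["path", "mode"]),
        ("store", "len_in", "slot"),
        ("load", "len", "slot"),
        ("call", "size", "scale", ["len"]),
        ("gep", "field", "hdr", "1"),
        ("add", "clean", "four", "one"),
    ]
    return propagate(program, functions, {"path": {"argv"}, "len_in": {"file"}, "hdr": {"file"}})
```

In the sample, `size` ends up carrying the `file` label through the store, load, call and multiply rules, while `clean` stays untainted.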