
Table 1 The strategies of taint propagation for different kinds of instructions

From: ELAID: detecting integer-Overflow-to-Buffer-Overflow vulnerabilities by light-weight and accurate static analysis

| Instruction type | Intermediate representation | Strategy T |
|---|---|---|
| Memory instructions | store val, ptr | T(ptr) = T(val) |
| | val = load ptr | T(val) = T(ptr) |
| | resptr = getelementptr [struct].[ptr].[idx] | (1) T(resptr) = T(ptr) ∨ T(ptr+idx); (2) T(ptr+idx) = T(resptr) |
| Function Call Instructions | retval = call fun(arg) // Definition of fun function: define fun(arg_fun) { ⋯ ret retval_fun } | (1) T(arg_fun) = T(arg); (2) T(retval) = T(retval_fun) |
| | // special library function call, e.g.: retval = call fopen(pathname, mode) | T(retval) = T(pathname) |
| Other instructions | res = OP op1, op2, …, opn | T(res) = T(op1) ∨ T(op2) ∨ ⋯ ∨ T(opn) |
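
The rules of Table 1 applied in program order to a small constructed program, as an added example (not code from the ELAID paper or tool). The tuple encoding of instructions, the names `propagate` and `demo`, boolean taint values, the `elem_of` map used to apply getelementptr rule (2) on later stores, and globally unique variable names across functions are assumptions of this sketch.

```python
# Added example: boolean taint propagation over a constructed mini-IR,
# following Table 1. The tuple encoding of instructions is an assumption.
LIBRARY_SUMMARIES = {"fopen": 0}  # retval inherits taint of argument 0 (pathname)

def propagate(instrs, taint, funcs=None):
    """Apply the Table 1 rules in order; `taint` maps a name to True/False."""
    funcs = funcs or {}
    T = lambda v: taint.get(v, False)
    elem_of = {}  # resptr -> (ptr, idx), kept so gep rule (2) can be applied
    for ins in instrs:
        op = ins[0]
        if op == "store":                       # store val, ptr
            _, val, ptr = ins
            taint[ptr] = T(val)                 # T(ptr) = T(val)
            if ptr in elem_of:                  # gep rule (2): T(ptr+idx) = T(resptr)
                taint[elem_of[ptr]] = taint[ptr]
        elif op == "load":                      # val = load ptr
            _, val, ptr = ins
            taint[val] = T(ptr)                 # T(val) = T(ptr)
        elif op == "gep":                       # resptr = getelementptr ptr, idx
            _, res, ptr, idx = ins
            elem_of[res] = (ptr, idx)
            taint[res] = T(ptr) or T((ptr, idx))    # gep rule (1)
        elif op == "call":                      # retval = call fun(args)
            _, ret, fun, args = ins
            if fun in LIBRARY_SUMMARIES:        # special library function
                taint[ret] = T(args[LIBRARY_SUMMARIES[fun]])
            else:
                params, body, retvar = funcs[fun]
                for p, a in zip(params, args):
                    taint[p] = T(a)             # T(arg_fun) = T(arg)
                propagate(body, taint, funcs)
                taint[ret] = T(retvar)          # T(retval) = T(retval_fun)
        else:                                   # res = OP op1, ..., opn
            _, res, *ops = ins
            taint[res] = any(T(o) for o in ops)
    return taint

def demo():
    # Constructed program: only `path` is marked as attacker-controlled.
    funcs = {"scale": (["n"], [("mul", "r", "n", "four")], "r")}
    prog = [
        ("call", "fp", "fopen", ["path", "mode"]),
        ("gep", "p", "hdr", 1),
        ("store", "fp", "p"),            # taints p and the element hdr+1
        ("gep", "q", "hdr", 1),          # second pointer to the same element
        ("load", "len", "q"),
        ("call", "size", "scale", ["len"]),
        ("add", "clean", "four", "one"),
    ]
    return propagate(prog, {"path": True}, funcs)
```

In `demo()` the taint on `path` reaches `size` through the `fopen` summary, the store through `p`, the aliasing `getelementptr` for `q`, and the call to `scale`, while `clean` stays untainted.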