pub struct State { /* private fields */ }

The state object of the taint analysis representing all known tainted memory and register values at a certain location within the program.

Implementations

impl State

pub fn new_empty() -> Self

Returns an empty state.

pub fn new_return( taint_source: &ExternSymbol, vsa_result: &impl VsaResult<ValueDomain = PiData>, return_node: NodeIndex ) -> Self

Returns a state where only return values of the extern call are tainted.

pub fn eval(&self, expression: &Expression) -> Taint

Evaluate whether the result of the given expression is tainted in the current state.

pub fn load_taint_from_memory(&self, address: &PiData, size: ByteSize) -> Taint

Returns the taint of the value at the given address (with the given size).

If the address may point to more than one location, then the taint state of all possible locations is merged. Only exact locations are considered; all other locations are treated as untainted.

pub fn save_taint_to_memory(&mut self, address: &PiData, taint: Taint)

Mark the value at the given address with the given taint.

If the address may point to more than one object, we merge the taint into all objects for which the corresponding offset is exact. Since we merge, this will never remove any taint.

If the pointee object and offset are exactly known, we write the taint to the object at the given offset. This may remove taint.

In all other cases we do nothing.
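
The update rules of load_taint_from_memory and save_taint_to_memory described above, as an added toy model that is not the crate's own code. Pointer, ptr and ToyState are hypothetical stand-ins for PiData and State; taint is reduced to a bool and value sizes are ignored.

```rust
use std::collections::{BTreeMap, BTreeSet};

// Simplified stand-in for PiData (assumption): target object -> Some(offset)
// if the offset is exactly known, None if it is not.
type Pointer = BTreeMap<&'static str, Option<i64>>;

fn ptr(targets: &[(&'static str, Option<i64>)]) -> Pointer {
    targets.iter().cloned().collect()
}

// Toy memory taint: set of tainted (object, offset) locations. Sizes are
// ignored and taint is a plain bool (both simplifications).
#[derive(Default)]
struct ToyState {
    tainted: BTreeSet<(&'static str, i64)>,
}

impl ToyState {
    // The three cases described for save_taint_to_memory.
    fn save(&mut self, address: &Pointer, taint: bool) {
        let exact: Vec<(&'static str, i64)> =
            address.iter().filter_map(|(&obj, &off)| off.map(|o| (obj, o))).collect();
        if address.len() > 1 {
            // Several possible objects: merge into each exact location. Merging
            // only adds taint, so an untainted write changes nothing.
            if taint {
                self.tainted.extend(exact);
            }
        } else if let Some(&loc) = exact.first() {
            // One object, exact offset: overwrite, which may remove taint.
            if taint { self.tainted.insert(loc); } else { self.tainted.remove(&loc); }
        }
        // One object with inexact offset, or no target: do nothing.
    }

    // load_taint_from_memory: merge (here: OR) over the exact candidate locations.
    fn load(&self, address: &Pointer) -> bool {
        address.iter().any(|(&obj, &off)| off.map_or(false, |o| self.tainted.contains(&(obj, o))))
    }
}

fn main() {
    let mut s = ToyState::default();
    s.save(&ptr(&[("buf", Some(8))]), true); // strong update: taints buf+8
    s.save(&ptr(&[("buf", Some(8)), ("tmp", Some(0))]), false); // weak: no change
    assert!(s.load(&ptr(&[("buf", Some(8))])));
    s.save(&ptr(&[("buf", Some(8))]), false); // strong update clears the taint
    assert!(!s.load(&ptr(&[("buf", Some(8))])));
}
```

The asymmetry matters when reading results: an untainted write through an ambiguous pointer leaves existing taint in place, so taint may be over-reported there, while writes through a pointer with an inexact offset are dropped entirely.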

pub fn remove_all_memory_taints(&mut self)

Remove all knowledge about taints contained in memory objects.

pub fn set_register_taint(&mut self, register: &Variable, taint: Taint)

Set the taint of a register.

pub fn get_register_taint(&self, register: &Variable) -> Taint

Returns the taint state of the given register.

pub fn check_mem_id_for_taint(&self, id: &AbstractIdentifier) -> bool

Returns true if the memory object with the given ID contains a tainted value.

pub fn check_if_address_points_to_taint(&self, address: PiData) -> bool

Check if the given address points to tainted memory.

Returns true iff the value at any of the exact memory locations that the pointer may point to is tainted.

pub fn check_generic_function_params_for_taint<const POINTER_TAINT: bool>( &self, vsa_result: &impl VsaResult<ValueDomain = PiData>, call_tid: &Tid, project: &Project, calling_convention_hint: &Option<String> ) -> bool

Check if a generic function call may contain tainted values in its arguments.

If POINTER_TAINT is selected, pointers to tainted memory are considered to be tainted.

Since we don’t know the actual parameters of the call, we approximate the parameters with all parameter registers of the calling convention of the function or of the standard calling convention of the project.

If no standard calling convention is found, we assume that everything may be a parameter or referenced by parameters, i.e., we assume the parameters of the call are tainted iff there is taint in the state.

pub fn check_return_values_for_taint<const POINTER_TAINT: bool>( &self, vsa_result: &impl VsaResult<ValueDomain = PiData>, return_tid: &Tid, project: &Project, calling_convention_hint: &Option<String> ) -> bool

Check if the return registers may contain tainted values.

If POINTER_TAINT is selected, pointers to tainted memory are considered to be tainted.

Since we don’t know the actual return registers, we approximate them by all return registers of the calling convention of the function or of the standard calling convention of the project.

If no standard calling convention is found, we assume that everything may be a return value or referenced by return values.

pub fn remove_non_callee_saved_taint( &mut self, calling_conv: &CallingConvention )

Remove the taint from all registers not contained in the callee-saved register list of the given calling convention.

pub fn check_extern_parameters_for_taint<const POINTER_TAINT: bool>( &self, vsa_result: &impl VsaResult<ValueDomain = PiData>, extern_symbol: &ExternSymbol, call_tid: &Tid ) -> bool

Check parameters of a call to an extern symbol for taint.

If POINTER_TAINT is selected, we also return true if a pointer to tainted memory is passed as an argument.

pub fn is_empty(&self) -> bool

Check whether self contains any taint at all.

pub fn has_register_taint(&self) -> bool

Check whether there are any tainted registers in the state.

pub fn has_memory_taint(&self) -> bool

Check whether there is any tainted memory in the state.

pub fn merge_with_renaming( &mut self, other: &Self, renaming_map: Option<&BTreeMap<AbstractIdentifier, PiData>> )

Merges the given other state into this state with renaming of abstract identifiers.

The set of valid abstract identifiers (aIDs) is local to a given function. When merging states across function boundaries, it is necessary to map aIDs into the set of valid aIDs in the target context before performing the merging.

This function assumes that the target context is the one of self and that renaming_map specifies how valid aIDs in the context of other correspond to the aIDs of this context.

pub fn into_mem_reg_taint( self ) -> (DomainMap<Variable, Taint, UnionMergeStrategy>, DomainMap<AbstractIdentifier, MemRegion<Taint>, MemoryTaintMergeStrategy>)

Deconstructs a State into its register and memory taint maps.

pub fn from_mem_reg_taint( register_taint: DomainMap<Variable, Taint, UnionMergeStrategy>, memory_taint: DomainMap<AbstractIdentifier, MemRegion<Taint>, MemoryTaintMergeStrategy> ) -> Self

Constructs a State from register and memory taint maps.

impl State

pub fn to_json_compact(&self) -> Value

Get a more compact JSON representation of the state. Intended for pretty printing, not usable for serialization/deserialization.

Trait Implementations

impl AbstractDomain for State

fn merge(&self, other: &Self) -> Self

Merge two states.

Any value tainted in at least one input state is also tainted in the merged state.

fn is_top(&self) -> bool

The state has no explicit Top element.

fn merge_with(&mut self, other: &Self) -> &mut Self

Returns an upper bound (with respect to the partial order on the domain) for the two inputs self and other.

impl Clone for State

fn clone(&self) -> State

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for State

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<'de> Deserialize<'de> for State

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>
where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl PartialEq for State

fn eq(&self, other: &Self) -> bool

Two states are equal if the same values are tainted in both states.

fn ne(&self, other: &Rhs) -> bool

This method tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Serialize for State

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>
where __S: Serializer,

Serialize this value into the given Serde serializer.

impl ToJsonCompact for State

fn to_json_compact(&self) -> Value

Returns a JSON representation of values of type self that is suitable for debugging purposes.

fn print_compact_json(&self)

Print values of type Self for debugging purposes.

impl Eq for State

impl StructuralEq for State

Auto Trait Implementations

impl RefUnwindSafe for State

impl Send for State

impl Sync for State

impl Unpin for State

impl UnwindSafe for State

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<Q, K> Equivalent<K> for Q
where Q: Eq + ?Sized, K: Borrow<Q> + ?Sized,

fn equivalent(&self, key: &K) -> bool

Checks if this value is equivalent to the given key.

impl<Q, K> Equivalent<K> for Q
where Q: Eq + ?Sized, K: Borrow<Q> + ?Sized,

fn equivalent(&self, key: &K) -> bool

Compare self to key and return true if they are equal.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> ToOwned for T
where T: Clone,

type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning.

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<T> DeserializeOwned for T
where T: for<'de> Deserialize<'de>,