Add taint to Memory

mamaria-k · mamaria-k · commit 202f6cfabbea · 2024-05-26T02:13:10.000+03:00
diff --git a/lib/Core/Memory.cpp b/lib/Core/Memory.cpp
@@ -110,40 +110,46 @@ ObjectState::ObjectState(const MemoryObject *mo, const Array *array, KType *dt)
     : copyOnWriteOwner(0), object(mo), valueOS(ObjectStage(array, nullptr)),
       baseOS(ObjectStage(array->size, Expr::createPointer(0), false,
                          Context::get().getPointerWidth())),
+      taintOS(ObjectStage(array->size, Expr::createEmptyTaint(), false, Expr::TaintWidth)),
       lastUpdate(nullptr), size(array->size), dynamicType(dt), readOnly(false) {
   baseOS.initializeToZero();
+  taintOS.initializeToZero();
 }
 
 ObjectState::ObjectState(const MemoryObject *mo, KType *dt)
     : copyOnWriteOwner(0), object(mo),
       valueOS(ObjectStage(mo->getSizeExpr(), nullptr)),
       baseOS(ObjectStage(mo->getSizeExpr(), Expr::createPointer(0), false,
                          Context::get().getPointerWidth())),
+      taintOS(ObjectStage(mo->getSizeExpr(), Expr::createEmptyTaint(), false, Expr::TaintWidth)),
       lastUpdate(nullptr), size(mo->getSizeExpr()), dynamicType(dt),
       readOnly(false) {
   baseOS.initializeToZero();
+  taintOS.initializeToZero();
 }
 
 ObjectState::ObjectState(const ObjectState &os)
     : copyOnWriteOwner(0), object(os.object), valueOS(os.valueOS),
-      baseOS(os.baseOS), lastUpdate(os.lastUpdate), size(os.size),
-      dynamicType(os.dynamicType), readOnly(os.readOnly),
+      baseOS(os.baseOS), taintOS(os.taintOS), lastUpdate(os.lastUpdate),
+      size(os.size), dynamicType(os.dynamicType), readOnly(os.readOnly),
       wasWritten(os.wasWritten) {}
 
 /***/
 
 void ObjectState::initializeToZero() {
   valueOS.initializeToZero();
   baseOS.initializeToZero();
+  taintOS.initializeToZero();
 }
 
 ref<Expr> ObjectState::read8(unsigned offset) const {
   ref<Expr> val = valueOS.readWidth(offset);
   ref<Expr> base = baseOS.readWidth(offset);
-  if (base->isZero()) {
+  ref<Expr> taint = taintOS.readWidth(offset);
+  if (base->isZero() && taint->isZero()) {
     return val;
   } else {
-    return PointerExpr::create(base, val);
+    return PointerExpr::create(base, val, taint);
   }
 }
 
@@ -155,6 +161,10 @@ ref<Expr> ObjectState::readBase8(unsigned offset) const {
   return baseOS.readWidth(offset);
 }
 
+ref<Expr> ObjectState::readTaint8(unsigned offset) const {
+  return taintOS.readWidth(offset);
+}
+
 ref<Expr> ObjectState::read8(ref<Expr> offset) const {
   assert(!isa<ConstantExpr>(offset) &&
          "constant offset passed to symbolic read8");
@@ -177,10 +187,11 @@ ref<Expr> ObjectState::read8(ref<Expr> offset) const {
   }
   ref<Expr> val = valueOS.readWidth(offset);
   ref<Expr> base = baseOS.readWidth(offset);
-  if (base->isZero()) {
+  ref<Expr> taint = taintOS.readWidth(offset);
+  if (base->isZero() && taint->isZero()) {
     return val;
   } else {
-    return PointerExpr::create(base, val);
+    return PointerExpr::create(base, val, taint);
   }
 }
 
@@ -230,21 +241,48 @@ ref<Expr> ObjectState::readBase8(ref<Expr> offset) const {
   return baseOS.readWidth(offset);
 }
 
+ref<Expr> ObjectState::readTaint8(ref<Expr> offset) const {
+  assert(!isa<ConstantExpr>(offset) &&
+         "constant offset passed to symbolic read8");
+
+  if (object) {
+    if (ref<ConstantExpr> sizeExpr =
+            dyn_cast<ConstantExpr>(object->getSizeExpr())) {
+      auto moSize = sizeExpr->getZExtValue();
+      if (object && moSize > 4096) {
+        std::string allocInfo;
+        object->getAllocInfo(allocInfo);
+        klee_warning_once(nullptr,
+                          "Symbolic memory access will send the following "
+                          "array of %lu bytes to "
+                          "the constraint solver -- large symbolic arrays may "
+                          "cause significant "
+                          "performance issues: %s",
+                          moSize, allocInfo.c_str());
+      }
+    }
+  }
+  return taintOS.readWidth(offset);
+}
+
 void ObjectState::write8(unsigned offset, uint8_t value) {
   valueOS.writeWidth(offset, value);
   baseOS.writeWidth(offset,
                     ConstantExpr::create(0, Context::get().getPointerWidth()));
+  taintOS.writeWidth(offset, Expr::createEmptyTaint());
 }
 
 void ObjectState::write8(unsigned offset, ref<Expr> value) {
   wasWritten = true;
   if (auto pointer = dyn_cast<PointerExpr>(value)) {
     valueOS.writeWidth(offset, pointer->getValue());
     baseOS.writeWidth(offset, pointer->getBase());
+    taintOS.writeWidth(offset, pointer->getTaint());
   } else {
     valueOS.writeWidth(offset, value);
     baseOS.writeWidth(
         offset, ConstantExpr::create(0, Context::get().getPointerWidth()));
+    taintOS.writeWidth(offset, Expr::createEmptyTaint());
   }
 }
 
@@ -272,17 +310,22 @@ void ObjectState::write8(ref<Expr> offset, ref<Expr> value) {
   if (auto pointer = dyn_cast<PointerExpr>(value)) {
     valueOS.writeWidth(offset, pointer->getValue());
     baseOS.writeWidth(offset, pointer->getBase());
+    taintOS.writeWidth(offset, pointer->getTaint());
   } else {
     valueOS.writeWidth(offset, value);
     baseOS.writeWidth(
         offset, ConstantExpr::create(0, Context::get().getPointerWidth()));
+    taintOS.writeWidth(offset, Expr::createEmptyTaint());
   }
 }
 
 void ObjectState::write(ref<const ObjectState> os) {
   wasWritten = true;
+
   valueOS.write(os->valueOS);
   baseOS.write(os->baseOS);
+  taintOS.write(os->taintOS);
+
   lastUpdate = os->lastUpdate;
 }
 
@@ -295,20 +338,22 @@ ref<Expr> ObjectState::read(ref<Expr> offset, Expr::Width width) const {
 
   ref<Expr> val = readValue(offset, width);
   ref<Expr> base = readBase(offset, width);
-  if (base->isZero()) {
+  ref<Expr> taint = readTaint(offset, width);
+  if (base->isZero() && taint->isZero()) {
     return val;
   } else {
-    return PointerExpr::create(base, val);
+    return PointerExpr::create(base, val, taint);
   }
 }
 
 ref<Expr> ObjectState::read(unsigned offset, Expr::Width width) const {
   ref<Expr> val = readValue(offset, width);
   ref<Expr> base = readBase(offset, width);
-  if (base->isZero()) {
+  ref<Expr> taint = readTaint(offset, width);
+  if (base->isZero() && taint->isZero()) {
     return val;
   } else {
-    return PointerExpr::create(base, val);
+    return PointerExpr::create(base, val, taint);
   }
 }
 
@@ -368,10 +413,6 @@ ref<Expr> ObjectState::readBase(ref<Expr> offset, Expr::Width width) const {
   if (width == Expr::Bool)
     return ExtractExpr::create(readBase8(offset), 0, Expr::Bool);
 
-  // Treat bool specially, it is the only non-byte sized write we allow.
-  if (width == Expr::Bool)
-    return ExtractExpr::create(readBase8(offset), 0, Expr::Bool);
-
   // Otherwise, follow the slow general case.
   unsigned NumBytes = width / 8;
   assert(width == NumBytes * 8 && "Invalid read size!");
@@ -416,6 +457,52 @@ ref<Expr> ObjectState::readBase(unsigned offset, Expr::Width width) const {
   return Res;
 }
 
+ref<Expr> ObjectState::readTaint(ref<Expr> offset, Expr::Width width) const {
+  // Truncate offset to 32-bits.
+  offset = ZExtExpr::create(offset, Expr::Int32);
+
+  // Check for reads at constant offsets.
+  if (ConstantExpr *CE = dyn_cast<ConstantExpr>(offset))
+    return readTaint(CE->getZExtValue(32), width);
+
+  // Treat bool specially, it is the only non-byte sized write we allow.
+  if (width == Expr::Bool)
+    return ExtractExpr::create(readTaint8(offset), 0, Expr::Bool);
+
+  // Otherwise, follow the slow general case.
+  unsigned NumBytes = width / 8;
+  assert(width == NumBytes * 8 && "Invalid read size!");
+  ref<Expr> Res(0);
+  ref<Expr> null = Expr::createPointer(0);
+  for (unsigned i = 0; i != NumBytes; ++i) {
+    unsigned idx = Context::get().isLittleEndian() ? i : (NumBytes - i - 1);
+    ref<Expr> Byte = readTaint8(
+        AddExpr::create(offset, ConstantExpr::create(idx, Expr::Int32)));
+    Res = i ? OrExpr::create(Byte, Res) : Byte;
+  }
+
+  return Res;
+}
+
+ref<Expr> ObjectState::readTaint(unsigned offset, Expr::Width width) const {
+  // Treat bool specially, it is the only non-byte sized write we allow.
+  if (width == Expr::Bool)
+    return ExtractExpr::create(readTaint8(offset), 0, Expr::Bool);
+
+  // Otherwise, follow the slow general case.
+  unsigned NumBytes = width / 8;
+  assert(width == NumBytes * 8 && "Invalid width for read size!");
+  ref<Expr> Res(0);
+  ref<Expr> null = Expr::createPointer(0);
+  for (unsigned i = 0; i != NumBytes; ++i) {
+    unsigned idx = Context::get().isLittleEndian() ? i : (NumBytes - i - 1);
+    ref<Expr> Byte = readTaint8(offset + idx);
+    Res = i ? OrExpr::create(Byte, Res) : Byte;
+  }
+
+  return Res;
+}
+
 void ObjectState::write(ref<Expr> offset, ref<Expr> value) {
   // Truncate offset to 32-bits.
   offset = ZExtExpr::create(offset, Expr::Int32);
@@ -516,6 +603,8 @@ void ObjectState::print() const {
   valueOS.print();
   llvm::errs() << "\tOffset ObjectStage:\n";
   baseOS.print();
+  llvm::errs() << "\tTaint ObjectStage:\n";
+  taintOS.print();
 }
 
 KType *ObjectState::getDynamicType() const { return dynamicType; }
diff --git a/lib/Core/Memory.h b/lib/Core/Memory.h
@@ -267,6 +267,11 @@ class ObjectStage {
   }
   void initializeToZero();
 
+  void reset(ref<Expr> newDefault) {
+    knownSymbolics->reset(std::move(newDefault));
+    unflushedMask->reset(false);
+  }
+
 private:
   const UpdateList &getUpdates() const;
 
@@ -291,6 +296,7 @@ class ObjectState {
 
   ObjectStage valueOS;
   ObjectStage baseOS;
+  ObjectStage taintOS;
 
   ref<UpdateNode> lastUpdate;
 
@@ -318,7 +324,8 @@ class ObjectState {
   void initializeToZero();
 
   size_t getSparseStorageEntries() {
-    return valueOS.getSparseStorageEntries() + baseOS.getSparseStorageEntries();
+    return valueOS.getSparseStorageEntries() +
+           baseOS.getSparseStorageEntries() + taintOS.getSparseStorageEntries();
   }
 
   void swapObjectHack(MemoryObject *mo) { object = mo; }
@@ -328,10 +335,13 @@ class ObjectState {
   ref<Expr> read8(unsigned offset) const;
   ref<Expr> readValue(ref<Expr> offset, Expr::Width width) const;
   ref<Expr> readBase(ref<Expr> offset, Expr::Width width) const;
+  ref<Expr> readTaint(ref<Expr> offset, Expr::Width width) const;
   ref<Expr> readValue(unsigned offset, Expr::Width width) const;
   ref<Expr> readBase(unsigned offset, Expr::Width width) const;
+  ref<Expr> readTaint(unsigned offset, Expr::Width width) const;
   ref<Expr> readValue8(unsigned offset) const;
   ref<Expr> readBase8(unsigned offset) const;
+  ref<Expr> readTaint8(unsigned offset) const;
 
   void write(unsigned offset, ref<Expr> value);
   void write(ref<Expr> offset, ref<Expr> value);
@@ -347,10 +357,13 @@ class ObjectState {
 
   KType *getDynamicType() const;
 
+  void resetTaint(ref<Expr> newTaint) { taintOS.reset(std::move(newTaint)); }
+
 private:
   ref<Expr> read8(ref<Expr> offset) const;
   ref<Expr> readValue8(ref<Expr> offset) const;
   ref<Expr> readBase8(ref<Expr> offset) const;
+  ref<Expr> readTaint8(ref<Expr> offset) const;
   void write8(unsigned offset, ref<Expr> value);
   void write8(ref<Expr> offset, ref<Expr> value);
 };
diff --git a/lib/Core/SpecialFunctionHandler.cpp b/lib/Core/SpecialFunctionHandler.cpp
@@ -1253,6 +1253,10 @@ void SpecialFunctionHandler::handleCheckTaintSource(
                "klee_check_taint_source(void*, size_t)");
     return;
   }
+
+//  uint64_t taintSource = dyn_cast<ConstantExpr>(arguments[1])->getZExtValue();
+//  executor.executeCheckTaintSource(state, target,
+//                                   executor.makePointer(arguments[0]), taintSource);
 }
 
 void SpecialFunctionHandler::handleGetTaintRule(
@@ -1265,9 +1269,13 @@ void SpecialFunctionHandler::handleGetTaintRule(
     return;
   }
 
-  // TODO: now mock
+//  // TODO: now mock
   ref<Expr> result = ConstantExpr::create(1, Expr::Int64);
   executor.bindLocal(target, state, result);
+
+//  uint64_t taintSink = dyn_cast<ConstantExpr>(arguments[1])->getZExtValue();
+//  executor.executeGetTaintRule(state, target,
+//                               executor.makePointer(arguments[0]), taintSink);
 }
 
 void SpecialFunctionHandler::handleTaintHit(klee::ExecutionState &state,
@@ -1279,8 +1287,7 @@ void SpecialFunctionHandler::handleTaintHit(klee::ExecutionState &state,
     return;
   }
 
-//  printf("klee_taint_hit for rule: %s\n", arguments[0]->toString().c_str());
-
-  executor.terminateStateOnTargetTaintError(
-      state, dyn_cast<ConstantExpr>(arguments[0])->getZExtValue());
+  uint64_t ruleId = dyn_cast<ConstantExpr>(arguments[0])->getZExtValue();
+//  printf("klee_taint_hit for rule: %zu\n", ruleId);
+  executor.terminateStateOnTargetTaintError(state, ruleId);
 }

Original file line number	Diff line number	Diff line change
`@@ -1253,6 +1253,10 @@ void SpecialFunctionHandler::handleCheckTaintSource(`
`1253`	`1253`	`"klee_check_taint_source(void*, size_t)");`
`1254`	`1254`	`return;`
`1255`	`1255`	`}`
	`1256`	`+`
	`1257`	`+// uint64_t taintSource = dyn_cast<ConstantExpr>(arguments[1])->getZExtValue();`
	`1258`	`+// executor.executeCheckTaintSource(state, target,`
	`1259`	`+// executor.makePointer(arguments[0]), taintSource);`
`1256`	`1260`	`}`
`1257`	`1261`
`1258`	`1262`	`void SpecialFunctionHandler::handleGetTaintRule(`
`@@ -1265,9 +1269,13 @@ void SpecialFunctionHandler::handleGetTaintRule(`
`1265`	`1269`	`return;`
`1266`	`1270`	`}`
`1267`	`1271`
`1268`		`- // TODO: now mock`
	`1272`	`+// // TODO: now mock`
`1269`	`1273`	`ref<Expr> result = ConstantExpr::create(1, Expr::Int64);`
`1270`	`1274`	`executor.bindLocal(target, state, result);`
	`1275`	`+`
	`1276`	`+// uint64_t taintSink = dyn_cast<ConstantExpr>(arguments[1])->getZExtValue();`
	`1277`	`+// executor.executeGetTaintRule(state, target,`
	`1278`	`+// executor.makePointer(arguments[0]), taintSink);`
`1271`	`1279`	`}`
`1272`	`1280`
`1273`	`1281`	`void SpecialFunctionHandler::handleTaintHit(klee::ExecutionState &state,`
`@@ -1279,8 +1287,7 @@ void SpecialFunctionHandler::handleTaintHit(klee::ExecutionState &state,`
`1279`	`1287`	`return;`
`1280`	`1288`	`}`
`1281`	`1289`
`1282`		`-// printf("klee_taint_hit for rule: %s\n", arguments[0]->toString().c_str());`
`1283`		`-`
`1284`		`- executor.terminateStateOnTargetTaintError(`
`1285`		`- state, dyn_cast<ConstantExpr>(arguments[0])->getZExtValue());`
	`1290`	`+ uint64_t ruleId = dyn_cast<ConstantExpr>(arguments[0])->getZExtValue();`
	`1291`	`+// printf("klee_taint_hit for rule: %zu\n", ruleId);`
	`1292`	`+ executor.terminateStateOnTargetTaintError(state, ruleId);`
`1286`	`1293`	`}`