ClearBlue
Public Member Functions | Static Public Member Functions
SailFishVulnerability Class Reference
Inheritance diagram for SailFishVulnerability:
Inheritance graph
[legend]
Collaboration diagram for SailFishVulnerability:
Collaboration graph
[legend]

Public Member Functions

 SailFishVulnerability (VulnerabilityCategoryType CTy, const char *Name, const BugDescription::BugImportance Importance, const BugDescription::BugClassification Classification, const char *Desc)
 
virtual void setSources (const SymbolicExprGraph *SEG, std::vector< ValueSitePairType > &Sources)
 
virtual Vulnerability::SiteType checkSite (const SEGSiteBase *CurrSite, const VulnerabilityTraceBuilder &TraceHistory) override
 
virtual bool isSource (SEGNodeBase *Node, SEGSiteBase *Site)
 
virtual bool isSink (SEGNodeBase *Node, SEGSiteBase *Site)
 
virtual void setPrerequisites (SymbolicExprGraphSolver *Solver, const SEGSiteBase *CurrSite, const VulnerabilityTraceBuilder &TraceHistory, SMTExprVec &Prerequisites) override
 
virtual void transfer (const SEGSiteBase *Site, const SEGNodeBase *Arg, std::vector< const SEGNodeBase * > &TransferDsts)
 
- Public Member Functions inherited from Vulnerability
virtual bool checkNode (const SEGNodeBase *CurrNode, const VulnerabilityTraceBuilder &TraceHistory)
 
virtual bool finalCheck (const VulnerabilityTraceBuilder &TraceHistory)
 
virtual void ConstantCheck (const SymbolicExprGraph *SEG, std::list< shared_ptr< VulnerabilityTrace >> &AllTraces)
 
virtual bool isFlowInsensitive ()
 
virtual bool checkTrace (std::shared_ptr< VulnerabilityTrace > &Trace)
 
VulnerabilityCategoryType getCategoryType () const
 
bool isParasitical () const
 
void setParasitical (bool B)
 
const char * getDescription ()
 Return the description of the vulnerability.
 
BugDescription::BugImportance getImportance () const
 
BugDescription::BugClassification getClassification () const
 
const char * getName ()
 Return the name of the vulnerability.
 
virtual PSAReportDecoratorDefault * allocNewDecorator ()
 
virtual void destroyDecorator (PSAReportDecoratorDefault *decorator)
 
virtual void getAnalysisUsage (AnalysisUsage &AU)
 
virtual void initializeAnalysis (Pass *P)
 

Static Public Member Functions

static bool classof (const Vulnerability *vuln)
 

Additional Inherited Members

- Public Types inherited from Vulnerability
enum  SiteType { ST_Return = 1 << 0, ST_Call = 1 << 1, ST_Sink = 1 << 2, ST_Others = 1 << 3 }
 
enum  VulnerabilityCategoryType {
  VCT_Begin, VCT_SinkMustReach, VCT_SinkMustNotReach, VCT_Taint,
  VCT_End
}
 
typedef std::pair< const SEGOperandNode *, const SEGSiteBase * > ValueSitePairType
 

Member Function Documentation

◆ checkSite()

virtual Vulnerability::SiteType SailFishVulnerability::checkSite ( const SEGSiteBase CurrSite,
const VulnerabilityTraceBuilder &  TraceHistory 
)
inlineoverridevirtual

Checking the type of CurrSite, given the trace history TraceHistory, which represents the trace just before reaching CurrSite.

Implements Vulnerability.

◆ setPrerequisites()

virtual void SailFishVulnerability::setPrerequisites ( SymbolicExprGraphSolver Solver,
const SEGSiteBase CurrSite,
const VulnerabilityTraceBuilder &  TraceHistory,
SMTExprVec &  Prerequisites 
)
inlineoverridevirtual

This function defines the prerequisite of this vulnerability, given the trace history and current use site.

For example, for Null Pointer Dereference, the prerequisite is the dereference pointer should be nullptr, otherwise Null Pointer Dereference cannot happen. Thus, this function should add Solver->getOrInsertExpr(TraceHistory.recentObjAs<SEGNodeBase>()) == 0 to Prerequisites; here, nullptr is modeled as 0.

Users can implement an empty function, if there is no prerequisite.

Implements Vulnerability.

◆ setSources()

virtual void SailFishVulnerability::setSources ( const SymbolicExprGraph SEG,
std::vector< ValueSitePairType > &  Sources 
)
inlinevirtual

Collecting a list of source nodes and corresponding source sites If the source site is null, it means it starts at the very beginning of the function.

Users should override the function, and collecting sources into Sources

Implements Vulnerability.

◆ transfer()

virtual void SailFishVulnerability::transfer ( const SEGSiteBase Site,
const SEGNodeBase Arg,
std::vector< const SEGNodeBase * > &  TransferDsts 
)
inlinevirtual

It add the destination nodes, which may get tainted data from Arg at Site, into TransferDsts For example, If Site is void* ret = memcpy(dst, src, n) and Arg is src, then we may the ret and dst to TransferDsts.


The documentation for this class was generated from the following file: