ClearBlue
|
Public Member Functions | |
SailFishVulnerability (VulnerabilityCategoryType CTy, const char *Name, const BugDescription::BugImportance Importance, const BugDescription::BugClassification Classification, const char *Desc) | |
virtual void | setSources (const SymbolicExprGraph *SEG, std::vector< ValueSitePairType > &Sources) |
virtual Vulnerability::SiteType | checkSite (const SEGSiteBase *CurrSite, const VulnerabilityTraceBuilder &TraceHistory) override |
virtual bool | isSource (SEGNodeBase *Node, SEGSiteBase *Site) |
virtual bool | isSink (SEGNodeBase *Node, SEGSiteBase *Site) |
virtual void | setPrerequisites (SymbolicExprGraphSolver *Solver, const SEGSiteBase *CurrSite, const VulnerabilityTraceBuilder &TraceHistory, SMTExprVec &Prerequisites) override |
virtual void | transfer (const SEGSiteBase *Site, const SEGNodeBase *Arg, std::vector< const SEGNodeBase * > &TransferDsts) |
Public Member Functions inherited from Vulnerability | |
virtual bool | checkNode (const SEGNodeBase *CurrNode, const VulnerabilityTraceBuilder &TraceHistory) |
virtual bool | finalCheck (const VulnerabilityTraceBuilder &TraceHistory) |
virtual void | ConstantCheck (const SymbolicExprGraph *SEG, std::list< shared_ptr< VulnerabilityTrace >> &AllTraces) |
virtual bool | isFlowInsensitive () |
virtual bool | checkTrace (std::shared_ptr< VulnerabilityTrace > &Trace) |
VulnerabilityCategoryType | getCategoryType () const |
bool | isParasitical () const |
void | setParasitical (bool B) |
const char * | getDescription () |
Return the description of the vulnerability. | |
BugDescription::BugImportance | getImportance () const |
BugDescription::BugClassification | getClassification () const |
const char * | getName () |
Return the name of the vulnerability. | |
virtual PSAReportDecoratorDefault * | allocNewDecorator () |
virtual void | destroyDecorator (PSAReportDecoratorDefault *decorator) |
virtual void | getAnalysisUsage (AnalysisUsage &AU) |
virtual void | initializeAnalysis (Pass *P) |
Static Public Member Functions | |
static bool | classof (const Vulnerability *vuln) |
Additional Inherited Members | |
Public Types inherited from Vulnerability | |
enum | SiteType { ST_Return = 1 << 0, ST_Call = 1 << 1, ST_Sink = 1 << 2, ST_Others = 1 << 3 } |
enum | VulnerabilityCategoryType { VCT_Begin, VCT_SinkMustReach, VCT_SinkMustNotReach, VCT_Taint, VCT_End } |
typedef std::pair< const SEGOperandNode *, const SEGSiteBase * > | ValueSitePairType |
|
inlineoverridevirtual |
Checking the type of CurrSite
, given the trace history TraceHistory
, which represents the trace just before reaching CurrSite
.
Implements Vulnerability.
|
inlineoverridevirtual |
This function defines the prerequisite of this vulnerability, given the trace history and current use site.
For example, for Null Pointer Dereference, the prerequisite is the dereference pointer should be nullptr, otherwise Null Pointer Dereference cannot happen. Thus, this function should add Solver->getOrInsertExpr
(TraceHistory.recentObjAs<SEGNodeBase>()) == 0 to Prerequisites
; here, nullptr is modeled as 0.
Users can implement an empty function, if there is no prerequisite.
Implements Vulnerability.
|
inlinevirtual |
Collecting a list of source nodes and corresponding source sites If the source site is null, it means it starts at the very beginning of the function.
Users should override the function, and collecting sources into Sources
Implements Vulnerability.
|
inlinevirtual |
It add the destination nodes, which may get tainted data from Arg
at Site
, into TransferDsts
For example, If Site
is void* ret = memcpy(dst, src, n) and Arg
is src, then we may the ret and dst to TransferDsts
.