ClearBlue
Public Types

| Type | Member |
| --- | --- |
| enum | SiteType { ST_Return = 1 << 0, ST_Call = 1 << 1, ST_Sink = 1 << 2, ST_Others = 1 << 3 } |
| enum | VulnerabilityCategoryType { VCT_Begin, VCT_SinkMustReach, VCT_SinkMustNotReach, VCT_Taint, VCT_End } |
| typedef std::pair< const SEGOperandNode *, const SEGSiteBase * > | ValueSitePairType |

Public Member Functions

| Return type | Member | Brief description |
| --- | --- | --- |
| virtual void | setSources (const SymbolicExprGraph *SEG, std::vector< ValueSitePairType > &Sources)=0 | |
| virtual void | setPrerequisites (SymbolicExprGraphSolver *Solver, const SEGSiteBase *CurrSite, const VulnerabilityTraceBuilder &TraceHistory, SMTExprVec &Prerequisites)=0 | |
| virtual bool | checkNode (const SEGNodeBase *CurrNode, const VulnerabilityTraceBuilder &TraceHistory) | |
| virtual SiteType | checkSite (const SEGSiteBase *CurrSite, const VulnerabilityTraceBuilder &TraceHistory)=0 | |
| virtual bool | checkTrace (std::shared_ptr< VulnerabilityTrace > &Trace) | |
| VulnerabilityCategoryType | getCategoryType () const | |
| bool | isParasitical () const | |
| void | setParasitical (bool B) | |
| const char * | getDescription () | Return the description of the vulnerability. |
| BugDescription::BugImportance | getImportance () const | |
| BugDescription::BugClassification | getClassification () const | |
| const char * | getName () | Return the name of the vulnerability. |
| virtual PSAReportDecoratorDefault * | allocNewDecorator () | |
| virtual void | destroyDecorator (PSAReportDecoratorDefault *decorator) | |
| virtual void | getAnalysisUsage (AnalysisUsage &AU) | |
| virtual void | initializeAnalysis (Pass *P) | |
typedef std::pair<const SEGOperandNode *, const SEGSiteBase *> Vulnerability::ValueSitePairType |
This type describes that a value is used or defined at some site. For a constant value that does not need to be defined, use nullptr as the definition site.
enum Vulnerability::SiteType
The type of a use site for a vulnerability:
- ST_Others: an insensitive use site
- ST_Return: the use site is a return inst
- ST_Call: the use site is a call inst
- ST_Sink: the use site is the sink of the source-sink style vulnerability
For a call site (or return site), if you regard it as a sink of a vulnerability, you should mark it as ST_Sink. If you expect to continue inter-procedural analysis from the call site (or return site), it should be marked as ST_Call (or ST_Return). If both, return ST_Call (or ST_Return) | ST_Sink.
enum Vulnerability::VulnerabilityCategoryType
It describes the types of source-sink style vulnerability.
- VCT_SinkMustReach: given a fresh value as source, if there exists some path along which the source does not reach a sink, it is a vulnerability. Here a fresh value includes a constant value, the return value of a library call, an alloca instruction, etc.
- VCT_SinkMustNotReach: given a fresh value as source, if the source reaches a sink along some path, it is considered a vulnerability.
- VCT_Taint: similar to VCT_SinkMustNotReach, but the source is not required to be a fresh value. Besides, if a pointer, e.g. ptr, is regarded as a source, *ptr is also regarded as a source.
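An added, stand-alone C++ model of the two enums above (not ClearBlue's own engine): each site carries the SiteType bits that checkSite() would return, and isVulnerable() applies the VCT_SinkMustReach versus VCT_SinkMustNotReach / VCT_Taint rules to every value-flow path from a source, including a site marked ST_Call | ST_Sink, which counts as a sink and still keeps the walk going. The graph structure and the site names used with it are assumptions.

```cpp
#include <map>
#include <set>
#include <string>
#include <vector>

// Added illustration of the Vulnerability category and site-type semantics, not ClearBlue's
// own engine. The two enums are copied from the class reference; the graph model is an assumption.
enum SiteType { ST_Return = 1 << 0, ST_Call = 1 << 1, ST_Sink = 1 << 2, ST_Others = 1 << 3 };
enum VulnerabilityCategoryType { VCT_Begin, VCT_SinkMustReach, VCT_SinkMustNotReach, VCT_Taint, VCT_End };

// Toy value-flow graph: Succ gives the sites a value flows to next, Flags gives the SiteType
// bits that checkSite() would return for a site (absent means ST_Others).
struct ValueFlowGraph {
  std::map<std::string, std::vector<std::string>> Succ;
  std::map<std::string, int> Flags;
};

struct PathSummary { bool SomePathHitsSink = false; bool SomePathMissesSink = false; };

// Enumerate the acyclic paths from N. Hit records whether this path already reached a sink.
static void walk(const ValueFlowGraph &G, const std::string &N, bool Hit,
                 std::set<std::string> &OnPath, PathSummary &S) {
  auto FI = G.Flags.find(N);
  int F = FI == G.Flags.end() ? ST_Others : FI->second;
  if (F & ST_Sink) { Hit = true; S.SomePathHitsSink = true; }
  // A plain ST_Sink ends the trace; ST_Call | ST_Sink (or ST_Return | ST_Sink) also continues
  // the inter-procedural walk, as the SiteType documentation describes.
  bool Continue = !(F & ST_Sink) || (F & (ST_Call | ST_Return));
  auto SI = G.Succ.find(N);
  if (!Continue || SI == G.Succ.end() || SI->second.empty()) {
    if (!Hit) S.SomePathMissesSink = true;   // the value flow ended without ever meeting a sink
    return;
  }
  OnPath.insert(N);
  for (const auto &M : SI->second)
    if (!OnPath.count(M)) walk(G, M, Hit, OnPath, S);
  OnPath.erase(N);
}

// Report Source according to the category: must-reach bugs are paths that miss every sink,
// must-not-reach and taint bugs are paths that hit one.
bool isVulnerable(VulnerabilityCategoryType C, const ValueFlowGraph &G, const std::string &Source) {
  PathSummary S;
  std::set<std::string> OnPath;
  walk(G, Source, false, OnPath, S);
  switch (C) {
  case VCT_SinkMustReach:    return S.SomePathMissesSink;
  case VCT_SinkMustNotReach:
  case VCT_Taint:            return S.SomePathHitsSink;
  default:                   return false;
  }
}
```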
virtual bool Vulnerability::checkNode (const SEGNodeBase *CurrNode, const VulnerabilityTraceBuilder &TraceHistory)
inline virtual
Checks whether the node CurrNode can flow to a sink site along the value flow. TraceHistory represents the trace history just before reaching CurrNode.
Users can implement some analysis, loaded via Vulnerability::getAnalysisUsage and Vulnerability::initializeAnalysis, to determine early that some nodes cannot trigger the vulnerability, so that the checking process speeds up.
virtual SiteType Vulnerability::checkSite (const SEGSiteBase *CurrSite, const VulnerabilityTraceBuilder &TraceHistory)
pure virtual
Checks the type of CurrSite, given the trace history TraceHistory, which represents the trace just before reaching CurrSite.
Implemented in SailFishVulnerability.
virtual bool Vulnerability::checkTrace (std::shared_ptr< VulnerabilityTrace > &Trace)
inline virtual
Checks each node of the whole possibly vulnerable trace Trace to verify that the flow from source to sink is valid.
virtual void Vulnerability::getAnalysisUsage (AnalysisUsage &AU)
inline virtual
LLVM analyses can be declared here.
Use AnalysisUsage::addRequired() to declare which analyses will be used. All required analyses are preserved by default, so extra AnalysisUsage::addPreserved() or AnalysisUsage::setPreservesAll() calls are not necessary.
virtual void Vulnerability::initializeAnalysis (Pass *P)
inline virtual
Initializes the analysis here using P. You can declare a class member field, e.g.,
and in the function, you can initialize it as
bool Vulnerability::isParasitical () const
inline
Returns true if the vulnerability cannot exist independently, i.e. it must exist as part of a multi-vulnerability.
virtual void Vulnerability::setPrerequisites (SymbolicExprGraphSolver *Solver, const SEGSiteBase *CurrSite, const VulnerabilityTraceBuilder &TraceHistory, SMTExprVec &Prerequisites)
pure virtual
This function defines the prerequisite of this vulnerability, given the trace history and the current use site.
For example, for Null Pointer Dereference, the prerequisite is that the dereferenced pointer is nullptr; otherwise a Null Pointer Dereference cannot happen. Thus, this function should add Solver->getOrInsertExpr(TraceHistory.recentObjAs<SEGNodeBase>()) == 0 to Prerequisites; here, nullptr is modeled as 0.
Users can implement an empty function if there is no prerequisite.
Implemented in SailFishVulnerability.
virtual void Vulnerability::setSources (const SymbolicExprGraph *SEG, std::vector< ValueSitePairType > &Sources)
pure virtual
Collects a list of source nodes and their corresponding source sites. If the source site is null, the source starts at the very beginning of the function.
Users should override this function and collect the sources into Sources.
Implemented in SailFishVulnerability.