M> hi,
M> I would like to know how this code can be interpreted by bitblaze :
M> int main(int argc, char **argv)
M> {
M> int x;
M> int z;
M> int y;
M> scanf("%d", &x);
M> if (x != 5)
M> y=x;
M> else
M> y=z;
M> }
M> And which decision taken by STP? which path will be taken? which
M> variables will be tainted?
I'm a little unclear on the motivation behind this question.
Have you tried running this example through a BitBlaze tool yourself?
It seems like the kind of simple example that would most be useful for
learning how the tools work, but if that is your goal I'd think it
would be better served by using the tools yourself. Maybe even better
would be to study how the tools work based on the papers and
documentation, and predict the answers to the questions you ask above,
and then run the tools and see whether your predictions were right.
(This example is in fact quite similar to the one that's used in the
tutorial sections of the TEMU and Vine manuals, so there's step by
step instructions on how to run it.)
As a starting point for thinking about this, let me point out that
several of the questions you ask are incomplete, since their answers
depend not just on the program but on other choices you haven't
mentioned. For instance the path a program takes when you execute it
depends on what inputs you give it, and the results of dynamic taint
analysis further depend on what parts of that input you mark as
tainted.
Hope this helps,
-- Stephen
M> I want to know if the taint mechanism depends only of the input
M> data? In the code below if x=3, only y will be tainted? or z too?
M> int main(int argc, char **argv)
M> {
M> int x;
M> int z;
M> int y;
M> scanf("%d", &x);
M> if (x != 5)
M> y=x;
M> else
M> z=x;
M> }
M> I would know if bitblaze take account of the dependencies of
M> control flow independently of the branche executed?
M> That's mean since x is tainted then y and z must be tainted?
Ah, okay, I think I understand your question better now. I still think
that if you have a question of the form "what would TEMU/Vine do if I
gave it a program like this?" you should try the experiment yourself
rather than merely asking others to speculate on it, but I can explain
some of the principles involved.
The taint mechanism implemented in TEMU is dynamic taint analysis,
which means that its tainting results are based on the instructions
that were actually executed in a given trace. For instance in your
example, when the statement "z=x" is not executed, there will be no
taint propagated to "z". (In an extreme case, you could imagine that
the instructions for the "else" branch were on a different page of the
binary that was never even loaded into memory on the execution TEMU
observed.)
It is the case in an example like this that the value of "z" depends
in some sense on the value of "x": for instance, if you saw that "z"
had not been modified, you could infer that "x" was not 5. So for some
applications you might want it to be tainted. Situations like this are
called "implicit flow", and it's a subject of ongoing research the
best way to include them in a tainting system without causing too many
other things to be tainted. A couple of our papers in this area that
you can find on the BitBlaze web site include:
"Measuring Channel Capacity to Distinguish Undue Influence"
James Newsome, Stephen McCamant, and Dawn Song. In Proceedings of the
Fourth ACM SIGPLAN Workshop on Programming Languages and Analysis for
Security, June 2009.
"DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation"
Min Gyung Kang, Stephen McCamant, Pongsin Poosankam, and Dawn Song. In
Proceedings of the 18th Annual Network and Distributed System Security
Symposium, February 2011.