Tainting string data type #41

Open

misalungi opened this issue Apr 12, 2021 · 5 comments
Comments

@misalungi

misalungi commented Apr 12, 2021

Hi,

Does Taintgrind follow operations on std::string?
In my code, the data is tainted until it is converted to the string data type. After that, Taintgrind loses the flow of the data!

@wmkhoo
Owner

wmkhoo commented Apr 13, 2021

Thanks for bringing up this issue.
Could you provide a test case that demonstrates the issue?

@misalungi
Author

misalungi commented Apr 14, 2021

Here I have two modules. The first one produces random data (ebBalance). The second module sends a read request over TLM to the first one to read ebBalance.
Immediately after the data is converted to a string, the taint flow is lost.

in energyBalance module:

```cpp
// balanceGenerator() in the energyBalance module
{ ...
    ebBalance = rand() % 2000 - 1000;

    TNT_TAINT(&ebBalance, sizeof(ebBalance));
    std::cout << " data for tainting is: " << ebBalance << std::endl;

} // balanceGenerator()

void energyBalance::b_transport(int id, tlm::tlm_generic_payload& tlmPayload, sc_core::sc_time& delay)
{
    if (tlmPayload.get_command() == tlm::TLM_READ_COMMAND)
    {
        if (tlmPayload.get_address() == 0x10) {
            // hand out the address of ebBalance (not its value cast to a pointer)
            tlmPayload.set_data_ptr((unsigned char*)&ebBalance);
            tlmPayload.set_response_status(tlm::TLM_OK_RESPONSE);
        }
    }
}
```

in the second module:

```cpp
// response handling in the second module
{ ...
    if (tlmPayload.get_response_status() == tlm::TLM_OK_RESPONSE)
    {
        // read the int through the data pointer set by energyBalance
        int receivedEB = *(int*)(tlmPayload.get_data_ptr());

        sEBalance = std::to_string(receivedEB);   // data after here is not tainted

        std::string temp = sEBalance;             // I made this one for testing. temp is not tainted
    }
}
```

@misalungi
Author

Another issue is that when I pass string data to TNT_TAINT(&a, sizeof(a)) or to TNT_IS_TAINTED(t, &a, sizeof(a)), it raises an error.
So I have to first convert the data to int, then pass it to TNT_IS_TAINTED(t, &a, sizeof(a))!

@misalungi
Author

misalungi commented Apr 20, 2021

I think the problem is not about tainting the string data type; it is about the size of the tainted data, which changes after converting to string.
In the piece of code I mentioned above, sEBalance in the second module is tainted, but the propagation of sEBalance is not followed in the rest of the program.
To check whether Taintgrind can follow the propagation of the string data type, instead of tainting ebBalance in module 1, I passed sEBalance to the TNT_TAINT function. It followed the propagation of sEBalance through the rest of the program.
The size of ebBalance, which is an integer, is 4, and the size of sEBalance is 32.

@wmkhoo
Owner

wmkhoo commented May 5, 2021

At least for me, std::to_string is implemented by _itoa.c.

```c
const char _itoa_upper_digits[36]
  = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
...
const char *digits = (upper_case ? _itoa_upper_digits : _itoa_lower_digits);
...
*--buflim = digits[value % Base];
```

In the above, value, which is tainted, is used as an index to copy the corresponding characters into buflim. The taint will not be propagated, because pointer tainting is not implemented (see Pointer tainting).

So, yes. sEBalance will not be tainted after std::to_string. The only way is to taint it manually after std::to_string.
Thanks for raising this issue.
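A small stand-alone C++ program, added here as an illustration (it is not code from Taintgrind or from anyone in this issue), that contrasts the table-driven conversion wmkhoo describes with an arithmetic one and shows the manual re-taint workaround. It assumes `taintgrind.h` provides the `TNT_TAINT` and `TNT_IS_TAINTED` macros seen in the thread when built for Valgrind, and stubs them out otherwise so the program still builds and runs natively; `to_string_table`, `to_string_arith`, `to_string_retaint`, `string_is_tainted` and the sample value are names and data chosen for this example. `to_string_table` mirrors the `_itoa.c` lookup, so under Taintgrind its result should come back untainted; `to_string_arith` derives every output byte arithmetically from the value, so the taint should propagate; `to_string_retaint` applies the workaround from the comment above.

```cpp
// Added example, not code from Taintgrind or from this issue.
// Assumes taintgrind.h (defining TNT_TAINT / TNT_IS_TAINTED) is on the
// include path when building for Valgrind; otherwise the client requests are
// stubbed out so the program compiles and runs natively (nothing is tainted).
#include <cstddef>
#include <iostream>
#include <string>

#if defined(__has_include)
#  if __has_include("taintgrind.h")
#    include "taintgrind.h"
#    define HAVE_TAINTGRIND 1
#  endif
#endif
#ifndef HAVE_TAINTGRIND
#  define TNT_TAINT(addr, len) ((void)0)
#  define TNT_IS_TAINTED(result, addr, len) ((result) = 0)
#endif

// Digit selection by table lookup, as in glibc's _itoa.c: the output byte is a
// copy of a constant table entry and the tainted value only chooses the index.
// Taintgrind does not propagate taint through pointers/indices, so taint ends here.
static char digit_table(unsigned d) {
    static const char digits[] = "0123456789";
    return digits[d];
}

// Digit selection by arithmetic: the output byte is computed from the tainted
// value itself, so the taint propagates through the addition.
static char digit_arith(unsigned d) {
    return static_cast<char>('0' + d);
}

using DigitFn = char (*)(unsigned);

// Minimal signed int -> decimal conversion, parameterised on the digit step.
static std::string convert(int value, DigitFn digit) {
    const bool negative = value < 0;
    // Negate in unsigned arithmetic so INT_MIN is handled without overflow.
    unsigned mag = negative ? 0u - static_cast<unsigned>(value)
                            : static_cast<unsigned>(value);
    char buf[16];
    char* p = buf + sizeof(buf);
    do {
        *--p = digit(mag % 10);
        mag /= 10;
    } while (mag != 0);
    if (negative) *--p = '-';
    return std::string(p, static_cast<std::size_t>(buf + sizeof(buf) - p));
}

// Behaves like std::to_string under Taintgrind: the result loses its taint.
std::string to_string_table(int value) { return convert(value, digit_table); }

// Keeps the taint: every output byte depends arithmetically on the input.
std::string to_string_arith(int value) { return convert(value, digit_arith); }

// The workaround from the thread: convert with std::to_string, then re-taint.
// Taint the characters (&s[0], s.size()), not the std::string object itself:
// &s / sizeof(s) covers the 32-byte control block (pointer, length, local
// buffer), which is the size the issue author observed for sEBalance.
std::string to_string_retaint(int value) {
    std::string s = std::to_string(value);
    TNT_TAINT(&s[0], s.size());
    return s;
}

// Ask Taintgrind whether any character of s is tainted (always 0 when run
// natively, because the stub macro reports nothing tainted).
int string_is_tainted(const std::string& s) {
    int t = 0;
    TNT_IS_TAINTED(t, s.data(), s.size());
    return t;
}

int main() {
    int ebBalance = -958;  // constructed stand-in for rand() % 2000 - 1000
    TNT_TAINT(&ebBalance, sizeof(ebBalance));

    std::string viaTable  = to_string_table(ebBalance);
    std::string viaArith  = to_string_arith(ebBalance);
    std::string retainted = to_string_retaint(ebBalance);

    std::cout << "table:   " << viaTable  << " tainted=" << string_is_tainted(viaTable)  << '\n'
              << "arith:   " << viaArith  << " tainted=" << string_is_tainted(viaArith)  << '\n'
              << "retaint: " << retainted << " tainted=" << string_is_tainted(retainted) << '\n';
    return 0;
}
```

Built with the Taintgrind header on the include path and run under `valgrind --tool=taintgrind`, the three conversions produce the same text but only the arithmetic and re-tainted results should show up as tainted; run natively, all three report 0 because the client requests do nothing outside Valgrind.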
