Re: [abc-users] tracematches on local variables

From: Thiago Bartolomei <thiagobart_at_gmail.com>
Date: Sun, 23 Nov 2008 10:20:57 -0500

Hi,

I don't get how this pointcut could ever work:

sym input after returning (from) :
       call(Data DataFactory.makeData(String)) && call(*
*.markAsTainted(..));

This is saying that there should be a call to makeData that at the same time
is a call to markAsTainted, isn't it? Or am I missing something?

Cheers,
Thiago

2008/11/23 Kazunori Kawauchi <kazu_at_graco.c.u-tokyo.ac.jp>

> Hi,
>
> I'm Kazunori Kawauchi, a doctoral student supervised by Dr. Hidehiko
> Masuhara at the University of Tokyo.
>
> I am attempting to implement a "dataflow pointcut", which is analogous to "taint
> mode" in Perl, by using tracematches (included in abc 1.3.0) to implement "taint bit
> propagation". But some propagations on local variables don't work.
>
> I define the following tracematch:
>
> tracematch (Data from, Data to) {
> sym input after returning (from) :
> call(Data DataFactory.makeData(String)) && call(*
> *.markAsTainted(..));
> sym propagation after returning (to) :
> call(Data Data.filter()) && target(from);
>
> input propagation+ {
> System.out.println(" DEBUG: propagation from " + from + " to " +
> to);
> markAsTainted(to); // (Identity function)
> }
> }
>
> Then I define an application program too (I'll show an excerpt of the
> program):
>
> Data d = DataFactory.makeData("Tainted");
> d = d.filter(); // I would like to propagate a 'taint bit'
>
> But the above tracematch body (i.e., taint bit propagation) isn't executed.
>
> I found suspicious instructions in the woven bytecode:
> 61: aload_0
> 62: invokevirtual #43; //Method app/Data.filter:()Lapp/Data;
> 65: astore_0
> 66: goto 84
> (snip)
> 84: aload_1
> 85: invokevirtual #34; //Method
> tracematches/SampleTM.beforeafter$3:()V
> 88: aload_1
> 89: aload_0
> 90: aload_0
> 91: invokevirtual #14; //Method
> tracematches/SampleTM.afterReturning$2:(Lapp/Data;Lapp/Data;)V
> Local variable "d" is allocated to #0, and an aspect instance to #1.
> Instruction 65 ("astore_0") overwrites the old value of 'd' (i.e., 'from') with
> the filtered value of 'd' (i.e., 'to'), and instruction 91 ("invokevirtual")
> takes the filtered value as the value bound to 'from' in the tracematch body,
> doesn't it?
> Is this correct behavior in terms of tracematch semantics?
>
> I also found that taint bit propagation occurs with the following modification:
> Data d = DataFactory.makeData("Tainted");
> Data new_d = d.filter();
> In this case, the value bound to 'new_d' is marked as tainted.
>
> Thank you for your help in this matter.
>
> Regards,
>
> Kazunori Kawauchi
> kazu_at_graco.c.u-tokyo.ac.jp
>
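The binding problem Kawauchi describes, as an added example in plain Python (not code from abc or from either poster). It imitates the two symbols of the quoted tracematch: "input" binds `from` to the value returned by makeData, "propagation" binds `from` again through target(from), and the body runs only when both bindings are the same object. It assumes the input symbol matched (setting aside the `call && call` objection above) so that only the local-variable overwrite is in play.

```python
"""Model of why the tracematch body never runs for `d = d.filter()`."""


class Data:
    def __init__(self, text: str) -> None:
        self.text = text
        self.tainted = False  # the "taint bit" carried by each object

    def filter(self) -> "Data":
        # Returns a fresh object, as in the thread (d.filter() yields a new Data)
        return Data(self.text)


def make_data(text: str) -> Data:
    return Data(text)


def mark_as_tainted(d: Data) -> Data:
    d.tainted = True
    return d


def propagate(input_from: Data, target_from: Data, to: Data) -> bool:
    """Tracematch body: runs only when the two `from` bindings agree."""
    if target_from is input_from:
        mark_as_tainted(to)  # markAsTainted(to), the identity function
    return to.tainted


def same_variable(read_target_after_store: bool) -> bool:
    """`d = d.filter()`: the result overwrites the local that held `from`."""
    d = mark_as_tainted(make_data("Tainted"))  # sym input binds from = d
    input_from = d
    receiver = d  # what target(from) should bind: the receiver of filter()
    d = receiver.filter()  # astore_0 overwrites the old value of d
    # The woven code in the thread loads `from` from local 0 *after* the
    # store, so it sees the filtered value instead of the receiver.
    target_from = d if read_target_after_store else receiver
    return propagate(input_from, target_from, d)


def fresh_variable() -> bool:
    """`Data new_d = d.filter()`: local `d` keeps the original value."""
    d = mark_as_tainted(make_data("Tainted"))
    new_d = d.filter()
    return propagate(d, d, new_d)  # local 0 still holds `from`, so it matches
```

With the receiver captured at the call (`read_target_after_store=False`) the bindings agree and the taint reaches the filtered value; reading the local after the store loses it.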
Received on Sun Nov 23 2008 - 15:21:01 GMT

This archive was generated by hypermail 2.2.0 : Sun Nov 23 2008 - 15:30:13 GMT