Help with Taint analysis

Hello clang,

I am interested in doing taint analysis. My idea is get a complete list of all variables which are potentially influenced by outside input. Checking the mail list, I found that a way to do this is walking into GRExprEngine and his friends (SVals and MemRegion).

However, I don’t know how to start.

Thanks in advance,

Maybe a new engine, instead of using the path sensitive one(GRExprEngine)? Some work like phoenix have done using SSA & lattices?

2010/1/13 Juan Carlos Martinez Santos <>


Check out the Checker interface. Maybe you can create a new Checker, track all taint information in that Checker with a generic data mapping. Then update the taint information via the Checker::EvalCallExpr() callback. Note that GRExprEngine is path sensitive analysis. I don’t know if that is what you want.

2010/1/13 Juan Carlos Martinez Santos <>

I don’t know if clang now has a right engine for taint analysis.

Of course you can create a new checker to track all taint information using GRExprEngine as Zhongxing said, but GRExprEngine is path sensitive. Maybe flow sensitive analysis for taint analysis is enough?

Otherwise, i think the result from taint analysis may be useful for other checkers. So can we implement it like LiveVariable analysis?

Phoenix is a framework for build compilers or program analysis tools from MS. You can find an taint analysis example from the phoenix SDK docs.Maybe you can borrow some ideas from it.

2010/1/13 Juan Carlos Martinez Santos <>