Static taint analysis

Hi

I am trying to use clang analyzer to conduct static taint analysis on the Linux kernel. I am wondering whether clang has a static taint analysis framework or whether I have to write a new one. If so, any suggestions or hints for writing the static taint analysis tool? Many thanks

Regards
Muhui

Hi Muhui,

It looks like clang has some kind of taint analysis already. I don’t know if it fits your purpose. But have a look at DivZeroChecker.cpp and GenericTaintChecker.cpp in clang. There are also other files.

If these do not fit your purpose, I think you should be able to construct your own. If you have any questions about how to do this, please also elaborate on your experience with clang. It’s much easier to guide you in the right direction, if we know your current level.

Best regards,
Mads Ravn
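As an added illustration of what the two checkers Mads names look for (this is constructed example code, not from the thread or from Clang's sources): GenericTaintChecker marks data read by `scanf()` as tainted, and DivZeroChecker then reports a division whose divisor is tainted and unchecked. The same tainted values reaching an array index are the shape the analyzer's bounds checking looks for. The unchecked function shows the reportable pattern; the checked one validates every untrusted value against its sink before use. The `price_table` data and the function names are constructed for this example; the scan-build checker name `alpha.security.taint.TaintPropagation` is assumed to be the registered name in the Clang of that era (it has changed across versions), while `core.DivideZero` is the stable name for DivZeroChecker.

```c
#include <limits.h>
#include <stdio.h>

/* Constructed lookup table (example data, not from the thread). */
static const int price_table[4] = {10, 20, 30, 40};

/* Vulnerable shape: when item/quantity/total originate from scanf(), the
 * analyzer treats them as tainted. They reach two sinks with no validation:
 * an array index (possible out-of-bounds read) and a divisor, which
 * DivZeroChecker reports as "Division by a tainted value, possibly zero". */
int unit_price_unchecked(int item, int quantity, int total) {
    int base = price_table[item];      /* tainted index, never bounded */
    return (base + total) / quantity;  /* tainted divisor, may be zero */
}

/* Hardened shape: each tainted value is checked against what its sink
 * requires. Returns 0 and writes *out on success, -1 if the input cannot be
 * used safely (the caller decides how to reject it). */
int unit_price_checked(int item, int quantity, int total, int *out) {
    const int n = (int)(sizeof price_table / sizeof price_table[0]);
    if (item < 0 || item >= n)
        return -1;                     /* index outside the table */
    if (quantity == 0)
        return -1;                     /* would divide by zero */
    int base = price_table[item];
    if (total > INT_MAX - base)
        return -1;                     /* base + total would overflow */
    int sum = base + total;
    if (sum == INT_MIN && quantity == -1)
        return -1;                     /* INT_MIN / -1 also overflows */
    *out = sum / quantity;
    return 0;
}

int main(void) {
    int item, quantity, total, price;
    /* scanf() is one of the taint sources GenericTaintChecker models. */
    if (scanf("%d %d %d", &item, &quantity, &total) != 3)
        return 1;
#ifdef UNSAFE_DEMO
    /* Build with -DUNSAFE_DEMO to make scan-build report the tainted sinks. */
    printf("%d\n", unit_price_unchecked(item, quantity, total));
#else
    if (unit_price_checked(item, quantity, total, &price) != 0) {
        fputs("rejected untrusted input\n", stderr);
        return 1;
    }
    printf("%d\n", price);
#endif
    return 0;
}
```

Running `scan-build -enable-checker alpha.security.taint.TaintPropagation -enable-checker core.DivideZero clang -DUNSAFE_DEMO -c example.c` (command assumed, checker names as noted above) shows how the taint introduced at `scanf()` is propagated into the callee and reported at the division; the default build takes the checked path and produces no report. Note that the analyzer only learns the arguments are tainted because the source and the sink are on one analyzed path; a function analyzed on its own has untainted parameters, which is why the unchecked function is reached from `main`.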

Hi Mads

Thanks for your reply. Actually, I am completely new to clang. I know the theory of program analysis and I tried to find a powerful tool to carry out static analysis for my research. I need taint propagation that is field sensitive, context sensitive and flow sensitive, with implicit and explicit flows, and pointer analysis. I think Clang should be available to develop such a tool. I am familiar with C/C++ Linux programming. There is about one month left for me. Do you have any suggestions, and do you have any comments on the difficulty of implementation? Many thanks

Regards
Muhui

Hi Muhui,

I am not sure how many of these static analyses are already present in Clang, but I'm sure you can develop them here. I would look into the files and directories I mentioned in my previous mail. I can't say how hard it will be to implement. There is also an IRC channel, if you want a more flowing conversation about the subject.

Best regards,
Mads Ravn

Hi Mads

Thanks. I made the decision to develop the tool in Clang. I never used Clang before. The only thing I know is that clang is the frontend of LLVM. I also watched the tutorial on writing a checker in 24 hours in clang and have a basic understanding now. Do you have any suggestions for me? Do I need to understand LLVM IR or other things related to LLVM before using clang? Many thanks

Regards
Muhui

Hello!

I personally think that if you only have 1 month then that is very little time. Sorry, but I personally don't think it's realistic to first learn Clang and then implement and commit a new analysis framework in that time.

I suggest you try to limit the scope. Learn Clang and use the existing framework to develop a new small check or tweak some existing check.

You don't need to worry about LLVM IR at all. There are many utility classes like StringRef, SmallSet, etc., but I suggest you focus on the analysis. You can spend a lot of time looking around at utility classes and learning all the details about the framework, and getting no work done.

Good luck!!

Best regards,
Daniel Marjamäki

Daniel Marjamäki Senior Engineer

Evidente ES East AB Warfvinges väg 34 SE-112 51 Stockholm Sweden

Mobile: +46 (0)709 12 42 62

E-mail: Daniel.Marjamaki@evidente.se

www.evidente.se

Clang-tidy is a good start. By writing one simple check you can learn about AST