| CARVIEW |
Select Language
HTTP/2 200
date: Wed, 30 Jul 2025 20:08:25 GMT
content-type: text/html; charset=utf-8
vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, X-Requested-With,Accept-Encoding, Accept, X-Requested-With
x-robots-tag: none
etag: W/"ddaa0e0617bcd5898b5219d965b9676b"
cache-control: max-age=0, private, must-revalidate
strict-transport-security: max-age=31536000; includeSubdomains; preload
x-frame-options: deny
x-content-type-options: nosniff
x-xss-protection: 0
referrer-policy: no-referrer-when-downgrade
content-security-policy: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com wss://alive-staging.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com release-assets.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com copilotprodattachments.blob.core.windows.net/github-production-copilot-attachments/ github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/
server: github.com
content-encoding: gzip
accept-ranges: bytes
set-cookie: _gh_sess=SCLmD%2B2jF%2FvDujZ8ypNhBEUFxY7WzKB0Dud%2BpFi4rDE%2FzHV5H5axXzDtd7zn6bAXGyEqTy%2Bc%2BfQjQ7TkVLxGd8FWrH5vrvJb3Cjh%2FOThm43DjK3fYL%2BrNz3rclMfKW7EtI8dWFNNFH7dGypuGvNILeInN3REqkAZlX7KE8lzziTOIPk2yjdqw4x1j%2Bo2j5jRRegIkaq2jHpAIBXKe3azAwgGxWkTPHyKX0Y9NL1mDrYWfHVAZ2M4xL%2FqAuXgYQQTo6U%2FunYKSc9X1bP7Cd29Aw%3D%3D--gdUDIshCPPD%2Fnqbs--l0lk078tRaVpIlZCwXezNg%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: _octo=GH1.1.756147314.1753906105; Path=/; Domain=github.com; Expires=Thu, 30 Jul 2026 20:08:25 GMT; Secure; SameSite=Lax
set-cookie: logged_in=no; Path=/; Domain=github.com; Expires=Thu, 30 Jul 2026 20:08:25 GMT; HttpOnly; Secure; SameSite=Lax
x-github-request-id: BAE2:1667F:9366F:BF1F1:688A7BB9
Control flow and Pointer tainting · wmkhoo/taintgrind Wiki · GitHub
Skip to content
Navigation Menu
{{ message }}
-
Notifications
You must be signed in to change notification settings - Fork 43
Control flow and Pointer tainting
Wei Ming Khoo edited this page Aug 5, 2020
·
4 revisions
There are at least three types of taint dependency. Let x be tainted.
- Direct/Data-flow dependence, e.g. y = x
- Indirect/Control-flow dependence, e.g. if(x){ y = 2; }
- Address/Pointer dependence, e.g. y = a[x] and y = *x
Taintgrind, which follows Valgrind memcheck, only implements 1, not 2 or 3. This means it will under-taint, i.e. it will miss some dependencies. On the other hand, it is tricky to handle 2 and 3, as it may lead to over-tainting, i.e. reporting dependencies where there is none.
Let's take an example (https://bitblaze.cs.berkeley.edu/papers/dta%2B%2B-ndss11.pdf Fig. 3):
char output[256];
long input = user_input();
long len = 0;
if (input > 100) {
strcpy(output, "large");
len = 5;
} else {
strcpy(output, "small");
len = 5;
}
print_output(output, len);
In this case, len has a control-flow dependence on input. However, len is not dependent on input because it is 5 no matter which branch is taken, so transferring taint from input to len may be considered incorrect.
Some other dynamic taint analysis tools I'm aware of, but have not tried (and the info may not be up-to-date):
- libdft: According to their paper, "in this work, we do not consider cases of implicit data flow that are in accordance with previous work on the subject". (https://nsl.cs.columbia.edu/papers/2012/libdft.vee12.pdf, Pg. 2)
- triton: "Dynamic Taint Analysis. (DTA) aims to detect which data and instructions along an execution depend on user input. We consider direct tainting.(https://triton.quarkslab.com/files/DIMVA2018-deobfuscation-salwan-bardin-potet.pdf, Pg. 6)
- bap: If you want to experiment with and implement different taint rules, I hear that bap will let you do that (but again, I have not tried it).
- polytracker: Polytracker is an LLVM pass that instruments the programs it compiles to track which bytes of an input file are operated on by which functions. It outputs a JSON file containing the function-to-input-bytes mapping.
For more information on the theoretical aspects of taint analysis, check out https://users.ece.cmu.edu/~aavgerin/papers/Oakland10.pdf.
You can’t perform that action at this time.