Module TaintTracking

Provides classes for performing local (intra-procedural) and global (inter-procedural) taint-tracking analyses.

We define taint propagation informally to mean that a substantial part of the information from the source is preserved at the sink. For example, taint propagates from x to x + 100, but it does not propagate from x to x > 100 since we consider a single bit of information to be too little.

To use global (interprocedural) taint tracking, extend the class TaintTracking::Configuration as documented on that class. To use local (intraprocedural) taint tracking between expressions, call TaintTracking::localExprTaint. For more general cases of local taint tracking, call TaintTracking::localTaint or TaintTracking::localTaintStep with arguments of type DataFlow::Node.

Import path

import semmle.code.cpp.ir.dataflow.TaintTracking

Imports

DataFlow

Provides a library for local (intra-procedural) and global (inter-procedural) data flow analysis: deciding whether data can flow from a source to a sink. This library differs from the one in semmle.code.cpp.dataflow in that this library uses the IR (Intermediate Representation) library, which provides a more precise semantic representation of the program, whereas the other dataflow library uses the more syntax-oriented ASTs. This library should provide more accurate results than the AST-based library in most scenarios.

Modules

TaintTracking