CodeQL library for C/C++
codeql/cpp-all 2.1.1 (changelog, source)

Module TaintTracking

Provides classes for performing local (intra-procedural) and global (inter-procedural) taint-tracking analyses.

We define taint propagation informally to mean that a substantial part of the information from the source is preserved at the sink. For example, taint propagates from x to x + 100, but it does not propagate from x to x > 100 since we consider a single bit of information to be too little.

To use global (interprocedural) taint tracking, extend the class TaintTracking::Configuration as documented on that class. To use local (intraprocedural) taint tracking between expressions, call TaintTracking::localExprTaint. For more general cases of local taint tracking, call TaintTracking::localTaint or TaintTracking::localTaintStep with arguments of type DataFlow::Node.
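The following query is an added illustration of a global taint-tracking configuration written against this module; it is not a query shipped with the library. It tracks the string returned by `getenv()` to the command argument of `system()`, treats values of integral type (for example the result of `strlen` on the tainted string) as barriers, and reports the result as a path. The class name, the configuration string, the query metadata and the source/sink choice are all assumptions made for the example.

```ql
/**
 * @name Environment variable reaches system() (added example)
 * @description A string obtained from getenv() is used, possibly after
 *              modification, as the command passed to system().
 * @kind path-problem
 * @problem.severity warning
 * @id cpp/example/getenv-to-system
 */

import cpp
import semmle.code.cpp.ir.dataflow.TaintTracking
import DataFlow::PathGraph

/**
 * Global (inter-procedural) taint-tracking configuration.
 * The class name and the string in the characteristic predicate are
 * arbitrary; they only need to be unique among configurations.
 */
class GetenvToSystemConfig extends TaintTracking::Configuration {
  GetenvToSystemConfig() { this = "GetenvToSystemConfig" }

  /** The value returned by a call to getenv() is the taint source. */
  override predicate isSource(DataFlow::Node source) {
    source.asExpr().(FunctionCall).getTarget().hasGlobalName("getenv")
  }

  /** The first argument of system() is the sink. */
  override predicate isSink(DataFlow::Node sink) {
    exists(FunctionCall call |
      call.getTarget().hasGlobalName("system") and
      sink.asExpr() = call.getArgument(0)
    )
  }

  /**
   * Values of integral type (e.g. strlen(cmd)) cannot themselves be a
   * command string, so taint is not propagated through them.
   */
  override predicate isSanitizer(DataFlow::Node node) {
    node.getType().getUnspecifiedType() instanceof IntegralType
  }
}

from GetenvToSystemConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
  "Command passed to system() depends on $@.", source.getNode(),
  "an environment variable read here"
```

Because the configuration extends `TaintTracking::Configuration` rather than `DataFlow::Configuration`, the query also follows steps that preserve only part of the information (string concatenation, `strcat`, pointer arithmetic on the buffer), which a pure data-flow configuration would not. For the purely local form the configuration class disappears entirely: a `where` clause such as `TaintTracking::localExprTaint(src, snk)` relates two expressions within one function, and `TaintTracking::localTaint` does the same for two `DataFlow::Node` values.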

Import path

import semmle.code.cpp.ir.dataflow.TaintTracking

Imports

DataFlow

Provides a library for local (intra-procedural) and global (inter-procedural) data flow analysis: deciding whether data can flow from a source to a sink. This library differs from the one in semmle.code.cpp.dataflow in that this library uses the IR (Intermediate Representation) library, which provides a more precise semantic representation of the program, whereas the other dataflow library uses the more syntax-oriented ASTs. This library should provide more accurate results than the AST-based library in most scenarios.

DataFlow2

Provides a DataFlow2 module, which is a copy of the DataFlow module. Use this module when data-flow configurations must depend on each other: flow for every instance of one Configuration class is computed by the same shared predicate, so a configuration whose isSource, isSink, isSanitizer or isAdditionalFlowStep predicate consults the flow results of another configuration in the same module would make that predicate depend on its own result. Two classes extending DataFlow::Configuration should therefore never depend on each other; one of them should instead extend DataFlow2::Configuration, DataFlow3::Configuration, or DataFlow4::Configuration, so that each stage of the chain lives in a different module.
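The following query is an added example of chaining two configurations in the way this paragraph prescribes; it is not code from the library. Stage one (a `DataFlow2::Configuration`) finds `getenv()` results that reach an argument of a hypothetical helper named `parse_config`; stage two (a `DataFlow::Configuration`) takes the return value of such a `parse_config` call as its source and the command argument of `system()` as its sink. The helper name, class names, configuration strings and query metadata are assumptions made for the example.

```ql
/**
 * @name Two-stage data flow using DataFlow2 (added example)
 * @kind problem
 * @problem.severity warning
 * @id cpp/example/two-stage-flow
 */

import cpp
import semmle.code.cpp.ir.dataflow.TaintTracking

/**
 * Stage 1: the value returned by getenv() reaches an argument of
 * the hypothetical helper parse_config(). This is the inner
 * configuration, so it extends DataFlow2::Configuration.
 */
class EnvToParserConfig extends DataFlow2::Configuration {
  EnvToParserConfig() { this = "EnvToParserConfig" }

  override predicate isSource(DataFlow::Node source) {
    source.asExpr().(FunctionCall).getTarget().hasGlobalName("getenv")
  }

  override predicate isSink(DataFlow::Node sink) {
    exists(FunctionCall call |
      call.getTarget().hasGlobalName("parse_config") and
      sink.asExpr() = call.getAnArgument()
    )
  }
}

/**
 * Stage 2: the return value of a parse_config() call whose argument was
 * reached in stage 1 is the source; the command argument of system() is
 * the sink. isSource consults EnvToParserConfig.hasFlow, which is only
 * permitted because that configuration lives in a different module.
 */
class ParserToSystemConfig extends DataFlow::Configuration {
  ParserToSystemConfig() { this = "ParserToSystemConfig" }

  override predicate isSource(DataFlow::Node source) {
    exists(EnvToParserConfig inner, DataFlow::Node arg, FunctionCall call |
      inner.hasFlow(_, arg) and
      call.getTarget().hasGlobalName("parse_config") and
      arg.asExpr() = call.getAnArgument() and
      source.asExpr() = call
    )
  }

  override predicate isSink(DataFlow::Node sink) {
    exists(FunctionCall call |
      call.getTarget().hasGlobalName("system") and
      sink.asExpr() = call.getArgument(0)
    )
  }
}

from ParserToSystemConfig outer, DataFlow::Node source, DataFlow::Node sink
where outer.hasFlow(source, sink)
select sink,
  "Command passed to system() is derived from parse_config() applied to an environment variable."
```

If `ParserToSystemConfig` had extended `DataFlow::Configuration` while `EnvToParserConfig` also extended `DataFlow::Configuration`, the call to `inner.hasFlow` inside `isSource` would make the shared flow predicate depend on itself and the query would be rejected; moving the inner stage to DataFlow2 (or DataFlow3/DataFlow4 for deeper chains) is what breaks the cycle. A third stage that consumed `ParserToSystemConfig.hasFlow` would in turn need to live in yet another module.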

Modules