Documentation
Overview
Package summary provides function summaries for a range of standard library functions that could be involved in taint propagation. A function summary describes the taint-propagation behavior of a given function, e.g. "if these arguments are tainted, then the following arguments/return values should also be tainted".
Constants
This section is empty.
Variables
var FuncSummaries = map[string]Summary{}/* 192 elements not displayed */
FuncSummaries contains summaries for regular functions that could be called statically.
var InterfaceFuncSummaries = map[funcKey]Summary{
	{"Read", "([]byte)(int,error)"}: {
		IfTainted:   first,
		TaintedArgs: []int{1},
	},
	{"Write", "([]byte)(int,error)"}: {
		IfTainted:   second,
		TaintedArgs: []int{0},
	},
	{"ReadFrom", "(Reader)(int64,error)"}: {
		IfTainted:   second,
		TaintedArgs: []int{0},
	},
	{"WriteTo", "(Writer)(int64,error)"}: {
		IfTainted:   first,
		TaintedArgs: []int{1},
	},
	{"ReadAt", "([]byte,int64)(int,error)"}: {
		IfTainted:   first,
		TaintedArgs: []int{1},
	},
	{"WriteAt", "([]byte,int64)(int,error)"}: {
		IfTainted:   second,
		TaintedArgs: []int{0},
	},
	{"WriteString", "(string)(int,error)"}: {
		IfTainted:   second,
		TaintedArgs: []int{0},
	},
	{"String", "()(string)"}: {
		IfTainted:   first,
		TaintedRets: []int{0},
	},
	{"GoString", "()(string)"}: {
		IfTainted:   first,
		TaintedRets: []int{0},
	},
	{"Error", "()(string)"}: {
		IfTainted:   first,
		TaintedRets: []int{0},
	},
	{"Unwrap", "()(error)"}: {
		IfTainted:   first,
		TaintedRets: []int{0},
	},
	{"Bytes", "()([]byte)"}: {
		IfTainted:   first,
		TaintedRets: []int{0},
	},
	{"Err", "()(error)"}: {
		IfTainted:   first,
		TaintedRets: []int{0},
	},
	{"Value", "(interface{})(interface{})"}: {
		IfTainted:   first,
		TaintedRets: []int{0},
	},
}
InterfaceFuncSummaries contains summaries for common interface functions, such as Write or Read, that could be called statically (i.e. a call to a concrete method whose signature matches an interface method) or dynamically (i.e. a call to an interface method on an interface value). Since all of these functions have receivers, the "first" argument in `IfTainted` always corresponds to the receiver.
Functions
This section is empty.
Types
type Summary
type Summary struct {
	// IfTainted is a bitset which contains positions for parameters
	// such that if one of these parameters is tainted, taint should
	// be propagated to the arguments and return values.
	// There is a 1-to-1 mapping between the bits and the function's
	// parameters, with the least significant bit corresponding to the
	// first (0th) argument.
	IfTainted int64
	// TaintedArgs holds the positions of the arguments that taint
	// propagates to if one of the positions in IfTainted is tainted.
	TaintedArgs []int
	// TaintedRets holds the positions of the return values that taint
	// propagates to if one of the positions in IfTainted is tainted.
	TaintedRets []int
}
A Summary captures the behavior of a function with respect to taint propagation. Specifically: given that at least one of the necessary arguments is tainted, which arguments/return values become tainted? Note that when it's present, the receiver counts as an argument.
As an example, consider fmt.Fprintf:
func Fprintf(w io.Writer, format string, a ...interface{}) (n int, err error)
Its Summary is:
"fmt.Fprintf": {
	IfTainted:   0b110,
	TaintedArgs: []int{0},
},
In English, this says that if the format string or the varargs slice is tainted, then the Writer is tainted. (In an actual summary, 0b110 should be written as second | third for readability.)
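The propagation rule that a Summary encodes, applied to the fmt.Fprintf summary and three of the interface summaries listed above. This is an added example, not code from the package: the Propagate helper and the local copy of Summary are hypothetical, and the values of first, second and third are inferred from the bit layout described in the struct comment.

```go
package main

import "fmt"

// Summary is a local copy of the documented struct so the example runs stand-alone.
type Summary struct {
	IfTainted   int64
	TaintedArgs []int
	TaintedRets []int
}

// Bit names used on the page; values assumed from "least significant bit = 0th argument".
const first, second, third int64 = 1 << 0, 1 << 1, 1 << 2

// Summaries copied from the page. For methods, position 0 is the receiver;
// for Fprintf, position 2 is the varargs slice taken as one argument.
var (
	fprintfSummary = Summary{IfTainted: second | third, TaintedArgs: []int{0}}
	readSummary    = Summary{IfTainted: first, TaintedArgs: []int{1}}
	writeSummary   = Summary{IfTainted: second, TaintedArgs: []int{0}}
	stringSummary  = Summary{IfTainted: first, TaintedRets: []int{0}}
)

// Propagate (hypothetical helper) takes the taint state of every argument position
// before a call and returns the state after it, plus the tainted return positions.
func (s Summary) Propagate(tainted []bool) (args []bool, rets []int) {
	args = append([]bool(nil), tainted...)
	var mask int64
	for i, t := range tainted {
		if t && i < 64 {
			mask |= 1 << uint(i)
		}
	}
	if mask&s.IfTainted == 0 {
		return args, nil // no triggering position is tainted: nothing propagates
	}
	for _, i := range s.TaintedArgs {
		if i < len(args) {
			args[i] = true
		}
	}
	return args, append([]int(nil), s.TaintedRets...)
}

func main() {
	fmt.Println(fprintfSummary.Propagate([]bool{false, false, true})) // varargs -> Writer
	fmt.Println(fprintfSummary.Propagate([]bool{true, false, false})) // Writer alone: no flow
	fmt.Println(readSummary.Propagate([]bool{true, false}))           // reader -> buffer
}
```

The second call shows the direction of the summary: a tainted Writer does not taint the format string or the varargs, because position 0 is not set in IfTainted.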
func For
func For(call ssa.CallInstruction) *Summary
For returns the summary for a given call if it exists, or nil if no summary matches the called function.