On Fri, 2019-11-15 at 20:23 -0500, David Malcolm wrote:
> This patch adds a state machine checker for tracking "taint",
> where data potentially under an attacker's control is used for
> things like array indices without sanitization (CWE-129).
> 
> This checker isn't ready for production, and is presented as a
> proof-of-concept of the sm-based approach.
> 
> gcc/ChangeLog:
>       * analyzer/sm-taint.cc: New file.
As you know, I'm a big fan of getting some kind of taint analysis into
GCC.  So I'd certainly encourage someone to pick up on this as well as
the more localized work.  I'm particularly interested in things like a
tainted length/count which is then used to calculate how much memory to
allocate in malloc/alloca.  If an attacker can control that they can do
some nasty things.

I do think we're likely to end up with some more traditional warnings
in that space as well.  So figuring out the balance/guidelines for when
to improve the traditional warnings vs those from the static analyzer
will need to be figured out.

jeff
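To make the "state machine checker" idea concrete, here is a toy taint state machine written as an added illustration for this thread; it is not code from the GCC patch, from sm-taint.cc, or from either author. The state and event names (TS_*, EV_*) and the rule that a tainted value must have both a lower and an upper bound before it reaches an array-index or allocation-size sink are assumptions of this toy, chosen to match the cases discussed above (CWE-129 indices and a tainted length flowing into malloc/alloca). It walks a single constructed path of events rather than the analyzer's real program representation.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical taint states for one value (assumed names, not GCC's own). */
enum taint_state {
    TS_START,       /* not known to be attacker-controlled */
    TS_TAINTED,     /* came from an untrusted source, nothing checked yet */
    TS_HAS_LB,      /* tainted, a lower bound has been established */
    TS_HAS_UB,      /* tainted, an upper bound has been established */
    TS_HAS_BOUNDS   /* tainted, both bounds established: OK to use at a sink */
};

/* Events observed along one path of the program being analysed. */
enum taint_event {
    EV_UNTRUSTED_READ,  /* value assigned from e.g. a packet or file field */
    EV_CHECK_LB,        /* path is guarded by  v >= lo  */
    EV_CHECK_UB,        /* path is guarded by  v < hi   */
    EV_USE_INDEX,       /* value used as an array index (CWE-129 sink) */
    EV_USE_ALLOC_SIZE   /* value used as a malloc/alloca size (sink) */
};

static const char *taint_state_name(enum taint_state s)
{
    static const char *names[] = {
        "untainted", "tainted", "tainted (lower bound only)",
        "tainted (upper bound only)", "tainted (bounds checked)"
    };
    return names[s];
}

static const char *taint_sink_name(enum taint_event e)
{
    return e == EV_USE_INDEX ? "array index" : "allocation size";
}

static int taint_is_sink(enum taint_event e)
{
    return e == EV_USE_INDEX || e == EV_USE_ALLOC_SIZE;
}

/* Transition on a non-sink event. A lower-bound check followed by an
 * upper-bound check (or vice versa) brings the value to TS_HAS_BOUNDS. */
static enum taint_state taint_transition(enum taint_state s, enum taint_event e)
{
    switch (e) {
    case EV_UNTRUSTED_READ:
        return TS_TAINTED;
    case EV_CHECK_LB:
        if (s == TS_TAINTED) return TS_HAS_LB;
        if (s == TS_HAS_UB)  return TS_HAS_BOUNDS;
        return s;
    case EV_CHECK_UB:
        if (s == TS_TAINTED) return TS_HAS_UB;
        if (s == TS_HAS_LB)  return TS_HAS_BOUNDS;
        return s;
    default:
        return s;
    }
}

/* Run the machine over a path and return the number of diagnostics.
 * Requiring both bounds is deliberately conservative: a signed length
 * with only an upper bound can still be negative, and a negative value
 * converted to size_t becomes a huge allocation request. */
int taint_check_path(const enum taint_event *path, size_t n)
{
    enum taint_state s = TS_START;
    int warnings = 0;
    for (size_t i = 0; i < n; i++) {
        if (taint_is_sink(path[i])) {
            if (s != TS_START && s != TS_HAS_BOUNDS) {
                printf("warning: %s taken from value that is %s\n",
                       taint_sink_name(path[i]), taint_state_name(s));
                warnings++;
            }
        } else {
            s = taint_transition(s, path[i]);
        }
    }
    return warnings;
}

/* Constructed sample paths (not traces of any real program). */
const enum taint_event path_unchecked[] = { EV_UNTRUSTED_READ, EV_USE_INDEX };
const enum taint_event path_ub_only[]   = { EV_UNTRUSTED_READ, EV_CHECK_UB,
                                            EV_USE_ALLOC_SIZE };
const enum taint_event path_bounded[]   = { EV_UNTRUSTED_READ, EV_CHECK_LB,
                                            EV_CHECK_UB, EV_USE_INDEX };
const enum taint_event path_untainted[] = { EV_CHECK_UB, EV_USE_INDEX };

int main(void)
{
    taint_check_path(path_unchecked, 2);   /* one warning: unchecked index */
    taint_check_path(path_ub_only, 3);     /* one warning: size lacks lower bound */
    taint_check_path(path_bounded, 4);     /* no warning */
    taint_check_path(path_untainted, 2);   /* no warning: never tainted */
    return 0;
}
```

The point of the shape is that the checker never needs to know what the value is, only which state the path so far has put it in; the sink decides purely on that state, which is what makes the approach cheap to bolt onto an existing path-sensitive analyzer. The ub-only path is the malloc/alloca case from the reply above: an upper bound alone does not rule out a negative signed length.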