Code Monkey home page Code Monkey logo

Comments (1)

RootLUG avatar RootLUG commented on June 5, 2024

Hello,
great question. Like you noted the system currently propagates tainted/not tainted via that attached object, this is now the initial implementation but it has it's drawbacks like you noted.

I already found several use cases where this is not sufficient like probably sql injection may not be applicable to shell and vice versa. I briefly played with an idea of having multiple flows that can be mixed together and tracked independently.

This was just an experiment so it's not in the code base but it showed promising results but it's not currently on top of the list or in active development. There isn't a concrete plan but it's one of the things I would like to re-design on how it works.

There is also another drawback tied to this that the system would need to be designed in a way to not only independently track different flows that can be then mixed (which is the "easy" part) but to be able to track multiple representations of the same variable at once; and I haven't figured this out completely, which is one of the blockers if we go with redesigning/improving the taint flow analysis. The problem is that a variable can end up with a different typing/code path if there is a recursion, for loops, or something like that (I can't think of a good example right now from top of my head) and in ends up in a situation where on semantic level the variable is the same (place in a code) but on taint level analysis it is something different and cannot be combined with a different flow going through the same place.
I'm not sure if there is technical term for this but I call it internally "streams" where streams cannot be combined together (in the same variable) but different flow in the same stream can be combined if that makes sense. So this is in short one of the "features" that needs to be designed properly as it is very closely related to being able to combine and track multiple flows correctly and also in performance wise manner. Taint analysis currently already takes a significant portion of the analysis time and one thing I am worried is that with introduction of the streams it would multiply significantly at the points where the stream need to be split into multiple ones that are tracked separately.

Any ideas and help are more than welcome on this, I tried researching it for a while and experimenting but I haven't found much info online and in research papers.

from aura.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.