facebookexperimental / MIRAI

Rust mid-level IR Abstract Interpreter


Tag analysis is not working when tracking Result.

fshaked opened this issue · comments

Issue

Tag analysis seems to miss obvious information flow, when tracking Result.
Minimal example here.

Steps to Reproduce

git clone https://github.com/fshaked/mirai-bug1.git
cd mirai-bug1
RUSTFLAGS="-Z always_encode_mir" RUSTC_WRAPPER=mirai MIRAI_FLAGS="--diag verify" cargo build

Expected Behavior

The verify! macro should fail in both tests.

Actual Results

MIRAI terminates with no warnings.

Environment

$ rustup show
Default host: x86_64-unknown-linux-gnu
rustup home:  /home/---/.rustup

installed toolchains
--------------------

nightly-2021-05-06-x86_64-unknown-linux-gnu (default)
nightly-x86_64-unknown-linux-gnu

active toolchain
----------------

nightly-2021-05-06-x86_64-unknown-linux-gnu (default)
rustc 1.54.0-nightly (bacf770f2 2021-05-05)

The first test case is fixed by #903.

The second illustrates a design issue: A field of the tainted value x flows into a field of y. This is not sufficient to taint all of y, even though the sub-component propagation rule for the tag propagates the taint from x to the field that flows into y. For that to happen, we need a new tag propagation rule that specifies that tagging a field also tags the parent of the field.

Creating such a rule is not a trivial thing and not just from an implementation point of view. For instance, should we propagate to the parent of the parent? If so, what exactly counts as a parent? What if the parent is wrapped in an Rc? And so on.

For now I'm going to punt on this and declare the behavior of MIRAI for the second test case to be by design. If you have ideas about this and a proposed design that you can motivate by a scenario you can share, I'd be very happy to think it over some more.

Ah, looking at it from the perspective of does_not_have_tag makes quite a difference. I'll think this one over some more.
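The following is an added example, not code from the issue's reproduction repository or from MIRAI itself. It is a toy model of the propagation question discussed in the comments above: values carry tags, the sub-component rule pushes a tag from a value down into its fields, a field of tagged x is moved into a field of y, and the two queries are then compared. The tag name "Tainted", the field names a and b, and all method names are assumptions made for the illustration; MIRAI's real tag domain and rules are not reproduced here.

```rust
// Toy model of tag propagation over values with fields, written to illustrate
// the design question from the comments above. This is NOT MIRAI's implementation.
use std::collections::{BTreeMap, BTreeSet};

/// A tag is just a name here (e.g. "Tainted"); the name is a constructed example.
type Tag = &'static str;

/// A value is either a leaf or a record with named fields; each node carries
/// the set of tags attached directly to it.
#[derive(Clone, Debug)]
pub struct Value {
    pub tags: BTreeSet<Tag>,
    pub fields: BTreeMap<&'static str, Value>,
}

impl Value {
    pub fn leaf() -> Self {
        Value { tags: BTreeSet::new(), fields: BTreeMap::new() }
    }

    pub fn record(fields: Vec<(&'static str, Value)>) -> Self {
        Value { tags: BTreeSet::new(), fields: fields.into_iter().collect() }
    }

    /// Sub-component propagation rule (assumed form): attaching a tag to a
    /// value attaches it to every field, recursively. There is deliberately
    /// no rule in the other direction (field -> parent), matching the
    /// behaviour the maintainer describes as "by design".
    pub fn add_tag(&mut self, tag: Tag) {
        self.tags.insert(tag);
        for f in self.fields.values_mut() {
            f.add_tag(tag);
        }
    }

    /// Is the tag attached to this node itself? This is what a has_tag-style
    /// query on the parent sees when no parent-propagation rule exists.
    pub fn has_tag_directly(&self, tag: Tag) -> bool {
        self.tags.contains(tag)
    }

    /// Is the tag attached anywhere in the tree rooted at this node?
    pub fn has_tag_anywhere(&self, tag: Tag) -> bool {
        self.has_tag_directly(tag) || self.fields.values().any(|f| f.has_tag_anywhere(tag))
    }

    /// A does_not_have_tag query must be sound: absence may only be claimed
    /// when no sub-component carries the tag. This is the perspective the
    /// last comment refers to.
    pub fn does_not_have_tag(&self, tag: Tag) -> bool {
        !self.has_tag_anywhere(tag)
    }

    /// Move field `from` of `src` into field `to` of `self`
    /// (the flow "a field of x flows into a field of y").
    pub fn assign_field_from(&mut self, to: &'static str, src: &Value, from: &'static str) {
        let moved = src.fields.get(from).expect("source field exists").clone();
        self.fields.insert(to, moved);
    }
}

/// The scenario from the issue, modelled on constructed values:
/// x is tagged as a whole, then x.a is moved into y.b.
pub fn scenario() -> (Value, Value) {
    let mut x = Value::record(vec![("a", Value::leaf())]);
    x.add_tag("Tainted");
    let mut y = Value::record(vec![("b", Value::leaf())]);
    y.assign_field_from("b", &x, "a");
    (x, y)
}

fn main() {
    let (x, y) = scenario();
    println!(
        "x tagged directly: {}, y tagged directly: {}, y.b tagged directly: {}, y does_not_have_tag: {}",
        x.has_tag_directly("Tainted"),
        y.has_tag_directly("Tainted"),
        y.fields["b"].has_tag_directly("Tainted"),
        y.does_not_have_tag("Tainted")
    );
}
```

The point the model makes explicit: after the move, y.b carries the tag but y itself does not, so a query phrased as "y has the tag" is answered no without a parent-propagation rule, while a query phrased as "y does not have the tag" must still be answered no, because a sub-component of y carries it. The two verify! forms therefore do not behave symmetrically, which is why the perspective of does_not_have_tag changes the picture.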