import angr
import claripy
class TaintedAnnotation(claripy.Annotation):
    """
    Marker annotation used for taint-tracking in angr.

    An AST counts as tainted when one of its annotations is an instance of
    this class; the annotation itself carries no data.
    """

    @property
    def eliminatable(self):
        # Reported as not eliminatable -- presumably so claripy never drops
        # the taint marker during simplification (confirm against the claripy
        # version in use).
        return False

    @property
    def relocatable(self):
        # Reported as relocatable, which is what makes `relocate` relevant.
        return True

    def relocate(self, src, dst):
        """
        Pick the annotation to carry over from `src`.

        Returns None when `src` has no annotations, the sole annotation when
        it has exactly one, and raises ValueError when it has more than one.

        NOTE(review): `dst` is not consulted, and the returned annotation is
        not checked to be a TaintedAnnotation -- any single annotation on
        `src` is passed through as-is. An AST that also carries an unrelated
        annotation will hit the ValueError branch. Confirm both are intended,
        since either can change which values end up reported as tainted.
        """
        found = list(src.annotations)
        if len(found) > 1:
            raise ValueError("more than one annotation: {}".format(found))
        return found[0] if found else None
def taintedUnconstrainedBits(state, name, bits):
    """
    Request an unconstrained value from the state's solver with a taint marker attached.

    state: object whose solver.Unconstrained is called (presumably an angr state -- confirm)
    name: a name for the BVS; also used to build the key ("tainted_" + name,)
    bits: how many bits long

    Returns whatever state.solver.Unconstrained returns, unchanged.
    """
    make_unconstrained = state.solver.Unconstrained
    solver_key = ("tainted_" + name,)
    # A fresh TaintedAnnotation per value; is_tainted() looks for this class.
    taint_marker = TaintedAnnotation()
    return make_unconstrained(
        name,
        bits,
        key=solver_key,
        eternal=False,
        annotations=(taint_marker,),
    )
def is_tainted(ast):
    """
    Report whether `ast` or any of its leaves carries a TaintedAnnotation.

    Only the root and the ASTs yielded by ast.leaf_asts() are inspected. A
    marker that sits solely on an interior node of the expression is not
    seen by this check, so a False result means "no taint on root or leaves",
    not "no taint anywhere in the expression".
    """
    if _is_immediately_tainted(ast):
        return True
    for leaf in ast.leaf_asts():
        if _is_immediately_tainted(leaf):
            return True
    return False
def _is_immediately_tainted(ast):
    """
    Report whether `ast` itself (not its children) has a TaintedAnnotation.

    Subclasses of TaintedAnnotation also match, since the check is isinstance.
    """
    for note in ast.annotations:
        if isinstance(note, TaintedAnnotation):
            return True
    return False