StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POsplint how to perform taint analysis
primarykey
Id
12649864
data
AcceptedAnswerId
12757744
AnswerCount
1
ClosedDate
CommentCount
2
CommunityOwnedDate
CreationDate
2012-09-29T04:17:58.860
FavoriteCount
0
LastActivityDate
2012-11-05T20:45:42.230
LastEditDate
2012-11-05T20:45:42.230
LastEditorUserId
1707750
OwnerUserId
1707750
ParentId
0
PostTypeId
1
Score
2
ViewCount
608
LastEditorDisplayName
text
Body
How to perform Taint Analysis using Splint? I have installed Splint on my Ubuntu 12.04. Created a small test case as below: <pre><code>#include<stdio.h> #include<string.h> int main(int argc, char *argv[]) { char a[10]; strncpy(a,argv[1],10); printf(a); return 0; } </code></pre> Also created splint.xh file with the following contents: <pre><code>int printf (/*@untainted@*/ char *fmt, ...); char *fgets (char *s, int n, FILE *stream) /*@ensures tainted s@*/ ; char *strcat (/*@returned@*/ char *s1, char *s2) /*@ensures s1:taintedness = s1:taintedness | s2:taintedness @*/ ; void strncpy (/*@returned@*/ char *s1, char *s2, size_t num) /*@ensures s1:taintedness = s1:taintedness | s2:taintedness @*/ ; </code></pre> Also created splint.mts file with the below contents: <pre><code> attribute taintedness context reference char * oneof untainted, tainted annotations tainted reference ==> tainted untainted reference ==> untainted transfers tainted as untainted ==> error "Possibly tainted storage used where untainted required." merge tainted + untainted ==> tainted defaults reference ==> tainted literal ==> untainted null ==> untainted end </code></pre> Then finally ran the splint tool with the command: <pre><code> splint -mts splint prg001.c </code></pre> Where prg001.c is the sample input, "splint" refers to splint.mts and splint.xh file. All the files are in the current directory. The output I received is: Splint 3.1.2 --- 21 Aug 2012 prg001.c: (in function main) prg001.c:6:1: Format string parameter to printf is not a compile-time constant: a Format parameter is not known at compile-time. This can lead to security vulnerabilities because the arguments cannot be type checked. (Use -formatconst to inhibit warning) prg001.c:3:14: Parameter argc not used A function parameter is not used in the body of the function. If the argument is needed for type compatibility or future plans, use /@unused@/ in the argument declaration. (Use -paramuse to inhibit warning) Finished checking --- 2 code warnings There is no hint of any taint analysis in the output. Can someone please help me on how to get the taint analysis done using Splint. Thanks
Tags
<c><analysis><static-code-analysis><splint><taint>
Title
splint how to perform taint analysis
singulars
PostAcceptedAnswerId
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USRomaan
UserOwnerUserId
1. USRomaan
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POsplint how to perform taint analysis
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. COI also tested by taking input into char array from fgets function and printing it. But output had no clue regarding taint
 singulars
 PostPostId
 POsplint how to perform taint analysis
 UserUserId
 USRomaan
2. COThe problem was with splint.xh file. I change the printf to printfxxx and it worked fine. This implied that standard definition was overwriting my .xh file. This solved my problem
 singulars
 PostPostId
 POsplint how to perform taint analysis
 UserUserId
 USRomaan

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.