Taint Models

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.2p0

CONFIDENTIAL

CodeSecure Inc

C and C++

Taint Models

CodeSonar supports modeling the introduction and transmission of tainted values, and provides mechanisms for triggering warnings when tainted values are used in dangerous ways.

Modeling Taint Phenomena
Analysis Phase Handling

Modeling Taint Phenomena

We do not exhaustively list all library models that model one or more phenomena involved in data taint tracking, because there are too many such models for a list to be of any practical use. Instead, we outline the Extension API functions/prototypes used to model the various phenomena: consult the Extension API documentation for details and examples.

Modeled Phenomenon	Notes
taint sources	The introduction of tainted values into the program is modeled by assigning values derived from any of the following. csonar_taint_source_kname() csonar_taint_source_any() csonar_taint_source_any_no_time() The taint can be of various kinds, determined by the function used to introduce it. See the section on CodeSonar Taint Kinds for details.
taint propagation	The following function model taint propagation. csonar_string_taint() csonar_taint_transfer() csonar_taint_union2() .. csonar_taint_union9() csonar_wcstring_taint()
taint sinks	Use csonar_taint_sink() to model a program point which some kind of harm will be caused if a tainted value is used.
taint cleansing	Use csonar_taint_clear_<NAME_OF_ATTRIBUTE> to model the cleansing of taint from a value. (CodeSonar does not ship with any models for taint cleansing functions, but this prototype is available for use in custom models.)

Analysis Phase Handling

The taint analysis takes place in a separate analysis traversal. It can therefore be useful to write models that are handled differently depending on the current analysis phase: that is, whether or not the taint analysis is currently taking place. The Extension API provides the following functions to support this.

To report problems with this documentation, please visit https://support.codesecure.com/.