
CodeSonar® 9.2p0 CONFIDENTIAL CodeSecure Inc

Description: Data Taint Tracking For C/C++

CodeSonar includes a taint analysis that tracks the influence of untrusted data on program execution. The taint analysis takes place during the pointer analysis phase.

The taint analysis and GUI functionality described in this page apply to analyzed C/C++ code only. C# and Java code undergo similar analyses, but the analyses do not depend on the configuration parameters listed in this page and the resulting taint propagation is not depicted in the CodeSonar GUI. See Taint Tracking for CodeSonar C# Warning Classes and Taint Tracking for CodeSonar Java Warning Classes for more information.



Terminology

A data value is considered to be tainted if it originates from an untrusted source and has not yet been verified to be safe, or if its computation included one or more values that are themselves tainted.

We use the following terminology.

taint source
A point at which a tainted value can enter a program.
taint sink
A program point at which some kind of harm will be caused if a tainted value is used there.
taint propagation
A program operation in which taint from an operand is transmitted to the result (or to other operands).
taint cleansing (or sanitizing)
A program operation in which taint is removed from one or more operands.
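The following C program is an added illustration, not code from the CodeSonar documentation or product: it places all four concepts in one place. A taint source (a constructed string standing in for a message read from a socket), propagation of taint into an integer derived from that string, a sink where the tainted integer is used as an array index, and a cleansing step that validates the value before it reaches the sink. The function names and the sample message are the example's own.

```c
/*
 * Added example (not CodeSonar documentation or product code): a minimal
 * taint source -> propagation -> sink chain in C, shown once without and
 * once with cleansing. The "network message" is a constructed string.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define TABLE_LEN 8
static const int table[TABLE_LEN] = {10, 11, 12, 13, 14, 15, 16, 17};

/* Taint source: in a real program this would be recv(), fgets() or argv.
 * Here the untrusted input is a constructed string standing in for a
 * message read from a socket; its value is attacker-controlled. */
static const char *read_untrusted_message(void)
{
    static const char constructed_msg[] = "42";   /* constructed input */
    return constructed_msg;
}

/* Taint propagation: the integer computed from a tainted string is itself
 * tainted, because its value is still controlled by the input. */
static long parse_index(const char *untrusted)
{
    return strtol(untrusted, NULL, 10);
}

/* Taint sink, unsanitized: a tainted value used directly as an array index.
 * For any idx outside [0, TABLE_LEN) this is an out-of-bounds read; this is
 * the pattern a tainted-buffer-access check reports. */
static int lookup_unsafe(const char *untrusted)
{
    long idx = parse_index(untrusted);
    return table[idx];               /* sink: tainted index, no check */
}

/* Taint cleansing: validate the tainted value before it reaches the sink.
 * Returns -1 for anything that is not a well-formed, in-range index (table
 * values are non-negative, so -1 is unambiguous). After the bounds check the
 * index is no longer considered tainted. */
static int lookup_sanitized(const char *untrusted)
{
    char *end = NULL;
    errno = 0;
    long idx = strtol(untrusted, &end, 10);
    if (end == untrusted || *end != '\0' || errno == ERANGE)
        return -1;                   /* reject: not a clean decimal integer */
    if (idx < 0 || idx >= TABLE_LEN)
        return -1;                   /* cleansing: bounds check */
    return table[idx];               /* sink reached only with a cleansed index */
}

int main(void)
{
    const char *msg = read_untrusted_message();   /* "42": out of range */
    printf("sanitized lookup of \"%s\" -> %d\n", msg, lookup_sanitized(msg));
    /* lookup_unsafe(msg) would read past the end of table, so it is not
     * called here; it exists only to show the unsanitized sink. */
    return 0;
}
```

Run as written it prints -1 for the constructed message, because the value 42 is rejected at the bounds check; replacing `lookup_sanitized` with `lookup_unsafe` in `main` turns the same input into an out-of-bounds read, which is exactly the source-to-sink path that taint analysis is meant to surface.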

Uses

Taint Metrics
There are three built-in taint metrics, all with procedure granularity.
Warning Classes
The following warning classes make use of the CodeSonar taint analysis. Classes marked with an asterisk * are "taint plus decision problem" ("taint+dp") classes. In particular, warnings of these classes undergo a dedicated refinement phase that cannot be disabled. One consequence of this is that warning reporting for taint+dp classes exhibits some unavoidable nondeterminism: if result stability is important to you, you may want to ensure that these classes are disabled (note that all but Tainted Buffer Access are disabled by default).
Taint Propagation
Taint propagation checking is available through the CodeSonar GUI.
Extension API
The CodeSonar Extension API provides programmatic access to taint analysis functionality for use in creating custom checks or extending the coverage of existing checks.

Availability

If one or more taint warning classes are enabled, the CodeSonar analysis will automatically perform sufficient taint-related analysis to detect warnings of those classes.

Further tainted-value checking is performed in the pointer analysis phase, and is controlled by configuration file parameters TAINT_HIGHLIGHTING and MAX_POINTER_ANALYSIS_PASSES.

TAINT_HIGHLIGHTING
Set to Yes to enable source highlighting of tainted values.
MAX_POINTER_ANALYSIS_PASSES
A value of 1 (in combination with TAINT_HIGHLIGHTING=Yes) is sufficient to resolve taint propagation. This provides the information used for source highlighting, and can also improve analysis results for taint warning classes.

Various aspects of the taint analysis are controlled by other configuration parameters:

Viewing Taint Propagation

CodeSonar presents taint propagation information in the web GUI.

Source Highlighting
Source code displayed in the following CodeSonar GUI locations is highlighted to show tainted values in the code. You can customize the highlighting scheme in the highlight legend: by default, tainted values are underlined in red. For details, see Source Coloring and Interaction: Tainted Values.
Taint Propagation
Taint propagation checking is available in the Explore Callers and Search Callers pages. The Tainted Value page displays a single taint propagation path.

Further Information


To report problems with this documentation, please visit https://support.codesecure.com/.