Gunjan Aggarwal

Reputation: 750

How to enable clang static analyzer's "alpha.security.taint check" checker

I am trying to execute clang static analyzer (version 3.8) on some of the examples shown in its documentation (https://clang-analyzer.llvm.org/alpha_checks.html#security_alpha_checkers).

I created a small C program, as follows:

#include <stdio.h> // for getchar()

// note: requires alpha.security.taint check turned on.
void test() {
    char s[] = "abc";
    int x = getchar();
    char c = s[x]; // warn: index is tainted
}

I am executing following command to analyze the above code:

/usr/lib/llvm-3.8/bin/scan-build -enable-checker alpha.security.taint.TaintPropagation clang -c example.c

The above command generates following error report:

scan-build: Using '/usr/lib/llvm-3.8/bin/clang' for static analysis
example.c:5:8: warning: Value stored to 'c' during its initialization is never read
char c = s[x]; // warn: index is tainted
   ^   ~~~~
1 warning generated.
scan-build: 1 bug found.
scan-build: Run 'scan-view /tmp/scan-build-2018-04-09-143549-15413-1' to examine bug reports.

I was expecting clang SA to complain about a possible buffer overflow and buffer underflow at line 5, but it seems that taint analysis is not performed.

Can someone please suggest how to enable "alpha.security.taint" check?

Upvotes: 4

Views: 2122

Answers (1)

Scott McPeak

Reputation: 12749

To get a warning when using a tainted array index, you have to enable alpha.security.ArrayBoundV2 and alpha.security.taint.TaintPropagation:

$ ~/bld/llvm-project/build/bin/scan-build -enable-checker \
    alpha.security.taint.TaintPropagation,alpha.security.ArrayBoundV2 \
    gcc -c taint2.c
scan-build: Using '/home/scott/bld/llvm-project/build/bin/clang-9' for static analysis
taint2.c:6:10: warning: Value stored to 'c' during its initialization is never read
    char c = s[x]; // warn: index is tainted
         ^   ~~~~
taint2.c:6:14: warning: Out of bound memory access (index is tainted)
    char c = s[x]; // warn: index is tainted
             ^~~~
2 warnings generated.
scan-build: 2 bugs found.
scan-build: Run 'scan-view /tmp/scan-build-2019-09-11-204837-97704-1' to examine bug reports.

The TaintPropagation checker reports some things by itself, for example, passing tainted data to system(). It also exports tainting information for other checkers to use.

(I discovered this information primarily by looking at the source code, and secondarily through trial and error. The documentation isn't much help.)

Upvotes: 2
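As an added illustration (my own example, not code from either post above) of what the two checkers in the accepted answer are actually looking for: the first function reproduces the tainted-index read from the question, while the second range-checks the value from getchar() before it reaches the array. With TaintPropagation and ArrayBoundV2 both enabled, the unchecked variant is the one that produces "Out of bound memory access (index is tainted)"; the checked variant is expected to pass silently because the index is constrained on every path that reaches the array. The table contents and function names are constructed for this example.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed lookup table shared by both variants (not from the original posts). */
static const char TABLE[] = "abc";

/* Variant the analyzer flags: x comes straight from a taint source (getchar()
 * in main), which alpha.security.taint.TaintPropagation marks as tainted, and
 * alpha.security.ArrayBoundV2 then reports "Out of bound memory access
 * (index is tainted)" because nothing constrains x before the read. */
char lookup_unchecked(int x) {
    return TABLE[x];  /* warn: index is tainted */
}

/* Hardened variant: the tainted value is checked against the number of
 * characters actually in TABLE (terminator excluded) before it is used as an
 * index. Returns the character as an int, or -1 for a rejected index
 * (negative values, EOF, and anything at or past the last character). */
int lookup_checked(int x) {
    const size_t count = sizeof TABLE - 1;  /* 3 characters, NUL excluded */
    if (x < 0 || (size_t)x >= count) {
        return -1;
    }
    return (unsigned char)TABLE[x];
}

/* Stand-alone driver: reads one byte from stdin (the taint source) and
 * resolves it through the checked lookup. Analyze with, for example:
 *   scan-build -enable-checker \
 *     alpha.security.taint.TaintPropagation,alpha.security.ArrayBoundV2 \
 *     clang -c taint_example.c */
int main(void) {
    int x = getchar();  /* taint source */
    int r = lookup_checked(x);
    if (r < 0) {
        fprintf(stderr, "index out of range\n");
        return 1;
    }
    printf("TABLE[%d] = %c\n", x, (char)r);
    return 0;
}
```

Running scan-build on this file with only the default checkers, as in the question, reports neither function; the tainted-index report appears only once both checkers from the answer are enabled, and only for lookup_unchecked.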
