llvm_ir_taint/
lib.rs

1pub mod config;
2mod function_summary;
3mod function_taint_state;
4mod globals;
5mod modules;
6mod named_structs;
7mod pointee;
8mod taint_result;
9mod taint_state;
10mod tainted_type;
11mod worklist;
12
13pub use config::Config;
14pub use tainted_type::TaintedType;
15pub use pointee::Pointee;
16pub use taint_result::TaintResult;
17pub use named_structs::NamedStructInitialDef;
18
19use llvm_ir::{Module, Name};
20use taint_state::TaintState;
21use std::collections::HashMap;
22
23/// The main function in this module. Given an LLVM module or modules and the
24/// name of a function to analyze, returns a `TaintResult` with data on that
25/// function and all functions it calls, directly or transitively.
26///
27/// `args`: the `TaintedType` to assign to each argument of the start function.
28/// If this is not provided, all arguments (and everything they point to, etc)
29/// will be marked untainted.
30///
31/// `nonargs`: (optional) Initial `TaintedType`s for any nonargument variables in
32/// the start function. For instance, you can use this to set some variable in
33/// the middle of the function to tainted. If this map is empty, all
34/// `TaintedType`s will simply be inferred normally from the argument
35/// `TaintedType`s.
36pub fn do_taint_analysis_on_function<'m>(
37    modules: impl IntoIterator<Item = &'m Module>,
38    config: &'m Config,
39    start_fn_name: &str,
40    args: Option<Vec<TaintedType>>,
41    nonargs: HashMap<Name, TaintedType>,
42    named_structs: HashMap<String, NamedStructInitialDef>,
43) -> TaintResult<'m> {
44    TaintState::do_analysis_single_function(modules, config, start_fn_name, args, nonargs, named_structs)
45        .into_taint_result()
46}
47
48/// Like `do_taint_analysis_on_function`, but analyzes all functions in the
49/// `Module`, rather than only a start function and the functions it calls.
50///
51/// `args`: Map of LLVM function name to a vector specifying the `TaintedType`s
52/// to assign to each argument of that function.
53/// For functions not included in `args`, all arguments will be assumed to be
54/// untainted, unless inferred otherwise from the taint-tracking process.
55///
56/// `nonargs`: Map of LLVM function name to a map of nonargument variable name to
57/// initial `TaintedType` for that variable. For instance, you can use this to
58/// set some variable in the middle of some function to tainted. All variables
59/// not specified this way will simply be inferred normally from the argument
60/// `TaintedType`s.
61pub fn do_taint_analysis_on_module<'m>(
62    modules: impl IntoIterator<Item = &'m Module>,
63    config: &'m Config,
64    args: HashMap<&'m str, Vec<TaintedType>>,
65    nonargs: HashMap<&'m str, HashMap<Name, TaintedType>>,
66    named_structs: HashMap<String, NamedStructInitialDef>,
67) -> TaintResult<'m> {
68    TaintState::do_analysis_multiple_functions(modules, config, args, nonargs, named_structs)
69        .into_taint_result()
70}