
Taint propagation on conditional jumps #1293

Open
namreeb opened this issue Oct 15, 2023 · 1 comment

Comments

@namreeb commented Oct 15, 2023

Consider the x86 instruction JG for example, where the jump is taken if ZF = 0 and SF = OF. If ZF has an untainted, concrete value of 1, then I would have expected the instruction to be considered untainted, irrespective of the value/taint of SF and OF, because those two registers can be considered "unused" in the instruction. But looking at https://github.com/JonathanSalwan/Triton/blob/master/src/libtriton/arch/x86/x86Semantics.cpp#L7661-L7664, it seems the taint is spread to the instruction by a simple union.

I realize this may be a deliberate choice, and if so then so be it. But I was hoping to understand the reasoning.

@JonathanSalwan (Owner) commented

Yep indeed, Triton performs an over-approximation of tainting. At the beginning it was a choice but we can refine this granularity.
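To make the two behaviours discussed above concrete, here is a small Python model of taint propagation for conditional jumps. It is an added example, not Triton's code: the union policy mirrors the "simple union" the issue describes, and the precise policy implements the dependency rule namreeb expects (a flag only matters if flipping it could change whether the branch is taken, given the concrete values of the untainted flags). Flag names follow the Intel mnemonics; the `JCC`/`READS` tables and the function names are constructed for this example.

```python
"""Toy model of taint propagation for x86 Jcc instructions (added example).

Each flag is a (value, tainted) pair.  A jump condition is a Python predicate
over concrete flag values, e.g. JG: ZF == 0 and SF == OF.
"""
from itertools import product
from typing import Callable, Dict, Tuple

Flag = Tuple[int, bool]              # (concrete value 0/1, tainted?)
Flags = Dict[str, Flag]
Cond = Callable[[Dict[str, int]], bool]

# Branch conditions for a few Jcc forms (Intel SDM semantics).
JCC: Dict[str, Cond] = {
    "JG":  lambda f: f["ZF"] == 0 and f["SF"] == f["OF"],
    "JLE": lambda f: f["ZF"] == 1 or f["SF"] != f["OF"],
    "JA":  lambda f: f["CF"] == 0 and f["ZF"] == 0,
    "JE":  lambda f: f["ZF"] == 1,
}

# Flags each form reads (the set a union-based policy would OR together).
READS: Dict[str, Tuple[str, ...]] = {
    "JG":  ("ZF", "SF", "OF"),
    "JLE": ("ZF", "SF", "OF"),
    "JA":  ("CF", "ZF"),
    "JE":  ("ZF",),
}


def branch_taken(mnemonic: str, flags: Flags) -> bool:
    """Evaluate the jump condition on the concrete flag values."""
    return JCC[mnemonic]({n: flags[n][0] for n in READS[mnemonic]})


def taint_union(mnemonic: str, flags: Flags) -> bool:
    """Over-approximating policy: tainted if ANY flag the instruction reads
    is tainted, regardless of concrete values (the behaviour the issue cites)."""
    return any(flags[n][1] for n in READS[mnemonic])


def taint_precise(mnemonic: str, flags: Flags) -> bool:
    """Dependency-based policy: tainted only if some assignment to the tainted
    flags, with untainted flags pinned to their concrete values, changes the
    branch outcome.  Untainted flags that short-circuit the condition
    (e.g. ZF == 1 for JG) therefore make the jump untainted."""
    cond = JCC[mnemonic]
    names = READS[mnemonic]
    tainted = [n for n in names if flags[n][1]]
    base = {n: flags[n][0] for n in names}
    outcomes = set()
    # Enumerate every value the attacker-influenced flags could take.
    for bits in product((0, 1), repeat=len(tainted)):
        trial = dict(base)
        trial.update(zip(tainted, bits))
        outcomes.add(cond(trial))
        if len(outcomes) > 1:
            return True
    return False


if __name__ == "__main__":
    # Constructed scenario from the issue: ZF is concretely 1 and untainted,
    # SF and OF are tainted.  JG cannot be taken, so SF/OF are dead inputs.
    flags: Flags = {"ZF": (1, False), "SF": (0, True), "OF": (1, True), "CF": (0, False)}
    for m in ("JG", "JLE", "JA", "JE"):
        print(f"{m:4} taken={branch_taken(m, flags)!s:5} "
              f"union={taint_union(m, flags)!s:5} precise={taint_precise(m, flags)}")
```

The precise policy costs 2^k condition evaluations for k tainted flags, which is negligible for Jcc (at most three flags) but is the trade-off the union policy avoids; note also that JLE on the same flags stays tainted under both policies, because with ZF = 1 the branch is taken but flipping SF/OF still leaves it taken only through a different term, so the outcome set has a single element and the precise rule actually reports it untainted as well.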
