Package ghidra.pcode.emu.taint

Class TaintPcodeUseropLibrary

java.lang.Object

ghidra.pcode.exec.AnnotatedPcodeUseropLibrary<org.apache.commons.lang3.tuple.Pair<byte[],TaintVec>>

ghidra.pcode.emu.taint.TaintPcodeUseropLibrary

All Implemented Interfaces:

PcodeUseropLibrary<org.apache.commons.lang3.tuple.Pair<byte[],TaintVec>>

public class TaintPcodeUseropLibrary
extends AnnotatedPcodeUseropLibrary<org.apache.commons.lang3.tuple.Pair<byte[],TaintVec>>

A userop library for tainting machine state variables

Because Sleigh doesn't allow string literals, we're somewhat limited in what we allow a client to express. We'll allow the generation of taint variables and taint arrays on a 0-up basis, instead of allowing users to "name" the variable. These p-code ops become accessible to scripts, can be used in p-code injects, and can also be used in a TraceSchedule, i.e., in the "go to time" dialog.

Nested Class Summary

Nested classes/interfaces inherited from class ghidra.pcode.exec.AnnotatedPcodeUseropLibrary

AnnotatedPcodeUseropLibrary.AnnotatedPcodeUseropDefinition<T>, AnnotatedPcodeUseropLibrary.FixedArgsAnnotatedPcodeUseropDefinition<T>, AnnotatedPcodeUseropLibrary.OpExecutor, AnnotatedPcodeUseropLibrary.OpLibrary, AnnotatedPcodeUseropLibrary.OpOutput, AnnotatedPcodeUseropLibrary.OpState, AnnotatedPcodeUseropLibrary.PcodeUserop, AnnotatedPcodeUseropLibrary.VariadicAnnotatedPcodeUseropDefinition<T>

Nested classes/interfaces inherited from interface ghidra.pcode.exec.PcodeUseropLibrary

PcodeUseropLibrary.EmptyPcodeUseropLibrary, PcodeUseropLibrary.PcodeUseropDefinition<T>

Field Summary

Fields inherited from class ghidra.pcode.exec.AnnotatedPcodeUseropLibrary

ops

Fields inherited from interface ghidra.pcode.exec.PcodeUseropLibrary

NIL

Constructor Summary

Constructors

Constructor	Description
TaintPcodeUseropLibrary()

Method Summary

Modifier and Type	Method	Description
protected String	nextArrName()
protected TaintSet	nextVar()
org.apache.commons.lang3.tuple.Pair<byte[],TaintVec>	taint_arr(org.apache.commons.lang3.tuple.Pair<byte[],TaintVec> in)	Taint the given machine variable with an array of taint symbols
org.apache.commons.lang3.tuple.Pair<byte[],TaintVec>	taint_var(org.apache.commons.lang3.tuple.Pair<byte[],TaintVec> in)	Taint the given machine variable with a single taint symbol

Methods inherited from class ghidra.pcode.exec.AnnotatedPcodeUseropLibrary

getMethodLookup, getOperandType, getUserops

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface ghidra.pcode.exec.PcodeUseropLibrary

compose, getSymbols

Constructor Details

TaintPcodeUseropLibrary

public TaintPcodeUseropLibrary()

Method Details

nextVar

protected TaintSet nextVar()

nextArrName

protected String nextArrName()

taint_var

public org.apache.commons.lang3.tuple.Pair<byte[],TaintVec> taint_var(org.apache.commons.lang3.tuple.Pair<byte[],TaintVec> in)

Taint the given machine variable with a single taint symbol

This generates a single taint symbol (mark), places it in a singleton set, and then broadcast unions it with the taint vector already on the input variable. For example, assuming an initial state with no taints, the Sleigh code RAX = taint_var(RAX) will cause every byte of RAX to be tainted with "var_0".

Parameters:

in - the input value

Returns:

the same value, with the generated taint unioned in

taint_arr

public org.apache.commons.lang3.tuple.Pair<byte[],TaintVec> taint_arr(org.apache.commons.lang3.tuple.Pair<byte[],TaintVec> in)

Taint the given machine variable with an array of taint symbols

This generates a 0-up indexed sequence of taint symbols, unioning each with the corresponding taint set of the input taint vector. For example, assuming an initial state with no taints, the Sleigh code RAX = taint_arr(RAX) will cause RAX to be tainted as [arr_0_0][arr_0_1]...[arr_0_7].

Parameters:

in - the input value

Returns:

the same value, with the generated taint unioned in