Package ghidra.taint.model

Class TaintVec

java.lang.Object
ghidra.taint.model.TaintVec
public class TaintVec extends Object
A mutable, but fixed-size, buffer of taint sets

This is the auxiliary type used by the Taint Analyzer's emulator.

Regarding serialization, we do not serialize the vector for storage, but only for display. For storage, we instead serialize and store each taint set on an address-by-address basis. Thus, we do not (yet) have a parse(String) method.

  • Field Details

    • length

      public final int length

  • Constructor Details

    • TaintVec

      public TaintVec(int length)
      Create a new uninitialized taint vector of the given length
      Parameters:
      length - the length

  • Method Details

    • of

      public static TaintVec of(TaintSet... taints)

    • empties

      public static TaintVec empties(int size)
      Create a vector of empty taint sets
      Parameters:
      size - the length of the vector
      Returns:
      the new vector

    • copies

      public static TaintVec copies(TaintSet taint, int size)
      Broadcast the given set into a new vector or the given length
      Parameters:
      taint - the taint set
      size - the length of the vector
      Returns:
      the new vector

    • array

      public static TaintVec array(String name, long start, int size)
      Create a taint vector representing a new tainted byte array, where each element is given a distinct name

      For example, the parameters ("arr", 0, 4) will produce the vector "[arr_0][arr_1][arr_2][arr_3]". Each element is a singleton set containing the mark for a byte in the tainted array.

      Parameters:
      name - the base for naming each element
      start - the starting index for naming each element
      size - the number of bytes, i.e., the length of the vector
      Returns:
      the new vector

    • toString

      public String toString()
      Overrides:
      toString in class Object

    • toDisplay

      public String toDisplay()
      Convert the vector to a string suitable for display in the UI
      Returns:
      the string

    • equals

      public boolean equals(Object obj)
      Overrides:
      equals in class Object

    • hashCode

      public int hashCode()
      Overrides:
      hashCode in class Object

    • getSets

      public List<TaintSet> getSets()
      Get the vector as a list
      Returns:
      the list

    • get

      public TaintSet get(int i)
      Get an element from the vector
      Parameters:
      i - the index
      Returns:
      the taint set

    • set

      public void set(int i, TaintSet s)
      Set an element in the vector
      Parameters:
      i - the index
      s - the taint set

    • set

      public TaintVec set(int start, TaintVec vec)
      Set several elements in the vector

      This is essentially just an array copy. The entire source vec is copied into this vector such that the first element of the source is placed at the start index of the destination.

      Parameters:
      start - the starting index
      vec - the vector of sets
      Returns:
      this vector

    • zipUnion

      public TaintVec zipUnion(TaintVec that)
      Union each element with its corresponding element from another vector, forming a new result vector
      Parameters:
      that - the other vector
      Returns:
      the result

    • eachUnion

      public TaintVec eachUnion(TaintSet set)
      Union each element with the given set, forming a new result vector
      Parameters:
      set - the taint set
      Returns:
      the result

    • union

      public TaintSet union()
      Reduce this vector to a single taint set by union
      Returns:
      the resulting taint set

    • tagIndirectRead

      public TaintVec tagIndirectRead(TaintVec offset)
      Combine this and another taint vector to represent a tainted indirect read

      Because the all bytes of the address offset "affect" the value read, we first union all the taint sets of the that offset. We then tag each mark in that union with "indR". Finally we union that result with each element of this vector (this vector representing the bytes read from memory).

      Parameters:
      offset - the vector representing the bytes that encode the offset
      Returns:
      the vector representing the tainted bytes read from memory

    • tagIndirectWrite

      public TaintVec tagIndirectWrite(TaintVec offset)
      Combine this and another taint vector to represent a tainted indirect write

      This works the same as tagIndirectRead(TaintVec), except with the tag "indW" and it occurs before the actual write.

      Parameters:
      offset - the vector representing the bytes that encode the offset
      Returns:
      the vector representing the tainted bytes to be written to memory

    • setCopies

      public TaintVec setCopies(TaintSet taint)
      Broadcast the given set over this vector, modifying it in place
      Parameters:
      taint - the taint set
      Returns:
      this vector

    • setEmpties

      public TaintVec setEmpties()
      Broadcast the empty taint set over this vector, modifying it in place
      Returns:
      this vector

    • setArray

      public TaintVec setArray(String name, long start)
      Fill this vector as in array(String, long, int), modifying it in place
      Parameters:
      name - the base for naming each element
      start - the starting index for naming each element
      Returns:
      this vector

    • setCascade

      public TaintVec setCascade(boolean isBigEndian)
      Modify the vector so each element becomes the union of itself and all elements of lesser significance

      This should be used after zipUnion(TaintVec) to model operations with carries.

      Parameters:
      isBigEndian - true if smaller indices have greater significance
      Returns:
      this vector

    • setBlur

      public TaintVec setBlur(boolean right)
      Modify the vector so each element becomes the union of itself and its neighbor

      This should be used to model shift operations. Both the shift direction and the endianness must be considered.

      Parameters:
      right - true to cause each greater index to be unioned in place with less-indexed neighbor
      Returns:
      this vector

    • setShifted

      public TaintVec setShifted(int right, TaintVec.ShiftMode mode)
      Shift this vector some number of elements, in place
      Parameters:
      right - the number of elements to shift right, or negative for left
      mode - the behavior of the shift
      Returns:
      this vector

    • truncated

      public TaintVec truncated(int length, boolean isBigEndian)
      Drop all but length elements from this vector, creating a new vector

      Drops the most significant elements of this vector, as specified by the endianness

      Parameters:
      length - the length fo the new vector
      isBigEndian - true to drop lower-indexed elements, false to drop higher-indexed elements
      Returns:
      the truncated vector

    • copy

      public TaintVec copy()
      Create a copy of this vector
      Returns:
      the copy

    • extended

      public TaintVec extended(int length, boolean isBigEndian, boolean isSigned)
      Extend this vector to create a new vector of the given length

      Elements are appended at the most significant end, as specified by the endianness. If signed, the appended elements are copies of the most significant element in this vector. Otherwise, they are empty taint sets.

      Parameters:
      length - the length of the new vector
      isBigEndian - true to append to the lower-indexed end, false to append to the higher-indexed end
      isSigned - true to append copies of the most significant element, false to append empty sets
      Returns:
      the new vector

    • sub

      public TaintVec sub(int offset, int length)
      Extract a subpiece of this vector
      Parameters:
      offset - the offset into this vector
      length - the number of sets to extract
      Returns:
      the resulting vector