ConfTainter is a Static Taint Analysis Infrastructure for configuration options.
It is based on LLVM IR, and analyzes the control and data dependency starting from the specified configuration variable(s)
- ConfTainter: Static Taint Analysis For Configuration Options
Teng Wang, Haochen He, Xiaodong Liu, Shanshan Li, Zhouyang Jia, Yu Jiang, Qing Liao, Wang Li. "ConfTainter: Static Taint Analysis For Configuration Options", In Proceedings of the 38th ACM/IEEE International Conference on Automated Software Engineering (ASE 2023), 11-15 September, 2023, Luxembourg.
- Intra-procedural analysis ( basic LLVM "Use" support )
- Field sensitive analysis
- Inter-procedure (with pointer)
- Implicit data-flow (
phi-node)
- How to formaly determine if a
phi-nodewill be tainted
Given aphiNodelike:we check if:phi i32 [ %5, %bb1.i ], [ 0, %bb1 ] pre_node pre_node2
- How to formaly determine if a
Formaly define how the control flow:
- Control Dependency on Configuration: A block Y is control-dependent on a configuration option C if and only if (a) the branching instruction of block X is tainted by C; (b) Y is control-dependent on X.
- Control Dependent: A block Y is control dependent on block X if and only if: Y post-dominates at least one but not all successors of X.
An example, where the yellow square indicats the complicated code structures that motivate the use of the formal definition.
- Implicit Control flow: Except for explicit control-flow propagation, configuration options also implicitly propagate control dependency and dominate program blocks, using delay statements (e.g., sleep function). If a delay function occurs in a loop, and are tainted or dominated by the target option, other basic blocks in the loop can be considered as implicit control-flow dependencies.
This fork includes important bug fixes for the original ConfTainter implementation:
- Memory Leaks: Added proper deletion of
DominatorTreeandPostDominatorTreeobjects intainter.cpp - StringRef Conversion: Fixed LLVM 10
StringReftostd::stringconversion issues intainter.h - Object Lifecycle: Fixed critical object destruction order bug in
TestMain.cpp(LLVMContext must outlive Module) - File Output: Restored and fixed
writeToFile()functionality for generating analysis results
These fixes resolve segmentation faults and enable the tool to run successfully.
The easiest way to use ConfTainter is with Docker, which provides a pre-configured LLVM 10 environment.
- Docker Desktop installed (Download)
# Build Docker image (first time only)
docker build -t conftainter:latest .
# Run analysis in Docker container
docker run --rm -v "$(pwd):/workspace" conftainter:latest bash -c "
cd /workspace/src/test/demo &&
clang++-10 -O0 -g -fno-discard-value-names -emit-llvm -c test.cpp -o test.bc &&
../../tainter test.bc test-var.txt &&
cat test-var-records.dat
"# Enter container for interactive development
docker run -it --rm -v "$(pwd):/workspace" conftainter:latest /bin/bash
# Inside container:
cd /workspace/src/test/demo
clang++-10 -O0 -g -fno-discard-value-names -emit-llvm -c test.cpp -o test.bc
../../tainter test.bc test-var.txt
cat test-var-records.dat- llvm-10.0.0
- CMake >= 3.5
- Boost >= 1.73.0 (optional, for serialization)
- wllvm or gllvm (for whole-program analysis)
cd src
cmake -DCMAKE_CXX_COMPILER=/usr/bin/clang++-10 \
-DCMAKE_C_COMPILER=/usr/bin/clang-10 \
-DLLVM_DIR=/usr/lib/llvm-10/cmake .
make# Compile your code to LLVM bitcode
clang++-10 -O0 -g -fno-discard-value-names -emit-llvm -c test.cpp -o test.bc
# Run analysis
cd src/test/demo
../../tainter test.bc test-var.txt
# Check results
cat test-var-records.datFor real systems, use wllvm to obtain the .bc file (e.g., mysqld.bc)
SINGLE CONF_VAR_NAMEglobal variable with basic type (int,bool, etc.)STRUCT CONF_VAR_STRUCT.FIELD_NAMEglobal struct with fieldCLASS CONF_VAR_CLASS.FIELD_NAMEglobal class with fieldFIELD CONF_VAR_TPYE.FIELD_COUNTany field of specified type, for example, useFIELD some_type.2to makesome_type.field_Cas the entry point.STRUCT some_type{ int field_A; bool field_B; float field_C; }
- Make sure you have use the right compilation options:
-O0、-fno-discard-value-names、-g; if you want thePhiNodeanalysis, also use these two options. - Make sure the specified configuration variable name is right.
- Check if it exists in source code via simple search
grep CONF_NAME /dir/of/src. - Check if it has been compiled into the target
.bcfilegrep CONF_VAR_NAME /dir/to/target.ll.
- Check if it exists in source code via simple search
An Demo of applying ConfTainter is shown in /src/TestMain.cpp
Users can use the following codes to conduct taint analysis.
string ir_file = string(argv[1]); //input the ir path
string var_file = string(argv[2]); //input the variable mapping path
std::vector<struct ConfigVariableNameInfo *> config_names;
if (!readConfigVariableNames(var_file, config_names)) exit(1);
std::unique_ptr<llvm::Module> module;
LLVMContext context; SMDiagnostic Err;
buildModule(module, context, Err, ir_file); //build the llvm module based on ir
std::vector<struct GlobalVariableInfo *> gvlist = getGlobalVariableInfo(module, config_names); //conduct Configuration Variable Mapping
startAnalysis(gvlist, true, true); //Taint Analysis with implicit data-flow, and implicit control-flowThe details of APIs can be found in /src/tainter.h
For example,
bool readConfigVariableNames( std::string, std::vector< struct ConfigVariableNameInfo* >&);
int buildModule(std::unique_ptr<llvm::Module> &module, LLVMContext &context, SMDiagnostic &Err, string ir_file);
int startAnalysis(std::vector<struct GlobalVariableInfo *> gv_info_list, bool isAnalysisImplicitData, bool isAnalysisImplicitControl);
GlobalVariableInfo::vector<struct InstInfo *> getExplicitDataFlow();
We conduct three prototype experiments by applying ConfTainter to
- Misconfiguration Detection (TInfer in /ApplicabilityExperiment_5_3_1)
- Configuration-related Bug Detection (TCub in /ApplicabilityExperiment_5_3_2) (TFuzz in /ApplicabilityExperiment_5_3_3)