Wei Ming Khoo edited this page Aug 5, 2020 · 5 revisions

Client requests allow you to perform fine-grained actions during execution. To use them, include the taintgrind.h header file. Since taintgrind.h lives in the taintgrind directory and itself includes valgrind.h, you also need to add the taintgrind and valgrind-xxx/include directories to the include path when compiling your executable.

TNT_TAINT and TNT_UNTAINT

The TNT_TAINT and TNT_UNTAINT requests are probably the most intuitive to use. Use them to introduce or remove taint on a variable or memory location in the program. For example,

int a;
TNT_TAINT(&a, sizeof(a)); // a is tainted from this point on
...
TNT_UNTAINT(&a, sizeof(a)); // a is not tainted from this point on

The first argument is the address of the variable, in this case &a (note: not a, which would only pass the value). The second argument is the number of bytes to taint, in this case sizeof(a). On a 32-bit architecture, this will be 4 bytes; on a 64-bit architecture, this will be 8 bytes.

TNT_TAINT_NAMED

The TNT_TAINT_NAMED request is used when --smt2=yes is enabled. It is similar to TNT_TAINT, with an additional string argument: the chosen name of the variable. This is useful when there are many variables to keep track of.

TNT_IS_TAINTED

The TNT_IS_TAINTED request checks whether a variable or memory location is tainted and stores the resulting taint mask in its first argument. For example,

int a = 1000, b, c, t_b, t_c;
TNT_TAINT(&a, sizeof(a));
b = a;
c = a & 8;
TNT_IS_TAINTED(t_b, &b, sizeof(b)); // On a 32-bit PC, t_b will be 0xffffffff
TNT_IS_TAINTED(t_c, &c, sizeof(c)); // On a 32-bit PC, t_c will be 0x8

Check out tests/checktaint.c for a full example.
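The snippet above is easier to understand once you see why t_b and t_c differ: taint is tracked per bit, and a bitwise AND with a clean constant can only keep the taint on the bits that constant leaves unmasked. The program below is an added example, not code from the Taintgrind wiki or from the project's tests. It runs the same TNT_TAINT / TNT_IS_TAINTED / TNT_UNTAINT sequence when taintgrind.h is on the include path (when built outside Valgrind the requests become no-ops), and next to it models the bit-level propagation rule. The model's AND/OR rules are an assumption (Memcheck-style shadow propagation, which Taintgrind is based on); the helper names taint_mov, taint_and, taint_or, model_wiki_example, model_and_mask and model_or_mask are mine and not part of the Taintgrind API.

```c
/* Added example (not from the Taintgrind wiki or project): what
 * TNT_IS_TAINTED reports for the wiki's a/b/c snippet, and a model of why.
 * Build with -I<taintgrind dir> -I<valgrind-xxx>/include to use the real
 * client requests; without the header they are stubbed out as no-ops. */
#include <stdio.h>
#include <stdint.h>

#if defined(__has_include)
#  if __has_include("taintgrind.h")
#    include "taintgrind.h"
#    define HAVE_TAINTGRIND 1
#  endif
#endif
#ifndef HAVE_TAINTGRIND
/* Fallback when not built against Taintgrind: requests do nothing and
 * TNT_IS_TAINTED reports "not tainted" (0). */
#  define TNT_TAINT(addr, len)            ((void)0)
#  define TNT_UNTAINT(addr, len)          ((void)0)
#  define TNT_IS_TAINTED(dst, addr, len)  ((dst) = 0)
#endif

/* Model of bit-level taint propagation (assumption: Memcheck-style shadow
 * rules). Each value carries a shadow word t in which a 1 bit means "this
 * bit depends on tainted input". */
typedef struct { uint32_t v; uint32_t t; } tval;

/* Assignment copies the shadow unchanged: b = a gives t_b == t_a. */
static tval taint_mov(tval a) { return a; }

/* AND: an output bit is clean if either input bit is a *clean zero*,
 * because a clean 0 forces that output bit regardless of the other input. */
static tval taint_and(tval a, tval b) {
    uint32_t clean_zero_a = ~a.t & ~a.v;
    uint32_t clean_zero_b = ~b.t & ~b.v;
    tval r = { a.v & b.v, (a.t | b.t) & ~(clean_zero_a | clean_zero_b) };
    return r;
}

/* OR is the dual: a *clean one* in either input forces the output bit. */
static tval taint_or(tval a, tval b) {
    uint32_t clean_one_a = ~a.t & a.v;
    uint32_t clean_one_b = ~b.t & b.v;
    tval r = { a.v | b.v, (a.t | b.t) & ~(clean_one_a | clean_one_b) };
    return r;
}

/* The wiki's snippet under the model: returns t_c, provided t_b came out
 * fully tainted as the wiki states (0 otherwise, to flag a model mismatch). */
uint32_t model_wiki_example(void) {
    tval a = { 1000, 0xffffffffu };      /* TNT_TAINT(&a, sizeof(a)) */
    tval b = taint_mov(a);               /* b = a      -> t_b = 0xffffffff */
    tval eight = { 8, 0 };               /* untainted constant operand */
    tval c = taint_and(a, eight);        /* c = a & 8  -> t_c = 0x8 */
    return (b.t == 0xffffffffu) ? c.t : 0;
}

/* Generalisation: taint mask left on (fully tainted) & mask, and on | mask. */
uint32_t model_and_mask(uint32_t mask) {
    tval a = { 1000, 0xffffffffu }, m = { mask, 0 };
    return taint_and(a, m).t;            /* == mask */
}
uint32_t model_or_mask(uint32_t mask) {
    tval a = { 1000, 0xffffffffu }, m = { mask, 0 };
    return taint_or(a, m).t;             /* == ~mask */
}

int main(void) {
    /* Same sequence with the real client requests; meaningful only under
     * valgrind --tool=taintgrind, otherwise the stubs report 0. */
    int a = 1000, b, c, t_b = 0, t_c = 0;
    TNT_TAINT(&a, sizeof(a));
    b = a;
    c = a & 8;
    TNT_IS_TAINTED(t_b, &b, sizeof(b));
    TNT_IS_TAINTED(t_c, &c, sizeof(c));
    TNT_UNTAINT(&a, sizeof(a));          /* a is clean from here on */
    printf("taintgrind: t_b=0x%x t_c=0x%x\n", (unsigned)t_b, (unsigned)t_c);
    printf("model:      t_c=0x%x\n", model_wiki_example());
    return 0;
}
```

Compile it as the page describes (gcc -I&lt;taintgrind dir&gt; -I&lt;valgrind-xxx&gt;/include example.c) and run it under valgrind --tool=taintgrind to see the client requests report the masks; the model half runs anywhere and explains the 0x8: only bit 3 of c can still depend on a, because the clean zero bits of the constant 8 force every other bit of c to zero.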

TNT_START_PRINT and TNT_STOP_PRINT

Taintgrind (tg) normally prints the instructions that process tainted data, which can get quite verbose. The TNT_START_PRINT and TNT_STOP_PRINT requests let you control when tg prints its output, regardless of whether tainted data is encountered. They are called without any arguments.

TNT_STACKTRACE

The TNT_STACKTRACE request is a helper that prints the execution stack trace at a given point in the program, which is useful for debugging or analysing the program. It is called without any arguments.