Wei Ming Khoo edited this page Aug 4, 2020 · 5 revisions

Client requests allow you to perform fine-grained actions during execution.

TNT_TAINT and TNT_UNTAINT

The TNT_TAINT and TNT_UNTAINT requests are probably the most intuitive to use. Use these to introduce or remove taint from a variable or memory location in the program. For example:

#include "taintgrind.h" // provides the TNT_* client request macros
int a;
TNT_TAINT(&a, sizeof(a)); // a is tainted from this point on
...
TNT_UNTAINT(&a, sizeof(a)); // a is not tainted from this point on

The first argument is the address of the variable, in this case &a (note: not a, which would only pass the value). The second argument is the number of bytes to taint, in this case sizeof(a). On a 32-bit architecture, this will be 4 bytes; on a 64-bit architecture, this will be 8 bytes.

TNT_TAINT_NAMED

The TNT_TAINT_NAMED request is used when --smt2=yes is enabled. It is similar to TNT_TAINT, but takes an additional string argument: the chosen name of the variable. This is useful when there are many variables to keep track of.

TNT_IS_TAINTED

The TNT_IS_TAINTED request is used to check if a variable or memory location is tainted or not. For example,

int a = 1000, b, c, t_b, t_c;
TNT_TAINT(&a, sizeof(a));
b = a;
c = a & 8;
t_b = TNT_IS_TAINTED(t, &b, sizeof(b)); // On a 32-bit PC, t_b will be 0xffffffff
t_c = TNT_IS_TAINTED(t, &c, sizeof(c)); // On a 32-bit PC, t_c will be 0x8

TNT_START_PRINT and TNT_STOP_PRINT

tg typically prints every instruction that processes tainted data, which can get quite verbose. The TNT_START_PRINT and TNT_STOP_PRINT requests therefore let you control when tg prints its output at all, independent of whether tainted data is encountered. They are called without any arguments.

TNT_STACKTRACE

The TNT_STACKTRACE request is a helper for determining what the execution stack trace is at a certain point in the program. This may be useful for debugging or analysing the program. It is called without any arguments.
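The following program, added here as an example and not taken from the Taintgrind wiki or repository, uses all of the requests above on a constructed 4-byte input: it marks the input as the taint source, derives a flags byte from it, checks which derived values carry taint, and confines tg's instruction log to those checks. It assumes the argument order (address, length, name) for TNT_TAINT_NAMED and reuses the calling form for TNT_IS_TAINTED shown on this page; when taintgrind.h is not on the include path, no-op stand-ins let the same source build and run natively so the data flow can still be checked.

```c
/* Added example, not from the Taintgrind wiki or repository. If taintgrind.h is
 * not on the include path, the stand-ins below (page's calling forms) let it build. */
#include <stdint.h>
#include <stdio.h>
#ifdef __has_include
# if __has_include("taintgrind.h")
#  include "taintgrind.h"
#  define TNT_LIVE 1
# endif
#endif
#ifndef TNT_LIVE
# define TNT_LIVE 0                        /* stand-ins: taint queries always answer 0 */
# define TNT_TAINT(addr, len)             ((void)0)
# define TNT_UNTAINT(addr, len)           ((void)0)
# define TNT_TAINT_NAMED(addr, len, name) ((void)0)
# define TNT_IS_TAINTED(t, addr, len)     ((void)(t), 0)
# define TNT_START_PRINT()                ((void)0)
# define TNT_STOP_PRINT()                 ((void)0)
# define TNT_STACKTRACE()                 ((void)0)
#endif
/* Treats pkt (4 untrusted bytes) as the taint source, derives a header word
 * and a flags byte, and reports which derived values still carry taint.
 * Returns the flags byte so a caller can check the data flow itself. */
uint32_t parse_packet(unsigned char pkt[4], int *flags_tainted, int *len_tainted)
{
    unsigned int t = 0;                   /* first TNT_IS_TAINTED argument, as used on this page */
    TNT_TAINT(pkt, 4);                    /* pass the buffer's address, not a value */
    uint32_t hdr = pkt[0] | (uint32_t)pkt[1] << 8 |
                   (uint32_t)pkt[2] << 16 | (uint32_t)pkt[3] << 24;
    TNT_TAINT_NAMED(&hdr, sizeof hdr, "hdr"); /* name for --smt2=yes; assumed order: addr, len, name */
    uint32_t flags = hdr & 0xffu;         /* derived from input: expect taint in the low byte only */
    uint32_t len = 16;                    /* constant, never touched by input: expect no taint */
    TNT_START_PRINT();                    /* confine tg's instruction log to these checks */
    *flags_tainted = TNT_IS_TAINTED(t, &flags, sizeof flags) != 0;
    *len_tainted   = TNT_IS_TAINTED(t, &len, sizeof len) != 0;
    TNT_STOP_PRINT();
    if (*len_tainted)
        TNT_STACKTRACE();                 /* unexpected flow into len: show where we are */
    TNT_UNTAINT(pkt, 4);                  /* input validated: stop tracking it from here on */
    return flags;
}
int main(void)
{
    unsigned char pkt[4] = {0x2b, 0x01, 0x00, 0x00};  /* constructed sample input */
    int ft, lt;
    uint32_t flags = parse_packet(pkt, &ft, &lt);
    printf("flags=0x%02x tainted(flags)=%d tainted(len)=%d tg_live=%d\n", flags, ft, lt, TNT_LIVE);
    return 0;
}
```

Build against the real header with something like `gcc -I<taintgrind dir> -g -o demo demo.c` and run it with `valgrind --tool=taintgrind ./demo`; natively, tg_live prints 0 and both taint checks answer 0.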