44 Chapter 6. Theory
⟦entry⟧ = {}
⟦x = input()⟧ = {x = input()}
⟦x = int(x)⟧ = {x = int(x)}
⟦while x > 1⟧ = {x = int(x), y = x/2, x = x − y, x = x/2, z = z − 1}
⟦y = x/2⟧ = {x = int(x), y = x/2, x = x − y, x = x/2, z = z − 1}
⟦if y > 3⟧ = {x = int(x), y = x/2, x = x − y, x = x/2, z = z − 1}
⟦x = x − y⟧ = {y = x/2, x = x − y, z = z − 1}
⟦z = x − 4⟧ = {x = int(x), y = x/2, x = x − y, z = x − 4, x = x/2}
⟦if z > 0⟧ = {x = int(x), y = x/2, x = x − y, z = x − 4, x = x/2}
⟦x = x/2⟧ = {y = x/2, z = x − 4, x = x/2}
⟦z = z − 1⟧ = {x = int(x), y = x/2, x = x − y, x = x/2, z = z − 1}
⟦print(x)⟧ = {x = int(x), y = x/2, x = x − y, x = x/2, z = z − 1}
⟦exit⟧ = {x = int(x), y = x/2, x = x − y, x = x/2, z = z − 1}
Figure 6.10: Final result of the fixed-point algorithm
Interpreting the result The final equations show the potential flow of values
through the program. For example, at the print statement the value of x could
have originated from three places in the program: the x = int(x), x = x − y or
x = x/2 statement. Depending on the purpose of the analysis, this information
can be used to deduce whether any dangerous flows are possible.
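As an added example (not code from the thesis), the following Python reconstructs the program and control-flow graph that the sets in Figure 6.10 imply and recomputes those sets with a worklist fixed-point iteration. The program text and the edges are an assumption inferred from the figure; the statement labels double as definition identifiers.

```python
from collections import defaultdict

# Program reconstructed from the sets in Figure 6.10 (an assumption):
#   x = input(); x = int(x)
#   while x > 1:
#       y = x/2
#       if y > 3: x = x - y
#       z = x - 4
#       if z > 0: x = x/2
#       z = z - 1
#   print(x)
# Each node is (statement label, variable it defines or None).
NODES = [
    ("entry", None),
    ("x = input()", "x"),
    ("x = int(x)", "x"),
    ("while x > 1", None),
    ("y = x/2", "y"),
    ("if y > 3", None),
    ("x = x - y", "x"),
    ("z = x - 4", "z"),
    ("if z > 0", None),
    ("x = x/2", "x"),
    ("z = z - 1", "z"),
    ("print(x)", None),
    ("exit", None),
]

EDGES = [
    ("entry", "x = input()"),
    ("x = input()", "x = int(x)"),
    ("x = int(x)", "while x > 1"),
    ("while x > 1", "y = x/2"),       # loop body
    ("while x > 1", "print(x)"),      # loop exit
    ("y = x/2", "if y > 3"),
    ("if y > 3", "x = x - y"),        # true branch
    ("if y > 3", "z = x - 4"),        # false branch
    ("x = x - y", "z = x - 4"),
    ("z = x - 4", "if z > 0"),
    ("if z > 0", "x = x/2"),          # true branch
    ("if z > 0", "z = z - 1"),        # false branch
    ("x = x/2", "z = z - 1"),
    ("z = z - 1", "while x > 1"),     # back edge
    ("print(x)", "exit"),
]


def reaching_definitions(nodes, edges):
    """Return OUT[n] for every node: the definitions reaching the end of n,
    computed as the least fixed point of
        IN[n]  = union of OUT[p] over predecessors p of n
        OUT[n] = gen[n] | (IN[n] - kill[n])
    """
    preds, succs = defaultdict(list), defaultdict(list)
    for src, dst in edges:
        preds[dst].append(src)
        succs[src].append(dst)
    # gen[n]: the definition n itself makes; kill[n]: every definition of the
    # same variable anywhere in the program (n included)
    gen = {lbl: ({lbl} if var else set()) for lbl, var in nodes}
    kill = {lbl: {d for d, v in nodes if var and v == var} for lbl, var in nodes}

    out = {lbl: set() for lbl, _ in nodes}   # start from the empty solution
    worklist = [lbl for lbl, _ in nodes]
    while worklist:
        n = worklist.pop(0)
        inn = set().union(*(out[p] for p in preds[n]))
        new = gen[n] | (inn - kill[n])
        if new != out[n]:                      # only a change re-queues successors
            out[n] = new
            worklist.extend(s for s in succs[n] if s not in worklist)
    return out


if __name__ == "__main__":
    for lbl, defs in reaching_definitions(NODES, EDGES).items():
        print(f"[[{lbl}]] = {sorted(defs)}")
```

Running it prints one line per node; apart from the ASCII minus sign in the labels the sets are the ones in Figure 6.10, and the set for print(x) contains exactly the three x-definitions named above.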
6.10 Taint Analysis
The following is based on Schwartz, Avgerinos, and Brumley [26, Part 3]. An
expression which introduces user input in some way is called a source, while a
dangerous destination for such input is called a sink. A function that can neutralise
input so it is not dangerous to send to a sink is called a sanitiser.
Taint analysis is used for tracking the flow of information between sources and
sinks. If some data comes from an untrusted or tainted source it is regarded as
being tainted. All other data is untainted. Which sources introduce taint is defined
by the user of the analysis.
If a taint analysis marks too much data as tainted, the analysis is overtainting,
while an analysis that marks too little data as tainted is undertainting. If the
analysis is neither over- nor undertainting it is precise. Undertainting leads to
missing some vulnerabilities, while overtainting leads to false positives.
Because finding all vulnerabilities is critical, it is common to strive for
overtainting rather than undertainting. This can lead to a problem called
taintspread, where more and more data becomes tainted with ever less precision.
To help with that, one can include sanitisers in the analysis, which untaint the data.
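As an added example (not from the thesis or the cited work), the following Python runs a forward taint propagation over a small constructed straight-line program. The sets of sources, sinks and sanitisers are the user-supplied policy the text describes; the function names in them are illustrative choices, and the `model_sanitisers` switch shows the overtainting that results when a sanitiser is treated as an ordinary function.

```python
# Policy supplied by the user of the analysis (illustrative choices)
SOURCES = {"input"}            # calls whose result carries taint
SINKS = {"os.system"}          # calls whose arguments must be untainted
SANITISERS = {"shlex.quote"}   # calls whose result is untainted

# Constructed program; each statement is
# (assigned variable or None, called function or None, argument variables)
PROGRAM = [
    ("cmd",  "input",       []),               # cmd  = input()           source
    ("safe", "shlex.quote", ["cmd"]),          # safe = shlex.quote(cmd)  sanitiser
    ("line", None,          ["cmd", "safe"]),  # line = cmd + safe
    (None,   "os.system",   ["safe"]),         # os.system(safe)          sink
    (None,   "os.system",   ["line"]),         # os.system(line)          sink
]


def taint_analysis(program, sources, sinks, sanitisers, model_sanitisers=True):
    """Return [(statement index, tainted arguments)] for every sink that
    tainted data reaches. With model_sanitisers=False the sanitiser is an
    ordinary function, so its result stays tainted: the analysis overtaints
    and the sanitised sink call becomes a false positive."""
    tainted = set()      # variables currently holding tainted data
    findings = []
    for i, (target, func, args) in enumerate(program):
        tainted_args = [a for a in args if a in tainted]
        if func in sinks:
            if tainted_args:
                findings.append((i, tainted_args))
            continue
        if func in sources:
            result_tainted = True
        elif func in sanitisers and model_sanitisers:
            result_tainted = False
        else:
            result_tainted = bool(tainted_args)   # taint flows through any use
        if result_tainted:
            tainted.add(target)
        else:
            tainted.discard(target)               # a clean reassignment untaints
    return findings


if __name__ == "__main__":
    print("with sanitisers:   ", taint_analysis(PROGRAM, SOURCES, SINKS, SANITISERS))
    print("without sanitisers:", taint_analysis(PROGRAM, SOURCES, SINKS, SANITISERS,
                                                model_sanitisers=False))
```

With the sanitiser modelled only the last statement is reported, because `line` still carries the raw `cmd`; without it both sink calls are reported, which is the taintspread the text warns about. An analysis that propagated taint only through direct assignment and not through `cmd + safe` would instead undertaint and miss the real flow.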