Thread

Topic: Tainted attributes

Author: Dale Weiler <weilercdale@gmail.com>
Date: Mon, 22 Dec 2014 20:00:57 -0800 (PST) Raw View

------=_Part_3136_1439016536.1419307257429
Content-Type: multipart/alternative;
 boundary="----=_Part_3137_590088038.1419307257429"

------=_Part_3137_590088038.1419307257429
Content-Type: text/plain; charset=UTF-8

When working with outside data (mmap or read from file, network, shared
memory, etc) it's often advised that you verify the bounds and range of all
of it to prevent possible attack vectors for outside data to exploit.

I'd like to propose *[[tained]]* and *[[tainted_sink]]* which do two
different things, as well as *std::kill_taint *and *std::is_tainted* which
I'll describe below, but first an example.

Example
// all data is loaded from a file
void do_something(uint8_t value) { ... }
uint8_t *some_data = read_data();
size_t some_data_length = read_length();
size_t index = read_index();
do_something(some_data[index]);

In the example we make the assumption that all local variable values can be
trusted, when in fact they can't. There is no way for the compiler to
produce a diagnostic about this either. This is where the attributes help.

Annotated
void do_something(uint8_t value) { }
[[tainted_sink]] uint8_t *some_data = read_data(); // Any read from here,
or alias of this implicitly becomes marked with [[tainted]]
[[tainted]] size_t some_data_len = read_length();
[[tainted]] size_t index = read_index();
if (index >= some_data_len) abort();
do_something(std::kill_taint(some_data[std::kill_taint(index)])); // like
std::kill_dependency, removes the [[taint]]

Explination
Lets rundown the attributes:

*[[tainted_sink]]* is used to specify that any read from the array or
pointer stored to anything becomes tainted.

So in other words if I do:

[[tainted_sink]] int data[100];
int x = data[0]; // this becomes [[tainted]] int x = data[0]

*[[tained]]* is used to specify that the result stored in a variable is
tainted (not to be trusted). When a tainted variable is referenced
somewhere that [[tainted]] attribute propagates until it's directly used
somewhere.
When directly used somewhere that is not also marked [[tainted]] then the
compiler emits a warning.

So in other words if I do:
[[tainted]] int x = read_int();
use(x); // warning: `x' is tainted

std::kill_taint is used to remove the [[taint]] on something that may be
tainted directly or indirectly (propagated from another [[tainted]]
variable or from a [[tainted_sink]])

So in other words if I do:

[[tainted] int x = read_int();
use(std::kill_taint(x)); // no warning emitted

This enforces people to be more cautious and to verify their data before
using it possibly unsafely.

Implementation
*[[tainted]]* and *[[tainted_sink]]* would have to be implemented as part
of the compiler.

The following would be added to *<type_traits>*
template <typename T>
struct is_tainted : false_type {};

template <typename T>
struct is_tainted<[[tainted]] T> : true_type {};

template <typename T>
struct is_tainted<[[tainted_sink]] T> : true_type {};

While the following would be added to












*<utility>template <typename T>struct kill_taint { typedef T type;
};template <typename T>struct kill_taint<[[tainted]] T> { typedef T type;
};template <typename T>struct kill_taint<[[tainted_sink]] T> { typedef T
type; };*

--

---
You received this message because you are subscribed to the Google Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an email to std-proposals+unsubscribe@isocpp.org.
To post to this group, send email to std-proposals@isocpp.org.
Visit this group at http://groups.google.com/a/isocpp.org/group/std-proposals/.

------=_Part_3137_590088038.1419307257429
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">When working with outside data (mmap or read from file, ne=
twork, shared memory, etc) it's often advised that you verify the bounds an=
d range of all of it to prevent possible attack vectors for outside data to=
 exploit.<br><br>I'd like to propose <i>[[tained]]</i> and <i>[[tainted_sin=
k]]</i> which do two different things, as well as <i>std::kill_taint </i>an=
d <i>std::is_tainted</i> which I'll describe below, but first an example.<b=
r><br><font size=3D"4">Example</font><br><div class=3D"prettyprint" style=
=3D"background-color: rgb(250, 250, 250); border-color: rgb(187, 187, 187);=
 border-style: solid; border-width: 1px; word-wrap: break-word;"><code clas=
s=3D"prettyprint"><div class=3D"subprettyprint"><font size=3D"4"><span styl=
e=3D"color: rgb(136, 0, 0);" class=3D"styled-by-prettify">// all data is lo=
aded from a file</span><span style=3D"color: rgb(0, 0, 0);" class=3D"styled=
-by-prettify"></span><br><span style=3D"color: rgb(0, 0, 0);" class=3D"styl=
ed-by-prettify"><code class=3D"prettyprint"><span style=3D"color: rgb(0, 0,=
 136);" class=3D"styled-by-prettify">void</span><span style=3D"color: rgb(0=
, 0, 0);" class=3D"styled-by-prettify"> do_something</span><span style=3D"c=
olor: rgb(102, 102, 0);" class=3D"styled-by-prettify">(</span><span style=
=3D"color: rgb(0, 0, 0);" class=3D"styled-by-prettify">uint8_t value</span>=
<span style=3D"color: rgb(102, 102, 0);" class=3D"styled-by-prettify">)</sp=
an><span style=3D"color: rgb(0, 0, 0);" class=3D"styled-by-prettify"> </spa=
n><span style=3D"color: rgb(102, 102, 0);" class=3D"styled-by-prettify">{</=
span><span style=3D"color: rgb(0, 0, 0);" class=3D"styled-by-prettify"> </s=
pan><span style=3D"color: rgb(102, 102, 0);" class=3D"styled-by-prettify">.=
...</span><span style=3D"color: rgb(0, 0, 0);" class=3D"styled-by-prettify">=
 </span><span style=3D"color: rgb(102, 102, 0);" class=3D"styled-by-prettif=
y">}</span><span style=3D"color: rgb(0, 0, 0);" class=3D"styled-by-prettify=
"><br></span></code>uint8_t </span><span style=3D"color: rgb(102, 102, 0);"=
 class=3D"styled-by-prettify">*</span><span style=3D"color: rgb(0, 0, 0);" =
class=3D"styled-by-prettify">some_data </span><span style=3D"color: rgb(102=
, 102, 0);" class=3D"styled-by-prettify">=3D</span><span style=3D"color: rg=
b(0, 0, 0);" class=3D"styled-by-prettify"> read_data</span><span style=3D"c=
olor: rgb(102, 102, 0);" class=3D"styled-by-prettify">();</span><span style=
=3D"color: rgb(0, 0, 0);" class=3D"styled-by-prettify"><br>size_t some_data=
_length </span><span style=3D"color: rgb(102, 102, 0);" class=3D"styled-by-=
prettify">=3D</span><span style=3D"color: rgb(0, 0, 0);" class=3D"styled-by=
-prettify"> read_length</span><span style=3D"color: rgb(102, 102, 0);" clas=
s=3D"styled-by-prettify">();</span><span style=3D"color: rgb(0, 0, 0);" cla=
ss=3D"styled-by-prettify"><br>size_t index </span><span style=3D"color: rgb=
(102, 102, 0);" class=3D"styled-by-prettify">=3D</span><span style=3D"color=
: rgb(0, 0, 0);" class=3D"styled-by-prettify"> read_index</span><span style=
=3D"color: rgb(102, 102, 0);" class=3D"styled-by-prettify">();</span><span =
style=3D"color: rgb(0, 0, 0);" class=3D"styled-by-prettify"><br>do_somethin=
g</span><span style=3D"color: rgb(102, 102, 0);" class=3D"styled-by-prettif=
y">(</span><span style=3D"color: rgb(0, 0, 0);" class=3D"styled-by-prettify=
">some_data</span><span style=3D"color: rgb(102, 102, 0);" class=3D"styled-=
by-prettify">[</span><span style=3D"color: rgb(0, 0, 0);" class=3D"styled-b=
y-prettify">index</span><span style=3D"color: rgb(102, 102, 0);" class=3D"s=
tyled-by-prettify">]);</span></font><span style=3D"color: #000;" class=3D"s=
tyled-by-prettify"><br></span></div></code></div><br>In the example we make=
 the assumption that all local variable values can be trusted, when in fact=
 they can't. There is no way for the compiler to produce a diagnostic about=
 this either. This is where the attributes help.<br><br><font size=3D"4">An=
notated</font><br><div class=3D"prettyprint" style=3D"background-color: rgb=
(250, 250, 250); border-color: rgb(187, 187, 187); border-style: solid; bor=
der-width: 1px; word-wrap: break-word;"><code class=3D"prettyprint"><div cl=
ass=3D"subprettyprint"><font size=3D"4"><span style=3D"color: rgb(102, 102,=
 0);" class=3D"styled-by-prettify"><code class=3D"prettyprint"><span style=
=3D"color: rgb(0, 0, 136);" class=3D"styled-by-prettify">void</span><span s=
tyle=3D"color: rgb(0, 0, 0);" class=3D"styled-by-prettify"> do_something</s=
pan><span style=3D"color: rgb(102, 102, 0);" class=3D"styled-by-prettify">(=
</span><span style=3D"color: rgb(0, 0, 0);" class=3D"styled-by-prettify">ui=
nt8_t value</span><span style=3D"color: rgb(102, 102, 0);" class=3D"styled-=
by-prettify">)</span><span style=3D"color: rgb(0, 0, 0);" class=3D"styled-b=
y-prettify"> </span><span style=3D"color: rgb(102, 102, 0);" class=3D"style=
d-by-prettify">{</span><span style=3D"color: rgb(0, 0, 0);" class=3D"styled=
-by-prettify"> </span><span style=3D"color: rgb(102, 102, 0);" class=3D"sty=
led-by-prettify"></span><span style=3D"color: rgb(102, 102, 0);" class=3D"s=
tyled-by-prettify">}</span><span style=3D"color: rgb(0, 0, 0);" class=3D"st=
yled-by-prettify"><br></span></code>[[</span><span style=3D"color: rgb(0, 0=
, 0);" class=3D"styled-by-prettify">tainted_sink</span><span style=3D"color=
: rgb(102, 102, 0);" class=3D"styled-by-prettify">]]</span><span style=3D"c=
olor: rgb(0, 0, 0);" class=3D"styled-by-prettify"> uint8_t </span><span sty=
le=3D"color: rgb(102, 102, 0);" class=3D"styled-by-prettify">*</span><span =
style=3D"color: rgb(0, 0, 0);" class=3D"styled-by-prettify">some_data </spa=
n><span style=3D"color: rgb(102, 102, 0);" class=3D"styled-by-prettify">=3D=
</span><span style=3D"color: rgb(0, 0, 0);" class=3D"styled-by-prettify"> r=
ead_data</span><span style=3D"color: rgb(102, 102, 0);" class=3D"styled-by-=
prettify">();</span><span style=3D"color: rgb(0, 0, 0);" class=3D"styled-by=
-prettify"> </span><span style=3D"color: rgb(136, 0, 0);" class=3D"styled-b=
y-prettify">// Any read from here, or alias of this implicitly becomes mark=
ed with [[tainted]]</span><span style=3D"color: rgb(0, 0, 0);" class=3D"sty=
led-by-prettify"><br></span><span style=3D"color: rgb(102, 102, 0);" class=
=3D"styled-by-prettify">[[</span><span style=3D"color: rgb(0, 0, 0);" class=
=3D"styled-by-prettify">tainted</span><span style=3D"color: rgb(102, 102, 0=
);" class=3D"styled-by-prettify">]]</span><span style=3D"color: rgb(0, 0, 0=
);" class=3D"styled-by-prettify"> size_t some_data_len </span><span style=
=3D"color: rgb(102, 102, 0);" class=3D"styled-by-prettify">=3D</span><span =
style=3D"color: rgb(0, 0, 0);" class=3D"styled-by-prettify"> read_length</s=
pan><span style=3D"color: rgb(102, 102, 0);" class=3D"styled-by-prettify">(=
);</span><span style=3D"color: rgb(0, 0, 0);" class=3D"styled-by-prettify">=
<br></span><span style=3D"color: rgb(102, 102, 0);" class=3D"styled-by-pret=
tify">[[</span><span style=3D"color: rgb(0, 0, 0);" class=3D"styled-by-pret=
tify">tainted</span><span style=3D"color: rgb(102, 102, 0);" class=3D"style=
d-by-prettify">]]</span><span style=3D"color: rgb(0, 0, 0);" class=3D"style=
d-by-prettify"> size_t index </span><span style=3D"color: rgb(102, 102, 0);=
" class=3D"styled-by-prettify">=3D</span><span style=3D"color: rgb(0, 0, 0)=
;" class=3D"styled-by-prettify"> read_index</span><span style=3D"color: rgb=
(102, 102, 0);" class=3D"styled-by-prettify">();</span><span style=3D"color=
: rgb(0, 0, 0);" class=3D"styled-by-prettify"><br></span><span style=3D"col=
or: rgb(0, 0, 136);" class=3D"styled-by-prettify">if</span><span style=3D"c=
olor: rgb(0, 0, 0);" class=3D"styled-by-prettify"> </span><span style=3D"co=
lor: rgb(102, 102, 0);" class=3D"styled-by-prettify">(</span><span style=3D=
"color: rgb(0, 0, 0);" class=3D"styled-by-prettify">index </span><span styl=
e=3D"color: rgb(102, 102, 0);" class=3D"styled-by-prettify">&gt;=3D</span><=
span style=3D"color: rgb(0, 0, 0);" class=3D"styled-by-prettify"> some_data=
_len</span><span style=3D"color: rgb(102, 102, 0);" class=3D"styled-by-pret=
tify">)</span><span style=3D"color: rgb(0, 0, 0);" class=3D"styled-by-prett=
ify"> abort</span><span style=3D"color: rgb(102, 102, 0);" class=3D"styled-=
by-prettify">();</span><span style=3D"color: rgb(0, 0, 0);" class=3D"styled=
-by-prettify"></span><span style=3D"color: rgb(136, 0, 0);" class=3D"styled=
-by-prettify"></span><span style=3D"color: rgb(0, 0, 0);" class=3D"styled-b=
y-prettify"> <br></span><span style=3D"color: rgb(102, 102, 0);" class=3D"s=
tyled-by-prettify"></span><span style=3D"color: rgb(0, 0, 0);" class=3D"sty=
led-by-prettify"></span><span style=3D"color: rgb(0, 0, 0);" class=3D"style=
d-by-prettify"></span><span style=3D"color: rgb(102, 102, 0);" class=3D"sty=
led-by-prettify"></span><span style=3D"color: rgb(0, 0, 0);" class=3D"style=
d-by-prettify"></span><span style=3D"color: rgb(0, 0, 0);" class=3D"styled-=
by-prettify">do_something</span><span style=3D"color: rgb(102, 102, 0);" cl=
ass=3D"styled-by-prettify">(</span><span style=3D"color: rgb(0, 0, 0);" cla=
ss=3D"styled-by-prettify">std</span><span style=3D"color: rgb(102, 102, 0);=
" class=3D"styled-by-prettify">::</span><span style=3D"color: rgb(0, 0, 0);=
" class=3D"styled-by-prettify">kill_taint</span><span style=3D"color: rgb(1=
02, 102, 0);" class=3D"styled-by-prettify">(</span><span style=3D"color: rg=
b(0, 0, 0);" class=3D"styled-by-prettify">some_data</span><span style=3D"co=
lor: rgb(102, 102, 0);" class=3D"styled-by-prettify">[</span><span style=3D=
"color: rgb(0, 0, 0);" class=3D"styled-by-prettify">std::kill_taint(index)<=
/span><span style=3D"color: rgb(102, 102, 0);" class=3D"styled-by-prettify"=
>]));</span><span style=3D"color: rgb(0, 0, 0);" class=3D"styled-by-prettif=
y"> </span><span style=3D"color: rgb(136, 0, 0);" class=3D"styled-by-pretti=
fy">// like std::kill_dependency, removes the [[taint]]</span></font><span =
style=3D"color: #000;" class=3D"styled-by-prettify"><br></span></div></code=
></div><br><font size=3D"4">Explination</font><br>Lets rundown the attribut=
es:<br><br><i>[[tainted_sink]]</i> is used to specify that any read from th=
e array or pointer stored to anything becomes tainted.<br><br>So in other w=
ords if I do:<br><br><div class=3D"prettyprint" style=3D"background-color: =
rgb(250, 250, 250); border-color: rgb(187, 187, 187); border-style: solid; =
border-width: 1px; word-wrap: break-word;"><code class=3D"prettyprint"><div=
 class=3D"subprettyprint"><span style=3D"color: #660;" class=3D"styled-by-p=
rettify">[[</span><span style=3D"color: #000;" class=3D"styled-by-prettify"=
>tainted_sink</span><span style=3D"color: #660;" class=3D"styled-by-prettif=
y">]]</span><span style=3D"color: #000;" class=3D"styled-by-prettify"> </sp=
an><span style=3D"color: #008;" class=3D"styled-by-prettify">int</span><spa=
n style=3D"color: #000;" class=3D"styled-by-prettify"> data</span><span sty=
le=3D"color: #660;" class=3D"styled-by-prettify">[</span><span style=3D"col=
or: #066;" class=3D"styled-by-prettify">100</span><span style=3D"color: #66=
0;" class=3D"styled-by-prettify">];</span><span style=3D"color: #000;" clas=
s=3D"styled-by-prettify"><br></span><span style=3D"color: #008;" class=3D"s=
tyled-by-prettify">int</span><span style=3D"color: #000;" class=3D"styled-b=
y-prettify"> x </span><span style=3D"color: #660;" class=3D"styled-by-prett=
ify">=3D</span><span style=3D"color: #000;" class=3D"styled-by-prettify"> d=
ata</span><span style=3D"color: #660;" class=3D"styled-by-prettify">[</span=
><span style=3D"color: #066;" class=3D"styled-by-prettify">0</span><span st=
yle=3D"color: #660;" class=3D"styled-by-prettify">];</span><span style=3D"c=
olor: #000;" class=3D"styled-by-prettify"> </span><span style=3D"color: #80=
0;" class=3D"styled-by-prettify">// this becomes [[tainted]] int x =3D data=
[0]</span><span style=3D"color: #000;" class=3D"styled-by-prettify"><br></s=
pan></div></code></div><br><i>[[tained]]</i> is used to specify that the re=
sult stored in a variable is tainted (not to be trusted). When a tainted va=
riable is referenced somewhere that [[tainted]] attribute propagates until =
it's directly used somewhere.<br>When directly used somewhere that is not a=
lso marked [[tainted]] then the compiler emits a warning.<br><br>So in othe=
r words if I do:<br><div class=3D"prettyprint" style=3D"background-color: r=
gb(250, 250, 250); border-color: rgb(187, 187, 187); border-style: solid; b=
order-width: 1px; word-wrap: break-word;"><code class=3D"prettyprint"><div =
class=3D"subprettyprint"><span style=3D"color: #606;" class=3D"styled-by-pr=
ettify">[[tainted]] int x =3D read_int();<br>use(x); // warning: `x' is tai=
nted<br></span><span style=3D"color: #000;" class=3D"styled-by-prettify"></=
span><span style=3D"color: #660;" class=3D"styled-by-prettify"></span></div=
></code></div><br>std::kill_taint is used to remove the [[taint]] on someth=
ing that may be tainted directly or indirectly (propagated from another [[t=
ainted]] variable or from a [[tainted_sink]])<br><br>So in other words if I=
 do:<br><font size=3D"4"><br></font><div class=3D"prettyprint" style=3D"bac=
kground-color: rgb(250, 250, 250); border-color: rgb(187, 187, 187); border=
-style: solid; border-width: 1px; word-wrap: break-word;"><code class=3D"pr=
ettyprint"><div class=3D"subprettyprint"><font size=3D"4"><span style=3D"co=
lor: rgb(102, 0, 102);" class=3D"styled-by-prettify"></span></font><span st=
yle=3D"color: #660;" class=3D"styled-by-prettify"><font size=3D"4">[[tainte=
d] int x =3D read_int();<br>use(std::kill_taint(x)); // no warning emitted<=
/font><br></span></div></code></div><br>This enforces people to be more cau=
tious and to verify their data before using it possibly unsafely.<br><br><f=
ont size=3D"4">Implementation<br><i><font size=3D"2">[[tainted]]</font></i>=
<font size=3D"2"> and <i>[[tainted_sink]]</i></font> <font size=3D"2">would=
 have to be implemented as part of the compiler.<br><br>The following would=
 be added to <b>&lt;type_traits&gt;</b><code></code><br><div class=3D"prett=
yprint" style=3D"background-color: rgb(250, 250, 250); border-color: rgb(18=
7, 187, 187); border-style: solid; border-width: 1px; word-wrap: break-word=
;"><code class=3D"prettyprint"><div class=3D"subprettyprint"><span style=3D=
"color: #606;" class=3D"styled-by-prettify"></span><span style=3D"color: #6=
60;" class=3D"styled-by-prettify"><font size=3D"4">template &lt;typename T&=
gt;<br>struct is_tainted : false_type {};<br><br>template &lt;typename T&gt=
;<br>struct is_tainted&lt;[[tainted]] T&gt; : true_type {};<br><br>template=
 &lt;typename T&gt;<br>struct is_tainted&lt;[[tainted_sink]] T&gt; : true_t=
ype {};</font><br></span></div></code></div><br>While the following would b=
e added to <b>&lt;utility&gt;<br><div class=3D"prettyprint" style=3D"backgr=
ound-color: rgb(250, 250, 250); border-color: rgb(187, 187, 187); border-st=
yle: solid; border-width: 1px; word-wrap: break-word;"><code class=3D"prett=
yprint"><div class=3D"subprettyprint"><span style=3D"color: #606;" class=3D=
"styled-by-prettify"></span><span style=3D"color: #660;" class=3D"styled-by=
-prettify"><span style=3D"font-weight: normal;"><font size=3D"4">template &=
lt;typename T&gt;<br>struct kill_taint { typedef T type; };<br><br>template=
 &lt;typename T&gt;<br>struct kill_taint&lt;[[tainted]] T&gt; { typedef T t=
ype; };<br><br>template &lt;typename T&gt;<br>struct kill_taint&lt;[[tainte=
d_sink]] T&gt; { typedef T type; };</font></span><br></span></div></code></=
div><br><br><br><br></b><br></font></font></div>

<p></p>

-- <br />
<br />
--- <br />
You received this message because you are subscribed to the Google Groups &=
quot;ISO C++ Standard - Future Proposals&quot; group.<br />
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:std-proposals+unsubscribe@isocpp.org">std-proposa=
ls+unsubscribe@isocpp.org</a>.<br />
To post to this group, send email to <a href=3D"mailto:std-proposals@isocpp=
..org">std-proposals@isocpp.org</a>.<br />
Visit this group at <a href=3D"http://groups.google.com/a/isocpp.org/group/=
std-proposals/">http://groups.google.com/a/isocpp.org/group/std-proposals/<=
/a>.<br />

------=_Part_3137_590088038.1419307257429--
------=_Part_3136_1439016536.1419307257429--

.

Author: Dale Weiler <weilercdale@gmail.com>
Date: Mon, 22 Dec 2014 20:28:13 -0800 (PST) Raw View

------=_Part_3081_840107751.1419308893470
Content-Type: multipart/alternative;
 boundary="----=_Part_3082_2133475679.1419308893470"

------=_Part_3082_2133475679.1419308893470
Content-Type: text/plain; charset=UTF-8

Need to make a minor modification since that is not how kill_taint would be
implemented.

The following would go in *<type_traits>* as well


*template <typename T>struct *remove

*_taint { typedef T type; };template <typename T>*




*struct remove_taint { typedef T type; };template <typename T>struct
remove_taint<[[tainted]] T> { typedef T type; };*

Then this would go in








*<utility>template <typename T>typename remove_taint<T>::type
&kill_taint(const T &data) {    return
static_cast<remove_taint<T>::type&>(data);}*

--

---
You received this message because you are subscribed to the Google Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an email to std-proposals+unsubscribe@isocpp.org.
To post to this group, send email to std-proposals@isocpp.org.
Visit this group at http://groups.google.com/a/isocpp.org/group/std-proposals/.

------=_Part_3082_2133475679.1419308893470
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Need to make a minor modification since that is not how ki=
ll_taint would be implemented.<br><br>The following would go in <b>&lt;type=
_traits&gt;</b> as well<br><br><div class=3D"prettyprint" style=3D"backgrou=
nd-color: rgb(250, 250, 250); border-color: rgb(187, 187, 187); border-styl=
e: solid; border-width: 1px; word-wrap: break-word;"><code class=3D"prettyp=
rint"><div class=3D"subprettyprint"><font size=3D"4"><font size=3D"2"><b><c=
ode><span style=3D"color:#660"><span style=3D"font-weight:normal"><font siz=
e=3D"4"><span style=3D"color: #008;" class=3D"styled-by-prettify">template<=
/span><span style=3D"color: #000;" class=3D"styled-by-prettify"> </span><sp=
an style=3D"color: #660;" class=3D"styled-by-prettify">&lt;</span><span sty=
le=3D"color: #008;" class=3D"styled-by-prettify">typename</span><span style=
=3D"color: #000;" class=3D"styled-by-prettify"> T</span><span style=3D"colo=
r: #660;" class=3D"styled-by-prettify">&gt;</span><span style=3D"color: #00=
0;" class=3D"styled-by-prettify"><br></span><span style=3D"color: #008;" cl=
ass=3D"styled-by-prettify">struct</span><span style=3D"color: #000;" class=
=3D"styled-by-prettify"> </span></font></span></span></code></b><code><span=
 style=3D"color:#660"><span style=3D"font-weight:normal"><font size=3D"4"><=
span style=3D"color: #000;" class=3D"styled-by-prettify">remove</span></fon=
t></span></span></code><b><code><span style=3D"color:#660"><span style=3D"f=
ont-weight:normal"><font size=3D"4"><span style=3D"color: #000;" class=3D"s=
tyled-by-prettify">_taint </span><span style=3D"color: #660;" class=3D"styl=
ed-by-prettify">{</span><span style=3D"color: #000;" class=3D"styled-by-pre=
ttify"> </span><span style=3D"color: #008;" class=3D"styled-by-prettify">ty=
pedef</span><span style=3D"color: #000;" class=3D"styled-by-prettify"> T ty=
pe</span><span style=3D"color: #660;" class=3D"styled-by-prettify">;</span>=
<span style=3D"color: #000;" class=3D"styled-by-prettify"> </span><span sty=
le=3D"color: #660;" class=3D"styled-by-prettify">};</span><span style=3D"co=
lor: #000;" class=3D"styled-by-prettify"><br><br></span><span style=3D"colo=
r: #008;" class=3D"styled-by-prettify">template</span><span style=3D"color:=
 #000;" class=3D"styled-by-prettify"> </span><span style=3D"color: #660;" c=
lass=3D"styled-by-prettify">&lt;</span><span style=3D"color: #008;" class=
=3D"styled-by-prettify">typename</span><span style=3D"color: #000;" class=
=3D"styled-by-prettify"> T</span><span style=3D"color: #660;" class=3D"styl=
ed-by-prettify">&gt;</span></font></span></span></code></b></font></font><f=
ont size=3D"4"><font size=3D"2"><b><code><span style=3D"color:#660"><span s=
tyle=3D"font-weight:normal"><font size=3D"4"><font size=3D"4"><font size=3D=
"2"><b><code><span style=3D"color:#660"><span style=3D"font-weight:normal">=
<font size=3D"4"><span style=3D"color: #000;" class=3D"styled-by-prettify">=
<br></span><span style=3D"color: #008;" class=3D"styled-by-prettify">struct=
</span><span style=3D"color: #000;" class=3D"styled-by-prettify"> </span></=
font></span></span></code></b><code><span style=3D"color:#660"><span style=
=3D"font-weight:normal"><font size=3D"4"><span style=3D"color: #000;" class=
=3D"styled-by-prettify">remove</span></font></span></span></code><b><code><=
span style=3D"color:#660"><span style=3D"font-weight:normal"><font size=3D"=
4"><span style=3D"color: #000;" class=3D"styled-by-prettify">_taint </span>=
<span style=3D"color: #660;" class=3D"styled-by-prettify">{</span><span sty=
le=3D"color: #000;" class=3D"styled-by-prettify"> </span><span style=3D"col=
or: #008;" class=3D"styled-by-prettify">typedef</span><span style=3D"color:=
 #000;" class=3D"styled-by-prettify"> T type</span><span style=3D"color: #6=
60;" class=3D"styled-by-prettify">;</span><span style=3D"color: #000;" clas=
s=3D"styled-by-prettify"> </span><span style=3D"color: #660;" class=3D"styl=
ed-by-prettify">};</span><span style=3D"color: #000;" class=3D"styled-by-pr=
ettify"><br><br></span><span style=3D"color: #008;" class=3D"styled-by-pret=
tify">template</span><span style=3D"color: #000;" class=3D"styled-by-pretti=
fy"> </span><span style=3D"color: #660;" class=3D"styled-by-prettify">&lt;<=
/span><span style=3D"color: #008;" class=3D"styled-by-prettify">typename</s=
pan><span style=3D"color: #000;" class=3D"styled-by-prettify"> T</span><spa=
n style=3D"color: #660;" class=3D"styled-by-prettify">&gt;</span><span styl=
e=3D"color: #000;" class=3D"styled-by-prettify"><br></span><span style=3D"c=
olor: #008;" class=3D"styled-by-prettify">struct</span><span style=3D"color=
: #000;" class=3D"styled-by-prettify"> remove_taint</span><span style=3D"co=
lor: #660;" class=3D"styled-by-prettify">&lt;[[</span><span style=3D"color:=
 #000;" class=3D"styled-by-prettify">tainted</span><span style=3D"color: #6=
60;" class=3D"styled-by-prettify">]]</span><span style=3D"color: #000;" cla=
ss=3D"styled-by-prettify"> T</span><span style=3D"color: #660;" class=3D"st=
yled-by-prettify">&gt;</span><span style=3D"color: #000;" class=3D"styled-b=
y-prettify"> </span><span style=3D"color: #660;" class=3D"styled-by-prettif=
y">{</span><span style=3D"color: #000;" class=3D"styled-by-prettify"> </spa=
n><span style=3D"color: #008;" class=3D"styled-by-prettify">typedef</span><=
span style=3D"color: #000;" class=3D"styled-by-prettify"> T type</span><spa=
n style=3D"color: #660;" class=3D"styled-by-prettify">;</span><span style=
=3D"color: #000;" class=3D"styled-by-prettify"> </span><span style=3D"color=
: #660;" class=3D"styled-by-prettify">};</span><span style=3D"color: #000;"=
 class=3D"styled-by-prettify"><br></span></font></span></span></code></b></=
font></font></font></span></span></code></b></font></font></div></code></di=
v><br>Then this would go in <b>&lt;utility&gt;<br><br><div class=3D"prettyp=
rint" style=3D"background-color: rgb(250, 250, 250); border-color: rgb(187,=
 187, 187); border-style: solid; border-width: 1px; word-wrap: break-word;"=
><code class=3D"prettyprint"><div class=3D"subprettyprint"><span style=3D"c=
olor: #008;" class=3D"styled-by-prettify">template</span><span style=3D"col=
or: #000;" class=3D"styled-by-prettify"> </span><span style=3D"color: #660;=
" class=3D"styled-by-prettify">&lt;</span><span style=3D"color: #008;" clas=
s=3D"styled-by-prettify">typename</span><span style=3D"color: #000;" class=
=3D"styled-by-prettify"> T</span><span style=3D"color: #660;" class=3D"styl=
ed-by-prettify">&gt;</span><span style=3D"color: #000;" class=3D"styled-by-=
prettify"><br></span><span style=3D"color: #008;" class=3D"styled-by-pretti=
fy">typename</span><span style=3D"color: #000;" class=3D"styled-by-prettify=
"> remove_taint</span><span style=3D"color: #660;" class=3D"styled-by-prett=
ify">&lt;</span><span style=3D"color: #000;" class=3D"styled-by-prettify">T=
</span><span style=3D"color: #660;" class=3D"styled-by-prettify">&gt;::</sp=
an><span style=3D"color: #000;" class=3D"styled-by-prettify">type </span><s=
pan style=3D"color: #660;" class=3D"styled-by-prettify">&amp;</span><span s=
tyle=3D"color: #000;" class=3D"styled-by-prettify">kill_taint</span><span s=
tyle=3D"color: #660;" class=3D"styled-by-prettify">(</span><span style=3D"c=
olor: #008;" class=3D"styled-by-prettify">const</span><span style=3D"color:=
 #000;" class=3D"styled-by-prettify"> T </span><span style=3D"color: #660;"=
 class=3D"styled-by-prettify">&amp;</span><span style=3D"color: #000;" clas=
s=3D"styled-by-prettify">data</span><span style=3D"color: #660;" class=3D"s=
tyled-by-prettify">)</span><span style=3D"color: #000;" class=3D"styled-by-=
prettify"> </span><span style=3D"color: #660;" class=3D"styled-by-prettify"=
>{</span><span style=3D"color: #000;" class=3D"styled-by-prettify"><br>&nbs=
p; &nbsp; </span><span style=3D"color: #008;" class=3D"styled-by-prettify">=
return</span><span style=3D"color: #000;" class=3D"styled-by-prettify"> </s=
pan><span style=3D"color: #008;" class=3D"styled-by-prettify">static_cast</=
span><span style=3D"color: #660;" class=3D"styled-by-prettify">&lt;</span><=
span style=3D"color: #000;" class=3D"styled-by-prettify">remove_taint</span=
><span style=3D"color: #660;" class=3D"styled-by-prettify">&lt;</span><span=
 style=3D"color: #000;" class=3D"styled-by-prettify">T</span><span style=3D=
"color: #660;" class=3D"styled-by-prettify">&gt;::</span><span style=3D"col=
or: #000;" class=3D"styled-by-prettify">type</span><span style=3D"color: #6=
60;" class=3D"styled-by-prettify">&amp;&gt;(</span><span style=3D"color: #0=
00;" class=3D"styled-by-prettify">data</span><span style=3D"color: #660;" c=
lass=3D"styled-by-prettify">);</span><span style=3D"color: #000;" class=3D"=
styled-by-prettify"><br></span><span style=3D"color: #660;" class=3D"styled=
-by-prettify">}</span><span style=3D"color: #000;" class=3D"styled-by-prett=
ify"><br></span></div></code></div><br><br><br></b><br></div>

<p></p>

-- <br />
<br />
--- <br />
You received this message because you are subscribed to the Google Groups &=
quot;ISO C++ Standard - Future Proposals&quot; group.<br />
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:std-proposals+unsubscribe@isocpp.org">std-proposa=
ls+unsubscribe@isocpp.org</a>.<br />
To post to this group, send email to <a href=3D"mailto:std-proposals@isocpp=
..org">std-proposals@isocpp.org</a>.<br />
Visit this group at <a href=3D"http://groups.google.com/a/isocpp.org/group/=
std-proposals/">http://groups.google.com/a/isocpp.org/group/std-proposals/<=
/a>.<br />

------=_Part_3082_2133475679.1419308893470--
------=_Part_3081_840107751.1419308893470--

.

Author: Dale Weiler <weilercdale@gmail.com>
Date: Mon, 22 Dec 2014 20:29:16 -0800 (PST) Raw View

------=_Part_3196_592883207.1419308956706
Content-Type: multipart/alternative;
 boundary="----=_Part_3197_263937969.1419308956706"

------=_Part_3197_263937969.1419308956706
Content-Type: text/plain; charset=UTF-8

Need to make a minor modification since that is not how kill_taint would be
implemented.

The following would go in *<type_traits>* as well


*template <typename T>struct *remove

*_taint { typedef T type; };template <typename T>*




*struct remove_taint<[[tainted]] T> { typedef T type; };template <typename
T>struct remove_taint<[[tainted_sink]] T> { typedef T type; };*

Then this would go in

*<utility>*




*template <typename T>typename remove_taint<T>::type &kill_taint(const T
&data) {    return static_cast<remove_taint<T>::type&>(data);}*

--

---
You received this message because you are subscribed to the Google Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an email to std-proposals+unsubscribe@isocpp.org.
To post to this group, send email to std-proposals@isocpp.org.
Visit this group at http://groups.google.com/a/isocpp.org/group/std-proposals/.

------=_Part_3197_263937969.1419308956706
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Need to make a minor modification since that is not how ki=
ll_taint would be implemented.<br><br>The following would go in <b>&lt;type=
_traits&gt;</b> as well<br><br><div style=3D"background-color:rgb(250,250,2=
50);border-color:rgb(187,187,187);border-style:solid;border-width:1px;word-=
wrap:break-word"><code><div><font size=3D"4"><font size=3D"2"><b><code><spa=
n style=3D"color:#660"><span style=3D"font-weight:normal"><font size=3D"4">=
<span style=3D"color:#008">template</span><span style=3D"color:#000"> </spa=
n><span style=3D"color:#660">&lt;</span><span style=3D"color:#008">typename=
</span><span style=3D"color:#000"> T</span><span style=3D"color:#660">&gt;<=
/span><span style=3D"color:#000"><br></span><span style=3D"color:#008">stru=
ct</span><span style=3D"color:#000"> </span></font></span></span></code></b=
><code><span style=3D"color:#660"><span style=3D"font-weight:normal"><font =
size=3D"4"><span style=3D"color:#000">remove</span></font></span></span></c=
ode><b><code><span style=3D"color:#660"><span style=3D"font-weight:normal">=
<font size=3D"4"><span style=3D"color:#000">_taint </span><span style=3D"co=
lor:#660">{</span><span style=3D"color:#000"> </span><span style=3D"color:#=
008">typedef</span><span style=3D"color:#000"> T type</span><span style=3D"=
color:#660">;</span><span style=3D"color:#000"> </span><span style=3D"color=
:#660">};</span><span style=3D"color:#000"><br><br></span><span style=3D"co=
lor:#008">template</span><span style=3D"color:#000"> </span><span style=3D"=
color:#660">&lt;</span><span style=3D"color:#008">typename</span><span styl=
e=3D"color:#000"> T</span><span style=3D"color:#660">&gt;</span></font></sp=
an></span></code></b></font></font><font size=3D"4"><font size=3D"2"><b><co=
de><span style=3D"color:#660"><span style=3D"font-weight:normal"><font size=
=3D"4"><font size=3D"4"><font size=3D"2"><b><code><span style=3D"color:#660=
"><span style=3D"font-weight:normal"><font size=3D"4"><span style=3D"color:=
#000"><br></span><span style=3D"color:#008">struct</span><span style=3D"col=
or:#000"> </span></font></span></span></code></b><code><span style=3D"color=
:#660"><span style=3D"font-weight:normal"><font size=3D"4"><span style=3D"c=
olor:#000">remove</span></font></span></span></code><b><code><span style=3D=
"color:#660"><span style=3D"font-weight:normal"><font size=3D"4"><span styl=
e=3D"color:#000">_taint&lt;[[tainted]] T&gt; </span><span style=3D"color:#6=
60">{</span><span style=3D"color:#000"> </span><span style=3D"color:#008">t=
ypedef</span><span style=3D"color:#000"> T type</span><span style=3D"color:=
#660">;</span><span style=3D"color:#000"> </span><span style=3D"color:#660"=
>};</span><span style=3D"color:#000"><br><br></span><span style=3D"color:#0=
08">template</span><span style=3D"color:#000"> </span><span style=3D"color:=
#660">&lt;</span><span style=3D"color:#008">typename</span><span style=3D"c=
olor:#000"> T</span><span style=3D"color:#660">&gt;</span><span style=3D"co=
lor:#000"><br></span><span style=3D"color:#008">struct</span><span style=3D=
"color:#000"> remove_taint</span><span style=3D"color:#660">&lt;[[</span><s=
pan style=3D"color:#000">tainted_sink</span><span style=3D"color:#660">]]</=
span><span style=3D"color:#000"> T</span><span style=3D"color:#660">&gt;</s=
pan><span style=3D"color:#000"> </span><span style=3D"color:#660">{</span><=
span style=3D"color:#000"> </span><span style=3D"color:#008">typedef</span>=
<span style=3D"color:#000"> T type</span><span style=3D"color:#660">;</span=
><span style=3D"color:#000"> </span><span style=3D"color:#660">};</span><sp=
an style=3D"color:#000"><br></span></font></span></span></code></b></font><=
/font></font></span></span></code></b></font></font></div></code></div><br>=
Then this would go in <b>&lt;utility&gt;<br><br></b><b><div style=3D"backgr=
ound-color:rgb(250,250,250);border-color:rgb(187,187,187);border-style:soli=
d;border-width:1px;word-wrap:break-word"><code><div><span style=3D"font-wei=
ght: normal;"><span style=3D"color:#008">template</span><span style=3D"colo=
r:#000"> </span><span style=3D"color:#660">&lt;</span><span style=3D"color:=
#008">typename</span><span style=3D"color:#000"> T</span><span style=3D"col=
or:#660">&gt;</span><span style=3D"color:#000"><br></span><span style=3D"co=
lor:#008">typename</span><span style=3D"color:#000"> remove_taint</span><sp=
an style=3D"color:#660">&lt;</span><span style=3D"color:#000">T</span><span=
 style=3D"color:#660">&gt;::</span><span style=3D"color:#000">type </span><=
span style=3D"color:#660">&amp;</span><span style=3D"color:#000">kill_taint=
</span><span style=3D"color:#660">(</span><span style=3D"color:#008">const<=
/span><span style=3D"color:#000"> T </span><span style=3D"color:#660">&amp;=
</span><span style=3D"color:#000">data</span><span style=3D"color:#660">)</=
span><span style=3D"color:#000"> </span><span style=3D"color:#660">{</span>=
<span style=3D"color:#000"><br>&nbsp; &nbsp; </span><span style=3D"color:#0=
08">return</span><span style=3D"color:#000"> </span><span style=3D"color:#0=
08">static_cast</span><span style=3D"color:#660">&lt;</span><span style=3D"=
color:#000">remove_taint</span><span style=3D"color:#660">&lt;</span><span =
style=3D"color:#000">T</span><span style=3D"color:#660">&gt;::</span><span =
style=3D"color:#000">t<wbr>ype</span><span style=3D"color:#660">&amp;&gt;(<=
/span><span style=3D"color:#000">data</span><span style=3D"color:#660">);</=
span><span style=3D"color:#000"><br></span><span style=3D"color:#660">}</sp=
an></span><span style=3D"color:#000"><br></span></div></code></div></b></di=
v>

<p></p>

-- <br />
<br />
--- <br />
You received this message because you are subscribed to the Google Groups &=
quot;ISO C++ Standard - Future Proposals&quot; group.<br />
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:std-proposals+unsubscribe@isocpp.org">std-proposa=
ls+unsubscribe@isocpp.org</a>.<br />
To post to this group, send email to <a href=3D"mailto:std-proposals@isocpp=
..org">std-proposals@isocpp.org</a>.<br />
Visit this group at <a href=3D"http://groups.google.com/a/isocpp.org/group/=
std-proposals/">http://groups.google.com/a/isocpp.org/group/std-proposals/<=
/a>.<br />

------=_Part_3197_263937969.1419308956706--
------=_Part_3196_592883207.1419308956706--

.

Author: Douglas Boffey <douglas.boffey@gmail.com>
Date: Tue, 23 Dec 2014 07:05:13 +0000 Raw View

There is no concept of warnings in the standard.

On 12/23/14, Dale Weiler <weilercdale@gmail.com> wrote:
> When working with outside data (mmap or read from file, network, shared
> memory, etc) it's often advised that you verify the bounds and range of all
>
> of it to prevent possible attack vectors for outside data to exploit.
>
> I'd like to propose *[[tained]]* and *[[tainted_sink]]* which do two
> different things, as well as *std::kill_taint *and *std::is_tainted* which
> I'll describe below, but first an example.
>
> Example
> // all data is loaded from a file
> void do_something(uint8_t value) { ... }
> uint8_t *some_data = read_data();
> size_t some_data_length = read_length();
> size_t index = read_index();
> do_something(some_data[index]);
>
> In the example we make the assumption that all local variable values can be
>
> trusted, when in fact they can't. There is no way for the compiler to
> produce a diagnostic about this either. This is where the attributes help.
>
> Annotated
> void do_something(uint8_t value) { }
> [[tainted_sink]] uint8_t *some_data = read_data(); // Any read from here,
> or alias of this implicitly becomes marked with [[tainted]]
> [[tainted]] size_t some_data_len = read_length();
> [[tainted]] size_t index = read_index();
> if (index >= some_data_len) abort();
> do_something(std::kill_taint(some_data[std::kill_taint(index)])); // like
> std::kill_dependency, removes the [[taint]]
>
> Explination
> Lets rundown the attributes:
>
> *[[tainted_sink]]* is used to specify that any read from the array or
> pointer stored to anything becomes tainted.
>
> So in other words if I do:
>
> [[tainted_sink]] int data[100];
> int x = data[0]; // this becomes [[tainted]] int x = data[0]
>
> *[[tained]]* is used to specify that the result stored in a variable is
> tainted (not to be trusted). When a tainted variable is referenced
> somewhere that [[tainted]] attribute propagates until it's directly used
> somewhere.
> When directly used somewhere that is not also marked [[tainted]] then the
> compiler emits a warning.
>
> So in other words if I do:
> [[tainted]] int x = read_int();
> use(x); // warning: `x' is tainted
>
> std::kill_taint is used to remove the [[taint]] on something that may be
> tainted directly or indirectly (propagated from another [[tainted]]
> variable or from a [[tainted_sink]])
>
> So in other words if I do:
>
> [[tainted] int x = read_int();
> use(std::kill_taint(x)); // no warning emitted
>
> This enforces people to be more cautious and to verify their data before
> using it possibly unsafely.
>
> Implementation
> *[[tainted]]* and *[[tainted_sink]]* would have to be implemented as part
> of the compiler.
>
> The following would be added to *<type_traits>*
> template <typename T>
> struct is_tainted : false_type {};
>
> template <typename T>
> struct is_tainted<[[tainted]] T> : true_type {};
>
> template <typename T>
> struct is_tainted<[[tainted_sink]] T> : true_type {};
>
> While the following would be added to
>
>
>
>
>
>
>
>
>
>
>
>
> *<utility>template <typename T>struct kill_taint { typedef T type;
> };template <typename T>struct kill_taint<[[tainted]] T> { typedef T type;
> };template <typename T>struct kill_taint<[[tainted_sink]] T> { typedef T
> type; };*
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ISO C++ Standard - Future Proposals" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to std-proposals+unsubscribe@isocpp.org.
> To post to this group, send email to std-proposals@isocpp.org.
> Visit this group at
> http://groups.google.com/a/isocpp.org/group/std-proposals/.
>

--

---
You received this message because you are subscribed to the Google Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an email to std-proposals+unsubscribe@isocpp.org.
To post to this group, send email to std-proposals@isocpp.org.
Visit this group at http://groups.google.com/a/isocpp.org/group/std-proposals/.

.

Author: Dale Weiler <weilercdale@gmail.com>
Date: Mon, 22 Dec 2014 23:45:10 -0800 (PST) Raw View

------=_Part_3141_1392705009.1419320710914
Content-Type: multipart/alternative;
 boundary="----=_Part_3142_1768817610.1419320710914"

------=_Part_3142_1768817610.1419320710914
Content-Type: text/plain; charset=UTF-8

Was using the term "warning" as an example. It's just semantics, but fine,
the compiler would produce a *diagnostic* for it.

On Tuesday, December 23, 2014 2:05:15 AM UTC-5, Douglas Boffey wrote:
>
> There is no concept of warnings in the standard.
>
> On 12/23/14, Dale Weiler <weile...@gmail.com <javascript:>> wrote:
> > When working with outside data (mmap or read from file, network, shared
> > memory, etc) it's often advised that you verify the bounds and range of
> all
> >
> > of it to prevent possible attack vectors for outside data to exploit.
> >
> > I'd like to propose *[[tained]]* and *[[tainted_sink]]* which do two
> > different things, as well as *std::kill_taint *and *std::is_tainted*
> which
> > I'll describe below, but first an example.
> >
> > Example
> > // all data is loaded from a file
> > void do_something(uint8_t value) { ... }
> > uint8_t *some_data = read_data();
> > size_t some_data_length = read_length();
> > size_t index = read_index();
> > do_something(some_data[index]);
> >
> > In the example we make the assumption that all local variable values can
> be
> >
> > trusted, when in fact they can't. There is no way for the compiler to
> > produce a diagnostic about this either. This is where the attributes
> help.
> >
> > Annotated
> > void do_something(uint8_t value) { }
> > [[tainted_sink]] uint8_t *some_data = read_data(); // Any read from
> here,
> > or alias of this implicitly becomes marked with [[tainted]]
> > [[tainted]] size_t some_data_len = read_length();
> > [[tainted]] size_t index = read_index();
> > if (index >= some_data_len) abort();
> > do_something(std::kill_taint(some_data[std::kill_taint(index)])); //
> like
> > std::kill_dependency, removes the [[taint]]
> >
> > Explination
> > Lets rundown the attributes:
> >
> > *[[tainted_sink]]* is used to specify that any read from the array or
> > pointer stored to anything becomes tainted.
> >
> > So in other words if I do:
> >
> > [[tainted_sink]] int data[100];
> > int x = data[0]; // this becomes [[tainted]] int x = data[0]
> >
> > *[[tained]]* is used to specify that the result stored in a variable is
> > tainted (not to be trusted). When a tainted variable is referenced
> > somewhere that [[tainted]] attribute propagates until it's directly used
> > somewhere.
> > When directly used somewhere that is not also marked [[tainted]] then
> the
> > compiler emits a warning.
> >
> > So in other words if I do:
> > [[tainted]] int x = read_int();
> > use(x); // warning: `x' is tainted
> >
> > std::kill_taint is used to remove the [[taint]] on something that may be
> > tainted directly or indirectly (propagated from another [[tainted]]
> > variable or from a [[tainted_sink]])
> >
> > So in other words if I do:
> >
> > [[tainted] int x = read_int();
> > use(std::kill_taint(x)); // no warning emitted
> >
> > This enforces people to be more cautious and to verify their data before
> > using it possibly unsafely.
> >
> > Implementation
> > *[[tainted]]* and *[[tainted_sink]]* would have to be implemented as
> part
> > of the compiler.
> >
> > The following would be added to *<type_traits>*
> > template <typename T>
> > struct is_tainted : false_type {};
> >
> > template <typename T>
> > struct is_tainted<[[tainted]] T> : true_type {};
> >
> > template <typename T>
> > struct is_tainted<[[tainted_sink]] T> : true_type {};
> >
> > While the following would be added to
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > *<utility>template <typename T>struct kill_taint { typedef T type;
> > };template <typename T>struct kill_taint<[[tainted]] T> { typedef T
> type;
> > };template <typename T>struct kill_taint<[[tainted_sink]] T> { typedef T
> > type; };*
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google
> Groups
> > "ISO C++ Standard - Future Proposals" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> an
> > email to std-proposal...@isocpp.org <javascript:>.
> > To post to this group, send email to std-pr...@isocpp.org <javascript:>.
>
> > Visit this group at
> > http://groups.google.com/a/isocpp.org/group/std-proposals/.
> >
>

--

---
You received this message because you are subscribed to the Google Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an email to std-proposals+unsubscribe@isocpp.org.
To post to this group, send email to std-proposals@isocpp.org.
Visit this group at http://groups.google.com/a/isocpp.org/group/std-proposals/.

------=_Part_3142_1768817610.1419320710914
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Was using the term "warning" as an example. It's just sema=
ntics, but fine, the compiler would produce a <i>diagnostic</i> for it.<br>=
<br>On Tuesday, December 23, 2014 2:05:15 AM UTC-5, Douglas Boffey wrote:<b=
lockquote class=3D"gmail_quote" style=3D"margin: 0;margin-left: 0.8ex;borde=
r-left: 1px #ccc solid;padding-left: 1ex;">There is no concept of warnings =
in the standard.
<br>
<br>On 12/23/14, Dale Weiler &lt;<a href=3D"javascript:" target=3D"_blank" =
gdf-obfuscated-mailto=3D"j1iYRzvPPDQJ" onmousedown=3D"this.href=3D'javascri=
pt:';return true;" onclick=3D"this.href=3D'javascript:';return true;">weile=
....@gmail.com</a>&gt; wrote:
<br>&gt; When working with outside data (mmap or read from file, network, s=
hared
<br>&gt; memory, etc) it's often advised that you verify the bounds and ran=
ge of all
<br>&gt;
<br>&gt; of it to prevent possible attack vectors for outside data to explo=
it.
<br>&gt;
<br>&gt; I'd like to propose *[[tained]]* and *[[tainted_sink]]* which do t=
wo
<br>&gt; different things, as well as *std::kill_taint *and *std::is_tainte=
d* which
<br>&gt; I'll describe below, but first an example.
<br>&gt;
<br>&gt; Example
<br>&gt; // all data is loaded from a file
<br>&gt; void do_something(uint8_t value) { ... }
<br>&gt; uint8_t *some_data =3D read_data();
<br>&gt; size_t some_data_length =3D read_length();
<br>&gt; size_t index =3D read_index();
<br>&gt; do_something(some_data[index])<wbr>;
<br>&gt;
<br>&gt; In the example we make the assumption that all local variable valu=
es can be
<br>&gt;
<br>&gt; trusted, when in fact they can't. There is no way for the compiler=
 to
<br>&gt; produce a diagnostic about this either. This is where the attribut=
es help.
<br>&gt;
<br>&gt; Annotated
<br>&gt; void do_something(uint8_t value) { }
<br>&gt; [[tainted_sink]] uint8_t *some_data =3D read_data(); // Any read f=
rom here,
<br>&gt; or alias of this implicitly becomes marked with [[tainted]]
<br>&gt; [[tainted]] size_t some_data_len =3D read_length();
<br>&gt; [[tainted]] size_t index =3D read_index();
<br>&gt; if (index &gt;=3D some_data_len) abort();
<br>&gt; do_something(std::kill_taint(<wbr>some_data[std::kill_taint(<wbr>i=
ndex)])); // like
<br>&gt; std::kill_dependency, removes the [[taint]]
<br>&gt;
<br>&gt; Explination
<br>&gt; Lets rundown the attributes:
<br>&gt;
<br>&gt; *[[tainted_sink]]* is used to specify that any read from the array=
 or
<br>&gt; pointer stored to anything becomes tainted.
<br>&gt;
<br>&gt; So in other words if I do:
<br>&gt;
<br>&gt; [[tainted_sink]] int data[100];
<br>&gt; int x =3D data[0]; // this becomes [[tainted]] int x =3D data[0]
<br>&gt;
<br>&gt; *[[tained]]* is used to specify that the result stored in a variab=
le is
<br>&gt; tainted (not to be trusted). When a tainted variable is referenced
<br>&gt; somewhere that [[tainted]] attribute propagates until it's directl=
y used
<br>&gt; somewhere.
<br>&gt; When directly used somewhere that is not also marked [[tainted]] t=
hen the
<br>&gt; compiler emits a warning.
<br>&gt;
<br>&gt; So in other words if I do:
<br>&gt; [[tainted]] int x =3D read_int();
<br>&gt; use(x); // warning: `x' is tainted
<br>&gt;
<br>&gt; std::kill_taint is used to remove the [[taint]] on something that =
may be
<br>&gt; tainted directly or indirectly (propagated from another [[tainted]=
]
<br>&gt; variable or from a [[tainted_sink]])
<br>&gt;
<br>&gt; So in other words if I do:
<br>&gt;
<br>&gt; [[tainted] int x =3D read_int();
<br>&gt; use(std::kill_taint(x)); // no warning emitted
<br>&gt;
<br>&gt; This enforces people to be more cautious and to verify their data =
before
<br>&gt; using it possibly unsafely.
<br>&gt;
<br>&gt; Implementation
<br>&gt; *[[tainted]]* and *[[tainted_sink]]* would have to be implemented =
as part
<br>&gt; of the compiler.
<br>&gt;
<br>&gt; The following would be added to *&lt;type_traits&gt;*
<br>&gt; template &lt;typename T&gt;
<br>&gt; struct is_tainted : false_type {};
<br>&gt;
<br>&gt; template &lt;typename T&gt;
<br>&gt; struct is_tainted&lt;[[tainted]] T&gt; : true_type {};
<br>&gt;
<br>&gt; template &lt;typename T&gt;
<br>&gt; struct is_tainted&lt;[[tainted_sink]] T&gt; : true_type {};
<br>&gt;
<br>&gt; While the following would be added to
<br>&gt;
<br>&gt;
<br>&gt;
<br>&gt;
<br>&gt;
<br>&gt;
<br>&gt;
<br>&gt;
<br>&gt;
<br>&gt;
<br>&gt;
<br>&gt;
<br>&gt; *&lt;utility&gt;template &lt;typename T&gt;struct kill_taint { typ=
edef T type;
<br>&gt; };template &lt;typename T&gt;struct kill_taint&lt;[[tainted]] T&gt=
; { typedef T type;
<br>&gt; };template &lt;typename T&gt;struct kill_taint&lt;[[tainted_sink]]=
 T&gt; { typedef T
<br>&gt; type; };*
<br>&gt;
<br>&gt; --
<br>&gt;
<br>&gt; ---
<br>&gt; You received this message because you are subscribed to the Google=
 Groups
<br>&gt; "ISO C++ Standard - Future Proposals" group.
<br>&gt; To unsubscribe from this group and stop receiving emails from it, =
send an
<br>&gt; email to <a href=3D"javascript:" target=3D"_blank" gdf-obfuscated-=
mailto=3D"j1iYRzvPPDQJ" onmousedown=3D"this.href=3D'javascript:';return tru=
e;" onclick=3D"this.href=3D'javascript:';return true;">std-proposal...@<wbr=
>isocpp.org</a>.
<br>&gt; To post to this group, send email to <a href=3D"javascript:" targe=
t=3D"_blank" gdf-obfuscated-mailto=3D"j1iYRzvPPDQJ" onmousedown=3D"this.hre=
f=3D'javascript:';return true;" onclick=3D"this.href=3D'javascript:';return=
 true;">std-pr...@isocpp.org</a>.
<br>&gt; Visit this group at
<br>&gt; <a href=3D"http://groups.google.com/a/isocpp.org/group/std-proposa=
ls/" target=3D"_blank" onmousedown=3D"this.href=3D'http://groups.google.com=
/a/isocpp.org/group/std-proposals/';return true;" onclick=3D"this.href=3D'h=
ttp://groups.google.com/a/isocpp.org/group/std-proposals/';return true;">ht=
tp://groups.google.com/a/<wbr>isocpp.org/group/std-<wbr>proposals/</a>.
<br>&gt;
<br></blockquote></div>

<p></p>

-- <br />
<br />
--- <br />
You received this message because you are subscribed to the Google Groups &=
quot;ISO C++ Standard - Future Proposals&quot; group.<br />
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:std-proposals+unsubscribe@isocpp.org">std-proposa=
ls+unsubscribe@isocpp.org</a>.<br />
To post to this group, send email to <a href=3D"mailto:std-proposals@isocpp=
..org">std-proposals@isocpp.org</a>.<br />
Visit this group at <a href=3D"http://groups.google.com/a/isocpp.org/group/=
std-proposals/">http://groups.google.com/a/isocpp.org/group/std-proposals/<=
/a>.<br />

------=_Part_3142_1768817610.1419320710914--
------=_Part_3141_1392705009.1419320710914--

.

Author: Thiago Macieira <thiago@macieira.org>
Date: Tue, 23 Dec 2014 09:56:28 -0200 Raw View

On Monday 22 December 2014 20:00:57 Dale Weiler wrote:
> *[[tainted_sink]]* is used to specify that any read from the array or
> pointer stored to anything becomes tainted.

That sounds more like "taint_source" than "taint_sink". I'd expect a "sink" to
be something you write to, not read from.

> std::kill_taint is used to remove the [[taint]] on something that may be
> tainted directly or indirectly (propagated from another [[tainted]]
> variable or from a [[tainted_sink]])

I'd prefer std::remove_taint. Just because we have std::kill_dependency
doesn't mean we have to use "kill_xxx" for all attributes.

> So in other words if I do:
>
> [[tainted] int x = read_int();
> use(std::kill_taint(x)); // no warning emitted
>
> This enforces people to be more cautious and to verify their data before
> using it possibly unsafely.
>
> Implementation
> *[[tainted]]* and *[[tainted_sink]]* would have to be implemented as part
> of the compiler.

Optionally.

The program must continue to compile if the compiler does not implement them.
That in turn means:

> The following would be added to *<type_traits>*
> template <typename T>
> struct is_tainted : false_type {};
>
> template <typename T>
> struct is_tainted<[[tainted]] T> : true_type {};
>
> template <typename T>
> struct is_tainted<[[tainted_sink]] T> : true_type {};

This is not possible. You cannot overload / partially specialise on
attributes.

> *template <typename T>typename remove_taint<T>::type &kill_taint(const T
> &data) {    return static_cast<remove_taint<T>::type&>(data);}*

Actually, this is much simpler. Based on kill_dependency, this function would
be:

 template <class T> T kill_dependency(T y) noexcept
 { return y; }

--
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
   Software Architect - Intel Open Source Technology Center
      PGP/GPG: 0x6EF45358; fingerprint:
      E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358

--

---
You received this message because you are subscribed to the Google Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an email to std-proposals+unsubscribe@isocpp.org.
To post to this group, send email to std-proposals@isocpp.org.
Visit this group at http://groups.google.com/a/isocpp.org/group/std-proposals/.

.

Author: Pablo Oliva <pabloliva87@gmail.com>
Date: Tue, 23 Dec 2014 14:57:51 -0300 Raw View

--047d7b2e127fe676d0050ae5e9af
Content-Type: text/plain; charset=UTF-8

What happens when tainted values are used to control flow?

Consider:

[[tainted]] int x = read_int();
if (x)
{
     int y;     // Is y tainted?
     ...
}




2014-12-23 8:56 GMT-03:00 Thiago Macieira <thiago@macieira.org>:

> On Monday 22 December 2014 20:00:57 Dale Weiler wrote:
> > *[[tainted_sink]]* is used to specify that any read from the array or
> > pointer stored to anything becomes tainted.
>
> That sounds more like "taint_source" than "taint_sink". I'd expect a
> "sink" to
> be something you write to, not read from.
>
> > std::kill_taint is used to remove the [[taint]] on something that may be
> > tainted directly or indirectly (propagated from another [[tainted]]
> > variable or from a [[tainted_sink]])
>
> I'd prefer std::remove_taint. Just because we have std::kill_dependency
> doesn't mean we have to use "kill_xxx" for all attributes.
>
> > So in other words if I do:
> >
> > [[tainted] int x = read_int();
> > use(std::kill_taint(x)); // no warning emitted
> >
> > This enforces people to be more cautious and to verify their data before
> > using it possibly unsafely.
> >
> > Implementation
> > *[[tainted]]* and *[[tainted_sink]]* would have to be implemented as part
> > of the compiler.
>
> Optionally.
>
> The program must continue to compile if the compiler does not implement
> them.
> That in turn means:
>
> > The following would be added to *<type_traits>*
> > template <typename T>
> > struct is_tainted : false_type {};
> >
> > template <typename T>
> > struct is_tainted<[[tainted]] T> : true_type {};
> >
> > template <typename T>
> > struct is_tainted<[[tainted_sink]] T> : true_type {};
>
> This is not possible. You cannot overload / partially specialise on
> attributes.
>
> > *template <typename T>typename remove_taint<T>::type &kill_taint(const T
> > &data) {    return static_cast<remove_taint<T>::type&>(data);}*
>
> Actually, this is much simpler. Based on kill_dependency, this function
> would
> be:
>
>  template <class T> T kill_dependency(T y) noexcept
>  { return y; }
>
> --
> Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
>    Software Architect - Intel Open Source Technology Center
>       PGP/GPG: 0x6EF45358; fingerprint:
>       E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ISO C++ Standard - Future Proposals" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to std-proposals+unsubscribe@isocpp.org.
> To post to this group, send email to std-proposals@isocpp.org.
> Visit this group at
> http://groups.google.com/a/isocpp.org/group/std-proposals/.
>

--

---
You received this message because you are subscribed to the Google Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an email to std-proposals+unsubscribe@isocpp.org.
To post to this group, send email to std-proposals@isocpp.org.
Visit this group at http://groups.google.com/a/isocpp.org/group/std-proposals/.

--047d7b2e127fe676d0050ae5e9af
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">What happens when tainted values are used to control flow?=
<div><br></div><div>Consider:<br><div><br></div><div><span style=3D"color:r=
gb(102,102,0);font-family:monospace;font-size:large;background-color:rgb(25=
0,250,250)">[[tainted]] int x =3D read_int();</span><br></div></div><div><s=
pan style=3D"color:rgb(102,102,0);font-family:monospace;font-size:large;bac=
kground-color:rgb(250,250,250)">if (x)</span></div><div><font color=3D"#666=
600" face=3D"monospace" size=3D"4"><span style=3D"background-color:rgb(250,=
250,250)">{</span></font></div><div><font color=3D"#666600" face=3D"monospa=
ce" size=3D"4"><span style=3D"background-color:rgb(250,250,250)">=C2=A0 =C2=
=A0 =C2=A0int y; =C2=A0 =C2=A0 // Is y tainted?</span></font></div><div><fo=
nt color=3D"#666600" face=3D"monospace" size=3D"4"><span style=3D"backgroun=
d-color:rgb(250,250,250)">=C2=A0 =C2=A0 =C2=A0...</span></font></div><div><=
font color=3D"#666600" face=3D"monospace" size=3D"4"><span style=3D"backgro=
und-color:rgb(250,250,250)">}</span></font></div><div><font color=3D"#66660=
0" face=3D"monospace" size=3D"4"><span style=3D"background-color:rgb(250,25=
0,250)"><br></span></font></div><div><font color=3D"#666600" face=3D"monosp=
ace" size=3D"4"><span style=3D"background-color:rgb(250,250,250)"><br></spa=
n></font></div><div><font color=3D"#666600" face=3D"monospace" size=3D"4"><=
span style=3D"background-color:rgb(250,250,250)"><br></span></font></div></=
div><div class=3D"gmail_extra"><br><div class=3D"gmail_quote">2014-12-23 8:=
56 GMT-03:00 Thiago Macieira <span dir=3D"ltr">&lt;<a href=3D"mailto:thiago=
@macieira.org" target=3D"_blank">thiago@macieira.org</a>&gt;</span>:<br><bl=
ockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #=
ccc solid;padding-left:1ex">On Monday 22 December 2014 20:00:57 Dale Weiler=
 wrote:<br>
&gt; *[[tainted_sink]]* is used to specify that any read from the array or<=
br>
<span class=3D"">&gt; pointer stored to anything becomes tainted.<br>
<br>
</span>That sounds more like &quot;taint_source&quot; than &quot;taint_sink=
&quot;. I&#39;d expect a &quot;sink&quot; to<br>
be something you write to, not read from.<br>
<span class=3D""><br>
&gt; std::kill_taint is used to remove the [[taint]] on something that may =
be<br>
&gt; tainted directly or indirectly (propagated from another [[tainted]]<br=
>
&gt; variable or from a [[tainted_sink]])<br>
<br>
</span>I&#39;d prefer std::remove_taint. Just because we have std::kill_dep=
endency<br>
doesn&#39;t mean we have to use &quot;kill_xxx&quot; for all attributes.<br=
>
<span class=3D""><br>
&gt; So in other words if I do:<br>
&gt;<br>
&gt; [[tainted] int x =3D read_int();<br>
&gt; use(std::kill_taint(x)); // no warning emitted<br>
&gt;<br>
&gt; This enforces people to be more cautious and to verify their data befo=
re<br>
&gt; using it possibly unsafely.<br>
&gt;<br>
&gt; Implementation<br>
</span>&gt; *[[tainted]]* and *[[tainted_sink]]* would have to be implement=
ed as part<br>
&gt; of the compiler.<br>
<br>
Optionally.<br>
<br>
The program must continue to compile if the compiler does not implement the=
m.<br>
That in turn means:<br>
<br>
&gt; The following would be added to *&lt;type_traits&gt;*<br>
<span class=3D"">&gt; template &lt;typename T&gt;<br>
&gt; struct is_tainted : false_type {};<br>
&gt;<br>
&gt; template &lt;typename T&gt;<br>
&gt; struct is_tainted&lt;[[tainted]] T&gt; : true_type {};<br>
&gt;<br>
&gt; template &lt;typename T&gt;<br>
&gt; struct is_tainted&lt;[[tainted_sink]] T&gt; : true_type {};<br>
<br>
</span>This is not possible. You cannot overload / partially specialise on<=
br>
attributes.<br>
<br>
&gt; *template &lt;typename T&gt;typename remove_taint&lt;T&gt;::type &amp;=
kill_taint(const T<br>
&gt; &amp;data) {=C2=A0 =C2=A0 return static_cast&lt;remove_taint&lt;T&gt;:=
:type&amp;&gt;(data);}*<br>
<br>
Actually, this is much simpler. Based on kill_dependency, this function wou=
ld<br>
be:<br>
<br>
=C2=A0template &lt;class T&gt; T kill_dependency(T y) noexcept<br>
=C2=A0{ return y; }<br>
<span class=3D"HOEnZb"><font color=3D"#888888"><br>
--<br>
Thiago Macieira - thiago (AT) <a href=3D"http://macieira.info" target=3D"_b=
lank">macieira.info</a> - thiago (AT) <a href=3D"http://kde.org" target=3D"=
_blank">kde.org</a><br>
=C2=A0 =C2=A0Software Architect - Intel Open Source Technology Center<br>
=C2=A0 =C2=A0 =C2=A0 PGP/GPG: 0x6EF45358; fingerprint:<br>
=C2=A0 =C2=A0 =C2=A0 E067 918B B660 DBD1 105C=C2=A0 966C 33F5 F005 6EF4 535=
8<br>
</font></span><div class=3D"HOEnZb"><div class=3D"h5"><br>
--<br>
<br>
---<br>
You received this message because you are subscribed to the Google Groups &=
quot;ISO C++ Standard - Future Proposals&quot; group.<br>
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:std-proposals%2Bunsubscribe@isocpp.org">std-propo=
sals+unsubscribe@isocpp.org</a>.<br>
To post to this group, send email to <a href=3D"mailto:std-proposals@isocpp=
..org">std-proposals@isocpp.org</a>.<br>
Visit this group at <a href=3D"http://groups.google.com/a/isocpp.org/group/=
std-proposals/" target=3D"_blank">http://groups.google.com/a/isocpp.org/gro=
up/std-proposals/</a>.<br>
</div></div></blockquote></div><br></div>

<p></p>

-- <br />
<br />
--- <br />
You received this message because you are subscribed to the Google Groups &=
quot;ISO C++ Standard - Future Proposals&quot; group.<br />
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:std-proposals+unsubscribe@isocpp.org">std-proposa=
ls+unsubscribe@isocpp.org</a>.<br />
To post to this group, send email to <a href=3D"mailto:std-proposals@isocpp=
..org">std-proposals@isocpp.org</a>.<br />
Visit this group at <a href=3D"http://groups.google.com/a/isocpp.org/group/=
std-proposals/">http://groups.google.com/a/isocpp.org/group/std-proposals/<=
/a>.<br />

--047d7b2e127fe676d0050ae5e9af--

.

Author: Thiago Macieira <thiago@macieira.org>
Date: Tue, 23 Dec 2014 16:24:42 -0200 Raw View

On Tuesday 23 December 2014 14:57:51 Pablo Oliva wrote:
> What happens when tainted values are used to control flow?
>
> Consider:
>
> [[tainted]] int x = read_int();
> if (x)
> {
>      int y;     // Is y tainted?
>      ...
> }

This is the same as Dale's original example:

[[tainted]] size_t index = read_index();
if (index >= some_data_len)
 abort();

Which he didn't explain, so I assume that the tests are allowed to continue
without warnings.

Dale, please clarify what you want the compiler to do.

--
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
   Software Architect - Intel Open Source Technology Center
      PGP/GPG: 0x6EF45358; fingerprint:
      E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358

--

---
You received this message because you are subscribed to the Google Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an email to std-proposals+unsubscribe@isocpp.org.
To post to this group, send email to std-proposals@isocpp.org.
Visit this group at http://groups.google.com/a/isocpp.org/group/std-proposals/.

.

Author: Dale Weiler <weilercdale@gmail.com>
Date: Thu, 25 Dec 2014 06:37:22 -0800 (PST) Raw View

------=_Part_4846_1796064207.1419518242600
Content-Type: multipart/alternative;
 boundary="----=_Part_4847_1420984817.1419518242600"

------=_Part_4847_1420984817.1419518242600
Content-Type: text/plain; charset=UTF-8

When a tainted read occurs in any context, any local variables of that
context, arguably cannot themselves become tainted. It's common to do
bounds checking and other verification on the tainted data. If you
propagate the taintedness across conditionals then it could lead to a
variety of false-positives and people will just throw *std::remove_taint*
all over the place to silent them which would hinder the point of the
attribute. A tainted read shouldn't produce a diagnostic in the context of
these situations, for example, if (tainted_value) { } shouldn't trigger a
diagnostic, only when transferring the result of a tainted read to
something else should a diagnostic occur. Most of the time when working
with tainted data you're directly using the result in a non-conditional
context, like for a call to new to allocate storage, or piecing together
data from an external source to build something, in these contexts it's
very rare to see branching on those values in question, except maybe in the
context of a for loop (processing a list of data from a file, i.e pixels in
an image, records in a database.)

--

---
You received this message because you are subscribed to the Google Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an email to std-proposals+unsubscribe@isocpp.org.
To post to this group, send email to std-proposals@isocpp.org.
Visit this group at http://groups.google.com/a/isocpp.org/group/std-proposals/.

------=_Part_4847_1420984817.1419518242600
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">When a tainted read occurs in any context, any local varia=
bles of that context, arguably cannot themselves become tainted. It's commo=
n to do bounds checking and other verification on the tainted data. If you =
propagate the taintedness across conditionals then it could lead to a varie=
ty of false-positives and people will just throw <i>std::remove_taint</i> a=
ll over the place to silent them which would hinder the point of the attrib=
ute. A tainted read shouldn't produce a diagnostic in the context of these =
situations, for example, if (tainted_value) { } shouldn't trigger a diagnos=
tic, only when transferring the result of a tainted read to something else =
should a diagnostic occur. Most of the time when working with tainted data =
you're directly using the result in a non-conditional context, like for a c=
all to new to allocate storage, or piecing together data from an external s=
ource to build something, in these contexts it's very rare to see branching=
 on those values in question, except maybe in the context of a for loop (pr=
ocessing a list of data from a file, i.e pixels in an image, records in a d=
atabase.)<br></div>

<p></p>

-- <br />
<br />
--- <br />
You received this message because you are subscribed to the Google Groups &=
quot;ISO C++ Standard - Future Proposals&quot; group.<br />
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:std-proposals+unsubscribe@isocpp.org">std-proposa=
ls+unsubscribe@isocpp.org</a>.<br />
To post to this group, send email to <a href=3D"mailto:std-proposals@isocpp=
..org">std-proposals@isocpp.org</a>.<br />
Visit this group at <a href=3D"http://groups.google.com/a/isocpp.org/group/=
std-proposals/">http://groups.google.com/a/isocpp.org/group/std-proposals/<=
/a>.<br />

------=_Part_4847_1420984817.1419518242600--
------=_Part_4846_1796064207.1419518242600--

.