Injects taints into a program based on a specification. It is possible to taint a value stored in a register, or a value pointed to by a value stored in a register. The former is called a "register taint", the latter a "pointer taint". They are controlled, respectively, with the --taint-reg=STRAIN and --taint-ptr=STRAIN command line arguments. The STRAIN value describes which definitions should be tainted. It can be an address, a variable, a tid (term identifier), or a list of strains. If an address is passed, a definition is tainted if it corresponds to an instruction at the specified address. If a variable is passed, a definition is tainted if it defines a variable with the given name. If a tid is passed, a definition must have exactly that tid to be tainted. If several strains are given as a list, all of the conditions must be satisfied for a definition to be tainted. Consider the following examples,
--taint-reg=0xBAD
--taint-ptr=strcpy_dst
--taint-reg="(0xBAD malloc_return)"
The first example taints the value stored in the register defined by the instruction at address 0xBAD. The second example taints the value pointed to by the variable strcpy_dst, which is defined after each call to strcpy. (Note: this relies on the API plugin, which is responsible for embedding these definitions at the call sites.) The third example taints the value returned by malloc only at the specified call site, since both conditions, the address 0xBAD and the variable name malloc_return, must hold for the same definition. These options can be specified several times; each occurrence adds its own taints.
The full grammar of the strain specification language follows:
strain ::= <tid>
| <var>
| <addr>
| (<strain1> <strain2> .. <strainK>)
tid ::= %<hex-digits>
var ::= <alpha> .. <alpha-num>
addr ::= 0x<hex-digits>
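The following is an added example, not code from BAP or from this plugin: a small Python parser for the strain grammar above, plus a matcher that applies the page's rules (an address strain matches a definition produced at that address, a variable strain matches by defined name, a tid strain matches by term identifier, and a parenthesised list requires every member to match). It assumes a minimal Definition record with tid, defined variable and originating address, accepts underscores inside a var because the page's own example uses strcpy_dst, and treats repeated --taint-reg/--taint-ptr occurrences as independently adding taints.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Grammar from the page:
#   strain ::= <tid> | <var> | <addr> | (<strain1> <strain2> .. <strainK>)
#   tid    ::= %<hex-digits>
#   var    ::= <alpha> .. <alpha-num>
#   addr   ::= 0x<hex-digits>
# Assumption: '_' is allowed inside a var (the page's example uses strcpy_dst).
TOKEN = re.compile(
    r'\s*(?:(\()|(\))|(%[0-9a-fA-F]+)|(0[xX][0-9a-fA-F]+)|([A-Za-z][A-Za-z0-9_]*))'
)


@dataclass(frozen=True)
class Tid:
    value: str          # normalised to lower case, including the leading '%'


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class Addr:
    value: int


# A tuple is a parenthesised list: a conjunction of strains.
Strain = Union[Tid, Var, Addr, Tuple["Strain", ...]]


def tokenize(text: str) -> List[Tuple[str, Optional[Strain]]]:
    """Split a strain specification into tokens; reject anything outside the grammar."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad strain syntax at offset {pos}: {text[pos:]!r}")
        pos = m.end()
        lparen, rparen, tid, addr, var = m.groups()
        if lparen:
            tokens.append(("(", None))
        elif rparen:
            tokens.append((")", None))
        elif tid:
            tokens.append(("tid", Tid(tid.lower())))
        elif addr:
            tokens.append(("addr", Addr(int(addr, 16))))
        else:
            tokens.append(("var", Var(var)))
    return tokens


def parse(text: str) -> Strain:
    """Recursive-descent parse of one STRAIN value; lists may nest."""
    tokens, pos = tokenize(text), 0

    def strain() -> Strain:
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of strain")
        kind, val = tokens[pos]
        pos += 1
        if kind == "(":
            items = []
            while pos < len(tokens) and tokens[pos][0] != ")":
                items.append(strain())
            if pos >= len(tokens):
                raise ValueError("missing ')'")
            pos += 1
            if not items:
                raise ValueError("empty strain list '()'")
            return tuple(items)
        if kind == ")":
            raise ValueError("unexpected ')'")
        return val

    result = strain()
    if pos != len(tokens):
        raise ValueError("trailing input after strain")
    return result


@dataclass(frozen=True)
class Definition:
    """Hypothetical minimal view of a BAP def term: its tid, the variable it
    defines, and the address of the instruction it was lifted from (None for
    terms that no instruction produced)."""
    tid: str
    var: str
    addr: Optional[int]


def matches(strain: Strain, d: Definition) -> bool:
    if isinstance(strain, tuple):               # list: every condition must hold
        return all(matches(s, d) for s in strain)
    if isinstance(strain, Tid):
        return d.tid.lower() == strain.value
    if isinstance(strain, Var):
        return d.var == strain.name
    if isinstance(strain, Addr):
        return d.addr is not None and d.addr == strain.value
    raise TypeError(f"not a strain: {strain!r}")


def tainted(specs: List[str], defs: List[Definition]) -> set:
    """Tids tainted by a list of STRAIN values, as if each were passed in its
    own --taint-reg/--taint-ptr occurrence (assumed to accumulate)."""
    strains = [parse(s) for s in specs]
    return {d.tid for d in defs if any(matches(s, d) for s in strains)}


# Constructed sample program: a register def at 0xBAD, an API-plugin def of
# strcpy_dst, and malloc_return defs at two different call sites.
DEFS = [
    Definition("%0000000a", "RAX", 0xBAD),
    Definition("%0000000b", "strcpy_dst", 0x401230),
    Definition("%0000000c", "malloc_return", 0xBAD),
    Definition("%0000000d", "malloc_return", 0x401300),
]

if __name__ == "__main__":
    for spec in ["0xBAD", "strcpy_dst", "(0xBAD malloc_return)", "%0000000D"]:
        print(f"{spec:25} -> {sorted(tainted([spec], DEFS))}")
```

The list form is what makes the third example on the page site-specific: `0xBAD` alone would also taint the register definition at that address, while `(0xBAD malloc_return)` keeps only the definition that is both at 0xBAD and named malloc_return. Malformed input such as an unbalanced parenthesis or an empty `()` is rejected rather than silently matching nothing.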
See also: bap-plugin-propagate-taint(1), bap-plugin-map-terms(1)