llvm-ir-taint: Taint tracking for LLVM IR

This crate provides static taint-tracking for LLVM IR.

Getting started

llvm-ir-taint is on crates.io, so you can simply add it as a dependency in your Cargo.toml, selecting the feature corresponding to the LLVM version you want:

[dependencies]
llvm-ir-taint = { version = "0.1.1", features = ["llvm-13"] }

Currently, the supported LLVM versions are llvm-8, llvm-9, llvm-10, llvm-11, llvm-12, and llvm-13. The corresponding LLVM library must be available on your system; see the llvm-sys README for more details and instructions.

You'll also need some LLVM IR to analyze, in the form of one or more llvm-ir Modules. This can be easily generated from an LLVM bitcode file; for more detailed instructions, see llvm-ir's README.

Once you have one or more Modules, you can call do_taint_analysis_on_function() to analyze a single function (and all functions it calls, including transitively), or do_taint_analysis_on_module() to analyze all the functions in an LLVM module.

let module = Module::from_bc_path(...)?;
let taint_result = do_taint_analysis_on_function(&[module], ...);

Either of these functions return a TaintResult, from which you can get information about the result of an analysis, such as which variables are tainted.

For more details, see the docs.