control flow taint propagation

[helloworldlong]

in gentrace.cpp:

if (!isBranch)
            tracker->taintPropagation(ti->delta);

so bap-pintraces does not log the control flow taint propagation.
then the code in strcmp function:

Dump of assembler code for function strcmp:
   0xb7ff5ea0 <+0>:	mov    ecx,DWORD PTR [esp+0x4]
   0xb7ff5ea4 <+4>:	mov    edx,DWORD PTR [esp+0x8]
   0xb7ff5ea8 <+8>:	mov    al,BYTE PTR [ecx]
   0xb7ff5eaa <+10>:	cmp    al,BYTE PTR [edx]
   0xb7ff5eac <+12>:	jne    0xb7ff5eb7 <strcmp+23>
   0xb7ff5eae <+14>:	inc    ecx
   0xb7ff5eaf <+15>:	inc    edx
   0xb7ff5eb0 <+16>:	test   al,al
   0xb7ff5eb2 <+18>:	jne    0xb7ff5ea8 <strcmp+8>
   0xb7ff5eb4 <+20>:	xor    eax,eax
   0xb7ff5eb6 <+22>:	ret    
   0xb7ff5eb7 <+23>:	mov    eax,0x1  //control
   0xb7ff5ebc <+28>:	mov    ecx,0xffffffff
   0xb7ff5ec1 <+33>:	cmovb  eax,ecx //“below” are used for unsigned integers
   0xb7ff5ec4 <+36>:	ret  

we can not log the taint instruction in the trace file, so we can not get the contrain.

[ivg]

Sorry, I can't really understand, what are you asking for?

[helloworldlong]

Sorry, my English is poor. I have seen your paper "All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution". There are some sentences about my question in this paper:
1) Informally, a statement s2 is control-dependent on statement s1 if s1 controls whether or not s2 will execute.
2) If you do not compute control dependencies, you cannot determine control-flow based taint, and the overall analysis may undertaint.
3) Unfortunately, pure dynamic taint analysis cannot compute control dependencies, thus cannot accurately determine control-flow-based taint. The reason is simple: reasoning about control
dependencies requires reasoning about multiple paths, and dynamic analysis executes on a
single path at a time.
So my question is whether bap can handle the control dependcies.

[helloworldlong]

There is a control dependency in "0xb7ff5eb7 <+23>: mov eax,0x1 //control" in the strcmp instruction, because it depends on "0xb7ff5eac <+12>: jne 0xb7ff5eb7 <strcmp+23>" instruction. If the ZF flag is tainted in the "0xb7ff5eac <+12>: jne 0xb7ff5eb7 <strcmp+23>" instruction, the eax register should be tainted in "0xb7ff5eb7 <+23>: mov eax,0x1 //control" instruction.