Taint analysis using Maat #153
howtheturntables
started this conversation in
General
Replies: 1 comment
-
Hey! Maat used to have a taint analysis engine but it's not being used at the moment. I agree that we should revive it and make it available through the API. I'm very busy on another project at the moment, but wanted to let you know that I did see that question and will give a more thorough answer / implement it once I get a little bit of free time :)
-
From my testing, Maat's python interface has proven quite capable of performing many of the functions one would want from a dynamic symbolic execution framework. The tutorials are really helpful in detailing how to use Maat for symbolic execution; however, I haven't found any documentation on how to use Maat for the purposes of taint analysis. As such, does anyone have a working POC (proof-of-concept) or example of how to utilize Maat's python API for taint analysis? If not a POC, is there a suggested algorithm that one would need to implement using Maat for successful taint analysis?
From examining Maat's C# API, I've seen some mention of taint, but I've been unable to determine if taint analysis is possible through Maat's C# interface as of yet. Although I'd prefer a POC with the python API, if Maat's C# interface is currently the only viable option, I'd be grateful for an example of taint analysis in this format as well.
Since taint analysis may be considered an abstract term, I've provided a basic definition below which highlights what I'm hoping Maat is capable of.
Taint Analysis: A technique that tracks the flow of specific "tainted" information throughout a program's execution. Not only does it follow the "tainted" information, but it also tracks any and all variables affected by the "tainted" information. Unlike data flow analysis, taint analysis continues tracking data even if the variable itself isn't preserved, since the tainted data can be propagated through another (potentially insecure) variable.
Any and all help is much appreciated, thanks!
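As an added illustration of the algorithm the post asks about (this is not code from the thread and not Maat's API), the following toy taint-propagation engine implements the definition given above over a constructed three-address IR: inputs are labelled at their source, every value derived from a labelled value inherits the label, labels survive a round trip through memory after the original register is overwritten, and a labelled value reaching a sink is reported. The IR, the `Instr`/`TaintEngine` names and the sample program are assumptions made for this example.

```python
"""Toy taint-propagation engine over a constructed three-address IR.

Assumption: the IR, instruction names and sample program below are
invented for illustration; they are not Maat's IR or Python API.
"""
from dataclasses import dataclass
from typing import Optional, Tuple, Dict, Set, List


@dataclass(frozen=True)
class Instr:
    op: str                  # input | const | mov | add | xor | load | store | sink
    dst: Optional[str]       # destination register, or None for store/sink
    srcs: Tuple = ()         # operands: register names, a label, or a memory cell name


class TaintEngine:
    """Propagates sets of taint labels through registers and memory cells."""

    def __init__(self) -> None:
        self.taint: Dict[str, Set[str]] = {}   # register -> labels currently attached
        self.mem: Dict[str, Set[str]] = {}     # memory cell -> labels stored there
        self.reports: List[Tuple[int, str, Set[str]]] = []  # (pc, operand, labels)

    def labels(self, var: str) -> Set[str]:
        return set(self.taint.get(var, set()))

    def run(self, program: List[Instr]) -> List[Tuple[int, str, Set[str]]]:
        for pc, ins in enumerate(program):
            if ins.op == "input":
                # Source: the value is labelled with the name of its origin.
                self.taint[ins.dst] = {ins.srcs[0]}
            elif ins.op == "const":
                # Overwriting a register with a constant clears its taint.
                self.taint[ins.dst] = set()
            elif ins.op in ("mov", "add", "xor"):
                # Result carries the union of the operands' labels.
                new: Set[str] = set()
                for s in ins.srcs:
                    new |= self.labels(s)
                # x xor x is always 0, so the result no longer depends on input.
                if ins.op == "xor" and len(set(ins.srcs)) == 1:
                    new = set()
                self.taint[ins.dst] = new
            elif ins.op == "store":
                # Taint follows the value into the memory cell.
                cell, val = ins.srcs
                self.mem[cell] = self.labels(val)
            elif ins.op == "load":
                # Taint comes back out of memory, whatever happened to the
                # register it originally lived in.
                self.taint[ins.dst] = set(self.mem.get(ins.srcs[0], set()))
            elif ins.op == "sink":
                found = self.labels(ins.srcs[0])
                if found:
                    self.reports.append((pc, ins.srcs[0], found))
            else:
                raise ValueError(f"unknown op {ins.op!r} at pc={pc}")
        return self.reports


# Constructed sample program: tainted input flows through arithmetic into
# memory, the original registers are overwritten, then the value is reloaded.
PROGRAM: List[Instr] = [
    Instr("const", "r2", (7,)),
    Instr("input", "r0", ("stdin",)),      # r0 <- untrusted input, label "stdin"
    Instr("add", "r1", ("r0", "r2")),      # r1 derived from r0 -> tainted
    Instr("store", None, ("buf", "r1")),   # taint moves into cell "buf"
    Instr("const", "r0", (0,)),            # original tainted register overwritten
    Instr("const", "r1", (0,)),
    Instr("load", "r3", ("buf",)),         # taint resurfaces from memory
    Instr("xor", "r4", ("r3", "r3")),      # r3 ^ r3 == 0 -> untainted
    Instr("sink", None, ("r3",)),          # tainted value reaches the sink
    Instr("sink", None, ("r4",)),          # not reported
    Instr("sink", None, ("r0",)),          # not reported: overwritten earlier
]


def analyze(program: List[Instr] = PROGRAM) -> TaintEngine:
    engine = TaintEngine()
    engine.run(program)
    return engine


if __name__ == "__main__":
    for pc, operand, labels in analyze().reports:
        print(f"pc={pc}: {operand} reaches a sink carrying {sorted(labels)}")
```

The `store`/`load` pair is what distinguishes this from plain data-flow tracking on register names: after `r0` and `r1` are cleared, the input is still tracked because the label was attached to the value, not the variable. In a symbolic executor the same effect can be obtained by making the input a symbolic variable and treating any value whose expression still references that variable as tainted.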