CQual performs an interprocedural program analysis to determine where sensitive data might flow from the initial set of sensitive variables annotated by the programmer. If CQual detects an assignment from a sensitive variable to an ``unconstrained'' variable, the unconstrained variable is itself considered sensitive, and the process repeats until no further variables change. Thus, CQual determines where the $sensitive qualifier spreads throughout the program. After CQual has finished, we know that all remaining unconstrained variables only contain insensitive data, since they never receive any assignment, direct or transitive, from a sensitive variable. In the other direction, if CQual determines that a variable is sensitive, it may contain sensitive information during the execution of the program, since there is a possible assignment to it from a known sensitive variable; the analysis is conservative, so it reports may-sensitivity rather than must-sensitivity. The question of whether data may be sensitive is analogous to the question of whether it may be tainted, so we can use the same analysis as in Shankar et al. [14].
As an alternative to annotating specific data at the point it enters the program, the programmer may choose to use a pre-annotated header file that marks as sensitive all data returned by functions like read and recv. At the cost of unnecessarily marking some values as sensitive, this option makes it easy to denote user data as sensitive without the need to enter program-specific annotations. We take this approach in our evaluation experiments.
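The following is an added illustration of the two points above (qualifier propagation over assignments, and seeding the analysis from a pre-annotated header rather than from program-specific annotations); it is not Scrash or CQual code. A program is reduced to its data-flow edges: one (dst, src) pair per assignment, plus interprocedural edges for argument-to-parameter and return-expression-to-call-result bindings. The sample program, the variable names, the set of header-marked functions and the treatment of the analysis as flow-insensitive are all assumptions of this toy model; CQual's real type-qualifier inference also handles pointers and subtyping, which the model ignores.

```python
"""Toy model of $sensitive qualifier propagation (constructed illustration).

Not Scrash or CQual code.  A program is modelled as (dst, src) flow edges;
calls contribute interprocedural edges (argument -> parameter, return
expression -> call result), which is how a qualifier analysis sees them.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Functions whose output a pre-annotated header marks $sensitive.  The text
# mentions read and recv; the exact header contents are assumed here.
HEADER_SENSITIVE_SOURCES: Set[str] = {"read", "recv"}

# Constructed sample program; variables are prefixed by function to keep them
# distinct across the interprocedural analysis.
#
#   char *get_line(int fd) {
#       static char buf[64];
#       recv(fd, buf, sizeof buf, 0);   /* buf receives recv's output          */
#       return buf;
#   }
#   void handle(int sock) {
#       char *line   = get_line(sock);   /* sock -> get_line.fd, ret -> line    */
#       char *copy   = line;
#       char *banner = "hello";          /* constant, never sensitive           */
#       int   n      = sock;
#       char *tmp    = banner;
#       tmp = copy;                      /* flow-insensitive: tmp is sensitive  */
#   }
CALLS: List[Tuple[str, str]] = [("recv", "get_line.buf")]   # (callee, variable it writes)
FLOWS: List[Tuple[str, str]] = [                             # (dst, src)
    ("get_line.ret", "get_line.buf"),
    ("get_line.fd", "handle.sock"),
    ("handle.line", "get_line.ret"),
    ("handle.copy", "handle.line"),
    ("handle.n", "handle.sock"),
    ("handle.tmp", "handle.banner"),
    ("handle.tmp", "handle.copy"),
]
ALL_VARS: List[str] = sorted({v for edge in FLOWS for v in edge} | {v for _, v in CALLS})


def seeds_from_header(calls: Iterable[Tuple[str, str]],
                      sources: Set[str] = HEADER_SENSITIVE_SOURCES) -> Set[str]:
    """Header-file option: every variable written by read/recv starts out sensitive."""
    return {var for callee, var in calls if callee in sources}


def propagate(flows: Iterable[Tuple[str, str]], seeds: Iterable[str]) -> Set[str]:
    """Worklist fixpoint: the qualifier spreads along every assignment out of a
    sensitive variable until no new variable is reached.  The result is a
    may-sensitive set; anything outside it never receives sensitive data."""
    successors: Dict[str, List[str]] = defaultdict(list)
    for dst, src in flows:
        successors[src].append(dst)
    sensitive: Set[str] = set(seeds)
    work: List[str] = list(sensitive)
    while work:
        var = work.pop()
        for dst in successors[var]:
            if dst not in sensitive:       # first time this variable is reached
                sensitive.add(dst)
                work.append(dst)
    return sensitive


def assign_regions(all_vars: Iterable[str], sensitive: Set[str]) -> Dict[str, str]:
    """What a later Scrash stage would consume: a per-variable region choice."""
    return {v: ("secure" if v in sensitive else "insecure") for v in all_vars}


if __name__ == "__main__":
    header_seeds = seeds_from_header(CALLS)
    for var, region in assign_regions(ALL_VARS, propagate(FLOWS, header_seeds)).items():
        print(f"{var:16s} {region}")
    # Program-specific alternative: annotate only handle.line by hand.  Only
    # its forward flows become sensitive; get_line.buf is not reached.
    print(sorted(propagate(FLOWS, {"handle.line"})))
```

Running the block shows the over-approximation the text mentions: `handle.tmp` is placed in the secure region even though it also holds a constant, because one of its assignments comes from sensitive data, while `get_line.fd`, `handle.sock`, `handle.n` and `handle.banner` are never reached from a sensitive source and stay in the insecure region.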
The CQual stage outputs the original program with attributes added to each variable describing its sensitivity. These annotations allow later stages of Scrash to determine whether a variable should reside in the secure or insecure region of memory.