Security Analysis Explorer
Trace taint propagation through code, explore the taint lattice, and discover vulnerabilities. Select a program to see how tainted data flows from sources to sinks — and how sanitizers break the chain.
Taint Lattice
4-element flat lattice: Bot < {Untainted, Tainted} < Top. Tracks whether data is user-controlled (tainted) or safe (untainted).
Key Property
join(Untainted, Tainted) = Top — if data might be tainted OR untainted, we must treat it as potentially tainted (conservative/sound). This is why merge points after branches can increase taint levels.
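The join and the branch-merge behaviour described above, as an added example that is not part of the original page. The tuple-based program encoding, the function names and the sample branches are constructed for illustration, and the model assumes a sanitizer's output is Untainted.

```python
from enum import Enum

class Taint(Enum):
    BOT = "Bot"              # no information / unreachable
    UNTAINTED = "Untainted"
    TAINTED = "Tainted"
    TOP = "Top"              # may be either, so treated as potentially tainted

def leq(a, b):
    """Partial order: Bot <= x <= Top; Untainted and Tainted are incomparable."""
    return a == b or a is Taint.BOT or b is Taint.TOP

def join(a, b):
    """Least upper bound of two lattice elements."""
    if leq(a, b):
        return b
    if leq(b, a):
        return a
    return Taint.TOP  # the only incomparable pair: Untainted vs Tainted

def eval_expr(expr, env):
    """Transfer function for one right-hand side (toy model, an assumption)."""
    kind = expr[0]
    if kind == "source":                  # user-controlled input
        return Taint.TAINTED
    if kind in ("const", "sanitize"):     # literal, or sanitizer output
        return Taint.UNTAINTED
    if kind == "copy":                    # propagate the operand's level
        return env.get(expr[1], Taint.BOT)
    raise ValueError(f"unknown expression kind: {kind}")

def run_block(block, env):
    """Apply a straight-line list of (var, expr) assignments to a copy of env."""
    env = dict(env)
    for var, expr in block:
        env[var] = eval_expr(expr, env)
    return env

def analyze_branch(then_block, else_block, sink_var):
    """Join both branch environments pointwise, then check the sink argument."""
    a, b = run_block(then_block, {}), run_block(else_block, {})
    merged = {v: join(a.get(v, Taint.BOT), b.get(v, Taint.BOT)) for v in a.keys() | b.keys()}
    level = merged[sink_var]
    return level, level in (Taint.TAINTED, Taint.TOP)   # (level, report finding?)

# Constructed sample branches: q reaches a sink after the if/else merges.
ELSE = [("q", ("const",))]
VULN_THEN = [("raw", ("source",)), ("q", ("copy", "raw"))]
SAFE_THEN = [("raw", ("source",)), ("q", ("sanitize", "raw"))]
```

With `VULN_THEN` the merged level of `q` rises to Top and the sink is flagged; with `SAFE_THEN` both branches agree on Untainted and the chain is broken.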