github-learning-lab[bot]
commented
4 years ago :keyboard: Activity: Write a taint tracking query
- Edit the file
10_taint_tracking.qlwith the template below. Note the annotationpath-problemand the pattern used in theselectsection. This pattern allows CodeQL to interpret these results as a "path" through the code, and display the path in your IDE. - Copy and paste your definition of the
NetworkByteSwapclass from step 9. - Write the
isSourcepredicate. This should recognize an expression in an invocation ofntohl,ntohsorntohll.- You already described these expressions in the
NetworkByteSwapclass from step 9. Here we need to check that the source corresponds to a value that belongs to this class. - To check if a value belongs to CodeQL class, use the
<value> instanceof <myclass>construct. - Note that the
sourcevariable is of typeDataFlow::Node, while yourNetworkByteSwapclass is a subclass ofExpr, so we cannot just writesource instanceof NetworkByteSwap. (Try this and the compiler will give you an error.) Use auto-completion onsourceto discover the predicate that lets us view it as anExpr.
- You already described these expressions in the
- Write the
isSinkpredicate: The sink should be the size argument of calls tomemcpy.- Use auto-completion to find the predicate that returns the
nth argument of a function call. - Use the predicate you discovered when writing
isSourceto view thesinkas anExpr.
- Use auto-completion to find the predicate that returns the
- Run your query. Note that the first run will take a little longer than the previous queries, since data flow analysis is more complex.
Submit your query when you're happy with the results.
Tip: For a complete example, read this article.
/**
* @kind path-problem
*/
import cpp
import semmle.code.cpp.dataflow.TaintTracking
import DataFlow::PathGraph
class NetworkByteSwap extends Expr {
// TODO: copy from previous step
}
class Config extends TaintTracking::Configuration {
Config() { this = "NetworkToMemFuncLength" }
override predicate isSource(DataFlow::Node source) {
// TODO
}
override predicate isSink(DataFlow::Node sink) {
// TODO
}
}
from Config cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink, source, sink, "Network byte swap flows to memcpy"
Step 10: Data flow and taint tracking analysis
Great! You made it to the final step!
In step 9 we found expressions in the source code that are likely to have integers supplied from remote input, because they are being processed with invocations of
ntoh,ntohll, orntohs. These can be considered sources of remote input.In step 6 we found calls to
memcpy. These calls can be unsafe when their length arguments are controlled by a remote user. Their length arguments can be considered sinks: they should not receive user-controlled values without further validation.Combining these pieces of information, we know that code is vulnerable if tainted data flows from a network integer source to a sink in the length argument of a
memcpycall.However, how do we know whether data from a particular source might reach a particular sink? This is known as data flow or taint tracking analysis. Given the number of results (hundreds of
memcpycalls and a large number of macro invocations), it would be quite a lot of work to triage all these cases manually.To make our triaging job easier, we will have CodeQL do this analysis for us.
You will now write a query to track the flow of tainted data from network-controlled integers to the
memcpylength argument. As a result you will find 9 real vulnerabilities!To achieve this, we’ll use the CodeQL taint tracking library.This library allows you to describe sources and sinks, and its predicate
hasFlowPathholds true when tainted data from a given source flows to a sink.