Skip to content

C++: Prepare cpp/cleartext-transmission for IR-based use-use dataflow#10838

Merged
MathiasVP merged 3 commits intogithub:mathiasvp/replace-ast-with-ir-use-usedataflowfrom
MathiasVP:repair-cleartext-transmission-2
Oct 26, 2022
Merged

C++: Prepare cpp/cleartext-transmission for IR-based use-use dataflow#10838
MathiasVP merged 3 commits intogithub:mathiasvp/replace-ast-with-ir-use-usedataflowfrom
MathiasVP:repair-cleartext-transmission-2

Conversation

@MathiasVP
Copy link
Copy Markdown
Contributor

@MathiasVP MathiasVP commented Oct 14, 2022

This is a rather large change. Since we now have use-use flow we don't need to search backwards from a use of a variable with a name that implies that it's sensitive. Instead, we can just mark that variable use as a source, and dataflow will continue from there.

This means that it requires a bit more work to block taint if there's some evidence somewhere for the data being encrypted. To see why, consider this example:

char password1[256], password2[256];
encrypt_to_buffer(password1, password2); // proof that `password2` is in fact encrypted
char* x = password2;
send(val(), x, strlen(password2), val()); // GOOD: password is encrypted

We can now just mark the use of password2 on line 3 as a source, and dataflow will end up as an argument to x. However, since we now start on line 3, the encryption isn't actually part of the dataflow path anymore.

To fix this, I've added two additional taint-tracking configurations: One that checks the source (i.e., password2 on line 3 in the example above) flows to some encryption, and one that checks if encrypted data flows to the sink (i.e., the send argument on line 4).

There are a couple of new FPs/missing flows. I think we can tweak the source/sinks to fix these, but this fixes most of the regressions, though.

@MathiasVP MathiasVP requested a review from a team as a code owner October 14, 2022 12:49
@github-actions github-actions bot added the C++ label Oct 14, 2022
@MathiasVP MathiasVP added the no-change-note-required This PR does not need a change note label Oct 14, 2022
geoffw0
geoffw0 reviewed Oct 18, 2022
View reviewed changes
Copy link
Copy Markdown
Contributor

@geoffw0 geoffw0 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like a fair improvement, in addition to preparing for use-use flow. The three newly incorrect test results appear to come from taint being blocked by operations of the form buffer[255] = 0, which it probably shouldn't be.

Its nice to see three previously [NOT DETECTED] results are now detected.

@MathiasVP
Copy link
Copy Markdown
Contributor Author

MathiasVP commented Oct 24, 2022
edited
Loading

Looks like a fair improvement, in addition to preparing for use-use flow. The three newly incorrect test results appear to come from taint being blocked by operations of the form buffer[255] = 0, which it probably shouldn't be.

Indeed, I also noticed this. This seems like a new bug in dataflow that should be fixed. I've created https://github.com/github/codeql-c-team/issues/1294 for this. I don't think this should block this PR, however.

geoffw0
geoffw0 approved these changes Oct 26, 2022
View reviewed changes
Copy link
Copy Markdown
Contributor

@geoffw0 geoffw0 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@MathiasVP MathiasVP merged commit 2ba94f7 into github:mathiasvp/replace-ast-with-ir-use-usedataflow Oct 26, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@geoffw0 geoffw0 geoffw0 approved these changes

Assignees

No one assigned

Labels

C++ no-change-note-required This PR does not need a change note

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@MathiasVP @geoffw0