Step 10 - Data flow and taint tracking analysis about codeql-uboot HOT 2 CLOSED

⌨️ Activity: Write a taint tracking query

1. Edit the file 10_taint_tracking.ql with the template below. Note the annotation path-problem and the pattern used in the select section. This pattern allows CodeQL to interpret these results as a "path" through the code, and display the path in your IDE.
2. Copy and paste your definition of the NetworkByteSwap class from step 9.
3. Write the isSource predicate. This should recognize an expression in an invocation of ntohl, ntohs or ntohll.
   • You already described these expressions in the NetworkByteSwap class from step 9. Here we need to check that the source corresponds to a value that belongs to this class.
   • To check if a value belongs to CodeQL class, use the <value> instanceof <myclass> construct.
   • Note that the source variable is of type DataFlow::Node, while your NetworkByteSwap class is a subclass of Expr, so we cannot just write source instanceof NetworkByteSwap. (Try this and the compiler will give you an error.) Use auto-completion on source to discover the predicate that lets us view it as an Expr.
4. Write the isSink predicate: The sink should be the size argument of calls to memcpy.
   • Use auto-completion to find the predicate that returns the nth argument of a function call.
   • Use the predicate you discovered when writing isSource to view the sink as an Expr.
5. Run your query. Note that the first run will take a little longer than the previous queries, since data flow analysis is more complex.

Submit your query when you're happy with the results.

Tip: For a complete example, read this article.

/**
* @kind path-problem
*/

import cpp
import semmle.code.cpp.dataflow.TaintTracking
import DataFlow::PathGraph
 
class NetworkByteSwap extends Expr {
  // TODO: copy from previous step 
}
 
class Config extends TaintTracking::Configuration {
  Config() { this = "NetworkToMemFuncLength" }

  override predicate isSource(DataFlow::Node source) {
    // TODO
  }
  override predicate isSink(DataFlow::Node sink) {
    // TODO
  }
}

from Config cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink, source, sink, "Network byte swap flows to memcpy"

from codeql-uboot.

Congratulations, you have finished the course! You can merge your last outstanding Pull Request if you have one. Don't hesitate to give us feedback, find us at https://securitylab.github.com/get-involved. And recommend this course to your friends if it was useful!

from codeql-uboot.