Comments (2)
⌨️ Activity: Write a taint tracking query

- Edit the file `10_taint_tracking.ql` with the template below. Note the annotation `path-problem` and the pattern used in the `select` section. This pattern allows CodeQL to interpret these results as a "path" through the code, and display the path in your IDE.
- Copy and paste your definition of the `NetworkByteSwap` class from step 9.
- Write the `isSource` predicate. This should recognize an expression in an invocation of `ntohl`, `ntohs` or `ntohll`.
  - You already described these expressions in the `NetworkByteSwap` class from step 9. Here we need to check that the source corresponds to a value that belongs to this class.
  - To check if a value belongs to a CodeQL class, use the `<value> instanceof <myclass>` construct.
  - Note that the `source` variable is of type `DataFlow::Node`, while your `NetworkByteSwap` class is a subclass of `Expr`, so we cannot just write `source instanceof NetworkByteSwap`. (Try this and the compiler will give you an error.) Use auto-completion on `source` to discover the predicate that lets us view it as an `Expr`.
- Write the `isSink` predicate: The sink should be the size argument of calls to `memcpy`.
  - Use auto-completion to find the predicate that returns the `n`th argument of a function call.
  - Use the predicate you discovered when writing `isSource` to view the `sink` as an `Expr`.
- Run your query. Note that the first run will take a little longer than the previous queries, since data flow analysis is more complex.

Submit your query when you're happy with the results.

Tip: For a complete example, read this article.
```ql
/**
 * @kind path-problem
 */

import cpp
import semmle.code.cpp.dataflow.TaintTracking
import DataFlow::PathGraph

class NetworkByteSwap extends Expr {
  // TODO: copy from previous step
}

class Config extends TaintTracking::Configuration {
  Config() { this = "NetworkToMemFuncLength" }

  override predicate isSource(DataFlow::Node source) {
    // TODO
  }

  override predicate isSink(DataFlow::Node sink) {
    // TODO
  }
}

from Config cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink, source, sink, "Network byte swap flows to memcpy"
```
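One way the template's TODOs can be filled in, as an added example rather than the course's reference answer. The `NetworkByteSwap` body is an assumption about the step 9 class (not shown on this page, and it assumes `ntohs`/`ntohl`/`ntohll` are macros), and the C fragment in the comment is constructed to show the kind of flow the query reports.

```ql
/**
 * @kind path-problem
 */

import cpp
import semmle.code.cpp.dataflow.TaintTracking
import DataFlow::PathGraph

// Constructed C fragment of the kind this query reports (not from U-Boot):
//   uint16_t len = ntohs(hdr->len);    // source: length taken from the wire
//   memcpy(buf, hdr->payload, len);    // sink: size argument of memcpy

// Assumed step 9 definition: any expression produced by expanding the
// ntohs, ntohl or ntohll macro.
class NetworkByteSwap extends Expr {
  NetworkByteSwap() {
    exists(MacroInvocation mi |
      mi.getMacroName().regexpMatch("ntoh(s|l|ll)") and
      this = mi.getExpr()
    )
  }
}

class Config extends TaintTracking::Configuration {
  Config() { this = "NetworkToMemFuncLength" }

  // asExpr() views a DataFlow::Node as the Expr it represents, which is
  // what makes the instanceof check against an Expr subclass type-correct.
  override predicate isSource(DataFlow::Node source) {
    source.asExpr() instanceof NetworkByteSwap
  }

  // memcpy(dest, src, n): the size is the argument at zero-based index 2.
  override predicate isSink(DataFlow::Node sink) {
    exists(FunctionCall call |
      call.getTarget().getName() = "memcpy" and
      sink.asExpr() = call.getArgument(2)
    )
  }
}

from Config cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink, source, sink, "Network byte swap flows to memcpy"
```

This configuration defines no sanitizer, so a path is still reported when the length is bounds-checked between the byte swap and the `memcpy`; each result is a lead to review by hand.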
Congratulations, you have finished the course! You can merge your last outstanding Pull Request if you have one. Don't hesitate to give us feedback, find us at https://securitylab.github.com/get-involved. And recommend this course to your friends if it was useful!