Codeql Variant Analysis

31 slides, Aug 28, 2021

About This Presentation

Variant analysis is the process of using a known vulnerability as a seed to find similar problems in your code. Security engineers typically perform variant analysis to identify possible vulnerabilities and to ensure that these threats are properly fixed across multiple code bases.


Slide Content

CodeQL Variant Analysis
Hamid Rezaei
Sadjad University of Technology

Outline
Dynamic Memory Allocation
Introduction to CodeQL
Writing Queries
U-Boot Loader
Hamid Rezaei Secure Software Development CodeQL Variant Analysis 2 / 25

Dynamic Memory Allocation

HEAP
Dynamic Memory Allocation
C: malloc() / free()
C++: new / delete
Win32 API: HeapAlloc() / HeapFree()

HEAP
How does it work?
First allocate a pool of memory
malloc(): hand out part of the pool as a chunk
free(): give the chunk back
Freed chunks are generally reused for efficiency

HEAP
How the memory is managed

Introduction to CodeQL

Introduction
CodeQL consists of:
QL: the programming language of the CodeQL code analysis platform
CLI: runs queries
Libraries: the QL standard libraries
Databases: contain everything needed to run the queries against a code base
Used for "variant analysis"
Supported languages and compilers:
C/C++, Python, Go, Java, C#, TypeScript, JavaScript

Introduction
So what is variant analysis?

Introduction
DevSecOps SAST Workflow

Introduction
Common techniques:
Control flow analysis (CFA)
Data flow analysis (DFA)
Taint tracking
Range analysis
Semantic code search

Analysis Overview

Writing Queries

Writing Queries
What does a query look like?
Basic syntax
from <variable declarations>
where <logical formulas>
select <expressions> (element, string)
Example
from File f, File other, int percent
where similarFiles(f, other, percent)
select f, "This file is similar to another file."

Writing Queries
Building blocks of a query
Footnote 1: https://lgtm.com/query/8211569248445906488/

Writing Queries
Using a Predicate

Writing Queries
Using a Class

Writing Queries
Information Flow
Source & Sink
Some examples:
SQL injection: sources are user input, sinks are SQL queries
Reflected XSS: sources are HTTP requests, sinks are HTTP responses
We can solve such problems using the data flow and taint tracking libraries.

Writing Queries
Taint Tracking

Writing Queries
Global Taint Tracking

U-Boot Loader

U-Boot Loader
Goal
Find remote code execution (RCE) vulnerabilities in U-Boot
U-Boot uses the network to fetch the next-stage boot resources
An attacker on the same network could therefore gain code execution

U-Boot Loader
RCE in U-Boot Loader
The vulnerabilities were plain heap overflows (memcpy)
Overflow with an attacker-controlled size coming from the network packet
Find memcpy calls whose arguments are read from the network, i.e. pass through the ntohl / ntohs functions

U-Boot Loader
Steps:
1. Find all functions named memcpy
2. Find all ntoh* macros
3. Find all the calls to memcpy
4. Find all the invocations of ntoh* macros
5. Find the expressions that correspond to macro invocations
6. Write your own NetworkByteSwap class
7. Write a taint tracking query
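The seven steps above assembled into one query, as an added example that is not part of the deck; it uses the class-based TaintTracking::Configuration API that the CodeQL C/C++ library offered at the time of this talk. The macro-name pattern ntoh(s|l|ll), the choice of the third memcpy argument (the length) as the sink, and the configuration name are assumptions made here.

```ql
/**
 * @name Network data flows into memcpy length
 * @kind path-problem
 * @problem.severity warning
 */
import cpp
import semmle.code.cpp.dataflow.TaintTracking
import DataFlow::PathGraph

// Step 6: an expression that is the result of an ntohs/ntohl/ntohll
// macro invocation (steps 2, 4 and 5). Anything passing through a
// network byte swap is, by construction, data read from the packet.
class NetworkByteSwap extends Expr {
  NetworkByteSwap() {
    exists(MacroInvocation mi |
      mi.getMacroName().regexpMatch("ntoh(s|l|ll)") and // assumed pattern
      this = mi.getExpr()
    )
  }
}

// Step 7: taint tracking from byte-swapped values to the memcpy length.
class NetworkToMemcpyLength extends TaintTracking::Configuration {
  NetworkToMemcpyLength() { this = "NetworkToMemcpyLength" } // assumed name

  override predicate isSource(DataFlow::Node source) {
    source.asExpr() instanceof NetworkByteSwap
  }

  // Steps 1 and 3: calls to a function named memcpy; the sink is the
  // size argument, because an attacker-controlled size is what overflows.
  override predicate isSink(DataFlow::Node sink) {
    exists(FunctionCall fc |
      fc.getTarget().getName() = "memcpy" and
      sink.asExpr() = fc.getArgument(2)
    )
  }
}

from NetworkToMemcpyLength cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlow(source.getNode(), sink.getNode())
select sink, source, sink,
  "Network byte-swapped value reaches a memcpy length argument."
```

Each result is a source-to-sink path; the length still has to be checked by hand against the destination buffer, since the query reports flow, not a proven overflow.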

The End
Thanks for your attention!
Any Question!?