Introduction to CodeQL

By Mathew Payne - @GeekMasher

Today's Talk

• What is Static Code Analysis and CodeQL?
• Running CodeQL to do research
• Introduction to Query writing

Questions during presentation are welcome!

Static Code Analysis Basics

Poll Time

What is Static Code Analysis?

• An automated tool to analyse source code
  • "Asking and answering questions about the code"
• Static Application Security Testing (SAST)
• Looks at the code without running the code
• Discover security vulnerabilities
• Perform Taint Tracking Analysis

Why Static Code Analysis?

Taint Tracking Analysis

Track data through an application

• Sources (untrustworthy application inputs)
• Sinks (methods / assignments of interest)
• Sanitizers (secures the user data)
• Guards (conditional checks)
• Passthroughs / Taintsteps (understand what an expression does)

Example - Code Review

from flask import Flask, request, render_template
# ...
@app.route("/search")
def search():
    search = request.args.get("search")
    results = lookup(search)
    return render_template(
        "search.html", results=results
    )

Example - Code Review

from flask import Flask, request, render_template
# ...
@app.route("/search")
def search():
    search = request.args.get("search")  # <- source, request parameter
    results = lookup(search)             # <- sink?
    return render_template(
        "search.html", results=results   # <- sink?
    )

Example - Code Review

from flask import Flask, request, render_template

def lookup(data):
    cursor = conn.cursor()
    query = f"SELECT * FROM metadata WHERE name='{data}' OR data='{data}'"
    
    cursor.execute(query)
    return cursor.fetchall()

@app.route("/search")
def search():
    search = request.args.get("search")
    results = lookup(search)
    # ...

Example - Taint Tracking Analysis

from flask import Flask, request, render_template

def lookup(data):   # <- 3. function definition
    cursor = conn.cursor()
    query = f"SELECT * FROM metadata WHERE name='{data}' OR data='{data}'"
    # ^ 4. string format, tainting query
    cursor.execute(query)    # <- 5. SINK!
    return cursor.fetchall()

@app.route("/search")
def search():
    search = request.args.get("search")  # <- 1. source, request parameter
    results = lookup(search)             # <- 2. function call
    # ...

Example - Code Review (2nd sink)

from flask import Flask, request, render_template
# ...
@app.route("/search")
def search():
    search = request.args.get("search")
    results = lookup(search)
    return render_template(
        "search.html", results=results   # <- sink?
    )

Researching Framework/Library

HTML Escaping / Jinja Templates

When returning HTML (the default response type in Flask), any user-provided values rendered in the output must be escaped to protect from injection attacks. HTML templates rendered with Jinja, introduced later, will do this automatically.

CodeQL

Disclaimer Time

What is CodeQL?

• Static Code Analysis Engine
• Extracts source code into data
• Stores data in a Database
• Queries run on the Database
• Domain-specific language called "QL"

CodeQL Pipeline

Code -> Database -> Queries -> Results

Getting Started

• VSCode CodeQL Starter
• Insecure Code

# vscode starter
git clone --depth=1 https://github.com/github/vscode-codeql-starter

# create database (codeql cli)
codeql database create --language python ./python-DC44131-workshop

note: a little different for compiled languages

CodeQL Query Basics

/** 
 * @name SQL Injection
 * @kind problem
 * ...
 */
import python
import DataFlow::PathGraph

// Predicates and Classes
class Sources extends DataFlow::Node { /* class  */ }

// Query Output / Results
from Call call
select call, "Calls in the code"

Let's Answer Some Questions...

Question 1

How do we find the Source?

Python Code

from flask import request

request.args.get("search")
# ^ Source!

CodeQL Query

import python
import semmle.python.Concepts
import semmle.python.ApiGraphs

/*
 * How do we find the source?
 */

from DataFlow::Node request, Attribute attr
where
  request = API::moduleImport("flask").getMember("request").getAValueReachableFromSource() and
  attr.getObject() = request.asExpr()
select attr, "Source"

Question 2

What is the Sink?

Python Code

import psycopg2

conn = psycopg2.connect("dbname=workshop user=postgres")

cursor = conn.cursor()
cursor.execute(query)
     # ^ Sink: execute(query)

import python
import semmle.python.Concepts
import semmle.python.ApiGraphs

/*
 * What is the sink?
 */

from CallNode call, DataFlow::Node sink
where
  // Find all functions called "execute"
  call.getFunction().(AttrNode).getName() in ["execute"] and
  // The first argument is what we are interested in
  sink.asCfgNode() = call.getArg(0)
select sink, "Sink"

Note: being lazy and looking for execute(...)

Question 3

Can we find a path from Source to Sink?

CodeQL Full - Complete

class SqlInjectionConfig extends TaintTracking::Configuration {
  SqlInjectionConfig() { this = "SqlInjectionConfig" }

  override predicate isSource(DataFlow::Node source) { source instanceof Sources }

  override predicate isSink(DataFlow::Node sink) { sink instanceof Sinks }
}

from SqlInjectionConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "This SQL query depends on $@.", source.getNode(),
  "a user-provided value"

CodeQL Queries and Databases

• Pre-computed Databases
  • Databases for most Open Source applications
• Using built-in queries
  • There are hundreds of queries per-language
  • Fully extendable and customisable

Closing Words

• Powerful tool to find security vulnerabilities
• Does the heavy lifting for us
• SDL is complex to learn, but once you do !
• Find 0-day using CodeQL

Questions?

Happy Bug Hunting !

• Slides
• Code
• CodeQL Docs