Today's Talk

• What is Static Code Analysis and CodeQL?
• Running CodeQL to do research
• Introduction to Query writing

Questions during presentation are welcome!

Static Code Analysis Basics

Poll Time

What is Static Code Analysis?

• An automated tool to analyse source code
  • "Asking and answering questions about the code"
• Static Application Security Testing (SAST)
• Looks at the code without running the code
• Discover security vulnerabilities
• Perform Taint Tracking Analysis

Why Static Code Analysis?

Taint Tracking Analysis

Track data through an application

• Sources (untrustworthy application inputs)
• Sinks (methods / assignments of interest)
• Sanitizers (secures the user data)
• Guards (conditional checks)
• Passthroughs / Taintsteps (understand what an expression does)

Example - Code Review

Example - Code Review

Example - Code Review

Example - Taint Tracking Analysis

Example - Code Review (2nd sink)

Researching Framework/Library

HTML Escaping / Jinja Templates

When returning HTML (the default response type in Flask), any user-provided values rendered in the output must be escaped to protect from injection attacks. HTML templates rendered with Jinja, introduced later, will do this automatically.

CodeQL

Disclaimer Time

What is CodeQL?

• Static Code Analysis Engine
• Extracts source code into data
• Stores data in a Database
• Queries run on the Database
• Domain-specific language called "QL"

CodeQL Pipeline

Code -> Database -> Queries -> Results

Getting Started

• VSCode CodeQL Starter
• Insecure Code

note: a little different for compiled languages

CodeQL Query Basics

Let's Answer Some Questions...

Question 1

How do we find the Source?

Python Code

CodeQL Query

Question 2

What is the Sink?

Python Code

Note: being lazy and looking for execute(...)

Question 3

Can we find a path from Source to Sink?

CodeQL Full - Complete

CodeQL Queries and Databases

• Pre-computed Databases
  • Databases for most Open Source applications
• Using built-in queries
  • There are hundreds of queries per-language
  • Fully extendable and customisable

Closing Words

• Powerful tool to find security vulnerabilities
• Does the heavy lifting for us
• SDL is complex to learn, but once you do !
• Find 0-day using CodeQL

Questions?

Happy Bug Hunting !

• Slides
• Code
• CodeQL Docs