Merge pull request #19 from raulgarciamsft/16-detecting-private-key-usage-windows-cng-apis

16 detecting private key usage windows cng apis

Author: bdrodes

cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCng.qll

@@ -0,0 +1,118 @@
+import cpp
+import DataFlow::PathGraph
+import semmle.code.cpp.dataflow.TaintTracking
+
+/**
+ * Base abstract class to be extended to allow indirect extensions of vulnerable sinks.
+ */
+abstract class BCryptOpenAlgorithmProviderSink extends DataFlow::Node { }
+
+/**
+ * Base abstract class to be extended to allow indirect extensions of vulnerable sources.
+ */
+abstract class BCryptOpenAlgorithmProviderSource extends DataFlow::Node { }
+
+// ------------------ Helper Predicates ----------------------
+/**
+ * Holds if there is a call with global name`funcGlobalName` with argument `arg` of that call
+ * at argument index `index`.
+ */
+predicate isCallArgument(string funcGlobalName, Expr arg, int index) {
+  exists(Call c | c.getArgument(index) = arg and c.getTarget().hasGlobalName(funcGlobalName))
+}
+
+/**
+ * Holdes if StringLiteral `lit` has a string value indicative of a post quantum crypto
+ * vulnerable algorithm identifier.
+ */
+predicate vulnProviderLiteral(StringLiteral lit) {
+  exists(string s | s = lit.getValue() |
+    s in ["DH", "DSA", "ECDSA", "ECDH"] or
+    s.matches("ECDH%") or
+    s.matches("RSA%")
+  )
+}
+
+// ------------------ Default SINKS ----------------------
+/**
+ * Argument at index 0 of call to NCryptSignHash:
+ *     [in]           NCRYPT_KEY_HANDLE hKey
+ */
+class NCryptSignHashArgumentSink extends BCryptOpenAlgorithmProviderSink {
+  int index;
+  string funcName;
+
+  NCryptSignHashArgumentSink() {
+    index = 0 and
+    funcName = "NCryptSignHash " and
+    isCallArgument(funcName, this.asExpr(), index)
+  }
+}
+
+/**
+ * Argument at index 0 of call to BCryptSignHash:
+ *     [in]           BCRYPT_KEY_HANDLE hKey,
+ */
+class BCryptSignHashArgumentSink extends BCryptOpenAlgorithmProviderSink {
+  int index;
+  string funcName;
+
+  BCryptSignHashArgumentSink() {
+    index = 0 and
+    funcName = "BCryptSignHash" and
+    isCallArgument(funcName, this.asExpr(), index)
+  }
+}
+
+/**
+ * Argument at index 0 of call to BCryptGenerateKeyPair:
+ *    [in, out] BCRYPT_ALG_HANDLE hAlgorithm,
+ */
+class BCryptGenerateKeyPair extends BCryptOpenAlgorithmProviderSink {
+  int index;
+  string funcName;
+
+  BCryptGenerateKeyPair() {
+    index = 0 and
+    funcName = "BCryptGenerateKeyPair" and
+    isCallArgument(funcName, this.asExpr(), index)
+  }
+}
+
+/**
+ * Argument at index 0 of call to BCryptEncrypt:
+ *     [in, out]           BCRYPT_KEY_HANDLE hKey,
+ */
+class BCryptEncryptArgumentSink extends BCryptOpenAlgorithmProviderSink {
+  int index;
+  string funcName;
+
+  BCryptEncryptArgumentSink() {
+    index = 0 and
+    funcName = "BCryptEncrypt" and
+    isCallArgument(funcName, this.asExpr(), index)
+  }
+}
+
+/**
+ * Argument at index 0 of call to NCryptEncrypt:
+ *     [in]           NCRYPT_KEY_HANDLE hKey,
+ */
+class NCryptEncryptArgumentSink extends BCryptOpenAlgorithmProviderSink {
+  int index;
+  string funcName;
+
+  NCryptEncryptArgumentSink() {
+    index = 0 and
+    funcName = "NCryptEncrypt" and
+    isCallArgument(funcName, this.asExpr(), index)
+  }
+}
+
+// ----------------- Default SOURCES -----------------------
+/**
+ * A string identifier of known PQC vulnerable algorithms.
+ */
+class BCryptOpenAlgorithmProviderPqcVulnerableAlgorithmsSource extends BCryptOpenAlgorithmProviderSource {
+  BCryptOpenAlgorithmProviderPqcVulnerableAlgorithmsSource() { vulnProviderLiteral(this.asExpr()) }
+}

cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.ql

@@ -0,0 +1,22 @@
+/**
+ * @id cpp/nist-pqc/pqc-vulnerable-algorithms-cng
+ * @name Usage of PQC vulnerable algorithms
+ * @description Usage of PQC vulnerable algorithms.
+ * @microsoft.severity important
+ * @kind path-problem
+ * @problem.severity warning
+ * @precision high
+ * @tags security
+ *       pqc
+ *       nist
+ */
+
+import cpp
+import DataFlow::PathGraph
+import WindowsCng
+import WindowsCngPQCVulnerableUsage
+
+from BCryptConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "PQC vulnerable algorithm $@ in use has been detected.",
+  source.getNode().asExpr(), source.getNode().asExpr().toString()

cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.qll

@@ -0,0 +1,70 @@
+import cpp
+import WindowsCng
+
+/**
+ * Steps from input variable (argument 1) to output variable (argument 0)
+ * for CNG API BCryptOpenAlgorithmProvider.
+ * Argument 1 represents LPCWSTR (a string algorithm ID)
+ * Argument 0 represents BCRYPT_ALG_HANDLE
+ */
+predicate stepOpenAlgorithmProvider(DataFlow::Node node1, DataFlow::Node node2) {
+  exists(FunctionCall call |
+    // BCryptOpenAlgorithmProvider 2nd argument specifies the algorithm to be used
+    node1.asExpr() = call.getArgument(1) and
+    call.getTarget().hasGlobalName("BCryptOpenAlgorithmProvider") and
+    node2.asDefiningArgument() = call.getArgument(0)
+  )
+}
+
+/**
+ * Steps from input variable (argument 0) to output variable (argument 1)
+ * for CNG APIs BCryptImportKeyPair and BCryptGenerateKeyPair.
+ * BCryptGenerateKeyPair:
+ *      Argument 0 represents a BCRYPT_ALG_HANDLE.
+ *      Argument 1 represents a BCRYPT_KEY_HANDLE.
+ * BCryptImportKeyPair:
+ *      Argument 0 represents a BCRYPT_ALG_HANDLE.
+ *      Argument 3 represents a BCRYPT_KEY_HANDLE.
+ */
+predicate stepImportGenerateKeyPair(DataFlow::Node node1, DataFlow::Node node2) {
+  exists(FunctionCall call |
+    node1.asExpr() = call.getArgument(0) and
+    exists(string name | call.getTarget().hasGlobalName(name) |
+      name = "BCryptImportKeyPair" and node2.asDefiningArgument() = call.getArgument(3)
+      or
+      name = "BCryptGenerateKeyPair" and node2.asDefiningArgument() = call.getArgument(1)
+    )
+  )
+}
+
+/**
+ * Additional DataFlow steps from input variables to output handle variables on CNG apis.
+ */
+predicate isWindowsCngAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+  stepOpenAlgorithmProvider(node1, node2)
+  or
+  stepImportGenerateKeyPair(node1, node2)
+}
+
+/**
+ * CNG-specific DataFlow configuration
+ */
+class BCryptConfiguration extends DataFlow::Configuration {
+  BCryptConfiguration() { this = "BCryptConfiguration" }
+
+  /**
+   * Uses indirect extensions of BCryptOpenAlgorithmProviderSource
+   */
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof BCryptOpenAlgorithmProviderSource
+  }
+
+  /**
+   * Uses indirect extensions of BCryptOpenAlgorithmProviderSink
+   */
+  override predicate isSink(DataFlow::Node sink) { sink instanceof BCryptOpenAlgorithmProviderSink }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    isWindowsCngAdditionalTaintStep(node1, node2)
+  }
+}

cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WindowsCng.qll

@@ -0,0 +1 @@
+experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng.ql