
Commit b15a5a9

committed
Comments and reorg.
1 parent 5f2a42b commit b15a5a9


3 files changed

+46
-13
lines changed


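--- a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCng.qll
+++ b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCng.qll
@@ -6,29 +6,47 @@ abstract class BCryptOpenAlgorithmProviderSink extends DataFlow::Node { }
 
 abstract class BCryptOpenAlgorithmProviderSource extends DataFlow::Node { }
 
+// ------------------ Helper Predicates ----------------------
+/**
+* Holds if there is a call with global name`funcGlobalName` with argument `arg` of that call
+* at argument index `index`.
+*/
 predicate isCallArgument(string funcGlobalName, Expr arg, int index) {
 exists(Call c | c.getArgument(index) = arg and c.getTarget().hasGlobalName(funcGlobalName))
 }
 
+/**
+* Holdes if StringLiteral `lit` has a string value indicative of a post quantum crypto
+* vulnerable algorithm identifier.
+*/
+predicate vulnProviderLiteral(StringLiteral lit) {
+exists(string s | s = lit.getValue() |
+s in ["DH", "DSA", "ECDSA", "ECDH"] or
+s.matches("ECDH%") or
+s.matches("RSA%")
+)
+}
+
 //TODO: Verify NCrypt calls (parameters) & find all other APIs that should be included (i.e. decrypt, etc.)
-// ------------------ SINKS ----------------------
+// ------------------ Default SINKS ----------------------
+/**
+* Argument at index 0 of call to BCryptSignHash
+*/
 class BCryptSignHashArgumentSink extends BCryptOpenAlgorithmProviderSink {
 BCryptSignHashArgumentSink() { isCallArgument("BCryptSignHash", this.asExpr(), 0) }
 }
 
+/**
+* Argument at index 0 of call to BCryptEncrypt
+*/
 class BCryptEncryptArgumentSink extends BCryptOpenAlgorithmProviderSink {
 BCryptEncryptArgumentSink() { isCallArgument("BCryptEncrypt", this.asExpr(), 0) }
 }
 
-// ----------------- SOURCES -----------------------
-predicate vulnProviderLiteral(StringLiteral lit) {
-exists(string s | s = lit.getValue() |
-s in ["DH", "DSA", "ECDSA", "ECDH"] or
-s.matches("ECDH%") or
-s.matches("RSA%")
-)
-}
-
+// ----------------- Default SOURCES -----------------------
+/**
+* A string identifier of known PQC vulnerable algorithms.
+*/
 class BCryptOpenAlgorithmProviderPqcVulnerableAlgorithmsSource extends BCryptOpenAlgorithmProviderSource {
 BCryptOpenAlgorithmProviderPqcVulnerableAlgorithmsSource() { vulnProviderLiteral(this.asExpr()) }
 }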
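Review bot: The doc comment added for vulnProviderLiteral (new lines 18-21) has a typo, `Holdes` → `Holds`, and the isCallArgument comment is missing a space before `funcGlobalName`. In the predicate body, `"ECDH"` in the in-list is already covered by `s.matches("ECDH%")`, whereas the named-curve signing identifiers CNG actually uses (BCRYPT_ECDSA_P256_ALGORITHM expands to "ECDSA_P256", likewise P384/P521) match nothing here, so a query built on this source will silently miss ECDSA usage on those curves; adding `s.matches("ECDSA%")` next to the existing ECDH/RSA patterns closes that gap. The sink comments would also be more useful if they said what the argument is: `Argument at index 0 (the hKey BCRYPT_KEY_HANDLE) of a call to BCryptSignHash`, and the same wording for BCryptEncrypt. It is worth confirming that `lit.getValue()` yields the narrow text for the wide `L"..."` literals these CNG APIs take, since every BCRYPT_*_ALGORITHM macro expands to a wide string.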

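--- a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.ql
+++ b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.ql
@@ -16,7 +16,6 @@ import DataFlow::PathGraph
 import WindowsCng
 import WindowsCngPQCVulnerableUsage
 
-
 from BCryptConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "PQC vulnerable algorithm $@ in use has been detected.",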

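--- a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.qll
+++ b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.qll
@@ -1,6 +1,12 @@
 import cpp
 import WindowsCng
 
+/**
+* Steps from input variable (argument 1) to output variable (argument 0)
+* for CNG API BCryptOpenAlgorithmProvider.
+* Argument 1 represents LPCWSTR (a string algorithm ID)
+* Argument 0 represents BCRYPT_ALG_HANDLE
+*/
 predicate stepOpenAlgorithmProvider(DataFlow::Node node1, DataFlow::Node node2) {
 exists(FunctionCall call |
 // BCryptOpenAlgorithmProvider 2nd argument specifies the algorithm to be used
@@ -10,6 +16,12 @@ predicate stepOpenAlgorithmProvider(DataFlow::Node node1, DataFlow::Node node2)
 )
 }
 
+/**
+* Steps from input variable (argument 0) to output variable (argument 1)
+* for CNG APIs BCryptImportKeyPair and BCryptGenerateKeyPair.
+* Argument 0 represents a BCRYPT_ALG_HANDLE.
+* Argument 1 represents a BCRYPT_KEY_HANDLE.
+*/
 predicate stepImportGenerateKeyPair(DataFlow::Node node1, DataFlow::Node node2) {
 exists(FunctionCall call |
 node1.asExpr() = call.getArgument(0) and
@@ -21,14 +33,18 @@ predicate stepImportGenerateKeyPair(DataFlow::Node node1, DataFlow::Node node2)
 )
 }
 
+/**
+* Additional DataFlow steps from input variables to output handle variables on CNG apis.
+*/
 predicate isWindowsCngAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
 stepOpenAlgorithmProvider(node1, node2)
 or
 stepImportGenerateKeyPair(node1, node2)
 }
 
-
-// CNG-specific DataFlow configuration
+/**
+* CNG-specific DataFlow configuration
+*/
 class BCryptConfiguration extends DataFlow::Configuration {
 BCryptConfiguration() { this = "BCryptConfiguration" }
 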