Merge pull request github#9722 from ahmed-farid-dev/timing-attack-py

Author: tausbn

python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.qhelp

@@ -0,0 +1,4 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+<include src="TimingAttackAgainstHash.qhelp" />
+</qhelp>

python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql

@@ -0,0 +1,37 @@
+/**
+ * @name Timing attack against Hash
+ * @description When checking a Hash over a message, a constant-time algorithm should be used.
+ *              Otherwise, an attacker may be able to forge a valid Hash for an arbitrary message
+ *              by running a timing attack if they can send to the validation procedure.
+ *              A successful attack can result in authentication bypass.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision low
+ * @id py/possible-timing-attack-against-hash
+ * @tags security
+ *       external/cwe/cwe-208
+ *       experimental
+ */
+
+import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import experimental.semmle.python.security.TimingAttack
+import DataFlow::PathGraph
+
+/**
+ * A configuration that tracks data flow from cryptographic operations
+ * to equality test
+ */
+class PossibleTimingAttackAgainstHash extends TaintTracking::Configuration {
+  PossibleTimingAttackAgainstHash() { this = "PossibleTimingAttackAgainstHash" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof ProduceCryptoCall }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
+}
+
+from PossibleTimingAttackAgainstHash config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Possible Timing attack against $@ validation.",
+  source.getNode().(ProduceCryptoCall).getResultType(), "message"

python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/SafeComparisonOfHash.py

@@ -0,0 +1,17 @@
+#!/usr/bin/env python
+# -*- coding: UTF-8 -*-
+
+"""
+@Desc   ：preventing timing attack Against Hash
+"""
+import hmac
+import hashlib
+
+key = "e179017a-62b0-4996-8a38-e91aa9f1"
+msg = "Test"
+
+def sign(pre_key, imsg, alg):
+    return hmac.new(pre_key, imsg, alg).digest()
+
+def verify(msg, sig):
+    return hmac.compare_digest(sig, sign(key, msg, hashlib.sha256)) #good

python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.qhelp

@@ -0,0 +1,55 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+  Timing Attack is based on the leakage of information by studying how long it takes the system to respond to different inputs. 
+  it can be circumvented by using a constant-time algorithm for checking the value of Hash, 
+more precisely, the comparison time should not depend on the content of the input. Otherwise the attacker gains
+information that is indirectly leaked by the application. This information may then be used for malicious purposes.
+</p>
+</overview>
+
+
+<recommendation>
+<p>
+ Two types of countermeasures can be applied against timing attacks. The first one consists 
+in eliminating timing variations whereas the second renders these variations useless for an attacker.
+The only absolute way to prevent timing attacks is to make the computation strictly constant time,
+independent of the input.
+
+ Use <code>hmac.compare_digest()</code> method to securely check the value of Hash.
+If this method is used, then the calculation time depends only on the length of input byte arrays,
+and does not depend on the contents of the arrays. 
+ Unlike <code>==</code> is a fail fast check, If the first byte is not equal, it will return immediately.
+</p>
+</recommendation>
+<example>
+<p>
+  The following example uses <code>==</code> which is a fail fast check for validating a Hash.
+</p>
+<sample src="UnSafeComparisonOfHash.py" />
+
+<p> 
+  The next example use a safe constant-time algorithm for validating a Hash:
+</p>
+<sample src="SafeComparisonOfHash.py" />
+</example>
+
+<references>
+<li>
+  Wikipedia:
+  <a href="https://en.wikipedia.org/wiki/Timing_attack">Timing attack</a>.
+</li>
+
+<li>
+  <a href="https://docs.python.org/3/library/hmac.html#hmac.compare_digest">hmac.compare_digest() method</a>
+</li>
+
+<li>
+  HMAC:
+  <a href="https://datatracker.ietf.org/doc/html/rfc2104.html">RFC 2104</a>
+</li>
+</references>
+
+</qhelp>

python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.ql

@@ -0,0 +1,38 @@
+/**
+ * @name Timing attack against Hash
+ * @description When checking a Hash over a message, a constant-time algorithm should be used.
+ *              Otherwise, an attacker may be able to forge a valid Hash for an arbitrary message
+ *              by running a timing attack if they can send to the validation procedure.
+ *              A successful attack can result in authentication bypass.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision low
+ * @id py/timing-attack-against-hash
+ * @tags security
+ *       external/cwe/cwe-208
+ */
+
+import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import experimental.semmle.python.security.TimingAttack
+import DataFlow::PathGraph
+
+/**
+ * A configuration that tracks data flow from cryptographic operations
+ * to Equality test.
+ */
+class TimingAttackAgainsthash extends TaintTracking::Configuration {
+  TimingAttackAgainsthash() { this = "TimingAttackAgainsthash" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof ProduceCryptoCall }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
+}
+
+from TimingAttackAgainsthash config, DataFlow::PathNode source, DataFlow::PathNode sink
+where
+  config.hasFlowPath(source, sink) and
+  sink.getNode().(NonConstantTimeComparisonSink).includesUserInput()
+select sink.getNode(), source, sink, "Timing attack against $@ validation.",
+  source.getNode().(ProduceCryptoCall).getResultType(), "message"

python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/UnSafeComparisonOfHash.py

@@ -0,0 +1,17 @@
+#!/usr/bin/env python
+# -*- coding: UTF-8 -*-
+
+"""
+@Desc   ：timing attack Against Hash
+"""
+import hmac
+import hashlib
+
+key = "e179017a-62b0-4996-8a38-e91aa9f1"
+msg = "Test"
+
+def sign(pre_key, imsg, alg):
+    return hmac.new(pre_key, imsg, alg).digest()
+
+def verify(msg, sig):
+    return sig == sign(key, msg, hashlib.sha256) #bad

python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHeaderValue/SafeComparisonOfHeaderValue.py

@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+# -*- coding: UTF-8 -*-
+
+"""
+@Desc   ：preventing timing attack against header value
+"""
+
+from flask import Flask
+from flask import request
+import hmac
+
+@app.route('/good')
+def good():
+    secret = request.headers.get('X-Auth-Token')    
+    if not hmac.compare_digest(secret, "token"):
+        raise Exception('bad token')
+    return 'good'
+
+if __name__ == '__main__':
+    app.debug = True
+    app.run() 

python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.qhelp

@@ -0,0 +1,50 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+  A constant-time algorithm should be used for checking the value of sensitive headers.
+In other words, the comparison time should not depend on the content of the input. 
+Otherwise timing information could be used to infer the header's expected, secret value.
+</p>
+</overview>
+
+
+<recommendation>
+<p>
+ Two types of countermeasures can be applied against timing attacks. The first one consists 
+in eliminating timing variations whereas the second renders these variations useless for an attacker.
+The only absolute way to prevent timing attacks is to make the computation strictly constant time,
+independent of the input.
+
+ Use <code>hmac.compare_digest()</code> method to securely check the secret value.
+If this method is used, then the calculation time depends only on the length of input byte arrays,
+and does not depend on the contents of the arrays. 
+ Unlike <code>==</code> is a fail fast check, If the first byte is not equal, it will return immediately.
+</p>
+</recommendation>
+<example>
+<p>
+  The following example uses <code>==</code> which is a fail fast check for validating the value of sensitive headers.
+</p>
+<sample src="UnsafeComparisonOfHeaderValue.py" />
+
+<p> 
+  The next example use a safe constant-time algorithm for validating the value of sensitive headers:
+</p>
+<sample src="SafeComparisonOfHeaderValue.py" />
+</example>
+
+<references>
+<li>
+  Wikipedia:
+  <a href="https://en.wikipedia.org/wiki/Timing_attack">Timing attack</a>.
+</li>
+
+<li>
+  <a href="https://docs.python.org/3/library/hmac.html#hmac.compare_digest">hmac.compare_digest() method</a>
+</li>
+
+</references>
+
+</qhelp>

python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.ql

@@ -0,0 +1,34 @@
+/**
+ * @name Timing attack against header value
+ * @description Use of a non-constant-time verification routine to check the value of an HTTP header,
+ *              possibly allowing a timing attack to infer the header's expected value.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id py/timing-attack-against-header-value
+ * @tags security
+ *       external/cwe/cwe-208
+ *       experimental
+ */
+
+import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import experimental.semmle.python.security.TimingAttack
+import DataFlow::PathGraph
+
+/**
+ * A configuration tracing flow from  a client Secret obtained by an HTTP header to a unsafe Comparison.
+ */
+class ClientSuppliedSecretConfig extends TaintTracking::Configuration {
+  ClientSuppliedSecretConfig() { this = "ClientSuppliedSecretConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof ClientSuppliedSecret }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof CompareSink }
+}
+
+from ClientSuppliedSecretConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink) and not sink.getNode().(CompareSink).flowtolen()
+select sink.getNode(), source, sink, "Timing attack against $@ validation.", source.getNode(),
+  "client-supplied token"

python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHeaderValue/UnsafeComparisonOfHeaderValue.py

@@ -0,0 +1,20 @@
+#!/usr/bin/env python
+# -*- coding: UTF-8 -*-
+
+"""
+@Desc   ：preventing timing attack against header value
+"""
+
+from flask import Flask
+from flask import request
+
+@app.route('/bad')
+def bad():
+    secret = request.headers.get('X-Auth-Token')    
+    if secret == "token":
+        raise Exception('bad token')
+    return 'bad'
+
+if __name__ == '__main__':
+    app.debug = True
+    app.run()