|
| 1 | +/** |
| 2 | + * ContradictoryEndpointCharacteristics.ql |
| 3 | + * |
| 4 | + * This tests surfaces endpoints that have a set of characteristics are logically incompatible with one another (e.g one |
| 5 | + * high-confidence characteristic that implies a non-sink and another that implies a sink). If the test surfaces any |
| 6 | + * such endpoints, this is a hint that some of our endpoint characteristics may be need to be adjusted. |
| 7 | + */ |
| 8 | + |
| 9 | +import javascript |
| 10 | +private import experimental.adaptivethreatmodeling.EndpointCharacteristics as EndpointCharacteristics |
| 11 | +private import experimental.adaptivethreatmodeling.EndpointTypes as EndpointTypes |
| 12 | + |
| 13 | +/** |
| 14 | + * Holds if `characteristic1` and `characteristic2` are among the several pairs of currently known high-confidence |
| 15 | + * negative characteristics that apply to some known sinks. |
| 16 | + * |
| 17 | + * TODO: Experiment with lowering the confidence of `"FileSystemAccess"`, `"DOM"`, `"DatabaseAccess"`, and |
| 18 | + * `"JQueryArgument"`. |
| 19 | + */ |
| 20 | +private predicate knownContradictoryCharacteristics( |
| 21 | + EndpointCharacteristics::EndpointCharacteristic characteristic1, |
| 22 | + EndpointCharacteristics::EndpointCharacteristic characteristic2 |
| 23 | +) { |
| 24 | + characteristic1 != characteristic2 and |
| 25 | + ( |
| 26 | + characteristic1 = ["TaintedPathSink", "FileSystemAccess"] and |
| 27 | + characteristic2 = ["TaintedPathSink", "FileSystemAccess"] |
| 28 | + or |
| 29 | + characteristic1 = ["DomBasedXssSink", "DOM"] and |
| 30 | + characteristic2 = ["DomBasedXssSink", "DOM"] |
| 31 | + or |
| 32 | + characteristic1 = ["DomBasedXssSink", "JQueryArgument"] and |
| 33 | + characteristic2 = ["DomBasedXssSink", "JQueryArgument"] |
| 34 | + or |
| 35 | + characteristic1 = ["NosqlInjectionSink", "DatabaseAccess"] and |
| 36 | + characteristic2 = ["NosqlInjectionSink", "DatabaseAccess"] |
| 37 | + or |
| 38 | + characteristic1 = ["SqlInjectionSink", "DatabaseAccess"] and |
| 39 | + characteristic2 = ["SqlInjectionSink", "DatabaseAccess"] |
| 40 | + ) |
| 41 | +} |
| 42 | + |
| 43 | +/** |
| 44 | + * Holds if the given endpoint has a self-contradictory combination of characteristics. Detects errors in our endpoint |
| 45 | + * characteristics. Lists the problematic characterisitics and their implications for all such endpoints, together with |
| 46 | + * an error message indicating why this combination is problematic. |
| 47 | + */ |
| 48 | +query predicate erroneousEndpoints( |
| 49 | + DataFlow::Node endpoint, EndpointCharacteristics::EndpointCharacteristic characteristic, |
| 50 | + EndpointTypes::EndpointType endpointClass, float confidence, string errorMessage |
| 51 | +) { |
| 52 | + // An endpoint's characteristics should not include positive indicators with medium/high confidence for more than one |
| 53 | + // class. |
| 54 | + exists( |
| 55 | + EndpointCharacteristics::EndpointCharacteristic characteristic2, |
| 56 | + EndpointTypes::EndpointType endpointClass2, float confidence2 |
| 57 | + | |
| 58 | + endpointClass.getEncoding() != endpointClass2.getEncoding() and |
| 59 | + characteristic.appliesToEndpoint(endpoint) and |
| 60 | + characteristic2.appliesToEndpoint(endpoint) and |
| 61 | + characteristic.hasImplications(endpointClass, true, confidence) and |
| 62 | + characteristic2.hasImplications(endpointClass2, true, confidence2) and |
| 63 | + confidence > characteristic.mediumConfidence() and |
| 64 | + confidence2 > characteristic2.mediumConfidence() and |
| 65 | + // We currently know of several high-confidence negative characteristics that apply to some known sinks. |
| 66 | + not knownContradictoryCharacteristics(characteristic, characteristic2) |
| 67 | + ) and |
| 68 | + errorMessage = "Endpoint has high-confidence positive indicators for multiple classes" |
| 69 | + or |
| 70 | + // An enpoint's characteristics should not include positive indicators with medium/high confidence for some class and |
| 71 | + // also include negative indicators with medium/high confidence for this same class. |
| 72 | + exists(EndpointCharacteristics::EndpointCharacteristic characteristic2, float confidence2 | |
| 73 | + characteristic.appliesToEndpoint(endpoint) and |
| 74 | + characteristic2.appliesToEndpoint(endpoint) and |
| 75 | + characteristic.hasImplications(endpointClass, true, confidence) and |
| 76 | + characteristic2.hasImplications(endpointClass, false, confidence2) and |
| 77 | + confidence > characteristic.mediumConfidence() and |
| 78 | + confidence2 > characteristic2.mediumConfidence() |
| 79 | + ) and |
| 80 | + errorMessage = "Endpoint has high-confidence positive and negative indicators for the same class" |
| 81 | +} |
| 82 | + |
| 83 | +query predicate erroneousConfidences( |
| 84 | + EndpointCharacteristics::EndpointCharacteristic characteristic, float confidence, |
| 85 | + string errorMessage |
| 86 | +) { |
| 87 | + characteristic.hasImplications(_, _, confidence) and |
| 88 | + (confidence < 0 or confidence > 1) and |
| 89 | + errorMessage = "Characteristic has an indicator with confidence outside of [0, 1]" |
| 90 | +} |
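Review bot: The two inline comments in `erroneousEndpoints` say "medium/high confidence", but all four comparisons are strict (`confidence > characteristic.mediumConfidence()`), so an indicator sitting exactly at medium confidence never contributes to a reported contradiction, and both error messages say only "high-confidence". If medium-confidence indicators are meant to count, the comparisons should read `confidence >= characteristic.mediumConfidence()` (and likewise for `confidence2`); otherwise the comments should say "with confidence above medium" so the test's coverage is not overstated. Since `knownContradictoryCharacteristics` exempts a pair wherever it occurs, it may be worth a one-line comment there noting that a newly mis-modelled endpoint carrying one of those pairs will not be surfaced by this test. `erroneousConfidences` is the only predicate without a QLDoc comment; a short `/** Holds if characteristic has an implication whose confidence lies outside [0, 1]. */` would match the other two.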