KDF ql and qhelp

Author: bdrodes

cpp/ql/src/Microsoft/Security/Cryptography/WeakKDFBannedHashAlgorithm.qhelp

@@ -0,0 +1,14 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Use of KDF algorithm BCryptDeriveKeyPBKDF2 uses insecure hash from BCryptOpenAlgorithmProvider.</p>
+</overview>
+
+<recommendation>
+<p>Use SHA 256, 384, or 512.</p>
+</recommendation>
+
+</qhelp>

cpp/ql/src/Microsoft/Security/Cryptography/WeakKDFBannedHashAlgorithm.ql

@@ -0,0 +1,85 @@
+/**
+ * @name KDF may only use SHA256/384/512 in generating a key.
+ * @description KDF may only use SHA256/384/512 in generating a key.
+ * @kind problem
+ * @id cpp/kdf-insecure-hash
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ */
+
+import cpp
+import semmle.code.cpp.dataflow.new.DataFlow
+
+module BannedHashAlgorithmConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    // Verify if algorithm is marked as banned.
+    not source.asExpr().getValue().toString().matches("SHA256") and
+    not source.asExpr().getValue().toString().matches("SHA384") and
+    not source.asExpr().getValue().toString().matches("SHA512")
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(FunctionCall call |
+      // Argument 1 (0-based) specified the algorithm ID.
+      // NTSTATUS BCryptOpenAlgorithmProvider(
+      //     [out] BCRYPT_ALG_HANDLE *phAlgorithm,
+      //     [in]  LPCWSTR           pszAlgId,
+      //     [in]  LPCWSTR           pszImplementation,
+      //     [in]  ULONG             dwFlags
+      //   );
+      sink.asExpr() = call.getArgument(1) and
+      call.getTarget().hasGlobalName("BCryptOpenAlgorithmProvider")
+    )
+  }
+}
+
+module BannedHashAlgorithmTrace = DataFlow::Global<BannedHashAlgorithmConfig>;
+
+module BCRYPT_ALG_HANDLE_Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    exists(FunctionCall call |
+      // Argument 0 (0-based) specified the algorithm handle
+      // NTSTATUS BCryptOpenAlgorithmProvider(
+      //     [out] BCRYPT_ALG_HANDLE *phAlgorithm,
+      //     [in]  LPCWSTR           pszAlgId,
+      //     [in]  LPCWSTR           pszImplementation,
+      //     [in]  ULONG             dwFlags
+      //   );
+      source.asDefiningArgument() = call.getArgument(0) and
+      call.getTarget().hasGlobalName("BCryptOpenAlgorithmProvider")
+    )
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    // Algorithm handle is the 0th (0-based) argument of the call
+    //    NTSTATUS BCryptDeriveKeyPBKDF2(
+    //      [in]           BCRYPT_ALG_HANDLE hPrf,
+    //      [in, optional] PUCHAR            pbPassword,
+    //      [in]           ULONG             cbPassword,
+    //      [in, optional] PUCHAR            pbSalt,
+    //      [in]           ULONG             cbSalt,
+    //      [in]           ULONGLONG         cIterations,
+    //      [out]          PUCHAR            pbDerivedKey,
+    //      [in]           ULONG             cbDerivedKey,
+    //      [in]           ULONG             dwFlags
+    // );
+    exists(Call c | c.getTarget().getName() = "BCryptDeriveKeyPBKDF2" |
+      c.getArgument(0) = sink.asExpr()
+    )
+  }
+}
+
+module BCRYPT_ALG_HANDLE_Trace = DataFlow::Global<BCRYPT_ALG_HANDLE_Config>;
+
+from DataFlow::Node src1, DataFlow::Node src2, DataFlow::Node sink1, DataFlow::Node sink2
+where
+  BannedHashAlgorithmTrace::flow(src1, sink1) and
+  exists(Call c |
+    c.getAnArgument() = sink1.asExpr() and src2.asDefiningArgument() = c.getAnArgument()
+  |
+    BCRYPT_ALG_HANDLE_Trace::flow(src2, sink2)
+  )
+select sink2.asExpr(),
+  "BCRYPT_ALG_HANDLE is passed to this to KDF derived from insecure hashing function $@. Must use SHA256 or higher.",
+  src1.asExpr(), src1.asExpr().getValue()

cpp/ql/src/Microsoft/Security/Cryptography/WeakKDFLowIterationCount.qhelp

@@ -0,0 +1,14 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Use of KDF algorithm BCryptDeriveKeyPBKDF2 uses low iteration count (less than 100k).</p>
+</overview>
+
+<recommendation>
+<p>Use a minimum of 100,000 for iteration count.</p>
+</recommendation>
+
+</qhelp>

cpp/ql/src/Microsoft/Security/Cryptography/WeakKDFLowIterationCount.ql

@@ -0,0 +1,51 @@
+/**
+ * @name Use iteration count at least 100k to prevent brute force attacks
+ * @description When deriving cryptographic keys from user-provided inputs such as password, use sufficient iteration count (at least 100k).
+ * This query traces constants of <100k to the iteration count parameter of CNG's BCryptDeriveKeyPBKDF2.
+ * This query traces constants of less than the min length to the target parameter.
+ * NOTE: if the constant is modified, or if a non-constant gets to the iteration count, this query will not flag these cases.
+ *      The rationale currently is that this query is meant to validate common uses of key derivation.
+ *      Non-common uses (modifying the iteration count somehow or getting the count from outside sources) are assumed to be intentional.
+ * @kind problem
+ * @id cpp/kdf-low-iteration-count
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ */
+
+import cpp
+import semmle.code.cpp.dataflow.new.DataFlow
+
+module IterationCountDataFlowConfig implements DataFlow::ConfigSig {
+  /**
+   * Defines the source for iteration count when it's coming from a fixed value
+   * Any expression that has an assigned value < 100000 could be a source.
+   */
+  predicate isSource(DataFlow::Node src) { src.asExpr().getValue().toInt() < 100000 }
+
+  predicate isSink(DataFlow::Node sink) {
+    // iterations count is the 5th (0-based) argument of the call
+    //    NTSTATUS BCryptDeriveKeyPBKDF2(
+    //      [in]           BCRYPT_ALG_HANDLE hPrf,
+    //      [in, optional] PUCHAR            pbPassword,
+    //      [in]           ULONG             cbPassword,
+    //      [in, optional] PUCHAR            pbSalt,
+    //      [in]           ULONG             cbSalt,
+    //      [in]           ULONGLONG         cIterations,
+    //      [out]          PUCHAR            pbDerivedKey,
+    //      [in]           ULONG             cbDerivedKey,
+    //      [in]           ULONG             dwFlags
+    // );
+    exists(Call c | c.getTarget().getName() = "BCryptDeriveKeyPBKDF2" |
+      c.getArgument(5) = sink.asExpr()
+    )
+  }
+}
+
+module IterationCountDataFlow = DataFlow::Global<IterationCountDataFlowConfig>;
+
+from DataFlow::Node src, DataFlow::Node sink
+where IterationCountDataFlow::flow(src, sink)
+select sink.asExpr(),
+  "Iteration count $@ is passed to this to KDF. Use at least 100000 iterations when deriving cryptographic key from password.",
+  src, src.asExpr().getValue()

cpp/ql/src/Microsoft/Security/Cryptography/WeakKDFSmallKeyLength.qhelp

@@ -0,0 +1,14 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Use of KDF algorithm BCryptDeriveKeyPBKDF2 uses small key size (less than 16 bytes).</p>
+</overview>
+
+<recommendation>
+<p>Use a minimum of 16 bytes for key size.</p>
+</recommendation>
+
+</qhelp>

cpp/ql/src/Microsoft/Security/Cryptography/WeakKDFSmallKeyLength.ql

@@ -0,0 +1,46 @@
+/**
+ * @name Small KDF derived key length.
+ * @description KDF derived keys should be a minimum of 128 bits (16 bytes).
+ * This query traces constants of less than the min length to the target parameter.
+ * NOTE: if the constant is modified, or if a non-constant gets to the target, this query will not flag these cases.
+ *      The rationale currently is that this query is meant to validate common uses of key derivation.
+ *      Non-common uses (modifying the values somehow or getting the count from outside sources) are assumed to be intentional.
+ * @kind problem
+ * @id cpp/kdf-small-key-size
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ */
+
+import cpp
+import semmle.code.cpp.dataflow.new.DataFlow
+
+module KeyLenConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src.asExpr().getValue().toInt() < 16 }
+
+  predicate isSink(DataFlow::Node sink) {
+    // Key length size is the 7th (0-based) argument of the call
+    //    NTSTATUS BCryptDeriveKeyPBKDF2(
+    //      [in]           BCRYPT_ALG_HANDLE hPrf,
+    //      [in, optional] PUCHAR            pbPassword,
+    //      [in]           ULONG             cbPassword,
+    //      [in, optional] PUCHAR            pbSalt,
+    //      [in]           ULONG             cbSalt,
+    //      [in]           ULONGLONG         cIterations,
+    //      [out]          PUCHAR            pbDerivedKey,
+    //      [in]           ULONG             cbDerivedKey,
+    //      [in]           ULONG             dwFlags
+    // );
+    exists(Call c | c.getTarget().getName() = "BCryptDeriveKeyPBKDF2" |
+      c.getArgument(7) = sink.asExpr()
+    )
+  }
+}
+
+module KeyLenTrace = DataFlow::Global<KeyLenConfig>;
+
+from DataFlow::Node src, DataFlow::Node sink
+where KeyLenTrace::flow(src, sink)
+select sink.asExpr(),
+  "Key size $@ is passed to this to KDF. Use at least 16 bytes for key length when deriving cryptographic key from password.",
+  src.asExpr(), src.asExpr().getValue()

cpp/ql/src/Microsoft/Security/Cryptography/WeakKDFSmallSaltSize.qhelp

@@ -0,0 +1,15 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Use of KDF algorithm BCryptDeriveKeyPBKDF2 uses small salt size (less than 16 bytes).</p>
+</overview>
+
+<recommendation>
+<p>Use a minimum of 16 bytes for salt size.</p>
+</recommendation>
+
+
+</qhelp>

cpp/ql/src/Microsoft/Security/Cryptography/WeakKDFSmallSaltSize.ql

@@ -0,0 +1,46 @@
+/**
+ * @name Small KDF salt length.
+ * @description KDF salts should be a minimum of 128 bits (16 bytes).
+ * This query traces constants of less than the min length to the target parameter.
+ * NOTE: if the constant is modified, or if a non-constant gets to the target, this query will not flag these cases.
+ *      The rationale currently is that this query is meant to validate common uses of key derivation.
+ *      Non-common uses (modifying the values somehow or getting the count from outside sources) are assumed to be intentional.
+ * @kind problem
+ * @id cpp/kdf-small-salt-size
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ */
+
+import cpp
+import semmle.code.cpp.dataflow.new.DataFlow
+
+module SaltLenConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src.asExpr().getValue().toInt() < 16 }
+
+  predicate isSink(DataFlow::Node sink) {
+    // Key length size is the 7th (0-based) argument of the call
+    //    NTSTATUS BCryptDeriveKeyPBKDF2(
+    //      [in]           BCRYPT_ALG_HANDLE hPrf,
+    //      [in, optional] PUCHAR            pbPassword,
+    //      [in]           ULONG             cbPassword,
+    //      [in, optional] PUCHAR            pbSalt,
+    //      [in]           ULONG             cbSalt,
+    //      [in]           ULONGLONG         cIterations,
+    //      [out]          PUCHAR            pbDerivedKey,
+    //      [in]           ULONG             cbDerivedKey,
+    //      [in]           ULONG             dwFlags
+    // );
+    exists(Call c | c.getTarget().getName() = "BCryptDeriveKeyPBKDF2" |
+      c.getArgument(4) = sink.asExpr()
+    )
+  }
+}
+
+module SaltLenTrace = DataFlow::Global<SaltLenConfig>;
+
+from DataFlow::Node src, DataFlow::Node sink
+where SaltLenTrace::flow(src, sink)
+select sink.asExpr(),
+  "Salt size $@ is passed to this to KDF. Use at least 16 bytes for salt size when deriving cryptographic key from password.",
+  src, src.asExpr().getValue()