HardcodedIVCNG qhelp and ql

Author: bdrodes

cpp/ql/src/Microsoft/Security/Cryptography/HardcodedIVCNG.qhelp

@@ -0,0 +1,23 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>An initialization vector (IV) is an input to a cryptographic primitive being used to provide the initial state. The IV is typically required to be random or pseudorandom (randomized scheme), but sometimes an IV only needs to be unpredictable or unique (stateful scheme).</p>
+    <p>Randomization is crucial for some encryption schemes to achieve semantic security, a property whereby repeated usage of the scheme under the same key does not allow an attacker to infer relationships between (potentially similar) segments of the encrypted message.</p>
+  </overview>
+
+  <recommendation>
+    <p>All symmetric block ciphers must also be used with an appropriate initialization vector (IV) according to the mode of operation being used.</p>
+    <p>If using a randomized scheme such as CBC, it is recommended to use cryptographically secure pseudorandom number generator such as <code>BCryptGenRandom</code>.</p>
+  </recommendation>
+  
+  <references>
+    <li>
+      <a href="https://docs.microsoft.com/en-us/windows/win32/api/bcrypt/nf-bcrypt-bcryptencrypt">BCryptEncrypt function (bcrypt.h)</a>
+      <a href="https://docs.microsoft.com/en-us/windows/win32/api/bcrypt/nf-bcrypt-bcryptgenrandom">BCryptGenRandom function (bcrypt.h)</a>
+      <a href="https://en.wikipedia.org/wiki/Initialization_vector">Initialization vector (Wikipedia)</a>
+    </li>
+  </references>
+
+</qhelp>

cpp/ql/src/Microsoft/Security/Cryptography/HardcodedIVCNG.ql

@@ -0,0 +1,58 @@
+/**
+ * @name Weak cryptography
+ * @description Finds usage of a static (hardcoded) IV. (CNG)
+ * @kind problem
+ * @id cpp/weak-crypto/cng/hardcoded-iv
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       external/cwe/cwe-327
+ */
+
+import cpp
+import semmle.code.cpp.dataflow.new.DataFlow
+
+/**
+ * Gets const element of `ArrayAggregateLiteral`.
+ */
+Expr getConstElement(ArrayAggregateLiteral lit) {
+  exists(int n |
+    result = lit.getElementExpr(n, _) and
+    result.isConstant()
+  )
+}
+
+/**
+ * Gets the last element in an `ArrayAggregateLiteral`.
+ */
+Expr getLastElement(ArrayAggregateLiteral lit) {
+  exists(int n |
+    result = lit.getElementExpr(n, _) and
+    not exists(lit.getElementExpr(n + 1, _))
+  )
+}
+
+module CngBCryptEncryptHardcodedIVConfiguration implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    exists(AggregateLiteral lit |
+      getLastElement(lit) = source.asDefinition() and
+      exists(getConstElement(lit))
+    )
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(FunctionCall call |
+      // BCryptEncrypt 5h argument specifies the IV
+      sink.asIndirectExpr() = call.getArgument(4) and
+      call.getTarget().hasGlobalName("BCryptEncrypt")
+    )
+  }
+}
+
+module Flow = DataFlow::Global<CngBCryptEncryptHardcodedIVConfiguration>;
+
+from DataFlow::Node sl, DataFlow::Node fc, AggregateLiteral lit
+where
+  Flow::flow(sl, fc) and
+  getLastElement(lit) = sl.asDefinition()
+select lit, "Calling BCryptEncrypt with a hard-coded IV on function "