Adding example alerts

Author: bdrodes

cpp/ql/src/experimental/crypto/example_alerts/UnknownAsymmetricKeyGen.ql

@@ -0,0 +1,21 @@
+/**
+ * @name Unknown key generation key size
+ * @description 
+ * @id cpp/unknown-asymmetric-key-gen-size
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       external/cwe/cwe-326
+ */
+import cpp
+
+import experimental.crypto.Concepts
+
+from AsymmetricKeyGeneration op, AsymmetricAlgorithm alg
+where 
+    alg = op.getAlgorithm() and
+    not alg instanceof EllipticCurveAlgorithm and
+    not exists(op.getKeySizeInBits(alg))
+select op, "Use of unknown asymmetric key size for algorithm $@", alg, alg.getName().toString()
+

cpp/ql/src/experimental/crypto/example_alerts/WeakAsymmetricKeyGen.ql

@@ -0,0 +1,22 @@
+/**
+ * @name Weak asymmetric key generation key size (< 2048 bits)
+ * @description 
+ * @id cpp/weak-asymmetric-key-gen-size
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *     external/cwe/cwe-326
+ */
+import cpp
+
+import experimental.crypto.Concepts
+
+from AsymmetricKeyGeneration op, AsymmetricAlgorithm alg, Expr configSrc, int size
+where 
+    alg = op.getAlgorithm() and
+    not alg instanceof EllipticCurveAlgorithm and
+    configSrc = op.getKeyConfigurationSource(alg) and 
+    size = configSrc.getValue().toInt() and
+    size < 2048
+select op, "Use of weak asymmetric key size (in bits) " + size + " configured at $@ for algorithm $@", configSrc, configSrc.toString(), alg, alg.getName().toString()

cpp/ql/src/experimental/crypto/example_alerts/WeakBlockMode.ql

@@ -0,0 +1,32 @@
+/** 
+* @name Weak block mode
+* @description Finds uses of symmetric encryption block modes that are weak, obsolete, or otherwise unaccepted.
+* @id cpp/weak-block-mode
+* @kind problem
+* @problem.severity error
+* @precision high
+* @tags security
+*       external/cwe/cwe-327
+*/
+import cpp
+import experimental.crypto.Concepts
+
+from BlockModeAlgorithm alg, string name, string msg, Expr confSink
+where
+exists(string tmpMsg | 
+    (
+        (name = alg.getBlockModeName() and name = unknownAlgorithm() and tmpMsg = "Use of unrecognized block mode algorithm.")
+        or
+        (
+                name != unknownAlgorithm() and
+                name = alg.getBlockModeName() and
+                not name =  ["CBC","CTS","XTS"] and
+                tmpMsg = "Use of weak block mode algorithm " + name + "."
+        )
+    )
+    and
+    if alg.hasConfigurationSink() and alg.configurationSink() != alg
+    then (confSink = alg.configurationSink() and msg = tmpMsg + " Algorithm used at sink: $@.")
+    else (confSink = alg and  msg = tmpMsg)
+)
+select alg, msg, confSink, confSink.toString()

cpp/ql/src/experimental/crypto/example_alerts/WeakEllipticCurve.ql

@@ -0,0 +1,38 @@
+/**
+ * @name Weak elliptic curve
+ * @description Finds uses of weak, unknown, or otherwise unaccepted elliptic curve algorithms.
+ * @id cpp/weak-elliptic-curve
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       external/cwe/cwe-327
+ */
+import cpp
+import experimental.crypto.Concepts
+
+from EllipticCurveAlgorithm alg, string name, string msg, Expr confSink
+where
+exists(string tmpMsg | 
+    (
+        (name = alg.getCurveName() and name = unknownAlgorithm() and tmpMsg = "Use of unrecognized curve algorithm.")
+        or
+        (
+                name != unknownAlgorithm() and
+                name = alg.getCurveName() and
+                not name = ["SECP256R1", "PRIME256V1",//P-256 
+                    "SECP384R1",       //P-384
+                    "SECP521R1",       //P-521
+                    "NUMSP256T1",
+                    "NUMSP384T1",
+                    "NUMSP512T1",
+                    "ED25519", "X25519"] and
+                    tmpMsg = "Use of weak curve algorithm " + name + "."
+        )
+    )
+    and 
+    if alg.hasConfigurationSink() and alg.configurationSink() != alg
+    then (confSink = alg.configurationSink() and msg = tmpMsg + " Algorithm used at sink: $@.")
+    else (confSink = alg and  msg = tmpMsg)
+)
+select alg, msg, confSink, confSink.toString()

cpp/ql/src/experimental/crypto/example_alerts/WeakEncryption.ql

@@ -0,0 +1,35 @@
+/**
+ * @name Weak cryptography
+ * @description Finds explicit uses of symmetric encryption algorithms that are weak, unknown, or otherwise unaccepted.
+ * @kind problem
+ * @id cpp/weak-crypto/banned-encryption-algorithms
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       external/cwe/cwe-327
+ */
+
+import cpp
+import experimental.crypto.Concepts
+
+
+from SymmetricEncryptionAlgorithm alg, Expr confSink, string msg
+where 
+exists (string resMsg |
+  (
+    if alg.getEncryptionName() = unknownAlgorithm()
+    then (
+      alg instanceof Literal and resMsg = "Use of unrecognized symmetric encryption algorithm: " + alg.(Literal).getValueText().toString() + "."
+      or
+      not alg instanceof Literal and resMsg = "Use of unrecognized symmetric encryption algorithm."
+    )
+    else (not alg.getEncryptionName().matches("AES%") and  resMsg = "Use of banned symmetric encryption algorithm: " + alg.getEncryptionName() + ".")
+  )
+  and 
+  (
+    if alg.hasConfigurationSink() and alg.configurationSink() != alg
+    then (confSink = alg.configurationSink() and msg = resMsg + " Algorithm used at sink: $@.")
+    else (confSink = alg and  msg = resMsg)
+  )
+)
+select alg, msg, confSink, confSink.toString()

cpp/ql/src/experimental/crypto/example_alerts/WeakHashes.ql

@@ -0,0 +1,36 @@
+/**
+ * @name Weak cryptography
+ * @description Finds explicit uses of cryptographic hash algorithms that are weak and obsolete. 
+ * @kind problem
+ * @id cpp/weak-crypto/banned-hash-algorithms
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       external/cwe/cwe-327
+ */
+
+import cpp
+import semmle.code.cpp.dataflow.DataFlow as ASTDataFlow
+import experimental.crypto.Concepts
+  
+from HashAlgorithm alg, Expr confSink, string msg
+where 
+exists(string name, string msgTmp | name = alg.getHashName() |
+		not name = ["SHA256", "SHA384", "SHA512"] and
+		(
+			if name = unknownAlgorithm()
+			then 
+			(
+				not alg instanceof Literal and msgTmp = "Use of unrecognized hash algorithm." 
+				or
+				alg instanceof Literal and msgTmp = "Use of unrecognized hash algorithm: " + alg.(Literal).getValueText().toString() + "."
+
+			)
+			else msgTmp = "Use of banned hash algorithm " + name + "."
+		)
+		and
+		if alg.hasConfigurationSink() and alg.configurationSink() != alg
+		then (confSink = alg.configurationSink() and msg = msgTmp + " Algorithm used at sink: $@.")
+		else (confSink = alg and  msg = msgTmp)
+	)
+select alg, msg, confSink, confSink.toString()