Adding BannedEncryption qhelp, ql, cap and cng qll, cryptofilters qll and misc. crypto example files

Author: bdrodes

cpp/ql/src/Microsoft/Security/Cryptography/BannedEncryption.qhelp

@@ -0,0 +1,46 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+<overview>
+<p> 
+    Finds explicit uses of symmetric encryption algorithms that are weak, obsolete, or otherwise unapproved.
+</p>
+<p>
+    Encryption algorithms such as DES, (uses keys of 56 bits only), RC2 (uses keys of 128 bits only), and TripleDES (provides at most 112 bits of security) are considered to be weak.
+</p>
+<p>
+    These cryptographic algorithms do not provide as much security assurance as more modern counterparts.
+</p>
+</overview>
+
+<recommendation>
+<p>
+    For Microsoft internal security standards:
+</p>
+<p>
+    For WinCrypt, switch to ALG_SID_AES, ALG_SID_AES_128, ALG_SID_AES_192, or ALG_SID_AES_256.
+</p>
+<p>
+    For BCrypt, switch to AES or any algorithm other than RC2, RC4, DES, DESX, 3DES, 3DES_112. AES_GMAC and AES_CMAC require crypto board review.
+</p>
+</recommendation>
+
+<example>
+<p>Violations:</p>
+
+<sample src="examples/WeakEncryption/WeakEncryption1.cpp" />
+<sample src="examples/WeakEncryption/WeakEncryption3.cpp" />
+
+<p>Solutions:</p>
+
+<sample src="examples/WeakEncryption/WeakEncryption2.cpp" />
+<sample src="examples/WeakEncryption/WeakEncryption4.cpp" />
+</example>
+
+<references>
+<li>Microsoft Docs: <a href="https://learn.microsoft.com/en-us/security/engineering/cryptographic-recommendations">Microsoft SDL Cryptographic Recommendations</a>.</li>
+</references>
+
+</qhelp>

cpp/ql/src/Microsoft/Security/Cryptography/BannedEncryption.ql

@@ -0,0 +1,58 @@
+/**
+ * @name Weak cryptography
+ * @description Finds explicit uses of symmetric encryption algorithms that are weak, obsolete, or otherwise unapproved.
+ * @kind problem
+ * @id cpp/weak-crypto/banned-encryption-algorithms
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       external/cwe/cwe-327
+ */
+
+import cpp
+import CryptoFilters
+import CryptoDataflowCapi
+import CryptoDataflowCng
+import experimental.cryptography.Concepts
+
+predicate isCapiOrCNGBannedAlg(Expr e, string msg) {
+  exists(FunctionCall fc |
+    CapiCryptCreateEncryptionBanned::flow(DataFlow::exprNode(e),
+      DataFlow::exprNode(fc.getArgument(1)))
+    or
+    BCryptOpenAlgorithmProviderBannedEncryption::flow(DataFlow::exprNode(e),
+      DataFlow::exprNode(fc.getArgument(1)))
+  ) and
+  msg =
+    "Call to a cryptographic function with a banned symmetric encryption algorithm: " +
+      e.getValueText()
+}
+
+predicate isGeneralBannedAlg(SymmetricEncryptionAlgorithm alg, Expr confSink, string msg) {
+  // Handle unknown cases in a separate query
+  not alg.getEncryptionName() = unknownAlgorithm() and
+  exists(string resMsg |
+    (
+      not alg.getEncryptionName().matches("AES%") and
+      resMsg = "Use of banned symmetric encryption algorithm: " + alg.getEncryptionName() + "."
+    ) and
+    (
+      if alg.hasConfigurationSink() and alg.configurationSink() != alg
+      then (
+        confSink = alg.configurationSink() and msg = resMsg + " Algorithm used at sink: $@."
+      ) else (
+        confSink = alg and msg = resMsg
+      )
+    )
+  )
+}
+
+from Expr sink, Expr confSink, string msg
+where
+  (
+    isCapiOrCNGBannedAlg(sink, msg) and confSink = sink
+    or
+    isGeneralBannedAlg(sink, confSink, msg)
+  ) and
+  not isSrcSinkFiltered(sink, confSink)
+select sink, msg, confSink, confSink.toString()

cpp/ql/src/Microsoft/Security/Cryptography/CryptoDataflowCapi.qll

@@ -0,0 +1,97 @@
+/**
+ * Provides classes and predicates for identifying expressions that are use Crypto API (CAPI).
+ */
+
+import cpp
+private import semmle.code.cpp.dataflow.new.DataFlow
+
+/**
+ * Dataflow that detects a call to CryptSetKeyParam dwParam = KP_MODE (CAPI)
+ */
+module CapiCryptCryptSetKeyParamtoKPMODEConfiguration implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source.asExpr().getValue().toInt() = 4 // KP_MODE
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(FunctionCall call |
+      // CryptSetKeyParam 2nd argument specifies the key parameter to set
+      sink.asExpr() = call.getArgument(1) and
+      call.getTarget().hasGlobalName("CryptSetKeyParam")
+    )
+  }
+}
+
+module CapiCryptCryptSetKeyParamtoKPMODE =
+  DataFlow::Global<CapiCryptCryptSetKeyParamtoKPMODEConfiguration>;
+
+/**
+ * A function call to CryptSetKeyParam with dwParam = KP_MODE (CAPI)
+ */
+class CapiCryptCryptSetKeyParamtoKPMODE extends FunctionCall {
+  CapiCryptCryptSetKeyParamtoKPMODE() {
+    exists(Expr var |
+      CapiCryptCryptSetKeyParamtoKPMODE::flow(DataFlow::exprNode(var),
+        DataFlow::exprNode(this.getArgument(1)))
+    )
+  }
+}
+
+// CAPI-specific DataFlow configuration
+module CapiCryptCreateHashBannedConfiguration implements DataFlow::ConfigSig {
+  // This mechnism will verify for approved set of values to call, rejecting anythign that is not in the list.
+  // NOTE: This mechanism is not guaranteed to work with CSPs that do not use the same algorithms defined in Wincrypt.h
+  //
+  predicate isSource(DataFlow::Node source) {
+    // Verify if source matched the mask for CAPI ALG_CLASS_HASH == 32768
+    source.asExpr().getValue().toInt().bitShiftRight(13) = 4 and
+    // The following hash algorithms are safe to use, anything else is considered banned
+    not (
+      source.asExpr().getValue().toInt().bitXor(32768) = 12 or // ALG_SID_SHA_256
+      source.asExpr().getValue().toInt().bitXor(32768) = 13 or // ALG_SID_SHA_384
+      source.asExpr().getValue().toInt().bitXor(32768) = 14 // ALG_SID_SHA_512
+    )
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(FunctionCall call |
+      // CryptCreateHash 2nd argument specifies the hash algorithm to be used.
+      sink.asExpr() = call.getArgument(1) and
+      call.getTarget().hasGlobalName("CryptCreateHash")
+    )
+  }
+}
+
+module CapiCryptCreateHashBanned = DataFlow::Global<CapiCryptCreateHashBannedConfiguration>;
+
+// CAPI-specific DataFlow configuration
+module CapiCryptCreateEncryptionBannedConfiguration implements DataFlow::ConfigSig {
+  // This mechanism will verify for approved set of values to call, rejecting anything that is not in the list.
+  // NOTE: This mechanism is not guaranteed to work with CSPs that do not use the same algorithms defined in Wincrypt.h
+  //
+  predicate isSource(DataFlow::Node source) {
+    // Verify if source matched the mask for CAPI ALG_CLASS_DATA_ENCRYPT == 24576
+    source.asExpr().getValue().toInt().bitShiftRight(13) = 3 and
+    // The following algorithms are safe to use, anything else is considered banned
+    not (
+      source.asExpr().getValue().toInt().bitXor(26112) = 14 or // ALG_SID_AES_128
+      source.asExpr().getValue().toInt().bitXor(26112) = 15 or // ALG_SID_AES_192
+      source.asExpr().getValue().toInt().bitXor(26112) = 16 or // ALG_SID_AES_256
+      source.asExpr().getValue().toInt().bitXor(26112) = 17 // ALG_SID_AES
+    )
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(FunctionCall call |
+      // CryptGenKey or CryptDeriveKey 2nd argument specifies the hash algorithm to be used.
+      sink.asExpr() = call.getArgument(1) and
+      (
+        call.getTarget().hasGlobalName("CryptGenKey") or
+        call.getTarget().hasGlobalName("CryptDeriveKey")
+      )
+    )
+  }
+}
+
+module CapiCryptCreateEncryptionBanned =
+  DataFlow::Global<CapiCryptCreateEncryptionBannedConfiguration>;

cpp/ql/src/Microsoft/Security/Cryptography/CryptoDataflowCng.qll

@@ -0,0 +1,137 @@
+/**
+ * Provides classes and predicates for identifying expressions that are use crypto API Next Generation (CNG).
+ */
+
+import cpp
+private import semmle.code.cpp.dataflow.new.DataFlow
+
+/**
+ * Dataflow that detects a call to BCryptSetProperty pszProperty = ChainingMode (CNG)
+ */
+module CngBCryptSetPropertyParamtoKChainingModeConfiguration implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source.asExpr().getValue().toString().matches("ChainingMode")
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(FunctionCall call |
+      // BCryptSetProperty 2nd argument specifies the key parameter to set
+      sink.asExpr() = call.getArgument(1) and
+      call.getTarget().hasGlobalName("BCryptSetProperty")
+    )
+  }
+}
+
+module CngBCryptSetPropertyParamtoKChainingMode =
+  DataFlow::Global<CngBCryptSetPropertyParamtoKChainingModeConfiguration>;
+
+/**
+ * A function call to BCryptSetProperty pszProperty = ChainingMode (CNG)
+ */
+class CngBCryptSetPropertyParamtoKChainingMode extends FunctionCall {
+  CngBCryptSetPropertyParamtoKChainingMode() {
+    exists(Expr var |
+      CngBCryptSetPropertyParamtoKChainingMode::flow(DataFlow::exprNode(var),
+        DataFlow::exprNode(this.getArgument(1)))
+    )
+  }
+}
+
+predicate isChaniningModeCbc(DataFlow::Node source) {
+  // Verify if algorithm is in the approved list.
+  exists(string s | s = source.asExpr().getValue().toString() |
+    s.regexpMatch("ChainingMode[A-Za-z0-9/]+") and
+    // Property Strings
+    // BCRYPT_CHAIN_MODE_NA    L"ChainingModeN/A"  - The algorithm does not support chaining
+    // BCRYPT_CHAIN_MODE_CBC   L"ChainingModeCBC"  - Microsoft-Only: Only mode allowed by Crypto Board from this list (CBC-MAC)
+    // BCRYPT_CHAIN_MODE_ECB   L"ChainingModeECB"  - Generally not recommended for usage in cryptographic protocols at all
+    // BCRYPT_CHAIN_MODE_CFB   L"ChainingModeCFB"  - Microsoft-Only: Banned, usage requires Crypto Board review
+    // BCRYPT_CHAIN_MODE_CCM   L"ChainingModeCCM"  - Microsoft-Only: Banned, usage requires Crypto Board review
+    // BCRYPT_CHAIN_MODE_GCM   L"ChainingModeGCM"  - Microsoft-Only: Only for TLS, other usage requires Crypto Board review
+    not s.matches("ChainingModeCBC")
+  )
+}
+
+module CngBCryptSetPropertyChainingBannedModeConfiguration implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { isChaniningModeCbc(source) }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(CngBCryptSetPropertyParamtoKChainingMode call |
+      // BCryptOpenAlgorithmProvider 3rd argument sets the chaining mode value
+      sink.asExpr() = call.getArgument(2)
+    )
+  }
+}
+
+module CngBCryptSetPropertyChainingBannedMode =
+  DataFlow::Global<CngBCryptSetPropertyChainingBannedModeConfiguration>;
+
+module CngBCryptSetPropertyChainingBannedModeIndirectParameterConfiguration implements
+  DataFlow::ConfigSig
+{
+  predicate isSource(DataFlow::Node source) { isChaniningModeCbc(source) }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(CngBCryptSetPropertyParamtoKChainingMode call |
+      // CryptSetKeyParam 3rd argument specifies the mode (KP_MODE)
+      sink.asIndirectExpr() = call.getArgument(2)
+    )
+  }
+}
+
+module CngBCryptSetPropertyChainingBannedModeIndirectParameter =
+  DataFlow::Global<CngBCryptSetPropertyChainingBannedModeIndirectParameterConfiguration>;
+
+// CNG-specific DataFlow configuration
+module BCryptOpenAlgorithmProviderBannedHashConfiguration implements DataFlow::ConfigSig {
+  // NOTE: Unlike the CAPI scenario, CNG will use this method to load and initialize
+  //       a cryptographic provider for any type of algorithm,not only hash.
+  //       Therefore, we have to take a banned-list instead of approved list approach.
+  //
+  predicate isSource(DataFlow::Node source) {
+    // Verify if algorithm is marked as banned.
+    source.asExpr().getValue().toString().matches("MD_")
+    or
+    source.asExpr().getValue().toString().matches("SHA1")
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(FunctionCall call |
+      // BCryptOpenAlgorithmProvider 2nd argument specifies the algorithm to be used
+      sink.asExpr() = call.getArgument(1) and
+      call.getTarget().hasGlobalName("BCryptOpenAlgorithmProvider")
+    )
+  }
+}
+
+module BCryptOpenAlgorithmProviderBannedHash =
+  DataFlow::Global<BCryptOpenAlgorithmProviderBannedHashConfiguration>;
+
+// CNG-specific DataFlow configuration
+module BCryptOpenAlgorithmProviderBannedEncryptionConfiguration implements DataFlow::ConfigSig {
+  // NOTE: Unlike the CAPI scenario, CNG will use this method to load and initialize
+  //       a cryptographic provider for any type of algorithm,not only encryption.
+  //       Therefore, we have to take a banned-list instead of approved list approach.
+  //
+  predicate isSource(DataFlow::Node source) {
+    // Verify if algorithm is marked as banned.
+    source.asExpr().getValue().toString().matches("RC_") or
+    source.asExpr().getValue().toString().matches("DES") or
+    source.asExpr().getValue().toString().matches("DESX") or
+    source.asExpr().getValue().toString().matches("3DES") or
+    source.asExpr().getValue().toString().matches("3DES_112") or
+    source.asExpr().getValue().toString().matches("AES_GMAC") or // Microsoft Only: Requires Cryptoboard review
+    source.asExpr().getValue().toString().matches("AES_CMAC") // Microsoft Only: Requires Cryptoboard review
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(FunctionCall call |
+      // BCryptOpenAlgorithmProvider 2nd argument specifies the algorithm to be used
+      sink.asExpr() = call.getArgument(1) and
+      call.getTarget().hasGlobalName("BCryptOpenAlgorithmProvider")
+    )
+  }
+}
+
+module BCryptOpenAlgorithmProviderBannedEncryption =
+  DataFlow::Global<BCryptOpenAlgorithmProviderBannedEncryptionConfiguration>;

cpp/ql/src/Microsoft/Security/Cryptography/CryptoFilters.qll

@@ -0,0 +1,45 @@
+import cpp
+
+/**
+ * Determines if an element should be filtered (ignored)
+ * from any result set.
+ *
+ * The current strategy is to determine if the element
+ * resides in a path that appears to be a library (in particular openssl).
+ *
+ * It is therefore important that the element being examined represents
+ * a use or configuration of cryptography in the user code.
+ * E.g., if a global variable were defined in an OpenSSL library
+ * representing a bad/vuln algorithm, and this global were assessed
+ * it would appear to be ignorable, as it exists in a a filtered library.
+ * The use of that global must be examined with this filter.
+ *
+ * ASSUMPTION/CAVEAT: note if an openssl library wraps a dangerous crypo use
+ *    this filter approach will ignore the wrapper call, unless it is also flagged
+ *    as dangerous. e.g., SomeWraper(){ ... <md5 use> ...}
+ *    The wrapper if defined in openssl would result in ignoring
+ *    the use of MD5 internally, since it's use is entirely in openssl.
+ *
+ *    TODO: these caveats need to be reassessed in the future.
+ */
+predicate isUseFiltered(Element e) {
+  e.getFile().getAbsolutePath().toLowerCase().matches("%openssl%")
+}
+
+/**
+ * Filtered only if both src and sink are considered filtered.
+ *
+ * This approach is meant to partially address some of the implications of
+ * `isUseFiltered`. Specifically, if an algorithm is specified by a user
+ * and some how passes to a user inside openssl, then this filter
+ * would not ignore that the user was specifying the use of something dangerous.
+ *
+ * e.g., if a wrapper in openssl existed of the form SomeWrapper(string alg, ...){ ... <operation using alg> ...}
+ * and the user did something like SomeWrapper("MD5", ...), this would not be ignored.
+ *
+ * The source in the above example would the algorithm, and the sink is the configuration sink
+ * of the algorithm.
+ */
+predicate isSrcSinkFiltered(Element src, Element sink) {
+  isUseFiltered(src) and isUseFiltered(sink)
+}