Swift: Split encryption queries into three parts (trivial re-organization of existing code).

Author: geoffw0

swift/ql/lib/codeql/swift/security/ConstantPasswordExtensions.qll

@@ -0,0 +1,7 @@
+/**
+ * Provides classes and predicates for reasoning about constant password
+ * vulnerabilities.
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow

swift/ql/lib/codeql/swift/security/ConstantPasswordQuery.qll

@@ -0,0 +1,62 @@
+/**
+ * Provides a taint tracking configuration to find constant password
+ * vulnerabilities.
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.TaintTracking
+import codeql.swift.dataflow.FlowSteps
+import codeql.swift.security.ConstantPasswordExtensions
+
+/**
+ * A constant password is created through either a byte array or string literals.
+ */
+class ConstantPasswordSource extends Expr {
+  ConstantPasswordSource() {
+    this = any(ArrayExpr arr | arr.getType().getName() = "Array<UInt8>") or
+    this instanceof StringLiteralExpr
+  }
+}
+
+/**
+ * A class for all ways to use a constant password.
+ */
+class ConstantPasswordSink extends Expr {
+  ConstantPasswordSink() {
+    // `password` arg in `init` is a sink
+    exists(ClassOrStructDecl c, ConstructorDecl f, CallExpr call |
+      c.getName() = ["HKDF", "PBKDF1", "PBKDF2", "Scrypt"] and
+      c.getAMember() = f and
+      call.getStaticTarget() = f and
+      call.getArgumentWithLabel("password").getExpr() = this
+    )
+    or
+    // RNCryptor (labelled arguments)
+    exists(ClassOrStructDecl c, MethodDecl f, CallExpr call |
+      c.getName() = ["RNCryptor", "RNEncryptor", "RNDecryptor"] and
+      c.getAMember() = f and
+      call.getStaticTarget() = f and
+      call.getArgumentWithLabel(["password", "withPassword", "forPassword"]).getExpr() = this
+    )
+    or
+    // RNCryptor (unlabelled arguments)
+    exists(MethodDecl f, CallExpr call |
+      f.hasQualifiedName("RNCryptor", "keyForPassword(_:salt:settings:)") and
+      call.getStaticTarget() = f and
+      call.getArgument(0).getExpr() = this
+    )
+  }
+}
+
+/**
+ * A taint configuration from the source of constants passwords to expressions that use
+ * them to initialize password-based encryption keys.
+ */
+module ConstantPasswordConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node.asExpr() instanceof ConstantPasswordSource }
+
+  predicate isSink(DataFlow::Node node) { node.asExpr() instanceof ConstantPasswordSink }
+}
+
+module ConstantPasswordFlow = TaintTracking::Global<ConstantPasswordConfig>;

swift/ql/lib/codeql/swift/security/ConstantSaltExtensions.qll

@@ -0,0 +1,7 @@
+/**
+ * Provides classes and predicates for reasoning about use of constant salts
+ * for password hashing.
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow

swift/ql/lib/codeql/swift/security/ConstantSaltQuery.qll

@@ -0,0 +1,56 @@
+/**
+ * Provides a taint tracking configuration to find use of constant salts
+ * for password hashing.
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.TaintTracking
+import codeql.swift.dataflow.FlowSteps
+import codeql.swift.security.ConstantSaltExtensions
+
+/**
+ * A constant salt is created through either a byte array or string literals.
+ */
+class ConstantSaltSource extends Expr {
+  ConstantSaltSource() {
+    this = any(ArrayExpr arr | arr.getType().getName() = "Array<UInt8>") or
+    this instanceof StringLiteralExpr or
+    this instanceof NumberLiteralExpr
+  }
+}
+
+/**
+ * A class for all ways to use a constant salt.
+ */
+class ConstantSaltSink extends Expr {
+  ConstantSaltSink() {
+    // `salt` arg in `init` is a sink
+    exists(ClassOrStructDecl c, ConstructorDecl f, CallExpr call |
+      c.getName() = ["HKDF", "PBKDF1", "PBKDF2", "Scrypt"] and
+      c.getAMember() = f and
+      call.getStaticTarget() = f and
+      call.getArgumentWithLabel("salt").getExpr() = this
+    )
+    or
+    // RNCryptor
+    exists(ClassOrStructDecl c, MethodDecl f, CallExpr call |
+      c.getName() = ["RNCryptor", "RNEncryptor", "RNDecryptor"] and
+      c.getAMember() = f and
+      call.getStaticTarget() = f and
+      call.getArgumentWithLabel(["salt", "encryptionSalt", "hmacSalt", "HMACSalt"]).getExpr() = this
+    )
+  }
+}
+
+/**
+ * A taint configuration from the source of constants salts to expressions that use
+ * them to initialize password-based encryption keys.
+ */
+module ConstantSaltConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node.asExpr() instanceof ConstantSaltSource }
+
+  predicate isSink(DataFlow::Node node) { node.asExpr() instanceof ConstantSaltSink }
+}
+
+module ConstantSaltFlow = TaintTracking::Global<ConstantSaltConfig>;

swift/ql/lib/codeql/swift/security/ECBEncryptionExtensions.qll

@@ -0,0 +1,7 @@
+/**
+ * Provides classes and predicates for reasoning about encryption using the
+ * ECB encrpytion mode.
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow

swift/ql/lib/codeql/swift/security/ECBEncryptionQuery.qll

@@ -0,0 +1,61 @@
+/**
+ * Provides a taint tracking configuration to find encryption using the
+ * ECB encrpytion mode.
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.TaintTracking
+import codeql.swift.security.ECBEncryptionExtensions
+
+/**
+ * An `Expr` that is used to initialize the block mode of a cipher.
+ */
+abstract class BlockMode extends Expr { }
+
+/**
+ * An `Expr` that is used to form an `AES` cipher.
+ */
+class AES extends BlockMode {
+  AES() {
+    // `blockMode` arg in `AES.init` is a sink
+    exists(CallExpr call |
+      call.getStaticTarget()
+          .(MethodDecl)
+          .hasQualifiedName("AES", ["init(key:blockMode:)", "init(key:blockMode:padding:)"]) and
+      call.getArgument(1).getExpr() = this
+    )
+  }
+}
+
+/**
+ * An `Expr` that is used to form a `Blowfish` cipher.
+ */
+class Blowfish extends BlockMode {
+  Blowfish() {
+    // `blockMode` arg in `Blowfish.init` is a sink
+    exists(CallExpr call |
+      call.getStaticTarget()
+          .(MethodDecl)
+          .hasQualifiedName("Blowfish", "init(key:blockMode:padding:)") and
+      call.getArgument(1).getExpr() = this
+    )
+  }
+}
+
+/**
+ * A taint configuration from the constructor of ECB mode to expressions that use
+ * it to initialize a cipher.
+ */
+module EcbEncryptionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) {
+    exists(CallExpr call |
+      call.getStaticTarget().(MethodDecl).hasQualifiedName("ECB", "init()") and
+      node.asExpr() = call
+    )
+  }
+
+  predicate isSink(DataFlow::Node node) { node.asExpr() instanceof BlockMode }
+}
+
+module EcbEncryptionFlow = DataFlow::Global<EcbEncryptionConfig>;

swift/ql/lib/codeql/swift/security/HardcodedEncryptionKeyExtensions.qll

@@ -0,0 +1,7 @@
+/**
+ * Provides classes and predicates for reasoning about hard-coded encryption
+ * key vulnerabilities.
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow

swift/ql/lib/codeql/swift/security/HardcodedEncryptionKeyQuery.qll

@@ -0,0 +1,64 @@
+/**
+ * Provides a taint tracking configuration to find hard-coded encryption
+ * key vulnerabilities.
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.TaintTracking
+import codeql.swift.security.HardcodedEncryptionKeyExtensions
+
+/**
+ * An `Expr` that is used to initialize a key.
+ */
+abstract class KeySource extends Expr { }
+
+/**
+ * A literal byte array is a key source.
+ */
+class ByteArrayLiteralSource extends KeySource {
+  ByteArrayLiteralSource() { this = any(ArrayExpr arr | arr.getType().getName() = "Array<UInt8>") }
+}
+
+/**
+ * A string literal is a key source.
+ */
+class StringLiteralSource extends KeySource instanceof StringLiteralExpr { }
+
+/**
+ * A class for all ways to set a key.
+ */
+class EncryptionKeySink extends Expr {
+  EncryptionKeySink() {
+    // `key` arg in `init` is a sink
+    exists(CallExpr call, string fName |
+      call.getStaticTarget()
+          .(MethodDecl)
+          .hasQualifiedName([
+              "AES", "HMAC", "ChaCha20", "CBCMAC", "CMAC", "Poly1305", "Blowfish", "Rabbit"
+            ], fName) and
+      fName.matches("init(key:%") and
+      call.getArgument(0).getExpr() = this
+    )
+    or
+    // RNCryptor
+    exists(ClassOrStructDecl c, MethodDecl f, CallExpr call |
+      c.getFullName() = ["RNCryptor", "RNEncryptor", "RNDecryptor"] and
+      c.getAMember() = f and
+      call.getStaticTarget() = f and
+      call.getArgumentWithLabel(["encryptionKey", "withEncryptionKey"]).getExpr() = this
+    )
+  }
+}
+
+/**
+ * A taint configuration from the key source to expressions that use
+ * it to initialize a cipher.
+ */
+module HardcodedKeyConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node.asExpr() instanceof KeySource }
+
+  predicate isSink(DataFlow::Node node) { node.asExpr() instanceof EncryptionKeySink }
+}
+
+module HardcodedKeyFlow = TaintTracking::Global<HardcodedKeyConfig>;

swift/ql/lib/codeql/swift/security/InsecureTLSExtensions.qll

@@ -0,0 +1,7 @@
+/**
+ * Provides classes and predicates for reasoning about insecure TLS
+ * configurations.
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow

swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll

@@ -0,0 +1,39 @@
+/**
+ * Provides a taint tracking configuration to find insecure TLS
+ * configurations.
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.TaintTracking
+import codeql.swift.dataflow.FlowSources
+import codeql.swift.security.InsecureTLSExtensions
+
+/**
+ * A taint config to detect insecure configuration of `NSURLSessionConfiguration`
+ */
+module InsecureTlsConfig implements DataFlow::ConfigSig {
+  /**
+   * Holds for enum values that represent an insecure version of TLS
+   */
+  predicate isSource(DataFlow::Node node) {
+    node.asExpr().(MethodLookupExpr).getMember().(EnumElementDecl).getName() =
+      ["TLSv10", "TLSv11", "tlsProtocol10", "tlsProtocol11"]
+  }
+
+  /**
+   * Holds for assignment of TLS-related properties of `NSURLSessionConfiguration`
+   */
+  predicate isSink(DataFlow::Node node) {
+    exists(AssignExpr assign |
+      assign.getSource() = node.asExpr() and
+      assign.getDest().(MemberRefExpr).getMember().(ConcreteVarDecl).getName() =
+        [
+          "tlsMinimumSupportedProtocolVersion", "tlsMinimumSupportedProtocol",
+          "tlsMaximumSupportedProtocolVersion", "tlsMaximumSupportedProtocol"
+        ]
+    )
+  }
+}
+
+module InsecureTlsFlow = TaintTracking::Global<InsecureTlsConfig>;