Merge pull request #10335 from github/redsun82/swift-weak-hashing-phase-1

Swift: first version of query targeting weak hashing

Author: MathiasVP

swift/ql/lib/codeql/swift/elements/AstNode.qll

@@ -1,17 +1,30 @@
 private import codeql.swift.generated.AstNode
 private import codeql.swift.elements.decl.AbstractFunctionDecl
+private import codeql.swift.elements.decl.Decl
 private import codeql.swift.generated.ParentChild
 
-private Element getEnclosingFunctionStep(Element e) {
-  not e instanceof AbstractFunctionDecl and
-  result = getImmediateParent(e)
-}
+private module Cached {
+  private Element getEnclosingDeclStep(Element e) {
+    not e instanceof Decl and
+    result = getImmediateParent(e)
+  }
+
+  cached
+  Decl getEnclosingDecl(AstNode ast) { result = getEnclosingDeclStep*(getImmediateParent(ast)) }
 
-cached
-private AbstractFunctionDecl getEnclosingFunctionCached(AstNode ast) {
-  result = getEnclosingFunctionStep*(getImmediateParent(ast))
+  private Element getEnclosingFunctionStep(Element e) {
+    not e instanceof AbstractFunctionDecl and
+    result = getEnclosingDecl(e)
+  }
+
+  cached
+  AbstractFunctionDecl getEnclosingFunction(AstNode ast) {
+    result = getEnclosingFunctionStep*(getEnclosingDecl(ast))
+  }
 }
 
 class AstNode extends AstNodeBase {
-  final AbstractFunctionDecl getEnclosingFunction() { result = getEnclosingFunctionCached(this) }
+  final AbstractFunctionDecl getEnclosingFunction() { result = Cached::getEnclosingFunction(this) }
+
+  final Decl getEnclosingDecl() { result = Cached::getEnclosingDecl(this) }
 }

swift/ql/lib/codeql/swift/security/SensitiveExprs.qll

@@ -121,20 +121,24 @@ class SensitiveExpr extends Expr {
   SensitiveDataType sensitiveType;
 
   SensitiveExpr() {
-    // variable reference
-    this.(DeclRefExpr).getDecl().(SensitiveVarDecl).hasInfo(label, sensitiveType)
-    or
-    // member variable reference
-    this.(MemberRefExpr).getMember().(SensitiveVarDecl).hasInfo(label, sensitiveType)
-    or
-    // function call
-    this.(ApplyExpr).getStaticTarget().(SensitiveFunctionDecl).hasInfo(label, sensitiveType)
-    or
-    // sensitive argument
-    exists(SensitiveArgument a |
-      a.hasInfo(label, sensitiveType) and
-      a.getExpr() = this
-    )
+    (
+      // variable reference
+      this.(DeclRefExpr).getDecl().(SensitiveVarDecl).hasInfo(label, sensitiveType)
+      or
+      // member variable reference
+      this.(MemberRefExpr).getMember().(SensitiveVarDecl).hasInfo(label, sensitiveType)
+      or
+      // function call
+      this.(ApplyExpr).getStaticTarget().(SensitiveFunctionDecl).hasInfo(label, sensitiveType)
+      or
+      // sensitive argument
+      exists(SensitiveArgument a |
+        a.hasInfo(label, sensitiveType) and
+        a.getExpr() = this
+      )
+    ) and
+    // do not mark as sensitive it if it is probably safe
+    not label.toLowerCase().regexpMatch(regexpProbablySafe())
   }
 
   /**
@@ -146,13 +150,6 @@ class SensitiveExpr extends Expr {
    * Gets the type of sensitive expression this is.
    */
   SensitiveDataType getSensitiveType() { result = sensitiveType }
-
-  /**
-   * Holds if this sensitive expression might be safe because it contains
-   * hashed or encrypted data, or is only a reference to data that is stored
-   * elsewhere.
-   */
-  predicate isProbablySafe() { label.toLowerCase().regexpMatch(regexpProbablySafe()) }
 }
 
 /**

swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql

@@ -70,12 +70,7 @@ class RealmStore extends Stored {
 class CleartextStorageConfig extends TaintTracking::Configuration {
   CleartextStorageConfig() { this = "CleartextStorageConfig" }
 
-  override predicate isSource(DataFlow::Node node) {
-    exists(SensitiveExpr e |
-      node.asExpr() = e and
-      not e.isProbablySafe()
-    )
-  }
+  override predicate isSource(DataFlow::Node node) { node.asExpr() instanceof SensitiveExpr }
 
   override predicate isSink(DataFlow::Node node) { node.asExpr() instanceof Stored }
 

swift/ql/src/queries/Security/CWE-311/CleartextTransmission.ql

@@ -63,12 +63,7 @@ class URL extends Transmitted {
 class CleartextTransmissionConfig extends TaintTracking::Configuration {
   CleartextTransmissionConfig() { this = "CleartextTransmissionConfig" }
 
-  override predicate isSource(DataFlow::Node node) {
-    exists(SensitiveExpr e |
-      node.asExpr() = e and
-      not e.isProbablySafe()
-    )
-  }
+  override predicate isSource(DataFlow::Node node) { node.asExpr() instanceof SensitiveExpr }
 
   override predicate isSink(DataFlow::Node node) { node.asExpr() instanceof Transmitted }
 

swift/ql/src/queries/Security/CWE-328/WeakSensitiveDataHashing.qhelp

@@ -0,0 +1,84 @@
+<!DOCTYPE qhelp PUBLIC
+        "-//Semmle//qhelp//EN"
+        "qhelp.dtd">
+<qhelp>
+    <overview>
+        <p>
+            Using a broken or weak cryptographic hash function can leave data
+            vulnerable, and should not be used in security related code.
+        </p>
+
+        <p>
+            A strong cryptographic hash function should be resistant to:
+        </p>
+        <ul>
+            <li>
+                <b>Pre-image attacks</b>. If you know a hash value <code>h(x)</code>,
+                you should not be able to easily find the input <code>x</code>.
+            </li>
+            <li>
+                <b>Collision attacks</b>. If you know a hash value <code>h(x)</code>,
+                you should not be able to easily find a different input
+                <code>y</code>
+                with the same hash value <code>h(x) = h(y)</code>.
+            </li>
+        </ul>
+
+        <p>
+            As an example, both MD5 and SHA-1 are known to be vulnerable to collision attacks.
+        </p>
+
+        <p>
+            Since it's OK to use a weak cryptographic hash function in a non-security
+            context, this query only alerts when these are used to hash sensitive
+            data (such as passwords, certificates, usernames).
+        </p>
+
+    </overview>
+    <recommendation>
+
+        <p>
+            Ensure that you use a strong, modern cryptographic hash function, such as:
+        </p>
+
+        <ul>
+            <li>
+                Argon2, scrypt, bcrypt, or PBKDF2 for passwords and other data with limited input space where
+                a dictionary-like attack is feasible.
+            </li>
+            <li>
+                SHA-2, or SHA-3 in other cases.
+            </li>
+        </ul>
+
+    </recommendation>
+    <example>
+
+        <p>
+            The following examples show a function for checking whether the hash
+            of a certificate matches a known value -- to prevent tampering.
+
+            In the first case the MD5 hashing algorithm is used that is known to be vulnerable to collision attacks.
+        </p>
+        <sample src="WeakSensitiveDataHashingBad.swift"/>
+        <p>
+
+            Here is the same function using SHA-512, which is a strong cryptographic hashing function.
+        </p>
+        <sample src="WeakSensitiveDataHashingGood.swift"/>
+
+    </example>
+    <references>
+        <li>
+            OWASP:
+            <a href="https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html">Password Storage
+                Cheat Sheet
+            </a>
+            and
+            <a href="https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html#use-strong-cryptographic-hashing-algorithms">
+                Transport Layer Protection Cheat Sheet
+            </a>
+        </li>
+    </references>
+
+</qhelp>

swift/ql/src/queries/Security/CWE-328/WeakSensitiveDataHashing.ql

@@ -0,0 +1,63 @@
+/**
+ * @name Use of a broken or weak cryptographic hashing algorithm on sensitive data
+ * @description Using broken or weak cryptographic hashing algorithms can compromise security.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 7.5
+ * @precision high
+ * @id swift/weak-sensitive-data-hashing
+ * @tags security
+ *       external/cwe/cwe-327
+ *       external/cwe/cwe-328
+ */
+
+import swift
+import codeql.swift.security.SensitiveExprs
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.TaintTracking
+import DataFlow::PathGraph
+
+class WeakHashingConfig extends TaintTracking::Configuration {
+  WeakHashingConfig() { this = "WeakHashingConfig" }
+
+  override predicate isSource(DataFlow::Node node) { node instanceof WeakHashingConfig::Source }
+
+  override predicate isSink(DataFlow::Node node) { node instanceof WeakHashingConfig::Sink }
+}
+
+module WeakHashingConfig {
+  class Source extends DataFlow::Node {
+    Source() { this.asExpr() instanceof SensitiveExpr }
+  }
+
+  abstract class Sink extends DataFlow::Node {
+    abstract string getAlgorithm();
+  }
+
+  class CryptoHash extends Sink {
+    string algorithm;
+
+    CryptoHash() {
+      exists(ApplyExpr call, FuncDecl func |
+        call.getAnArgument().getExpr() = this.asExpr() and
+        call.getStaticTarget() = func and
+        func.getName().matches(["hash(%", "update(%"]) and
+        algorithm = func.getEnclosingDecl().(StructDecl).getName() and
+        algorithm = ["MD5", "SHA1"]
+      )
+    }
+
+    override string getAlgorithm() { result = algorithm }
+  }
+}
+
+from
+  WeakHashingConfig config, DataFlow::PathNode source, DataFlow::PathNode sink, string algorithm,
+  SensitiveExpr expr
+where
+  config.hasFlowPath(source, sink) and
+  algorithm = sink.getNode().(WeakHashingConfig::Sink).getAlgorithm() and
+  expr = source.getNode().asExpr()
+select sink.getNode(), source, sink,
+  "Insecure hashing algorithm (" + algorithm + ") depends on $@.", source.getNode(),
+  "sensitive data (" + expr.getSensitiveType() + " " + expr.getLabel() + ")"

swift/ql/src/queries/Security/CWE-328/WeakSensitiveDataHashingBad.swift

@@ -0,0 +1,5 @@
+typealias Hasher = Crypto.Insecure.MD5
+
+func checkCertificate(cert: Array[UInt8], hash: Array[UInt8]) -> Bool
+  return Hasher.hash(data: cert) == hash  // BAD
+}

swift/ql/src/queries/Security/CWE-328/WeakSensitiveDataHashingGood.swift

@@ -0,0 +1,4 @@
+typealias Hasher = Crypto.SHA512
+
+func checkCertificate(cert: Array[UInt8], hash: Array[UInt8]) -> Bool
+  return Hasher.hash(data: cert) == hash  // GOOD

swift/ql/test/query-tests/Security/CWE-311/SensitiveExprs.expected

@@ -1,13 +1,8 @@
 | testCoreData.swift:48:15:48:15 | password | label:password, type:credential |
-| testCoreData.swift:49:15:49:15 | password_hash | isProbablySafe, label:password_hash, type:credential |
 | testCoreData.swift:51:24:51:24 | password | label:password, type:credential |
-| testCoreData.swift:52:24:52:24 | password_hash | isProbablySafe, label:password_hash, type:credential |
 | testCoreData.swift:58:15:58:15 | password | label:password, type:credential |
-| testCoreData.swift:59:15:59:15 | password_file | isProbablySafe, label:password_file, type:credential |
 | testCoreData.swift:61:25:61:25 | password | label:password, type:credential |
-| testCoreData.swift:62:25:62:25 | password_file | isProbablySafe, label:password_file, type:credential |
 | testCoreData.swift:64:16:64:16 | password | label:password, type:credential |
-| testCoreData.swift:65:16:65:16 | password_file | isProbablySafe, label:password_file, type:credential |
 | testCoreData.swift:77:2:77:25 | call to doSomething(password:) | label:doSomething(password:), type:credential |
 | testCoreData.swift:77:24:77:24 | x | label:password, type:credential |
 | testCoreData.swift:80:10:80:22 | call to getPassword() | label:getPassword(), type:credential |
@@ -16,22 +11,16 @@
 | testCoreData.swift:92:10:92:10 | passwd | label:passwd, type:credential |
 | testCoreData.swift:93:10:93:10 | passwd | label:passwd, type:credential |
 | testRealm.swift:34:11:34:11 | myPassword | label:myPassword, type:credential |
-| testRealm.swift:38:11:38:11 | myHashedPassword | isProbablySafe, label:myHashedPassword, type:credential |
 | testRealm.swift:42:11:42:11 | myPassword | label:myPassword, type:credential |
-| testRealm.swift:46:11:46:11 | myHashedPassword | isProbablySafe, label:myHashedPassword, type:credential |
 | testRealm.swift:52:12:52:12 | myPassword | label:myPassword, type:credential |
-| testRealm.swift:55:12:55:12 | myHashedPassword | isProbablySafe, label:myHashedPassword, type:credential |
 | testSend.swift:29:19:29:19 | passwordPlain | label:passwordPlain, type:credential |
-| testSend.swift:30:19:30:19 | passwordHash | isProbablySafe, label:passwordHash, type:credential |
 | testSend.swift:33:19:33:19 | passwordPlain | label:passwordPlain, type:credential |
-| testSend.swift:34:19:34:19 | passwordHash | isProbablySafe, label:passwordHash, type:credential |
 | testSend.swift:45:13:45:13 | password | label:password, type:credential |
 | testSend.swift:46:13:46:13 | password | label:password, type:credential |
 | testSend.swift:47:17:47:17 | password | label:password, type:credential |
 | testSend.swift:48:23:48:23 | password | label:password, type:credential |
 | testSend.swift:49:27:49:27 | password | label:password, type:credential |
 | testSend.swift:50:27:50:27 | password | label:password, type:credential |
 | testURL.swift:13:54:13:54 | passwd | label:passwd, type:credential |
-| testURL.swift:14:54:14:54 | encrypted_passwd | isProbablySafe, label:encrypted_passwd, type:credential |
 | testURL.swift:16:55:16:55 | credit_card_no | label:credit_card_no, type:private information |
 | testURL.swift:20:22:20:22 | passwd | label:passwd, type:credential |

swift/ql/test/query-tests/Security/CWE-311/SensitiveExprs.ql

@@ -5,8 +5,6 @@ string describe(SensitiveExpr e) {
   result = "label:" + e.getLabel()
   or
   result = "type:" + e.getSensitiveType().toString()
-  or
-  e.isProbablySafe() and result = "isProbablySafe"
 }
 
 from SensitiveExpr e