Add rule that checks for using the insecure ECB block mode for encryption

Author: karimhamdanali

swift/ql/src/queries/Security/ECB-Encryption/ECBEncryption.qhelp

@@ -0,0 +1,20 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>ECB should not be used as a mode for encryption. It has dangerous weaknesses. Data is encrypted the same way every time 
+meaning the same plaintext input will always produce the same ciphertext. This behaviour makes encrypted messages vulnerable 
+to replay attacks.</p>
+
+</overview>
+<recommendation>
+<p>Use a different cipher mode such as CBC.</p>
+
+</recommendation>
+<references>
+
+  <li>Wikipedia, block cipher modes of operation, <a href="https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Electronic_codebook_.28ECB.29">Electronic codebook (ECB)</a>.</li>
+
+</references>
+</qhelp>

swift/ql/src/queries/Security/ECB-Encryption/ECBEncryption.ql

@@ -0,0 +1,81 @@
+/**
+ * @name Encryption using ECB
+ * @description Highlights uses of the encryption mode 'ECB'. This mode should normally not be used because it is vulnerable to replay attacks.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 7.5
+ * @precision high
+ * @id swift/ecb-encryption
+ * @tags security
+ *       external/cwe/cwe-327
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.TaintTracking
+import DataFlow::PathGraph
+
+/**
+ * An `Expr` that is used to initialize the block mode of a cipher.
+ */
+abstract class BlockMode extends Expr { }
+
+/**
+ * An `Expr` that is used to form an `AES` cipher.
+ */
+class AES extends BlockMode {
+  AES() {
+    // `blockMode` arg in `AES.init` is a sink
+    exists(ClassDecl c, AbstractFunctionDecl f, CallExpr call |
+      c.getName() = "AES" and
+      c.getAMember() = f and
+      f.getName() = ["init(key:blockMode:)", "init(key:blockMode:padding:)"] and
+      call.getStaticTarget() = f and
+      call.getArgument(1).getExpr() = this
+    )
+  }
+}
+
+/**
+ * An `Expr` that is used to form a `Blowfish` cipher.
+ */
+class Blowfish extends BlockMode {
+  Blowfish() {
+    // `blockMode` arg in `Blowfish.init` is a sink
+    exists(ClassDecl c, AbstractFunctionDecl f, CallExpr call |
+      c.getName() = "Blowfish" and
+      c.getAMember() = f and
+      f.getName() = "init(key:blockMode:padding:)" and
+      call.getStaticTarget() = f and
+      call.getArgument(1).getExpr() = this
+    )
+  }
+}
+
+/**
+ * A taint configuration from the constructor of ECB mode to expressions that use
+ * it to initialize a cipher.
+ */
+class ECBEncryptionConfig extends TaintTracking::Configuration {
+  ECBEncryptionConfig() { this = "ECBEncryptionConfig" }
+
+  override predicate isSource(DataFlow::Node node) {
+    exists(StructDecl s, AbstractFunctionDecl f, CallExpr call |
+      s.getName() = "ECB" and
+      s.getAMember() = f and
+      f.getName() = "init()" and
+      call.getStaticTarget() = f and
+      node.asExpr() = call
+    )
+  }
+
+  override predicate isSink(DataFlow::Node node) { node.asExpr() instanceof BlockMode }
+}
+
+// The query itself
+from ECBEncryptionConfig config, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode
+where config.hasFlowPath(sourceNode, sinkNode)
+select sinkNode.getNode(), sourceNode, sinkNode,
+  "The initialization of the cipher '" + sinkNode.getNode().toString() +
+    "' uses the insecure ECB block mode from $@", sourceNode,
+  sourceNode.getNode().toString()

swift/ql/src/queries/Security/ECB-Encryption/ECBEncryption.swift

@@ -0,0 +1,18 @@
+
+func encrypt(key : Key, padding : Padding) {
+	// ...
+
+	// BAD: ECB is used for block mode
+	let blockMode = ECB()
+	_ = try AES(key: key, blockMode: blockMode, padding: padding)
+	_ = try AES(key: key, blockMode: blockMode)
+	_ = try Blowfish(key: key, blockMode: blockMode, padding: padding)
+
+	// GOOD: ECB is not used for block mode
+	let blockMode = CBC()
+	_ = try AES(key: key, blockMode: blockMode, padding: padding)
+	_ = try AES(key: key, blockMode: blockMode)
+	_ = try Blowfish(key: key, blockMode: blockMode, padding: padding)
+
+	// ...
+}

swift/ql/test/query-tests/Security/ECB-Encryption/ECBEncryption.expected

@@ -0,0 +1,21 @@
+edges
+| testAES.swift:32:12:32:16 | call to init() :  | testAES.swift:36:36:36:36 | ecb |
+| testAES.swift:32:12:32:16 | call to init() :  | testAES.swift:37:36:37:36 | ecb |
+| testBlowfish.swift:32:12:32:16 | call to init() :  | testBlowfish.swift:36:41:36:41 | ecb |
+nodes
+| testAES.swift:32:12:32:16 | call to init() :  | semmle.label | call to init() :  |
+| testAES.swift:36:36:36:36 | ecb | semmle.label | ecb |
+| testAES.swift:37:36:37:36 | ecb | semmle.label | ecb |
+| testAES.swift:38:36:38:40 | call to init() | semmle.label | call to init() |
+| testAES.swift:39:36:39:40 | call to init() | semmle.label | call to init() |
+| testBlowfish.swift:32:12:32:16 | call to init() :  | semmle.label | call to init() :  |
+| testBlowfish.swift:36:41:36:41 | ecb | semmle.label | ecb |
+| testBlowfish.swift:37:41:37:45 | call to init() | semmle.label | call to init() |
+subpaths
+#select
+| testAES.swift:36:36:36:36 | ecb | testAES.swift:32:12:32:16 | call to init() :  | testAES.swift:36:36:36:36 | ecb | The initialization of the cipher 'ecb' uses the insecure ECB block mode from $@ | testAES.swift:32:12:32:16 | call to init() :  | call to init() |
+| testAES.swift:37:36:37:36 | ecb | testAES.swift:32:12:32:16 | call to init() :  | testAES.swift:37:36:37:36 | ecb | The initialization of the cipher 'ecb' uses the insecure ECB block mode from $@ | testAES.swift:32:12:32:16 | call to init() :  | call to init() |
+| testAES.swift:38:36:38:40 | call to init() | testAES.swift:38:36:38:40 | call to init() | testAES.swift:38:36:38:40 | call to init() | The initialization of the cipher 'call to init()' uses the insecure ECB block mode from $@ | testAES.swift:38:36:38:40 | call to init() | call to init() |
+| testAES.swift:39:36:39:40 | call to init() | testAES.swift:39:36:39:40 | call to init() | testAES.swift:39:36:39:40 | call to init() | The initialization of the cipher 'call to init()' uses the insecure ECB block mode from $@ | testAES.swift:39:36:39:40 | call to init() | call to init() |
+| testBlowfish.swift:36:41:36:41 | ecb | testBlowfish.swift:32:12:32:16 | call to init() :  | testBlowfish.swift:36:41:36:41 | ecb | The initialization of the cipher 'ecb' uses the insecure ECB block mode from $@ | testBlowfish.swift:32:12:32:16 | call to init() :  | call to init() |
+| testBlowfish.swift:37:41:37:45 | call to init() | testBlowfish.swift:37:41:37:45 | call to init() | testBlowfish.swift:37:41:37:45 | call to init() | The initialization of the cipher 'call to init()' uses the insecure ECB block mode from $@ | testBlowfish.swift:37:41:37:45 | call to init() | call to init() |

swift/ql/test/query-tests/Security/ECB-Encryption/ECBEncryption.qlref

@@ -0,0 +1 @@
+queries/Security/ECB-Encryption/ECBEncryption.ql

swift/ql/test/query-tests/Security/ECB-Encryption/testAES.swift

@@ -0,0 +1,45 @@
+
+// --- stubs ---
+
+// These stubs roughly follows the same structure as classes from CryptoSwift
+class AES
+{
+	init(key: Array<UInt8>, blockMode: BlockMode, padding: Padding) { }
+	init(key: Array<UInt8>, blockMode: BlockMode) { }
+}
+
+protocol BlockMode { }
+
+struct ECB: BlockMode { 
+	init() { }
+}
+
+struct CBC: BlockMode { 
+	init() { }
+}
+
+protocol PaddingProtocol { }
+
+enum Padding: PaddingProtocol {
+  case noPadding, zeroPadding, pkcs7, pkcs5, eme_pkcs1v15, emsa_pkcs1v15, iso78164, iso10126
+}
+
+
+// --- tests ---
+
+func test1() {
+	let key: Array<UInt8> = [0x2a, 0x3a, 0x80, 0x05, 0xaf, 0x46, 0x58, 0x2d, 0x66, 0x52, 0x10, 0xae, 0x86, 0xd3, 0x8e, 0x8f]
+	let ecb = ECB()
+	let cbc = CBC()
+	let padding = Padding.noPadding
+
+	let b1 = AES(key: key, blockMode: ecb, padding: padding) // BAD
+	let b2 = AES(key: key, blockMode: ecb) // BAD
+	let b3 = AES(key: key, blockMode: ECB(), padding: padding) // BAD
+	let b4 = AES(key: key, blockMode: ECB()) // BAD
+
+	let g1 = AES(key: key, blockMode: cbc, padding: padding) // GOOD
+	let g2 = AES(key: key, blockMode: cbc) // GOOD
+	let g3 = AES(key: key, blockMode: CBC(), padding: padding) // GOOD
+	let g4 = AES(key: key, blockMode: CBC()) // GOOD
+}

swift/ql/test/query-tests/Security/ECB-Encryption/testBlowfish.swift

@@ -0,0 +1,41 @@
+
+// --- stubs ---
+
+// These stubs roughly follows the same structure as classes from CryptoSwift
+class Blowfish
+{
+	init(key: Array<UInt8>, blockMode: BlockMode, padding: Padding) { }
+	init(key: Array<UInt8>, blockMode: BlockMode) { }
+}
+
+protocol BlockMode { }
+
+struct ECB: BlockMode { 
+	init() { }
+}
+
+struct CBC: BlockMode { 
+	init() { }
+}
+
+protocol PaddingProtocol { }
+
+enum Padding: PaddingProtocol {
+  case noPadding, zeroPadding, pkcs7, pkcs5, eme_pkcs1v15, emsa_pkcs1v15, iso78164, iso10126
+}
+
+
+// --- tests ---
+
+func test1() {
+	let key: Array<UInt8> = [0x2a, 0x3a, 0x80, 0x05, 0xaf, 0x46, 0x58, 0x2d, 0x66, 0x52, 0x10, 0xae, 0x86, 0xd3, 0x8e, 0x8f]
+	let ecb = ECB()
+	let cbc = CBC()
+	let padding = Padding.noPadding
+
+	let b1 = Blowfish(key: key, blockMode: ecb, padding: padding) // BAD
+	let b2 = Blowfish(key: key, blockMode: ECB(), padding: padding) // BAD
+
+	let g1 = Blowfish(key: key, blockMode: cbc, padding: padding) // GOOD
+	let g2 = Blowfish(key: key, blockMode: CBC(), padding: padding) // GOOD
+}