Merge pull request #9636 from michaelnebel/csharp/sinkmodelcsv

C#: Convert Sinks to CSV format for SymmetricAlgorithm.

Author: michaelnebel

csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll

@@ -377,6 +377,7 @@ module CsvValidation {
     exists(string row, string kind | sinkModel(row) |
       kind = row.splitAt(";", 7) and
       not kind = ["code", "sql", "xss", "remote", "html"] and
+      not kind.matches("encryption-%") and
       msg = "Invalid kind \"" + kind + "\" in sink model."
     )
     or

csharp/ql/lib/semmle/code/csharp/frameworks/system/security/Cryptography.qll

@@ -42,3 +42,23 @@ private class SystemSecurityCryptographyOidCollectionFlowModelCsv extends Summar
       ]
   }
 }
+
+/** Sinks for `System.Security.Cryptography`. */
+private class SystemSecurityCryptographySinkModelCsv extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "System.Security.Cryptography;SymmetricAlgorithm;true;CreateEncryptor;(System.Byte[],System.Byte[]);;Argument[0];encryption-encryptor;manual",
+        "System.Security.Cryptography;SymmetricAlgorithm;true;CreateDecryptor;(System.Byte[],System.Byte[]);;Argument[0];encryption-decryptor;manual",
+        "System.Security.Cryptography;SymmetricAlgorithm;true;set_Key;(System.Byte[]);;Argument[0];encryption-keyprop;manual",
+      ]
+  }
+}
+
+/** Sinks for `Windows.Security.Cryptography.Core`. */
+private class WindowsSecurityCryptographyCoreSinkModelCsv extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      "Windows.Security.Cryptography.Core;SymmetricKeyAlgorithmProvider;false;CreateSymmetricKey;(Windows.Storage.Streams.IBuffer);;Argument[0];encryption-symmetrickey;manual"
+  }
+}

csharp/ql/lib/semmle/code/csharp/security/cryptography/HardcodedSymmetricEncryptionKey.qll

@@ -4,6 +4,7 @@
  */
 
 import csharp
+private import semmle.code.csharp.dataflow.ExternalFlow
 
 module HardcodedSymmetricEncryptionKey {
   private import semmle.code.csharp.frameworks.system.security.cryptography.SymmetricAlgorithm
@@ -38,45 +39,20 @@ module HardcodedSymmetricEncryptionKey {
     StringLiteralSource() { this.asExpr() instanceof StringLiteral }
   }
 
-  private class SymmetricEncryptionKeyPropertySink extends Sink {
-    SymmetricEncryptionKeyPropertySink() {
-      this.asExpr() = any(SymmetricAlgorithm sa).getKeyProperty().getAnAssignedValue()
-    }
-
-    override string getDescription() { result = "'Key' property assignment" }
-  }
-
-  private class SymmetricEncryptionCreateEncryptorSink extends Sink {
-    SymmetricEncryptionCreateEncryptorSink() {
-      exists(SymmetricAlgorithm ag, MethodCall mc | mc = ag.getASymmetricEncryptor() |
-        this.asExpr() = mc.getArgumentForName("rgbKey")
-      )
-    }
-
-    override string getDescription() { result = "Encryptor(rgbKey, IV)" }
-  }
+  private class SymmetricAlgorithmSink extends Sink {
+    private string kind;
 
-  private class SymmetricEncryptionCreateDecryptorSink extends Sink {
-    SymmetricEncryptionCreateDecryptorSink() {
-      exists(SymmetricAlgorithm ag, MethodCall mc | mc = ag.getASymmetricDecryptor() |
-        this.asExpr() = mc.getArgumentForName("rgbKey")
-      )
-    }
+    SymmetricAlgorithmSink() { sinkNode(this, kind) and kind.matches("encryption%") }
 
-    override string getDescription() { result = "Decryptor(rgbKey, IV)" }
-  }
-
-  private class CreateSymmetricKeySink extends Sink {
-    CreateSymmetricKeySink() {
-      exists(MethodCall mc, Method m |
-        mc.getTarget() = m and
-        m.hasQualifiedName("Windows.Security.Cryptography.Core.SymmetricKeyAlgorithmProvider",
-          "CreateSymmetricKey") and
-        this.asExpr() = mc.getArgumentForName("keyMaterial")
-      )
+    override string getDescription() {
+      kind = "encryption-encryptor" and result = "Encryptor(rgbKey, IV)"
+      or
+      kind = "encryption-decryptor" and result = "Decryptor(rgbKey, IV)"
+      or
+      kind = "encryption-symmetrickey" and result = "CreateSymmetricKey(IBuffer keyMaterial)"
+      or
+      kind = "encryption-keyprop" and result = "'Key' property assignment"
     }
-
-    override string getDescription() { result = "CreateSymmetricKey(IBuffer keyMaterial)" }
   }
 
   private class CryptographicBuffer extends Class {

csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.cs

@@ -46,13 +46,36 @@ static void Main(string[] args)
             // GOOD (this function hashes password)
             var de = DecryptWithPassword(ct, c, iv);
 
+            // BAD: hard-coded password passed to Decrypt
+            var de1 = Decrypt(ct, c, iv);
+
             // BAD [NOT DETECTED]
             CreateCryptographicKey(null, byteArrayFromString);
 
             // GOOD
             CreateCryptographicKey(null, File.ReadAllBytes("secret.key"));
         }
 
+        public static string Decrypt(byte[] cipherText, byte[] password, byte[] IV)
+        {
+            byte[] rawPlaintext;
+            var salt = new byte[] { 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 };
+
+            using (Aes aes = new AesManaged())
+            {
+                using (MemoryStream ms = new MemoryStream())
+                {
+                    using (CryptoStream cs = new CryptoStream(ms, aes.CreateDecryptor(password, IV), CryptoStreamMode.Write))
+                    {
+                        cs.Write(cipherText, 0, cipherText.Length);
+                    }
+                    rawPlaintext = ms.ToArray();
+                }
+
+                return Encoding.Unicode.GetString(rawPlaintext);
+            }
+        }
+
         public static string DecryptWithPassword(byte[] cipherText, byte[] password, byte[] IV)
         {
             byte[] rawPlaintext;

csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.expected

@@ -1,6 +1,7 @@
 | HardcodedSymmetricEncryptionKey.cs:17:21:17:97 | array creation of type Byte[] | Hard-coded symmetric $@ is used in symmetric algorithm in Key property assignment | HardcodedSymmetricEncryptionKey.cs:17:21:17:97 | array creation of type Byte[] | key |
 | HardcodedSymmetricEncryptionKey.cs:22:23:22:99 | array creation of type Byte[] | Hard-coded symmetric $@ is used in symmetric algorithm in Key property assignment | HardcodedSymmetricEncryptionKey.cs:22:23:22:99 | array creation of type Byte[] | key |
 | HardcodedSymmetricEncryptionKey.cs:31:21:31:21 | access to local variable d | Hard-coded symmetric $@ is used in symmetric algorithm in Key property assignment | HardcodedSymmetricEncryptionKey.cs:25:21:25:97 | array creation of type Byte[] | key |
-| HardcodedSymmetricEncryptionKey.cs:85:23:85:25 | access to parameter key | Hard-coded symmetric $@ is used in symmetric algorithm in Key property assignment | HardcodedSymmetricEncryptionKey.cs:25:21:25:97 | array creation of type Byte[] | key |
-| HardcodedSymmetricEncryptionKey.cs:98:87:98:89 | access to parameter key | Hard-coded symmetric $@ is used in symmetric algorithm in Encryptor(rgbKey, IV) | HardcodedSymmetricEncryptionKey.cs:25:21:25:97 | array creation of type Byte[] | key |
-| HardcodedSymmetricEncryptionKey.cs:98:87:98:89 | access to parameter key | Hard-coded symmetric $@ is used in symmetric algorithm in Encryptor(rgbKey, IV) | HardcodedSymmetricEncryptionKey.cs:28:62:28:115 | "Hello, world: here is a very bad way to create a key" | key |
+| HardcodedSymmetricEncryptionKey.cs:68:87:68:94 | access to parameter password | Hard-coded symmetric $@ is used in symmetric algorithm in Decryptor(rgbKey, IV) | HardcodedSymmetricEncryptionKey.cs:25:21:25:97 | array creation of type Byte[] | key |
+| HardcodedSymmetricEncryptionKey.cs:108:23:108:25 | access to parameter key | Hard-coded symmetric $@ is used in symmetric algorithm in Key property assignment | HardcodedSymmetricEncryptionKey.cs:25:21:25:97 | array creation of type Byte[] | key |
+| HardcodedSymmetricEncryptionKey.cs:121:87:121:89 | access to parameter key | Hard-coded symmetric $@ is used in symmetric algorithm in Encryptor(rgbKey, IV) | HardcodedSymmetricEncryptionKey.cs:25:21:25:97 | array creation of type Byte[] | key |
+| HardcodedSymmetricEncryptionKey.cs:121:87:121:89 | access to parameter key | Hard-coded symmetric $@ is used in symmetric algorithm in Encryptor(rgbKey, IV) | HardcodedSymmetricEncryptionKey.cs:28:62:28:115 | "Hello, world: here is a very bad way to create a key" | key |