discover vulnerabilities with codeql boik su
play

Discover vulnerabilities with CodeQL Boik Su Security Researcher @ - PowerPoint PPT Presentation

Jun 16, 2023 •1.38k likes •2.1k views

Discover vulnerabilities with CodeQL Boik Su Security Researcher @ CyCraft CHROOTs member Programming lover qazbnm456 @boik_su Agenda Brief introduction to CodeQL CodeQLs Tricks Replicate CVEs to find you CVEs More

  1. Discover vulnerabilities with CodeQL

  2. Boik Su Security Researcher @ CyCraft CHROOT’s member Programming lover 🤔 qazbnm456 @boik_su

  3. Agenda • Brief introduction to CodeQL • CodeQL’s Tricks • Replicate CVEs to find you CVEs • More powerful pattern finder • Regression Tests • ClientDependency Massacre • Conclusion 3

  4. Agenda • Brief introduction to CodeQL • CodeQL’s Tricks • Replicate CVEs to find you CVEs • More powerful pattern finder • Regression Tests • ClientDependency Massacre • Conclusion 4

  5. Brief introduction to CodeQL CodeQL’s variant analysis and powerful analyzers 5

  6. How Semmle QL works Analysis Overview

  7. Analyses • CodeQL ships with extensive libraries to empower variant analysis • Static Analysis • Data Flow Analysis • Taint Analysis • CFG Analysis • Supported languages include C/C++, C#, Java, Javascript, Python and more 7

  8. Static Analysis • Find static things among the Snapshot Database • Fast and accurate to find flaws that don’t require complex requirements to meet • Hardcoded password strings, dangerous functions, etc

  9. Static Analysis • from Method m where m.getName() = "Execute" select m • from VariableAccess va where va.getTarget().getName().regexpMatch(“.*pass(wd|word|code).*”) select va.getTarget()

  10. Static Analysis

  11. Data Flow Analysis • DataFlow node carries a single value due to the value-preserving flow • Find out how things flow back and forth among data nodes • Baby steps to discovering intriguing paths

  12. Data Flow Analysis • from AspNetRemoteFlowSource remote, Method m, MethodCall mc where m.getDeclaringType().getABaseType().hasQualifiedName("System.Web.IHttpHandler") and m.isSourceDeclaration() and DataFlow::localFlow(remote, DataFlow::exprNode(mc.getAnArgument())) and mc.getEnclosingCallable() = m select m, mc

  13. Taint Analysis • DataFlow node carries a single value due to the value-preserving flow • Taint tracking extends data flow by including non-value-preserving flow steps • For example, • If x is a tainted string then y is also tainted

  14. Taint Analysis • class MyTaint extends TaintTracking::Configuration { MyTaint() { this = "…" } override predicate isSource(DataFlow::Node source) { … } override predicate isSink(DataFlow::Node sink) { … } } from MyTaint taint, DataFlow::Node source, DataFlow::Node sink where taint.hasFlow(source, sink) select source, “Dataflow to $@.”, sink, sink.getNode()

  15. CFG Analysis • A di ff erent program representation in terms of intraprocedural control flow graphs (CFGs) • Phrased in terms of basic blocks rather than single control flow nodes • I don’t see it being used often

  16. Agenda • Brief introduction to CodeQL • CodeQL’s Tricks • Replicate CVEs to find you CVEs • More powerful pattern finder • Regression Tests • ClientDependency Massacre • Conclusion 16

  17. Replicate CVEs to find you CVEs Model threats to find them somewhere else 17

  18. Why would we do this? • It’s because that some vulnerabilities were fixed by just mitigating reporters’ provided cases • By replicating these vulnerabilities by modeling with CodeQL, it’s possibly to find the same flaws through other paths • It’s also possible to find the same flaws from other projects or repositories • This is called “Variant Analysis”, the process of using a known vulnerability as a seed to find similar problems in other code bases

  19. Keybase hostname-validation regular expression • Look at these two regular expressions • '\.twitter\.com/([\\w]+)[/]?$' • '\.twitter\.com/[\\w]+[/]?$'

  20. Keybase hostname-validation regular expression • Look at these two regular expressions • '\.twitter\.com/([\\w]+)[/]?$' • '\.twitter\.com/[\\w]+[/]?$' • The issue stems from the fact that it use \. instead of \\. in these two regular expression

  21. Keybase hostname-validation regular expression

  22. Let’s model this flaw Step 1: Find all occurrence • from InvokeExpr c where c.getCalleeName() = "RegExp" select c Step 2: Find all occurrence with ".*" inside • from InvokeExpr c, StringLiteral s where c.getCalleeName() = "RegExp" and s.getStringValue().matches(“%.*%") and s.getEnclosingStmt() = c.getEnclosingStmt() select c

  23. Electron 1.2.2 - 4.2.12 Regular expression failure upon checking a website’s URL to activate the webExtension

  24. The Patch Escape correctly all special characters

  25. Umbraco CMS Local File Inclusion • The ClientDependency package, used by Umbraco, exposes the "DependencyHandler.axd" file in the root of the website • This file is used to combine and minify CSS and JavaScript files, which are supplied in a base64 encoded string • /DependencyHandler.axd? s=L3VtYnJhY28vbGliL2pxdWVyeS9qcXVlcnkubWluLmpz&t=Css&cdv=1 • /umbraco/lib/jquery/jquery.min.js

  26. Umbraco CMS Local File Inclusion

  27. Umbraco CMS Local File Inclusion • According to Umbraco Security Advisories, there are multiple times of LFI in ClientDependency • It’s a good target for Variant Analysis • Umbraco Forms seems to be a good target next

  28. Umbraco CMS Local File Inclusion GET /DependencyHandler.axd ?s=http://umbraco.example.com/web.config&t=Css&cdv=1

  29. Let’s model this flaw • In Asp.Net, it’s common to implement the IHttpHandler interface in order to intercept users’ requests • Therefore, those classes are good sources for us! • After reviewing the source code of ClientDependency, we know that the WriteFileToStream function is responsible for the vulnerability • Hence, this function is good sink

  30. Let’s model this flaw • Model two previous flaws with CodeQL • Then, pop up a new LFI issue within ClientDependency 1.8.2.1 - 1.9.8

  31. Let’s model this flaw • Model two previous flaws with CodeQL • Then, pop up a new LFI issue within ClientDependency 1.8.2.1 - 1.9.8 • Source Node

  32. Let’s model this flaw • Model two previous flaws with CodeQL • Then, pop up a new LFI issue within ClientDependency 1.8.2.1 - 1.9.8 • Sink Node

  33. Agenda • Brief introduction to CodeQL • CodeQL’s Tricks • Replicate CVEs to find you CVEs • More powerful pattern finder • Regression Tests • ClientDependency Massacre • Conclusion 33

  34. More powerful pattern finder Find something through semantics 34

  35. Pattern Finder • Method 1: Grep / Strings / Regular Expression • Method 2: UML Class Diagram • Method 3: CodeQL 35

  36. Grep / Strings / Regular Expression • Pros • Fast, e ffi cient and intuitive • Better to locate certain objects • Cons • Subject to non-relevant items having similar names • Hard to track back to the origins

  37. UML Class Diagram • Pros • Fast, e ffi cient and intuitive • Relational mappings • Cons • Performance degrades when code is complicated • Meanwhile, it becomes increasingly di ffi cult to keep track of all these relationships

  39. UML Class Diagram • CVE-2018-1000861 • RCE exists in the Stapler web framework used by Jenkins • Stapler staplers most objects to URLs • Use UML to find a good gadget to jump into the RCE chain

  40. UML Class Diagram • CVE-2018-1000861 • RCE exists in the Stapler web framework used by Jenkins • Stapler staplers most objects to URLs • Use UML to find a good gadget to jump into the RCE chain

  41. CodeQL • Pros • Cover even more general and tricky cases • Easy to maintain and good to be sustainable • Cons • Need professionals to enact patterns • Takes time to process and compute

  42. Umbraco CMS Local File Inclusion • CVE-2020-XXXX • Pre-Auth RCE if we can leak the machineKey • UmbracoEnsuredPage class is to initiate a pre-auth check of a user before the page is accessed • How do we find an easy-to-use breach to get RCE

  43. Unauthenticated Accessible Page The Umbraco Pages that you can access directly w/o authentication

  44. Umbraco CMS Local File Inclusion • CVE-2020-XXXX • Pre-Auth RCE if we can leak machineKey • UmbracoEnsuredPage class is to initiate a pre-auth check of a user before the page is accessed • How do we find an easy-to-use breach to get RCE • /umbraco/ping.aspx seems to be a good target

  45. Agenda • Brief introduction to CodeQL • CodeQL’s Tricks • Replicate CVEs to find you CVEs • More powerful pattern finder • Regression Tests • ClientDependency Massacre • Conclusion 45

  46. Regression Tests SSDLC adoption 46

  47. What’s SSDLC • SSDLC, aka S-SDLC, is the initialism of Secure Software Development Life Cycle • Simply put, add security activities to the system development lifecycle. Preferably in every phase of the SDLC, and formalized • Part of DevSecOps

  48. How to use CodeQL as Tests • Define common pitfalls with CodeQL by professionals • Hardcoded Strings, OOB access, etc • Public research and paper of Variant Analysis using CodeQL • Since it’s community-driven, lgtm has already provided a bunch of rules • It also provides rules specifically for security

  49. Client-side URL redirect Client-side URL redirection based on unvalidated user input may cause redirection to malicious web sites

  50. Untrusted XML is read insecurely Untrusted XML is read with an insecure resolver and DTD processing enabled

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Automatic Techniques to Systematically Discover New Heap Exploitation Primitives Ins Insu Yu

Automatic Techniques to Systematically Discover New Heap Exploitation Primitives Ins Insu Yu

Automatic Techniques to Systematically Discover New Heap Exploitation Primitives Ins Insu Yu Yun , Dhaval Kapil, and Taesoo Kim Georgia Institute of Technology 1 Heap vulnerabilities are the most common, yet serious security issues. %

387 views • 34 slides
Welcome tEa Session 14 14 Se Sept ptembe mber r 20 2020 20 Discover Victoria Discover

Welcome tEa Session 14 14 Se Sept ptembe mber r 20 2020 20 Discover Victoria Discover

Discover Victoria Discover You Direct School Admission Welcome tEa Session 14 14 Se Sept ptembe mber r 20 2020 20 Discover Victoria Discover You The Curriculum & Learning Experience Broad-Based Holistic

600 views • 33 slides
How Computers Discover How Computers Discover A Mini-Review of Algorithmic Meta-Discovery Filip

How Computers Discover How Computers Discover A Mini-Review of Algorithmic Meta-Discovery Filip

laboratory Gerstner Discover how to discover best How Computers Discover How Computers Discover A Mini-Review of Algorithmic Meta-Discovery Filip Zelezn y CVUT Prague, School of Electrical Engineering, Dept. of Cybernetics

214 views • 17 slides
DISCOVER RIM WASH SYSTEM WHAT IS DISCOVER? It is a new and innovative NO TOUCH rim wash

DISCOVER RIM WASH SYSTEM WHAT IS DISCOVER? It is a new and innovative NO TOUCH rim wash

DISCOVER RIM WASH SYSTEM WHAT IS DISCOVER? It is a new and innovative NO TOUCH rim wash system, capable of cleaning rims by distributing the product and washing at high pressure, without using a brush. FUNCTIONS DISCOVER can perform the

531 views • 10 slides
NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

1 NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2 Memory safety attacks Buffer overruns Format string vulnerabilities Web application vulnerabilities SQL injections Cross-site

901 views • 39 slides
vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

Security & Knowledge Management a.a. 2019/20 There are a set of sources that provide updated information about security vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration CAPEC,

197 views • 8 slides
Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different operating systems Different vendors Client and server systems Vendors try to correct Attackers try to exploit Security professionals must

620 views • 11 slides
Eco Tur Angola Discover Angola With Us ! www.eco-tur.com What do we do ? (1) Our

Eco Tur Angola Discover Angola With Us ! www.eco-tur.com What do we do ? (1) Our

Eco Tur Angola Discover Angola With Us ! www.eco-tur.com What do we do ? (1) Our primary aim is to facilitate and enable people in visiting the less explored beautiful side of Angola. = DISCOVER ! What do we do? (2) We also

986 views • 8 slides
Jonathan Pollet conference Part 1: Control System Vulnerabilities control system vulnerabilities

Jonathan Pollet conference Part 1: Control System Vulnerabilities control system vulnerabilities

Rome, May 31, 2011 Jonathan Pollet conference Part 1: Control System Vulnerabilities control system vulnerabilities > analysis of 5 years of field data Jonathan Pollet, CISSP , CAP , PCIP Red Tiger Security [on behalf of the DHS CSSP

413 views • 20 slides
HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel

HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel

HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel Angebault staphylo@lse.epita.fr http://lse.epita.fr/ July 18, 2013 Table

969 views • 57 slides
L u x u r y i s p e r s o n a l . Destination Discover Dubai D e s t i n a t i o n 11

L u x u r y i s p e r s o n a l . Destination Discover Dubai D e s t i n a t i o n 11

L u x u r y i s p e r s o n a l . Destination Discover Dubai D e s t i n a t i o n 11 Destination Discover Dubai Located on the Arabian Peninsula, Dubai is the natural meeting place at the crossroads of Europe, Asia and Africa, and a

444 views • 25 slides
TRENDS IN WEB VULNERABILITIES MICHEL CHAMBERLAND Introduction Agenda Introduction

TRENDS IN WEB VULNERABILITIES MICHEL CHAMBERLAND Introduction Agenda Introduction

TRENDS IN WEB VULNERABILITIES MICHEL CHAMBERLAND Introduction Agenda Introduction Session Goals Presenter and Trustwave SpiderLabs background Analysis Overview Data Source Most frequently found SEVERE vulnerabilities

907 views • 62 slides
The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

CS 640: Introduction to Computer Networks Aditya Akella Lecture 25 Network Security The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security Vulnerabilities Security Problems in the TCP/IP Protocol

1.29k views • 13 slides
SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities

SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities

SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities Yuan Xiao, Yinqian Zhang, Radu Teodorescu The Ohio State University SPEculative Execution side Channel Hardware (SPEECH) Vulnerabilities Leverage

512 views • 24 slides
Design Patterns Programmeertechnieken, Tim Cocx Discover the world at Leiden University Discover

Design Patterns Programmeertechnieken, Tim Cocx Discover the world at Leiden University Discover

Design Patterns Programmeertechnieken, Tim Cocx Discover the world at Leiden University Discover the world at Leiden University A nice interface example public class datastructure { public void temp(){ Collection<Object> someCollection

591 views • 44 slides
Modeling Programmeertechnieken, Tim Cocx Discover the world at Leiden University Discover the

Modeling Programmeertechnieken, Tim Cocx Discover the world at Leiden University Discover the

Modeling Programmeertechnieken, Tim Cocx Discover the world at Leiden University Discover the world at Leiden University Software development Lifecycle (Requirements) analysis: - Requirements gathering and description - Construction of

589 views • 57 slides
THEM : Kat Gupta REPRESENTATIONS OF University of Nottingham SUFFRAGISTS, @mixosaurus

THEM : Kat Gupta REPRESENTATIONS OF University of Nottingham SUFFRAGISTS, @mixosaurus

THE TAINT OF MILITANCY IS NOT UPON THEM : Kat Gupta REPRESENTATIONS OF University of Nottingham SUFFRAGISTS, @mixosaurus SUFFRAGETTES AND DIRECT ACTION IN THE TIMES , 1908-1914 WHY THE SUFFRAGE MOVEMENT? How a political movement was

844 views • 45 slides
Operating System Support for Application-Specific Speculation Benjamin Wester Peter Chen and

Operating System Support for Application-Specific Speculation Benjamin Wester Peter Chen and

Operating System Support for Application-Specific Speculation Benjamin Wester Peter Chen and Jason Flinn University of Michigan Speculative Execution TIME Sequential dependent tasks Predict A Predict results of Task A to break

589 views • 25 slides
Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes

Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes

Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes Overview 1 Airflows integration with Kubernetes 2 Deployment of Airflow on Kubernetes 3 Kubernetes Pod Operator and its benefits 4 DAG Development

2.79k views • 14 slides
SystemSupportforCustom SpeculationPolicies BenjaminWester,PeterM.Chen

SystemSupportforCustom SpeculationPolicies BenjaminWester,PeterM.Chen

SystemSupportforCustom SpeculationPolicies BenjaminWester,PeterM.Chen UniversityofMichigan SOSP2009 Overview App App Policy App Policy Speculation Infrastructure Mechanism

891 views • 5 slides
Abstraction via the OS Device Drivers Jonathan Misurda jmisurda@cs.pitt.edu Software Layers

Abstraction via the OS Device Drivers Jonathan Misurda jmisurda@cs.pitt.edu Software Layers

Abstraction via the OS Device Drivers Jonathan Misurda jmisurda@cs.pitt.edu Software Layers Device Drivers User User space program User User level I/O software & libraries Kernel space Device independent OS software Operating

765 views • 5 slides
Behavior-Based Detection The old way match syntactic signatures: One-to- one < 50%

Behavior-Based Detection The old way match syntactic signatures: One-to- one < 50%

Behavior-Based Detection The old way match syntactic signatures: One-to- one < 50% detection The new way examine underlying behavior: One-to- many 1 Specifying Behaviors NtOpenKey \CurrentVersion\Run NtDeleteValueKey

1.58k views • 102 slides
Dependence and Data Flow Models (c) 2007 Mauro Pezz & Michal Young Ch 6, slide 1 Why Data

Dependence and Data Flow Models (c) 2007 Mauro Pezz & Michal Young Ch 6, slide 1 Why Data

Dependence and Data Flow Models (c) 2007 Mauro Pezz & Michal Young Ch 6, slide 1 Why Data Flow Models? Why Data Flow Models? Models from Chapter 5 emphasized control Models from Chapter 5 emphasized control Control flow

375 views • 33 slides
Lua Code: Security Overview and Practical Approaches to Static Analysis Andrei Costin

Lua Code: Security Overview and Practical Approaches to Static Analysis Andrei Costin

IEEE SPW: LangSec'17 (San Jose, CA) Lua Code: Security Overview and Practical Approaches to Static Analysis Andrei Costin ancostin@jyu.fi, andrei@firmware.re University of Jyvaskyla, Finland Agenda Introduction Contributions

374 views • 23 slides

More recommend