Merge pull request #3663 from erik-krogh/bad-crypto

erik-krogh · web-flow · commit c9fc1a378d8b · 2020-06-12T11:32:12.000+02:00
JS: Introduce query to detect biased random number generators
diff --git a/javascript/ql/src/Security/CWE-327/BadRandomness.qhelp b/javascript/ql/src/Security/CWE-327/BadRandomness.qhelp
@@ -0,0 +1,36 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+	<overview>
+		<p>
+			Placeholder
+		</p>
+
+	</overview>
+	<recommendation>
+
+		<p>
+			Placeholder.
+		</p>
+
+	</recommendation>
+	<example>
+
+		<p>
+			Placeholder
+		</p>
+
+	</example>
+
+	<references>
+		<li>NIST, FIPS 140 Annex a: <a href="http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf"> Approved Security Functions</a>.</li>
+		<li>NIST, SP 800-131A: <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf"> Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths</a>.</li>
+		<li>OWASP: <a
+		href="https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption">Rule
+		- Use strong approved cryptographic algorithms</a>.
+		</li>
+		<li>Stack Overflow: <a href="https://stackoverflow.com/questions/3956478/understanding-randomness">Understanding “randomness”</a>.</li>
+	</references>
+
+</qhelp>
diff --git a/javascript/ql/src/Security/CWE-327/BadRandomness.ql b/javascript/ql/src/Security/CWE-327/BadRandomness.ql
@@ -0,0 +1,195 @@
+/**
+ * @name Creating biased random numbers from cryptographically secure source.
+ * @description Some mathematical operations on random numbers can cause bias in
+ *              the results and compromise security.
+ * @kind problem
+ * @problem.severity warning
+ * @precision high
+ * @id js/biased-cryptographic-random
+ * @tags security
+ *       external/cwe/cwe-327
+ */
+
+import javascript
+private import semmle.javascript.dataflow.internal.StepSummary
+private import semmle.javascript.security.dataflow.InsecureRandomnessCustomizations
+private import semmle.javascript.dataflow.InferredTypes
+
+/**
+ * Gets a number that is a power of 2.
+ */
+private int powerOfTwo() {
+  result = 1
+  or
+  result = 2 * powerOfTwo() and
+  not result < 0
+}
+
+/**
+ * Gets a node that has value 2^n for some n.
+ */
+private DataFlow::Node isPowerOfTwo() {
+  exists(DataFlow::Node prev |
+    prev.getIntValue() = powerOfTwo()
+    or
+    // Getting around the 32 bit ints in QL. These are some hex values of the form 0x10000000
+    prev.asExpr().(NumberLiteral).getValue() =
+      ["281474976710656", "17592186044416", "1099511627776", "68719476736", "4294967296"]
+  |
+    result = prev.getASuccessor*()
+  )
+}
+
+/**
+ * Gets a node that has value (2^n)-1 for some n.
+ */
+private DataFlow::Node isPowerOfTwoMinusOne() {
+  exists(DataFlow::Node prev |
+    prev.getIntValue() = powerOfTwo() - 1
+    or
+    // Getting around the 32 bit ints in QL. These are some hex values of the form 0xfffffff
+    prev.asExpr().(NumberLiteral).getValue() =
+      ["281474976710655", "17592186044415", "1099511627775", "68719476735", "4294967295"]
+  |
+    result = prev.getASuccessor*()
+  )
+}
+
+/**
+ * Gets a Buffer/TypedArray containing cryptographically secure random numbers.
+ */
+private DataFlow::SourceNode randomBufferSource() {
+  result = DataFlow::moduleMember("crypto", ["randomBytes", "randomFillSync"]).getACall()
+  or
+  exists(DataFlow::CallNode call |
+    call = DataFlow::moduleMember("crypto", ["randomFill", "randomFillSync"]) and
+    result = call.getArgument(0).getALocalSource()
+  )
+  or
+  result = DataFlow::globalVarRef("crypto").getAMethodCall("getRandomValues")
+  or
+  result = DataFlow::moduleImport("secure-random").getACall()
+  or
+  result =
+    DataFlow::moduleImport("secure-random")
+        .getAMethodCall(["randomArray", "randomUint8Array", "randomBuffer"])
+}
+
+/**
+ * Gets the pseudo-property used to track elements inside a Buffer.
+ * The API for `Set` is close enough to the API for `Buffer` that we can reuse the type-tracking steps.
+ */
+private string prop() { result = DataFlow::PseudoProperties::setElement() }
+
+/**
+ * Gets a reference to a cryptographically secure random number produced by `source` and type tracked using `t`.
+ */
+private DataFlow::Node goodRandom(DataFlow::TypeTracker t, DataFlow::SourceNode source) {
+  t.startInProp(prop()) and
+  result = randomBufferSource() and
+  result = source
+  or
+  // Loading a number from a `Buffer`.
+  exists(DataFlow::TypeTracker t2 | t = t2.append(LoadStep(prop())) |
+    // the random generators return arrays/Buffers of random numbers, we therefore track through an indexed read.
+    exists(DataFlow::PropRead read | result = read |
+      read.getBase() = goodRandom(t2, source) and
+      not read.getPropertyNameExpr() instanceof Label
+    )
+    or
+    // reading a number from a Buffer.
+    exists(DataFlow::MethodCallNode call | result = call |
+      call.getReceiver() = goodRandom(t2, source) and
+      call
+          .getMethodName()
+          .regexpMatch("read(BigInt|BigUInt|Double|Float|Int|UInt)(8|16|32|64)?(BE|LE)?")
+    )
+  )
+  or
+  exists(DataFlow::TypeTracker t2 | t = t2.smallstep(goodRandom(t2, source), result))
+  or
+  // re-using the collection steps for `Set`.
+  exists(DataFlow::TypeTracker t2 |
+    result = CollectionsTypeTracking::collectionStep(goodRandom(t2, source), t, t2)
+  )
+  or
+  InsecureRandomness::isAdditionalTaintStep(goodRandom(t.continue(), source), result) and
+  // bit shifts and multiplication by powers of two are generally used for constructing larger numbers from smaller numbers.
+  not exists(BinaryExpr binop | binop = result.asExpr() |
+    binop.getOperator().regexpMatch(".*(<|>).*")
+    or
+    binop.getOperator() = "*" and isPowerOfTwo().asExpr() = binop.getAnOperand()
+    or
+    // string concat does not produce a number
+    unique(InferredType type | type = binop.flow().analyze().getAType()) = TTString()
+  )
+}
+
+/**
+ * Gets a reference to a cryptographically secure random number produced by `source`.
+ */
+DataFlow::Node goodRandom(DataFlow::SourceNode source) {
+  result = goodRandom(DataFlow::TypeTracker::end(), source)
+}
+
+/**
+ * Gets a node that that produces a biased result from otherwise cryptographically secure random numbers produced by `source`.
+ */
+DataFlow::Node badCrypto(string description, DataFlow::SourceNode source) {
+  // addition and multiplication - always bad when both the lhs and rhs are random.
+  exists(BinaryExpr binop | result.asExpr() = binop |
+    goodRandom(_).asExpr() = binop.getLeftOperand() and
+    goodRandom(_).asExpr() = binop.getRightOperand() and
+    goodRandom(source).asExpr() = binop.getAnOperand() and
+    (
+      binop.getOperator() = "+" and description = "addition"
+      or
+      binop.getOperator() = "*" and description = "multiplication"
+    )
+  )
+  or
+  // division - bad if result is rounded.
+  exists(DivExpr div | result.asExpr() = div |
+    goodRandom(source).asExpr() = div.getLeftOperand() and
+    description = "division and rounding the result" and
+    not div.getRightOperand() = isPowerOfTwoMinusOne().asExpr() and // division by (2^n)-1 most of the time produces a uniformly random number between 0 and 1.
+    DataFlow::globalVarRef("Math")
+        .getAMemberCall(["round", "floor", "ceil"])
+        .getArgument(0)
+        .asExpr() = div
+  )
+  or
+  // modulo - only bad if not by a power of 2 - and the result is not checked for bias
+  exists(ModExpr mod, DataFlow::Node random | result.asExpr() = mod and mod.getOperator() = "%" |
+    description = "modulo" and
+    goodRandom(source) = random and
+    random.asExpr() = mod.getLeftOperand() and
+    // division by a power of 2 is OK. E.g. if `x` is uniformly random is in the range [0..255] then `x % 32` is uniformly random in the range [0..31].
+    not mod.getRightOperand() = isPowerOfTwo().asExpr() and
+    // not exists a comparison that checks if the result is potentially biased.
+    not exists(BinaryExpr comparison | comparison.getOperator() = [">", "<", "<=", ">="] |
+      AccessPath::getAnAliasedSourceNode(random.getALocalSource())
+          .flowsToExpr(comparison.getAnOperand())
+      or
+      exists(DataFlow::PropRead otherRead |
+        otherRead = random.(DataFlow::PropRead).getBase().getALocalSource().getAPropertyRead() and
+        not exists(otherRead.getPropertyName()) and
+        otherRead.flowsToExpr(comparison.getAnOperand())
+      )
+    )
+  )
+  or
+  // create a number from a string - always a bad idea.
+  exists(DataFlow::CallNode number, StringOps::ConcatenationRoot root | result = number |
+    number = DataFlow::globalVarRef(["Number", "parseInt", "parseFloat"]).getACall() and
+    root = number.getArgument(0) and
+    goodRandom(source) = root.getALeaf() and
+    exists(root.getALeaf().getStringValue()) and
+    description = "string concatenation"
+  )
+}
+
+from DataFlow::Node node, string description, DataFlow::SourceNode source
+where node = badCrypto(description, source)
+select node, "Using " + description + " on a $@ produces biased results.", source,
+  "cryptographically secure random number"
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/InsecureRandomness.qll b/javascript/ql/src/semmle/javascript/security/dataflow/InsecureRandomness.qll
@@ -36,16 +36,7 @@ module InsecureRandomness {
     }
 
     override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-      // Assume that all operations on tainted values preserve taint: crypto is hard
-      succ.asExpr().(BinaryExpr).getAnOperand() = pred.asExpr()
-      or
-      succ.asExpr().(UnaryExpr).getOperand() = pred.asExpr()
-      or
-      exists(DataFlow::MethodCallNode mc |
-        mc = DataFlow::globalVarRef("Math").getAMemberCall(_) and
-        pred = mc.getAnArgument() and
-        succ = mc
-      )
+      InsecureRandomness::isAdditionalTaintStep(pred, succ)
     }
   }
 }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/InsecureRandomnessCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/InsecureRandomnessCustomizations.qll
@@ -78,4 +78,20 @@ module InsecureRandomness {
   class CryptoKeySink extends Sink {
     CryptoKeySink() { this instanceof CryptographicKey }
   }
+
+  /**
+   * Holds if the step `pred` -> `succ` is an additional taint-step for random values that are not cryptographically secure.
+   */
+  predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    // Assume that all operations on tainted values preserve taint: crypto is hard
+    succ.asExpr().(BinaryExpr).getAnOperand() = pred.asExpr()
+    or
+    succ.asExpr().(UnaryExpr).getOperand() = pred.asExpr()
+    or
+    exists(DataFlow::MethodCallNode mc |
+      mc = DataFlow::globalVarRef("Math").getAMemberCall(_) and
+      pred = mc.getAnArgument() and
+      succ = mc
+    )
+  }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-327/BadRandomness.expected b/javascript/ql/test/query-tests/Security/CWE-327/BadRandomness.expected
@@ -0,0 +1,15 @@
+| bad-random.js:3:11:3:61 | crypto. ... s(1)[0] | Using addition on a $@ produces biased results. | bad-random.js:3:11:3:31 | crypto. ... ytes(1) | cryptographically secure random number |
+| bad-random.js:3:11:3:61 | crypto. ... s(1)[0] | Using addition on a $@ produces biased results. | bad-random.js:3:38:3:58 | crypto. ... ytes(1) | cryptographically secure random number |
+| bad-random.js:4:11:4:61 | crypto. ... s(1)[0] | Using multiplication on a $@ produces biased results. | bad-random.js:4:11:4:31 | crypto. ... ytes(1) | cryptographically secure random number |
+| bad-random.js:4:11:4:61 | crypto. ... s(1)[0] | Using multiplication on a $@ produces biased results. | bad-random.js:4:38:4:58 | crypto. ... ytes(1) | cryptographically secure random number |
+| bad-random.js:9:28:9:43 | buffer[i] / 25.6 | Using division and rounding the result on a $@ produces biased results. | bad-random.js:6:16:6:40 | crypto. ... (bytes) | cryptographically secure random number |
+| bad-random.js:11:17:11:31 | buffer[i] % 100 | Using modulo on a $@ produces biased results. | bad-random.js:6:16:6:40 | crypto. ... (bytes) | cryptographically secure random number |
+| bad-random.js:14:11:14:63 | Number( ... (0, 3)) | Using string concatenation on a $@ produces biased results. | bad-random.js:14:25:14:45 | crypto. ... ytes(3) | cryptographically secure random number |
+| bad-random.js:73:32:73:42 | byte / 25.6 | Using division and rounding the result on a $@ produces biased results. | bad-random.js:70:20:70:44 | crypto. ... (bytes) | cryptographically secure random number |
+| bad-random.js:75:21:75:30 | byte % 100 | Using modulo on a $@ produces biased results. | bad-random.js:70:20:70:44 | crypto. ... (bytes) | cryptographically secure random number |
+| bad-random.js:81:11:81:51 | secureR ... (10)[0] | Using addition on a $@ produces biased results. | bad-random.js:81:11:81:26 | secureRandom(10) | cryptographically secure random number |
+| bad-random.js:81:11:81:51 | secureR ... (10)[0] | Using addition on a $@ produces biased results. | bad-random.js:81:33:81:48 | secureRandom(10) | cryptographically secure random number |
+| bad-random.js:85:11:85:35 | goodRan ... Random2 | Using addition on a $@ produces biased results. | bad-random.js:83:23:83:38 | secureRandom(10) | cryptographically secure random number |
+| bad-random.js:85:11:85:35 | goodRan ... Random2 | Using addition on a $@ produces biased results. | bad-random.js:84:23:84:38 | secureRandom(10) | cryptographically secure random number |
+| bad-random.js:87:16:87:24 | bad + bad | Using addition on a $@ produces biased results. | bad-random.js:83:23:83:38 | secureRandom(10) | cryptographically secure random number |
+| bad-random.js:87:16:87:24 | bad + bad | Using addition on a $@ produces biased results. | bad-random.js:84:23:84:38 | secureRandom(10) | cryptographically secure random number |
diff --git a/javascript/ql/test/query-tests/Security/CWE-327/BadRandomness.qlref b/javascript/ql/test/query-tests/Security/CWE-327/BadRandomness.qlref
@@ -0,0 +1 @@
+Security/CWE-327/BadRandomness.ql
diff --git a/javascript/ql/test/query-tests/Security/CWE-327/bad-random.js b/javascript/ql/test/query-tests/Security/CWE-327/bad-random.js

Original file line number	Diff line number	Diff line change
`@@ -36,16 +36,7 @@ module InsecureRandomness {`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {`
`39`		`- // Assume that all operations on tainted values preserve taint: crypto is hard`
`40`		`- succ.asExpr().(BinaryExpr).getAnOperand() = pred.asExpr()`
`41`		`- or`
`42`		`- succ.asExpr().(UnaryExpr).getOperand() = pred.asExpr()`
`43`		`- or`
`44`		`- exists(DataFlow::MethodCallNode mc \|`
`45`		`- mc = DataFlow::globalVarRef("Math").getAMemberCall(_) and`
`46`		`- pred = mc.getAnArgument() and`
`47`		`- succ = mc`
`48`		`- )`
	`39`	`+ InsecureRandomness::isAdditionalTaintStep(pred, succ)`
`49`	`40`	`}`
`50`	`41`	`}`
`51`	`42`	`}`