From f459b890019475696517f86751f7b3754c558442 Mon Sep 17 00:00:00 2001
From: root
Date: Wed, 6 Apr 2022 23:08:41 -0400
Subject: [PATCH 01/41] Java: Timing attack
---
.../Security/CWE/CWE-208/SafeComparison.java | 5 ++
.../TimingAttackAgainstSensitiveInfo.qhelp | 45 +++++++++++
.../TimingAttackAgainstSensitiveInfo.ql | 81 +++++++++++++++++++
.../CWE/CWE-208/UnsafeComparison.java | 5 ++
.../Test.java | 17 ++++
.../TimingAttackAgainstSensitiveInfo.expected | 8 ++
.../TimingAttackAgainstSensitiveInfo.qlref | 1 +
7 files changed, 162 insertions(+)
create mode 100644 java/ql/src/experimental/Security/CWE/CWE-208/SafeComparison.java
create mode 100644 java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.qhelp
create mode 100644 java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.ql
create mode 100644 java/ql/src/experimental/Security/CWE/CWE-208/UnsafeComparison.java
create mode 100644 java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSensitiveInfo/Test.java
create mode 100644 java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.expected
create mode 100644 java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.qlref
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/SafeComparison.java b/java/ql/src/experimental/Security/CWE/CWE-208/SafeComparison.java
new file mode 100644
index 000000000000..cd2e580bd237
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/SafeComparison.java
@@ -0,0 +1,5 @@
+private boolean safeComparison(String pwd, HttpServletRequest request) {
+ String password = request.getParameter("password");
+ return MessageDigest.isEqual(password.getBytes(StandardCharsets.UTF_8), pwd.getBytes(StandardCharsets.UTF_8));
+}
+
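Review bot: `password` is null whenever the request carries no `password` parameter, so `password.getBytes(StandardCharsets.UTF_8)` on the following line throws a NullPointerException before `MessageDigest.isEqual` runs, and that is in the snippet the qhelp presents as the safe version. A guard after the lookup, `if (password == null) return false;`, keeps the example correct for the missing-parameter case. Test.java in this patch repeats the same two lines in its `safeComparison`, though as a CodeQL fixture that copy can stay as it is.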
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.qhelp b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.qhelp
new file mode 100644
index 000000000000..f426804b2cc3
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.qhelp
@@ -0,0 +1,45 @@
+
+
+
+
+
+A constant-time algorithm should be used for checking the value of sensitive info.
+In other words, the comparison time should not depend on the content of the input.
+Otherwise timing information could be used to infer the info's expected, secret value.
+
+
+
+
+
+
+Use MessageDigest.isEqual() method to check the value of sensitive info.
+If this method is used, then the calculation time depends only on the length of input byte arrays,
+and does not depend on the contents of the arrays.
+
+
+
+
+The following example uses String.equals() method for validating a password.
+This method implements a non-constant-time algorithm:
+
+
+
+
+The next example uses a safe constant-time algorithm for validating a password:
+
+
+
+
+
+
+ Wikipedia:
+ Timing attack.
+
+
+
+ Java API Specification:
+ MessageDigest.isEqual() method
+
+
+
+
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.ql b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.ql
new file mode 100644
index 000000000000..38b6b9e247fd
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.ql
@@ -0,0 +1,81 @@
+/**
+ * @name Timing attack against sensitive info
+ * @description Use of a non-constant-time verification routine to check the value of an sensitive info,
+ * possibly allowing a timing attack to infer the info's expected value.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/timing-attack-against-sensitive-info
+ * @tags security
+ * external/cwe/cwe-208
+ */
+
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking
+import DataFlow::PathGraph
+
+private string suspicious() {
+ result =
+ [
+ "%password%", "%passwd%", "%pwd%", "%refresh%token%", "%secret%token", "%secret%key",
+ "%passcode%", "%passphrase%", "%token%", "%secret%", "%credential%", "%key%"
+ ]
+}
+
+/** A variable that may hold sensitive information, judging by its name. * */
+class CredentialExpr extends Expr {
+ CredentialExpr() {
+ exists(Variable v | this = v.getAnAccess() |
+ v.getName().toLowerCase().matches(suspicious()) and
+ not v.isFinal()
+ )
+ }
+}
+
+/** Methods that use a non-constant-time algorithm for comparing inputs. */
+private class NonConstantTimeEqualsCall extends MethodAccess {
+ NonConstantTimeEqualsCall() {
+ this.getMethod()
+ .hasQualifiedName("java.lang", "String", ["equals", "contentEquals", "equalsIgnoreCase"]) or
+ this.getMethod().hasQualifiedName("java.nio", "ByteBuffer", ["equals", "compareTo"])
+ }
+}
+
+/** A static method that uses a non-constant-time algorithm for comparing inputs. */
+private class NonConstantTimeComparisonCall extends StaticMethodAccess {
+ NonConstantTimeComparisonCall() {
+ this.getMethod().hasQualifiedName("java.util", "Arrays", ["equals", "deepEquals"]) or
+ this.getMethod().hasQualifiedName("java.util", "Objects", "deepEquals") or
+ this.getMethod()
+ .hasQualifiedName("org.apache.commons.lang3", "StringUtils",
+ ["equals", "equalsAny", "equalsAnyIgnoreCase", "equalsIgnoreCase"])
+ }
+}
+
+private predicate isNonConstantEqualsCallArgument(Expr e) {
+ exists(NonConstantTimeEqualsCall call | e = [call.getQualifier(), call.getArgument(0)])
+}
+
+private predicate isNonConstantComparisonCallArgument(Expr p) {
+ exists(NonConstantTimeComparisonCall call | p = [call.getArgument(0), call.getArgument(1)])
+}
+
+class NonConstantTimeComparisonConfig extends TaintTracking::Configuration {
+ NonConstantTimeComparisonConfig() { this = "NonConstantTimeComparisonConfig" }
+
+ override predicate isSource(DataFlow::Node source) {
+ source.asExpr() instanceof CredentialExpr
+ }
+
+ override predicate isSink(DataFlow::Node sink) {
+ isNonConstantEqualsCallArgument(sink.asExpr()) or
+ isNonConstantComparisonCallArgument(sink.asExpr())
+ }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, NonConstantTimeComparisonConfig conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Possible timing attack against $@ validation.",
+ source.getNode()
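Review bot: The `suspicious()` list contains `"%key%"`, which matches any lowercased variable name containing `key` (`keyboard`, `monkey`, `mapKey`), so the `CredentialExpr` source is likely to be far noisier than the `@precision high` metadata promises; several entries are also redundant, since `"%token%"` already covers `"%refresh%token%"` and `"%secret%"` covers `"%secret%token"` and `"%secret%key"`. Because `isSource` and `isSink` both hold on the same bare variable access, the reported path collapses to a single node and a comparison is reported once per credential-named operand — the `.expected` file in this patch lists two alerts for the one `password.equals(pwd)` call. Reporting the comparison call itself, or restricting the sink to one operand, would give one alert per comparison. The `@description` also reads `an sensitive info`; `Use of a non-constant-time routine to check the value of sensitive information, possibly allowing a timing attack to infer its expected value.` reads better.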
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/UnsafeComparison.java b/java/ql/src/experimental/Security/CWE/CWE-208/UnsafeComparison.java
new file mode 100644
index 000000000000..d4e2442f4e21
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/UnsafeComparison.java
@@ -0,0 +1,5 @@
+private boolean UnsafeComparison(String pwd, HttpServletRequest request) {
+ String password = request.getParameter("password");
+ return password.equals(pwd);
+}
+
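Review bot: The method name `UnsafeComparison` is UpperCamelCase, which reads as a class name in Java, while the companion snippet uses `safeComparison`; for consistency this should be `private boolean unsafeComparison(String pwd, HttpServletRequest request) {`. Test.java in the same patch declares the same `UnsafeComparison` name and would want the same rename; the `.expected` file only references expression positions and labels, so it is unaffected by the method name.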
diff --git a/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSensitiveInfo/Test.java b/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSensitiveInfo/Test.java
new file mode 100644
index 000000000000..d7a0346f38e2
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSensitiveInfo/Test.java
@@ -0,0 +1,17 @@
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.lang.String;
+import javax.servlet.http.HttpServletRequest;
+
+public class Test {
+ private boolean UnsafeComparison(String pwd, HttpServletRequest request) {
+ String password = request.getParameter("password");
+ return password.equals(pwd);
+ }
+
+ private boolean safeComparison(String pwd, HttpServletRequest request) {
+ String password = request.getParameter("password");
+ return MessageDigest.isEqual(password.getBytes(StandardCharsets.UTF_8), pwd.getBytes(StandardCharsets.UTF_8));
+ }
+
+}
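Review bot: The fixture only exercises `String.equals`, while the query also sinks `String.equalsIgnoreCase`/`contentEquals`, `ByteBuffer.equals`/`compareTo`, `Arrays.equals`/`deepEquals`, `Objects.deepEquals` and the `StringUtils` overloads, none of which appear here, so the `.expected` file cannot catch a regression in those sink definitions. One method per sink family, for example `return Arrays.equals(password.getBytes(StandardCharsets.UTF_8), pwd.getBytes(StandardCharsets.UTF_8));`, would pin them. `import java.lang.String;` is redundant because `java.lang` is imported implicitly and can be dropped.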
diff --git a/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.expected b/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.expected
new file mode 100644
index 000000000000..f0f65cdffc4c
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.expected
@@ -0,0 +1,8 @@
+edges
+nodes
+| Test.java:10:16:10:23 | password | semmle.label | password |
+| Test.java:10:32:10:34 | pwd | semmle.label | pwd |
+subpaths
+#select
+| Test.java:10:16:10:23 | password | Test.java:10:16:10:23 | password | Test.java:10:16:10:23 | password | Possible timing attack against $@ validation. | Test.java:10:16:10:23 | password |
+| Test.java:10:32:10:34 | pwd | Test.java:10:32:10:34 | pwd | Test.java:10:32:10:34 | pwd | Possible timing attack against $@ validation. | Test.java:10:32:10:34 | pwd |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.qlref b/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.qlref
new file mode 100644
index 000000000000..c6d983ebaf5d
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.ql
From 419be88fbd91e074c3e1075f5c41d20a7dca4ee7 Mon Sep 17 00:00:00 2001
From: Ahmed Farid <53880570+ahmed-farid-dev@users.noreply.github.com>
Date: Thu, 26 May 2022 01:37:49 +0100
Subject: [PATCH 02/41] Update TimingAttackAgainstSensitiveInfo.qhelp
---
.../TimingAttackAgainstSensitiveInfo.qhelp | 25 +++++++++++++------
1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.qhelp b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.qhelp
index f426804b2cc3..ea943c539a82 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.qhelp
@@ -3,29 +3,38 @@
-A constant-time algorithm should be used for checking the value of sensitive info.
-In other words, the comparison time should not depend on the content of the input.
-Otherwise timing information could be used to infer the info's expected, secret value.
+ Timing Attack is based on the leakage of information of secret parameters by studying
+how long it takes the system to respond to different inputs.
+ it can be circumvented by using a constant-time algorithm for checking the value of sensitive info,
+more precisely, the comparison time should not depend on the content of the input. Otherwise the attacker gains
+information that is indirectly leaked by the application. This information is then used for malicious purposes,
+such as guessing the password of a user.
-Use MessageDigest.isEqual() method to check the value of sensitive info.
+ Two types of countermeasures can be applied against timing attacks. The first one consists
+in eliminating timing variations whereas the second renders these variations useless for an attacker.
+The only absolute way to prevent timing attacks is to make the computation strictly constant time,
+independent of the input.
+
+ Use MessageDigest.isEqual() method to securely check the value of sensitive info.
If this method is used, then the calculation time depends only on the length of input byte arrays,
-and does not depend on the contents of the arrays.
+and does not depend on the contents of the arrays.
+ Or you can done a function by yourself that validate an input safely.
-The following example uses String.equals() method for validating a password.
+ The following example uses String.equals() method for validating a password.
This method implements a non-constant-time algorithm:
-
-The next example uses a safe constant-time algorithm for validating a password:
+
+ The next example use a safe constant-time algorithm for validating a password:
From cd2e471198790459827a780ced903b8363d07b70 Mon Sep 17 00:00:00 2001
From: Ahmed Farid <53880570+ahmed-farid-dev@users.noreply.github.com>
Date: Fri, 27 May 2022 02:23:57 +0100
Subject: [PATCH 03/41] Update TimingAttackAgainstSensitiveInfo.qhelp
---
.../CWE/CWE-208/TimingAttackAgainstSensitiveInfo.qhelp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.qhelp b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.qhelp
index ea943c539a82..2c949602dc09 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.qhelp
@@ -23,12 +23,12 @@ independent of the input.
Use MessageDigest.isEqual() method to securely check the value of sensitive info.
If this method is used, then the calculation time depends only on the length of input byte arrays,
and does not depend on the contents of the arrays.
- Or you can done a function by yourself that validate an input safely.
+ Unlike Arrays.equals() is a fail fast method, If the first byte is not equal, it will return immediately.
- The following example uses String.equals() method for validating a password.
+ The following example uses String.equals() which is a fail fast method for validating a password.
This method implements a non-constant-time algorithm:
From 1aa8d851acdb42e77b466dab8b8cb174886b996f Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Wed, 29 Jun 2022 01:05:12 +0100
Subject: [PATCH 04/41] Update TimingAttackAgainstSensitiveInfo.ql
---
.../CWE/CWE-208/TimingAttackAgainstSensitiveInfo.ql | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.ql b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.ql
index 38b6b9e247fd..89289ad275fc 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.ql
@@ -16,6 +16,7 @@ import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.TaintTracking
import DataFlow::PathGraph
+/** A string for `match` that identifies strings that look like they represent secret data. */
private string suspicious() {
result =
[
@@ -54,10 +55,18 @@ private class NonConstantTimeComparisonCall extends StaticMethodAccess {
}
}
+/**
+ * Holds if `firstObject` and `secondObject` are compared using a method
+ * that does not use a constant-time algorithm, for example, `String.equals()`.
+ */
private predicate isNonConstantEqualsCallArgument(Expr e) {
- exists(NonConstantTimeEqualsCall call | e = [call.getQualifier(), call.getArgument(0)])
+ exists(NonConstantTimeEqualsCall call | e = [call.getQualifier(), call.getAnArgument()])
}
+/**
+ * Holds if `firstInput` and `secondInput` are compared using a static method
+ * that does not use a constant-time algorithm, for example, `Arrays.equals()`.
+ */
private predicate isNonConstantComparisonCallArgument(Expr p) {
exists(NonConstantTimeComparisonCall call | p = [call.getArgument(0), call.getArgument(1)])
}
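Review bot: The new QLDoc on `isNonConstantEqualsCallArgument` and `isNonConstantComparisonCallArgument` describes parameters `firstObject`/`secondObject` and `firstInput`/`secondInput` that do not exist; each predicate takes a single `Expr` (`e` and `p`) and holds when that expression is an operand of the call. The comments should describe what is declared, e.g. 'Holds if `e` is the qualifier or an argument of a call to a non-constant-time equality method such as `String.equals()`.' and 'Holds if `p` is one of the two compared arguments of a static non-constant-time comparison such as `Arrays.equals()`.'. The switch from `getArgument(0)` to `getAnArgument()` is equivalent for the single-argument `String` and `ByteBuffer` methods listed, but would silently widen the sink if a multi-argument method were added to `NonConstantTimeEqualsCall` later.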
From e02ad0d51f45be53c60703f4567be78740f17c99 Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Wed, 29 Jun 2022 01:11:20 +0100
Subject: [PATCH 05/41] Update TimingAttackAgainstSensitiveInfo.ql
---
.../Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.ql | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.ql b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.ql
index 89289ad275fc..b5e144f1bfc0 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.ql
@@ -71,6 +71,10 @@ private predicate isNonConstantComparisonCallArgument(Expr p) {
exists(NonConstantTimeComparisonCall call | p = [call.getArgument(0), call.getArgument(1)])
}
+/**
+ * A configuration that tracks data flow from variable that may hold sensitive data
+ * to methods that compare data using a non-constant-time algorithm.
+ */
class NonConstantTimeComparisonConfig extends TaintTracking::Configuration {
NonConstantTimeComparisonConfig() { this = "NonConstantTimeComparisonConfig" }
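Review bot: The new class comment says "tracks data flow from variable", but the class extends `TaintTracking::Configuration`, so it is a taint-tracking rather than a plain data-flow configuration, and the article is missing. Suggest `A taint-tracking configuration that tracks flow from a variable that may hold sensitive data to a method that compares its value using a non-constant-time algorithm.`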
From cc0c1652174980d2a3a4c63617a9e4775bd74474 Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Mon, 15 Aug 2022 10:58:35 +0100
Subject: [PATCH 06/41] Update TimingAttackAgainstSensitiveInfo.ql
---
.../CWE/CWE-208/TimingAttackAgainstSensitiveInfo.ql | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.ql b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.ql
index b5e144f1bfc0..bc0fdd058c14 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.ql
@@ -10,7 +10,6 @@
* external/cwe/cwe-208
*/
-
import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.TaintTracking
@@ -78,9 +77,7 @@ private predicate isNonConstantComparisonCallArgument(Expr p) {
class NonConstantTimeComparisonConfig extends TaintTracking::Configuration {
NonConstantTimeComparisonConfig() { this = "NonConstantTimeComparisonConfig" }
- override predicate isSource(DataFlow::Node source) {
- source.asExpr() instanceof CredentialExpr
- }
+ override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof CredentialExpr }
override predicate isSink(DataFlow::Node sink) {
isNonConstantEqualsCallArgument(sink.asExpr()) or
@@ -91,4 +88,4 @@ class NonConstantTimeComparisonConfig extends TaintTracking::Configuration {
from DataFlow::PathNode source, DataFlow::PathNode sink, NonConstantTimeComparisonConfig conf
where conf.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Possible timing attack against $@ validation.",
- source.getNode()
+ source.getNode(), "time constant"
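Review bot: The placeholder text `"time constant"` is substituted for `$@` in `"Possible timing attack against $@ validation."`, so the rendered alert reads "Possible timing attack against time constant validation.", which states the opposite of what the query found. The link text should name the sensitive value the path starts from, e.g. `source.getNode(), source.getNode().toString()`, which, judging by the labels in the existing `.expected`, would render as "Possible timing attack against password validation." for the test case. The `.expected` file from the first patch in this series needs regenerating for the added column either way.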
From 7a6a226df62f22c19f17aef820ac776c3c1cf018 Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Tue, 16 Aug 2022 12:43:38 +0100
Subject: [PATCH 07/41] Update TimingAttackAgainstSensitiveInfo.ql
---
.../Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.ql | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.ql b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.ql
index bc0fdd058c14..670512af6a60 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.ql
@@ -20,7 +20,7 @@ private string suspicious() {
result =
[
"%password%", "%passwd%", "%pwd%", "%refresh%token%", "%secret%token", "%secret%key",
- "%passcode%", "%passphrase%", "%token%", "%secret%", "%credential%", "%key%"
+ "%passcode%", "%passphrase%", "%token%", "%secret%", "%credential%", "%UserPass%"
]
}
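Review bot: The replacement pattern `"%UserPass%"` can never match: `CredentialExpr` compares `v.getName().toLowerCase()` against this list and QL's `matches` is case-sensitive, so the uppercase `U` and `P` make the entry dead and the `.expected` output would be identical without it. If the intent is to catch names like `userPass`, the entry must be lowercase, `"%userpass%"`. The same list, with the same dead entry, is copied into `TimingAttack.qll` by patch 18 of this series.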
From edbe697e4d8fd3636039e2ff6513b54803d23e93 Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Tue, 16 Aug 2022 12:52:13 +0100
Subject: [PATCH 08/41] Rename
java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.ql
to
java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
---
.../TimingAttackAgainstSensitiveInfo.ql | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename java/ql/src/experimental/Security/CWE/CWE-208/{ => TimingAttackAgainstSensitiveInfo}/TimingAttackAgainstSensitiveInfo.ql (100%)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.ql b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
similarity index 100%
rename from java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.ql
rename to java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
From d7f1b0a73afdd79d0003ed146e72c8ffe12c084d Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Tue, 16 Aug 2022 12:52:34 +0100
Subject: [PATCH 09/41] Rename
java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.qhelp
to
java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.qhelp
---
.../TimingAttackAgainstSensitiveInfo.qhelp | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename java/ql/src/experimental/Security/CWE/CWE-208/{ => TimingAttackAgainstSensitiveInfo}/TimingAttackAgainstSensitiveInfo.qhelp (100%)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.qhelp b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.qhelp
similarity index 100%
rename from java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.qhelp
rename to java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.qhelp
From 493ba441d08067167616c7b39cfd34b685187e58 Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Tue, 16 Aug 2022 12:52:54 +0100
Subject: [PATCH 10/41] Rename
java/ql/src/experimental/Security/CWE/CWE-208/SafeComparison.java to
java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/SafeComparison.java
---
.../{ => TimingAttackAgainstSensitiveInfo}/SafeComparison.java | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename java/ql/src/experimental/Security/CWE/CWE-208/{ => TimingAttackAgainstSensitiveInfo}/SafeComparison.java (100%)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/SafeComparison.java b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/SafeComparison.java
similarity index 100%
rename from java/ql/src/experimental/Security/CWE/CWE-208/SafeComparison.java
rename to java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/SafeComparison.java
From 2fd154a4fcc02f62cfddc483ebe903e26cfb4d60 Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Tue, 16 Aug 2022 12:53:23 +0100
Subject: [PATCH 11/41] Rename
java/ql/src/experimental/Security/CWE/CWE-208/UnsafeComparison.java to
java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/UnsafeComparison.java
---
.../{ => TimingAttackAgainstSensitiveInfo}/UnsafeComparison.java | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename java/ql/src/experimental/Security/CWE/CWE-208/{ => TimingAttackAgainstSensitiveInfo}/UnsafeComparison.java (100%)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/UnsafeComparison.java b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/UnsafeComparison.java
similarity index 100%
rename from java/ql/src/experimental/Security/CWE/CWE-208/UnsafeComparison.java
rename to java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/UnsafeComparison.java
From fd54ffae0c926f8ee0b13c992d6c88e2c6e0e988 Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Tue, 16 Aug 2022 13:04:29 +0100
Subject: [PATCH 12/41] Rename NonConstantTimeCheckOnSignatureQuery.qll to
TimingAttack.qll
---
...{NonConstantTimeCheckOnSignatureQuery.qll => TimingAttack.qll} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename java/ql/src/experimental/Security/CWE/CWE-208/{NonConstantTimeCheckOnSignatureQuery.qll => TimingAttack.qll} (100%)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttack.qll
similarity index 100%
rename from java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll
rename to java/ql/src/experimental/Security/CWE/CWE-208/TimingAttack.qll
From 9247a6b046b2002277a42b7277cbeca4a2d3272e Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Tue, 16 Aug 2022 13:12:31 +0100
Subject: [PATCH 13/41] Rename
java/ql/src/experimental/Security/CWE/CWE-208/TimingAttack.qll to
java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll
---
.../CWE/CWE-208 => semmle/code/java/security}/TimingAttack.qll | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename java/ql/src/experimental/{Security/CWE/CWE-208 => semmle/code/java/security}/TimingAttack.qll (100%)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttack.qll b/java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll
similarity index 100%
rename from java/ql/src/experimental/Security/CWE/CWE-208/TimingAttack.qll
rename to java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll
From 2040aba0101026e9b366f32787c5d9bd63ad2748 Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Tue, 16 Aug 2022 13:16:57 +0100
Subject: [PATCH 14/41] Update PossibleTimingAttackAgainstSignature.ql
---
.../CWE/CWE-208/PossibleTimingAttackAgainstSignature.ql | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/PossibleTimingAttackAgainstSignature.ql b/java/ql/src/experimental/Security/CWE/CWE-208/PossibleTimingAttackAgainstSignature.ql
index 9e0835e2aac5..27736e4bf578 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-208/PossibleTimingAttackAgainstSignature.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/PossibleTimingAttackAgainstSignature.ql
@@ -13,7 +13,7 @@
*/
import java
-import NonConstantTimeCheckOnSignatureQuery
+import experimental.semmle.code.java.security.TimingAttack
import DataFlow::PathGraph
from DataFlow::PathNode source, DataFlow::PathNode sink, NonConstantTimeCryptoComparisonConfig conf
From 7a79dd6ef361796a3f2edb87a21cfbc40209bfa6 Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Tue, 16 Aug 2022 13:17:27 +0100
Subject: [PATCH 15/41] Update TimingAttackAgainstSignature.ql
---
.../Security/CWE/CWE-208/TimingAttackAgainstSignature.ql | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSignature.ql b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSignature.ql
index 488b49684b2c..22a3eeeb6973 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSignature.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSignature.ql
@@ -14,7 +14,7 @@
*/
import java
-import NonConstantTimeCheckOnSignatureQuery
+import experimental.semmle.code.java.security.TimingAttack
import DataFlow::PathGraph
from DataFlow::PathNode source, DataFlow::PathNode sink, NonConstantTimeCryptoComparisonConfig conf
From 47ec366987c9d69f91fdf6d00c0a7b0db4761f8d Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Tue, 16 Aug 2022 13:45:11 +0100
Subject: [PATCH 16/41] Update TimingAttackAgainstSensitiveInfo.ql
---
.../TimingAttackAgainstSensitiveInfo.ql | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
index 670512af6a60..3e08cd1d0e8a 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
@@ -79,10 +79,7 @@ class NonConstantTimeComparisonConfig extends TaintTracking::Configuration {
override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof CredentialExpr }
- override predicate isSink(DataFlow::Node sink) {
- isNonConstantEqualsCallArgument(sink.asExpr()) or
- isNonConstantComparisonCallArgument(sink.asExpr())
- }
+ override predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
}
from DataFlow::PathNode source, DataFlow::PathNode sink, NonConstantTimeComparisonConfig conf
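Review bot: `NonConstantTimeComparisonSink` is neither declared in this query nor brought in by its imports (`java`, `FlowSources`, `TaintTracking`, `DataFlow::PathGraph` as of patch 01), and this commit adds no import, so the query does not compile at this point in the series. Presumably the class lives in the `TimingAttack.qll` library renamed in patches 12 and 13; adding `import experimental.semmle.code.java.security.TimingAttack` in the same commit, as patches 14 and 15 do for the signature queries, keeps each commit self-contained. It is also worth confirming that the library sink covers the same call set (`String`, `ByteBuffer`, `Arrays`, `Objects`, `StringUtils`) as the local predicates it replaces, since the fixture only exercises `String.equals`.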
From e39b706c3fab4d28769a3a4407cb3128ce4b321e Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Tue, 16 Aug 2022 13:45:51 +0100
Subject: [PATCH 17/41] Update TimingAttackAgainstSensitiveInfo.ql
---
.../TimingAttackAgainstSensitiveInfo.ql | 36 -------------------
1 file changed, 36 deletions(-)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
index 3e08cd1d0e8a..c1da27440d5c 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
@@ -34,42 +34,6 @@ class CredentialExpr extends Expr {
}
}
-/** Methods that use a non-constant-time algorithm for comparing inputs. */
-private class NonConstantTimeEqualsCall extends MethodAccess {
- NonConstantTimeEqualsCall() {
- this.getMethod()
- .hasQualifiedName("java.lang", "String", ["equals", "contentEquals", "equalsIgnoreCase"]) or
- this.getMethod().hasQualifiedName("java.nio", "ByteBuffer", ["equals", "compareTo"])
- }
-}
-
-/** A static method that uses a non-constant-time algorithm for comparing inputs. */
-private class NonConstantTimeComparisonCall extends StaticMethodAccess {
- NonConstantTimeComparisonCall() {
- this.getMethod().hasQualifiedName("java.util", "Arrays", ["equals", "deepEquals"]) or
- this.getMethod().hasQualifiedName("java.util", "Objects", "deepEquals") or
- this.getMethod()
- .hasQualifiedName("org.apache.commons.lang3", "StringUtils",
- ["equals", "equalsAny", "equalsAnyIgnoreCase", "equalsIgnoreCase"])
- }
-}
-
-/**
- * Holds if `firstObject` and `secondObject` are compared using a method
- * that does not use a constant-time algorithm, for example, `String.equals()`.
- */
-private predicate isNonConstantEqualsCallArgument(Expr e) {
- exists(NonConstantTimeEqualsCall call | e = [call.getQualifier(), call.getAnArgument()])
-}
-
-/**
- * Holds if `firstInput` and `secondInput` are compared using a static method
- * that does not use a constant-time algorithm, for example, `Arrays.equals()`.
- */
-private predicate isNonConstantComparisonCallArgument(Expr p) {
- exists(NonConstantTimeComparisonCall call | p = [call.getArgument(0), call.getArgument(1)])
-}
-
/**
* A configuration that tracks data flow from variable that may hold sensitive data
* to methods that compare data using a non-constant-time algorithm.
From abf1b93616ea40e28e6c7db2c3582f7e49b6252e Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Tue, 16 Aug 2022 18:09:00 +0100
Subject: [PATCH 18/41] Update TimingAttack.qll
---
.../code/java/security/TimingAttack.qll | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll b/java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll
index c90d16a6681f..cca2103aef0f 100644
--- a/java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll
+++ b/java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll
@@ -8,6 +8,25 @@ import semmle.code.java.dataflow.TaintTracking2
import semmle.code.java.dataflow.DataFlow3
import semmle.code.java.dataflow.FlowSources
+/** A string for `match` that identifies strings that look like they represent secret data. */
+private string suspicious() {
+ result =
+ [
+ "%password%", "%passwd%", "%pwd%", "%refresh%token%", "%secret%token", "%secret%key",
+ "%passcode%", "%passphrase%", "%token%", "%secret%", "%credential%", "%UserPass%"
+ ]
+}
+
+/** A variable that may hold sensitive information, judging by its name. * */
+class CredentialExpr extends Expr {
+ CredentialExpr() {
+ exists(Variable v | this = v.getAnAccess() |
+ v.getName().toLowerCase().matches(suspicious()) and
+ not v.isFinal()
+ )
+ }
+}
+
/** A method call that produces cryptographic result. */
abstract private class ProduceCryptoCall extends MethodAccess {
Expr output;
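Review bot: Two entries in the new `suspicious()` list, `"%secret%token"` and `"%secret%key"`, have no trailing `%`, so names such as `secretTokenValue` or `secretKeyBytes` fall outside the matcher while every neighbouring pattern is anchored on both sides; if that narrowing is deliberate a comment should say so, otherwise `"%secret%token%", "%secret%key%"` is the consistent form. The same two entries survive unchanged through the later rewrites of this list in patches 31, 32 and 35. The QLDoc on `CredentialExpr` closes with a stray `* */`; `/** A variable that may hold sensitive information, judging by its name. */` is the intended form, and the same typo is copied into later classes in this series.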
From c897452a868ef2981d981b76eb05b1bdd92eafc9 Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Tue, 16 Aug 2022 18:10:04 +0100
Subject: [PATCH 19/41] Update TimingAttackAgainstSensitiveInfo.ql
---
.../TimingAttackAgainstSensitiveInfo.ql | 19 -------------------
1 file changed, 19 deletions(-)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
index c1da27440d5c..9bc3ad79d00d 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
@@ -15,25 +15,6 @@ import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.TaintTracking
import DataFlow::PathGraph
-/** A string for `match` that identifies strings that look like they represent secret data. */
-private string suspicious() {
- result =
- [
- "%password%", "%passwd%", "%pwd%", "%refresh%token%", "%secret%token", "%secret%key",
- "%passcode%", "%passphrase%", "%token%", "%secret%", "%credential%", "%UserPass%"
- ]
-}
-
-/** A variable that may hold sensitive information, judging by its name. * */
-class CredentialExpr extends Expr {
- CredentialExpr() {
- exists(Variable v | this = v.getAnAccess() |
- v.getName().toLowerCase().matches(suspicious()) and
- not v.isFinal()
- )
- }
-}
-
/**
* A configuration that tracks data flow from variable that may hold sensitive data
* to methods that compare data using a non-constant-time algorithm.
From 4b6875602f2726b4eb8bc54a97d920ca6686288e Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Tue, 16 Aug 2022 18:21:46 +0100
Subject: [PATCH 20/41] Update TimingAttack.qll
---
.../code/java/security/TimingAttack.qll | 26 +++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll b/java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll
index cca2103aef0f..aefc34da3000 100644
--- a/java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll
+++ b/java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll
@@ -2,10 +2,13 @@
* Provides classes and predicates for queries that detect timing attacks.
*/
+import java
import semmle.code.java.controlflow.Guards
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.TaintTracking2
+import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.DataFlow3
+import semmle.code.java.dataflow.DataFlow2
import semmle.code.java.dataflow.FlowSources
/** A string for `match` that identifies strings that look like they represent secret data. */
@@ -329,6 +332,18 @@ class NonConstantTimeComparisonSink extends DataFlow::Node {
}
}
+/** A data flow source of the secret obtained. */
+class SecretSource extends DataFlow::Node {
+ CredentialExpr secret;
+
+ SecretSource() { secret = this.asExpr() }
+
+ /** Holds if the secret was deliverd by remote user. */
+ predicate includesUserInput() {
+ exists(UserInputSecretConfig config | config.hasFlowTo(DataFlow2::exprNode(secret)))
+ }
+}
+
/**
* A configuration that tracks data flow from cryptographic operations
* to methods that compare data using a non-constant-time algorithm.
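Review bot: The QLDoc on `SecretSource.includesUserInput()` has a typo and under-describes the contract; `/** Holds if remote user input flows into this credential expression, i.e. the secret was delivered by a remote user. */` states what the predicate actually checks. The predicate depends on `UserInputSecretConfig`, which this patch declares further down in the file; that is legal QL, but a short cross-reference in the doc saves the reader a search. The class is public, so its QLDoc is the only place a query author will learn that the check is a separate taint-tracking pass rather than a property of the node itself.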
@@ -340,3 +355,14 @@ class NonConstantTimeCryptoComparisonConfig extends TaintTracking::Configuration
override predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
}
+
+/**
+ * A config that tracks data flow from remote user input to Variable that hold sensitive info
+ */
+class UserInputSecretConfig extends TaintTracking2::Configuration {
+ UserInputSecretConfig() { this = "UserInputSecretConfig" }
+
+ override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ override predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof CredentialExpr }
+}
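Review bot: `UserInputSecretConfig` is declared public although its only visible consumer is `SecretSource.includesUserInput()`; the sibling configuration `UserInputInComparisonConfig` in this library is `private`, so `private class UserInputSecretConfig extends TaintTracking2::Configuration {` keeps the two consistent and avoids exporting an implementation detail. The QLDoc would read better as `/** A configuration that tracks data flow from remote user input to variables whose names suggest they hold sensitive data. */`.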
From 9942b6fcb8f383bd280ad628871c35e3393f814f Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Tue, 16 Aug 2022 18:23:03 +0100
Subject: [PATCH 21/41] Update TimingAttackAgainstSensitiveInfo.ql
---
.../TimingAttackAgainstSensitiveInfo.ql | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
index 9bc3ad79d00d..16b27c7c0b4f 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
@@ -22,7 +22,7 @@ import DataFlow::PathGraph
class NonConstantTimeComparisonConfig extends TaintTracking::Configuration {
NonConstantTimeComparisonConfig() { this = "NonConstantTimeComparisonConfig" }
- override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof CredentialExpr }
+ override predicate isSource(DataFlow::Node source) { source instanceof SecretSource }
override predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
}
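Review bot: `SecretSource` is declared in `TimingAttack.qll`, but this query's imports (visible in the copy created in patch 23: `java`, `FlowSources`, `TaintTracking`, `DataFlow::PathGraph`) do not include that library, so the name is unresolved at this commit and the query does not compile until the import arrives in patches 33 and 34. Adding `import experimental.semmle.code.java.security.TimingAttack` in this patch keeps the series compiling at every step, which matters for bisecting later.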
From 47051d035a00a3e4ecb79015318aee1d87b3548e Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Mon, 22 Aug 2022 12:46:35 +0100
Subject: [PATCH 22/41] Rename TimingAttackAgainstSensitiveInfo.ql
---
...nsitiveInfo.ql => PossibleTimingAttackAgainstSensitiveInfo.ql} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/{TimingAttackAgainstSensitiveInfo.ql => PossibleTimingAttackAgainstSensitiveInfo.ql} (100%)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.ql
similarity index 100%
rename from java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
rename to java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.ql
From 78003462148c68073b08ad1eb1553dd6fb8ba09c Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Mon, 29 Aug 2022 12:28:26 +0100
Subject: [PATCH 23/41] Create TimingAttackAgainstSensitiveInfo.ql
---
.../TimingAttackAgainstSensitiveInfo.ql | 38 +++++++++++++++++++
1 file changed, 38 insertions(+)
create mode 100644 java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
new file mode 100644
index 000000000000..4a62a03d599a
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
@@ -0,0 +1,38 @@
+/**
+ * @name Timing attack against sensitive info
+ * @description Use of a non-constant-time verification routine to check the value of an sensitive info,
+ * possibly allowing a timing attack to infer the info's expected value.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/timing-attack-against-sensitive-info
+ * @tags security
+ * external/cwe/cwe-208
+ */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking
+import DataFlow::PathGraph
+
+/**
+ * A configuration that tracks data flow from variable that may hold sensitive data
+ * to methods that compare data using a non-constant-time algorithm.
+ */
+class NonConstantTimeComparisonConfig extends TaintTracking::Configuration {
+ NonConstantTimeComparisonConfig() { this = "NonConstantTimeComparisonConfig" }
+
+ override predicate isSource(DataFlow::Node source) { source instanceof SecretSource }
+
+ override predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, NonConstantTimeComparisonConfig conf
+where
+ conf.hasFlowPath(source, sink) and
+ (
+ source.getNode().(SecretSource).includesUserInput() and
+ sink.getNode().(NonConstantTimeComparisonSink).includesUserInput()
+ )
+select sink.getNode(), source, sink, "timing attack against $@ validation.",
+ source.getNode(), "time constant"
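Review bot: The query id `java/timing-attack-against-sensitive-info` is at this point also carried by `PossibleTimingAttackAgainstSensitiveInfo.ql` (it is only changed there in patch 28), so two queries share an id until then. The alert message `"timing attack against $@ validation."` with placeholder text `"time constant"` renders as "timing attack against time constant validation", which misdescribes the linked node: the `$@` points at the credential expression, so a label such as `"credential"` would be accurate. The description reads `an sensitive info`; `a piece of sensitive information` scans better. As in the previous patch, `SecretSource` and `NonConstantTimeComparisonSink` are referenced without importing the `TimingAttack` library.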
From fcedcc3ca6d20f70830fe2f275a743c8260f3296 Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Mon, 29 Aug 2022 12:28:51 +0100
Subject: [PATCH 24/41] Update TimingAttackAgainstSensitiveInfo.ql
---
.../TimingAttackAgainstSensitiveInfo.ql | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
index 4a62a03d599a..19b4cbea7293 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
@@ -31,7 +31,7 @@ from DataFlow::PathNode source, DataFlow::PathNode sink, NonConstantTimeComparis
where
conf.hasFlowPath(source, sink) and
(
- source.getNode().(SecretSource).includesUserInput() and
+ source.getNode().(SecretSource).includesUserInput() or
sink.getNode().(NonConstantTimeComparisonSink).includesUserInput()
)
select sink.getNode(), source, sink, "timing attack against $@ validation.",
From b3c9d07b4ead3d88ab82869453743dd75eb2eec1 Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Mon, 29 Aug 2022 12:29:54 +0100
Subject: [PATCH 25/41] Update PossibleTimingAttackAgainstSensitiveInfo.ql
---
.../PossibleTimingAttackAgainstSensitiveInfo.ql | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.ql b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.ql
index 16b27c7c0b4f..2bf6e21655dc 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.ql
@@ -4,7 +4,7 @@
* possibly allowing a timing attack to infer the info's expected value.
* @kind path-problem
* @problem.severity error
- * @precision high
+ * @precision medium
* @id java/timing-attack-against-sensitive-info
* @tags security
* external/cwe/cwe-208
From 1402bb5ba987e0e44fbac2a0dbe9860ae3d042a2 Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Mon, 29 Aug 2022 12:31:11 +0100
Subject: [PATCH 26/41] Rename TimingAttackAgainstSensitiveInfo.qhelp to
PossibleTimingAttackAgainstSensitiveInfo.qhelp
---
...eInfo.qhelp => PossibleTimingAttackAgainstSensitiveInfo.qhelp} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/{TimingAttackAgainstSensitiveInfo.qhelp => PossibleTimingAttackAgainstSensitiveInfo.qhelp} (100%)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.qhelp b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.qhelp
similarity index 100%
rename from java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.qhelp
rename to java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.qhelp
From 34ca636ae1b5d678502367e0bee0892753e06b89 Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Mon, 29 Aug 2022 12:32:43 +0100
Subject: [PATCH 27/41] Create TimingAttackAgainstSensitiveInfo.qhelp
---
.../TimingAttackAgainstSensitiveInfo.qhelp | 4 ++++
1 file changed, 4 insertions(+)
create mode 100644 java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.qhelp
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.qhelp b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.qhelp
new file mode 100644
index 000000000000..fe1bfae5074c
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.qhelp
@@ -0,0 +1,4 @@
+
+
+
+
From f74902c02a50550d31adb66dd3aad1c129182723 Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Tue, 30 Aug 2022 12:04:11 +0100
Subject: [PATCH 28/41] Update PossibleTimingAttackAgainstSensitiveInfo.ql
---
.../PossibleTimingAttackAgainstSensitiveInfo.ql | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.ql b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.ql
index 2bf6e21655dc..68844f629ec3 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.ql
@@ -5,7 +5,7 @@
* @kind path-problem
* @problem.severity error
* @precision medium
- * @id java/timing-attack-against-sensitive-info
+ * @id java/possible-timing-attack-against-sensitive-info
* @tags security
* external/cwe/cwe-208
*/
From 7bccfacdff6496170c1eca1fd7104e64ccd4934b Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Tue, 30 Aug 2022 12:06:02 +0100
Subject: [PATCH 29/41] Update TimingAttackAgainstSensitiveInfo.qlref
---
.../TimingAttackAgainstSensitiveInfo.qlref | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.qlref b/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.qlref
index c6d983ebaf5d..d37f680923ec 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.qlref
+++ b/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.qlref
@@ -1 +1 @@
-experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.ql
+experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
From 8906d05f152d366901d16d9705b7e18d2d88c547 Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Tue, 30 Aug 2022 12:06:23 +0100
Subject: [PATCH 30/41] Update TimingAttackAgainstSensitiveInfo.qlref
---
.../TimingAttackAgainstSensitiveInfo.qlref | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.qlref b/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.qlref
index d37f680923ec..7c3931e93dde 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.qlref
+++ b/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.qlref
@@ -1 +1 @@
-experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
+experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.ql
From 07bd4a9880938fd6352571a8e8a54a91c6831f5e Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Tue, 30 Aug 2022 12:10:24 +0100
Subject: [PATCH 31/41] Update TimingAttack.qll
---
.../src/experimental/semmle/code/java/security/TimingAttack.qll | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll b/java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll
index aefc34da3000..083c31f9f3f2 100644
--- a/java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll
+++ b/java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll
@@ -16,7 +16,7 @@ private string suspicious() {
result =
[
"%password%", "%passwd%", "%pwd%", "%refresh%token%", "%secret%token", "%secret%key",
- "%passcode%", "%passphrase%", "%token%", "%secret%", "%credential%", "%UserPass%"
+ "%passcode%", "%passphrase%", "%token%", "%secret%", "%credential%", "%userpass%"
]
}
From ccc59ec03076402c9f67e788fda1bd9ba1acb45f Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Tue, 30 Aug 2022 12:33:20 +0100
Subject: [PATCH 32/41] Update TimingAttack.qll
---
.../experimental/semmle/code/java/security/TimingAttack.qll | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll b/java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll
index 083c31f9f3f2..5ee71a5808d0 100644
--- a/java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll
+++ b/java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll
@@ -16,7 +16,8 @@ private string suspicious() {
result =
[
"%password%", "%passwd%", "%pwd%", "%refresh%token%", "%secret%token", "%secret%key",
- "%passcode%", "%passphrase%", "%token%", "%secret%", "%credential%", "%userpass%"
+ "%passcode%", "%passphrase%", "%token%", "%secret%", "%credential%", "%userpass%",
+ "%digest%", "%signature%", "%mac%"
]
}
From bd6db449889d171d097028e80ac25844872677f0 Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Fri, 2 Sep 2022 14:31:29 +0100
Subject: [PATCH 33/41] Update TimingAttackAgainstSensitiveInfo.ql
---
.../TimingAttackAgainstSensitiveInfo.ql | 1 +
1 file changed, 1 insertion(+)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
index 19b4cbea7293..1d53a05d34e3 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
@@ -14,6 +14,7 @@ import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.TaintTracking
import DataFlow::PathGraph
+import experimental.semmle.code.java.security.TimingAttack
/**
* A configuration that tracks data flow from variable that may hold sensitive data
From 3774a9a892abf9b25ddb881ce1e9d1dfd9b3c76b Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Fri, 2 Sep 2022 14:31:48 +0100
Subject: [PATCH 34/41] Update PossibleTimingAttackAgainstSensitiveInfo.ql
---
.../PossibleTimingAttackAgainstSensitiveInfo.ql | 1 +
1 file changed, 1 insertion(+)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.ql b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.ql
index 68844f629ec3..e0d50f8b4ad9 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.ql
@@ -14,6 +14,7 @@ import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.TaintTracking
import DataFlow::PathGraph
+import experimental.semmle.code.java.security.TimingAttack
/**
* A configuration that tracks data flow from variable that may hold sensitive data
From 35514cf5f81c2bc3148017d75165a37c2aae3e12 Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Mon, 3 Oct 2022 22:23:27 +0100
Subject: [PATCH 35/41] Update TimingAttack.qll
---
.../code/java/security/TimingAttack.qll | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll b/java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll
index 5ee71a5808d0..9e9c312f8830 100644
--- a/java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll
+++ b/java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll
@@ -15,18 +15,29 @@ import semmle.code.java.dataflow.FlowSources
private string suspicious() {
result =
[
- "%password%", "%passwd%", "%pwd%", "%refresh%token%", "%secret%token", "%secret%key",
- "%passcode%", "%passphrase%", "%token%", "%secret%", "%credential%", "%userpass%",
- "%digest%", "%signature%", "%mac%"
+ "%password", "%passwd", "%pwd%", "%refresh%token%", "%secret%token", "%secret%key",
+ "%passcode", "%passphrase", "%secret%", "%userpass%", "%digest%", "%signature%"
]
}
+/**
+ * A string for `match` that identifies strings that look like they represent secret data that is
+ * hashed or encrypted.
+ */
+private string nonSuspicious() {
+ result = "%hashed%" or
+ result = "%encrypted%" or
+ result = "%crypt%" or
+ result in ["%md5%, "%md2%, "%sha%"]
+}
+
/** A variable that may hold sensitive information, judging by its name. * */
class CredentialExpr extends Expr {
CredentialExpr() {
exists(Variable v | this = v.getAnAccess() |
v.getName().toLowerCase().matches(suspicious()) and
- not v.isFinal()
+ not v.getName().getName().toLowerCase().matches(nonSuspicious())
+ not v.isFinal()
)
}
}
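Review bot: The rewritten `CredentialExpr` body has no connective between `not v.getName().getName().toLowerCase().matches(nonSuspicious())` and `not v.isFinal()`, which is a syntax error; the intended line is `not v.getName().toLowerCase().matches(nonSuspicious()) and`. Patch 39 repairs the doubled `getName()` and the unbalanced quotes in `nonSuspicious()` but leaves the missing `and` in place. Separately, the exclusion patterns are broader than their names suggest: `"%sha%"` also matches `sharedSecret` and `"%crypt%"` also matches `decryptedPassword`, so plaintext secrets with those names silently drop out of the results; anchoring the algorithm names (`"%sha1%"`, `"%sha256%"`, `"%sha512%"`) and spelling out `"%encrypt%"` would avoid that, and a comment on `nonSuspicious()` should state that it is meant to exclude already-hashed or ciphertext values rather than anything with a crypto-sounding name.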
From 6404281b176ae19ae8f42ff9398831266611409f Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Mon, 3 Oct 2022 22:24:55 +0100
Subject: [PATCH 36/41] Delete PossibleTimingAttackAgainstSensitiveInfo.ql
---
...ossibleTimingAttackAgainstSensitiveInfo.ql | 34 -------------------
1 file changed, 34 deletions(-)
delete mode 100644 java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.ql
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.ql b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.ql
deleted file mode 100644
index e0d50f8b4ad9..000000000000
--- a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.ql
+++ /dev/null
@@ -1,34 +0,0 @@
-/**
- * @name Timing attack against sensitive info
- * @description Use of a non-constant-time verification routine to check the value of an sensitive info,
- * possibly allowing a timing attack to infer the info's expected value.
- * @kind path-problem
- * @problem.severity error
- * @precision medium
- * @id java/possible-timing-attack-against-sensitive-info
- * @tags security
- * external/cwe/cwe-208
- */
-
-import java
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.dataflow.TaintTracking
-import DataFlow::PathGraph
-import experimental.semmle.code.java.security.TimingAttack
-
-/**
- * A configuration that tracks data flow from variable that may hold sensitive data
- * to methods that compare data using a non-constant-time algorithm.
- */
-class NonConstantTimeComparisonConfig extends TaintTracking::Configuration {
- NonConstantTimeComparisonConfig() { this = "NonConstantTimeComparisonConfig" }
-
- override predicate isSource(DataFlow::Node source) { source instanceof SecretSource }
-
- override predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
-}
-
-from DataFlow::PathNode source, DataFlow::PathNode sink, NonConstantTimeComparisonConfig conf
-where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Possible timing attack against $@ validation.",
- source.getNode(), "time constant"
From d85c47e3f67a1243ffa5730d55910bddead2ca99 Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Mon, 3 Oct 2022 22:26:42 +0100
Subject: [PATCH 37/41] Delete TimingAttackAgainstSensitiveInfo.qhelp
---
.../TimingAttackAgainstSensitiveInfo.qhelp | 4 ----
1 file changed, 4 deletions(-)
delete mode 100644 java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.qhelp
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.qhelp b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.qhelp
deleted file mode 100644
index fe1bfae5074c..000000000000
--- a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.qhelp
+++ /dev/null
@@ -1,4 +0,0 @@
-
-
-
-
From 20aee0ed00a08c7583641a9d77830f0c6f0342c1 Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Mon, 3 Oct 2022 22:27:10 +0100
Subject: [PATCH 38/41] Rename PossibleTimingAttackAgainstSensitiveInfo.qhelp
to TimingAttackAgainstSensitiveInfo.qhelp
---
...SensitiveInfo.qhelp => TimingAttackAgainstSensitiveInfo.qhelp} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/{PossibleTimingAttackAgainstSensitiveInfo.qhelp => TimingAttackAgainstSensitiveInfo.qhelp} (100%)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.qhelp b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.qhelp
similarity index 100%
rename from java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.qhelp
rename to java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.qhelp
From 63136803dd0792fcdb2ebc0cb846e2a74440f44b Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Mon, 14 Nov 2022 00:33:17 +0100
Subject: [PATCH 39/41] Update TimingAttack.qll
Add some fixes
---
.../experimental/semmle/code/java/security/TimingAttack.qll | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll b/java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll
index 9e9c312f8830..23cf4f9a4204 100644
--- a/java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll
+++ b/java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll
@@ -28,7 +28,7 @@ private string nonSuspicious() {
result = "%hashed%" or
result = "%encrypted%" or
result = "%crypt%" or
- result in ["%md5%, "%md2%, "%sha%"]
+ result in ["%md5%", "%md2%", "%sha%"]
}
/** A variable that may hold sensitive information, judging by its name. * */
@@ -36,7 +36,7 @@ class CredentialExpr extends Expr {
CredentialExpr() {
exists(Variable v | this = v.getAnAccess() |
v.getName().toLowerCase().matches(suspicious()) and
- not v.getName().getName().toLowerCase().matches(nonSuspicious())
+ not v.getName().toLowerCase().matches(nonSuspicious())
not v.isFinal()
)
}
From a3c1bc8ff8055b66447e51ccf42a027a0fb7c259 Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Sun, 1 Jan 2023 17:14:37 +0100
Subject: [PATCH 40/41] Update TimingAttack.qll
---
.../code/java/security/TimingAttack.qll | 35 +++++++++++++++++++
1 file changed, 35 insertions(+)
diff --git a/java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll b/java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll
index 23cf4f9a4204..f977192b25d5 100644
--- a/java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll
+++ b/java/ql/src/experimental/semmle/code/java/security/TimingAttack.qll
@@ -31,6 +31,15 @@ private string nonSuspicious() {
result in ["%md5%", "%md2%", "%sha%"]
}
+/** A variable that may hold nonsensitive information, judging by its name. * */
+class NonSensitiveExpr extends Expr {
+ NonSensitiveExpr() {
+ exists(Variable v | this = v.getAnAccess() |
+ v.getName().toLowerCase().matches(nonSuspicious())
+ )
+ }
+}
+
/** A variable that may hold sensitive information, judging by its name. * */
class CredentialExpr extends Expr {
CredentialExpr() {
@@ -262,6 +271,20 @@ private class UserInputInComparisonConfig extends TaintTracking2::Configuration
}
}
+private class UserInputIs extends TaintTracking2::Configuration {
+ UserInputIs() { this = "UserInputIs" }
+
+ override predicate isSource(DataFlow::Node source) { source instanceof InSecretSource }
+
+ override predicate isSink(DataFlow::Node sink) {
+ exists(NonConstantTimeEqualsCall call |
+ sink.asExpr() = [call.getAnArgument(), call.getQualifier()]
+ )
+ or
+ exists(NonConstantTimeComparisonCall call | sink.asExpr() = call.getAnArgument())
+ }
+}
+
/** Holds if `expr` looks like a constant. */
private predicate looksLikeConstant(Expr expr) {
expr.isCompileTimeConstant()
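Review bot: `UserInputIs` does not involve user input: its source `InSecretSource` is any access of a variable whose name matches `nonSuspicious()`, and its sink is an operand of a non-constant-time comparison, so the class name misleads about what it tracks, and `includesIs()` on `NonConstantTimeComparisonSink` and `InSecretSource` (both added later in this patch, the latter without any QLDoc) inherit the problem. Names such as `HashedValueInComparisonConfig`, `includesHashedValue()` and `NonSensitiveSource`, each with a one-line QLDoc saying the match is by variable name only, would state the intent. The `isSink` body repeats the two call shapes that `NonConstantTimeComparisonSink` already recognises; if that class's membership test is the same pair of shapes, `sink instanceof NonConstantTimeComparisonSink` keeps the two from drifting apart. The `includesIs()` predicate reads the field `anotherParameter`, whose declaration is outside the hunk.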
@@ -342,6 +365,12 @@ class NonConstantTimeComparisonSink extends DataFlow::Node {
config.hasFlowTo(DataFlow2::exprNode(anotherParameter))
)
}
+
+ predicate includesIs() {
+ exists(UserInputIs config |
+ config.hasFlowTo(DataFlow2::exprNode(anotherParameter))
+ )
+ }
}
/** A data flow source of the secret obtained. */
@@ -356,6 +385,12 @@ class SecretSource extends DataFlow::Node {
}
}
+class InSecretSource extends DataFlow::Node {
+ NonSensitiveExpr insecret;
+
+ InSecretSource() { insecret = this.asExpr() }
+}
+
/**
* A configuration that tracks data flow from cryptographic operations
* to methods that compare data using a non-constant-time algorithm.
From 077001f5ad3fb7497cb24f01b46ff164c3ff63a8 Mon Sep 17 00:00:00 2001
From: Ahmed Farid
Date: Sun, 1 Jan 2023 17:15:10 +0100
Subject: [PATCH 41/41] Update TimingAttackAgainstSensitiveInfo.ql
---
.../TimingAttackAgainstSensitiveInfo.ql | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
index 1d53a05d34e3..8b764e965b3a 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
@@ -34,6 +34,7 @@ where
(
source.getNode().(SecretSource).includesUserInput() or
sink.getNode().(NonConstantTimeComparisonSink).includesUserInput()
- )
+ ) and
+ not sink.getNode().(NonConstantTimeComparisonSink).includesIs()
select sink.getNode(), source, sink, "timing attack against $@ validation.",
source.getNode(), "time constant"
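Review bot: The new `not sink.getNode().(NonConstantTimeComparisonSink).includesIs()` clause suppresses a result whenever a variable whose name contains `hashed`, `encrypted`, `crypt`, `md5`, `md2` or `sha` reaches either operand of the comparison, and that decision rests on the name alone rather than on the value having come out of a digest or cipher call. A variable such as `receivedSha256` holds a value supplied by the remote party, and comparing it to a computed digest with `Arrays.equals` is the canonical CWE-208 finding, yet the name-based check hides it; the library's `NonConstantTimeCryptoComparisonConfig` and `ProduceCryptoCall` already model real cryptographic outputs, so basing the exclusion on that flow would be more robust. If the name-based suppression is kept, a comment at this clause explaining the rationale — that hashing the remote input before comparison removes the byte-by-byte control a timing attack depends on — would help the next maintainer judge the trade-off.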