Crypto: Add Java Cryptographic Analysis Queries

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll

@@ -40,7 +40,7 @@ class KnownOpenSslEllipticCurveConstantAlgorithmInstance extends OpenSslAlgorith
     result = this.(Call).getTarget().getName()
   }
 
-  override Crypto::EllipticCurveFamilyType getEllipticCurveFamilyType() {
+  override Crypto::EllipticCurveType getEllipticCurveType() {
     if
       Crypto::ellipticCurveNameToKnownKeySizeAndFamilyMapping(this.getParsedEllipticCurveName(), _,
         _)

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll

@@ -72,7 +72,7 @@ class KnownOpenSslHashConstantAlgorithmInstance extends OpenSslAlgorithmInstance
 
   override OpenSslAlgorithmValueConsumer getAvc() { result = getterCall }
 
-  override Crypto::THashType getHashFamily() {
+  override Crypto::THashType getHashType() {
     knownOpenSslConstantToHashFamilyType(this, result)
     or
     not knownOpenSslConstantToHashFamilyType(this, _) and result = Crypto::OtherHashType()

java/ql/lib/experimental/quantum/JCA.qll

@@ -426,7 +426,7 @@ module JCAModel {
 
     override string getRawHashAlgorithmName() { result = super.getPadding() }
 
-    override Crypto::THashType getHashFamily() { result = hash_name_to_type_known(hashName, _) }
+    override Crypto::THashType getHashType() { result = hash_name_to_type_known(hashName, _) }
 
     override int getFixedDigestLength() { exists(hash_name_to_type_known(hashName, result)) }
   }
@@ -859,7 +859,7 @@ module JCAModel {
 
     override string getRawHashAlgorithmName() { result = super.getValue() }
 
-    override Crypto::THashType getHashFamily() {
+    override Crypto::THashType getHashType() {
       result = hash_name_to_type_known(this.getRawHashAlgorithmName(), _)
     }
 
@@ -1095,21 +1095,6 @@ module JCAModel {
     }
   }
 
-  /**
-   * An instance of `java.security.SecureRandom.nextBytes(byte[])` call.
-   * This is already generally modeled for Java in CodeQL, but
-   * we model it again as part of the crypto API model to have a cohesive model.
-   */
-  class JavaSecuritySecureRandom extends Crypto::RandomNumberGenerationInstance instanceof Call {
-    JavaSecuritySecureRandom() {
-      this.getCallee().hasQualifiedName("java.security", "SecureRandom", "nextBytes")
-    }
-
-    override Crypto::DataFlowNode getOutputNode() { result.asExpr() = this.(Call).getArgument(0) }
-
-    override string getGeneratorName() { result = this.(Call).getCallee().getName() }
-  }
-
   class KeyGeneratorGenerateCall extends Crypto::KeyGenerationOperationInstance instanceof MethodCall
   {
     Crypto::KeyArtifactType type;
@@ -1302,7 +1287,7 @@ module JCAModel {
 
     override string getRawHashAlgorithmName() { result = this.(StringLiteral).getValue() }
 
-    override Crypto::THashType getHashFamily() { result = hash_name_to_type_known(hashName, _) }
+    override Crypto::THashType getHashType() { result = hash_name_to_type_known(hashName, _) }
 
     override int getFixedDigestLength() { exists(hash_name_to_type_known(hashName, result)) }
   }
@@ -1770,7 +1755,7 @@ module JCAModel {
 
     override string getRawHashAlgorithmName() { result = this.(StringLiteral).getValue() }
 
-    override Crypto::THashType getHashFamily() { result = hashType }
+    override Crypto::THashType getHashType() { result = hashType }
 
     override int getFixedDigestLength() { result = digestLength }
   }
@@ -1905,7 +1890,7 @@ module JCAModel {
 
     override string getRawEllipticCurveName() { result = super.getValue() }
 
-    override Crypto::EllipticCurveFamilyType getEllipticCurveFamilyType() {
+    override Crypto::EllipticCurveType getEllipticCurveType() {
       if
         Crypto::ellipticCurveNameToKnownKeySizeAndFamilyMapping(this.getRawEllipticCurveName(), _, _)
       then

java/ql/lib/experimental/quantum/Language.qll

@@ -93,8 +93,9 @@ private class GenericRemoteDataSource extends Crypto::GenericRemoteDataSource {
   override string getAdditionalDescription() { result = this.toString() }
 }
 
-private class ConstantDataSource extends Crypto::GenericConstantSourceInstance instanceof Literal {
-  ConstantDataSource() {
+private class ConstantDataSourceLiteral extends Crypto::GenericConstantSourceInstance instanceof Literal
+{
+  ConstantDataSourceLiteral() {
     // TODO: this is an API specific workaround for JCA, as 'EC' is a constant that may be used
     // where typical algorithms are specified, but EC specifically means set up a
     // default curve container, that will later be specified explicitly (or if not a default)
@@ -112,6 +113,20 @@ private class ConstantDataSource extends Crypto::GenericConstantSourceInstance i
   override string getAdditionalDescription() { result = this.toString() }
 }
 
+private class ConstantDataSourceArrayInitializer extends Crypto::GenericConstantSourceInstance instanceof ArrayInit
+{
+  ConstantDataSourceArrayInitializer() { this.getAnInit() instanceof Literal }
+
+  override DataFlow::Node getOutputNode() { result.asExpr() = this }
+
+  override predicate flowsTo(Crypto::FlowAwareElement other) {
+    // TODO: separate config to avoid blowing up data-flow analysis
+    GenericDataSourceFlow::flow(this.getOutputNode(), other.getInputNode())
+  }
+
+  override string getAdditionalDescription() { result = this.toString() }
+}
+
 /**
  * An instance of random number generation, modeled as the expression
  * tied to an output node (i.e., the result of the source of randomness)
@@ -215,7 +230,7 @@ module ArtifactFlowConfig implements DataFlow::ConfigSig {
 
 module GenericDataSourceFlow = TaintTracking::Global<GenericDataSourceFlowConfig>;
 
-module ArtifactFlow = DataFlow::Global<ArtifactFlowConfig>;
+module ArtifactFlow = TaintTracking::Global<ArtifactFlowConfig>;
 
 // Import library-specific modeling
 import JCA

java/ql/src/experimental/quantum/Examples/InsecureIVorNonceSource.ql

@@ -0,0 +1,47 @@
+/**
+ * @name Insecure nonce/iv (static value or weak random source)
+ * @id java/quantum/insecure-iv-or-nonce
+ * @description A nonce/iv is generated from a source that is not secure. This can lead to
+ *              vulnerabilities such as replay attacks or key recovery. Insecure generation
+ *              is any static nonce, or any known insecure source for a nonce/iv if
+ *              the value is used for an encryption operation (decryption operations are ignored
+ *              as the nonce/iv would be provided alongside the ciphertext).
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags quantum
+ *       experimental
+ */
+
+import experimental.quantum.Language
+
+from Crypto::NonceArtifactNode nonce, Crypto::NodeBase src, Crypto::NodeBase op, string msg
+where
+  nonce.getSourceNode() = src and
+  (
+    // Case 1: Any constant nonce/iv is bad, regardless of how it is used
+    src.asElement() instanceof Crypto::GenericConstantSourceInstance and
+    op = nonce and // binding op by not using it
+    msg = "Nonce or IV uses constant source $@"
+    or
+    // Case 2: The nonce has a non-random source and there is no known operation for the nonce
+    //         assume it is used for encryption
+    not src.asElement() instanceof SecureRandomnessInstance and
+    not src.asElement() instanceof Crypto::GenericConstantSourceInstance and
+    not exists(Crypto::CipherOperationNode o | o.getANonce() = nonce) and
+    op = nonce and // binding op, but not using it
+    msg =
+      "Nonce or IV uses insecure source $@ with no observed nonce usage (assuming could be for encryption)."
+    or
+    // Case 3: The nonce has a non-random source and is used in an encryption operation
+    not src.asElement() instanceof SecureRandomnessInstance and
+    not src.asElement() instanceof Crypto::GenericConstantSourceInstance and
+    op.(Crypto::CipherOperationNode).getANonce() = nonce and
+    (
+      op.(Crypto::CipherOperationNode).getKeyOperationSubtype() instanceof Crypto::TEncryptMode
+      or
+      op.(Crypto::CipherOperationNode).getKeyOperationSubtype() instanceof Crypto::TWrapMode
+    ) and
+    msg = "Nonce or IV uses insecure source $@ at encryption operation $@"
+  )
+select nonce, msg, src, src.toString(), op, op.toString()

java/ql/src/experimental/quantum/Examples/NonAESGCMCipher.ql

@@ -0,0 +1,25 @@
+/**
+ * @name Cipher not AES-GCM mode
+ * @id java/quantum/non-aes-gcm
+ * @description An AES cipher is in use without GCM
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags quantum
+ *       experimental
+ */
+
+import experimental.quantum.Language
+
+class NonAESGCMAlgorithmNode extends Crypto::KeyOperationAlgorithmNode {
+  NonAESGCMAlgorithmNode() {
+    this.getAlgorithmType() = Crypto::KeyOpAlg::TSymmetricCipher(Crypto::KeyOpAlg::AES()) and
+    this.getModeOfOperation().getModeType() != Crypto::KeyOpAlg::GCM()
+  }
+}
+
+from Crypto::KeyOperationNode op, Crypto::KeyOperationOutputNode codeNode
+where
+  op.getAKnownAlgorithm() instanceof NonAESGCMAlgorithmNode and
+  codeNode = op.getAnOutputArtifact()
+select op, "Non-AES-GCM instance."

java/ql/src/experimental/quantum/Analysis/ReusedNonce.ql → java/ql/src/experimental/quantum/Examples/ReusedNonce.ql

@@ -4,7 +4,7 @@
  * @id java/quantum/reused-nonce
  * @kind problem
  * @problem.severity error
- * @precision medium
+ * @precision high
  * @tags quantum
  *       experimental
  */

java/ql/src/experimental/quantum/Examples/UnknownHash.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Unknown hashes
+ * @description Finds uses of cryptographic hashing algorithms of unknown type.
+ * @id java/quantum/unknown-hash
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags quantum
+ *       experimental
+ */
+
+import java
+import experimental.quantum.Language
+
+from Crypto::HashAlgorithmNode alg
+where not exists(alg.getHashType())
+select alg, "Use of unknown hash algorithm or API."

java/ql/src/experimental/quantum/Examples/UnknownIVorNonceSource.ql

@@ -0,0 +1,36 @@
+/**
+ * @name Unknown nonce/iv source
+ * @id java/quantum/unknown-iv-or-nonce-source
+ * @description A nonce/iv is generated from a source that is not secure. Failure to initialize
+ *              an IV or nonce properly can lead to vulnerabilities such as replay attacks or key recovery.
+ *              IV may be unknown at a decryption operation (IV would be provided alongside the ciphertext).
+ *              These cases are ignored.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags quantum
+ *       experimental
+ */
+
+import experimental.quantum.Language
+
+from Crypto::NonceArtifactNode nonce, Crypto::NodeBase op, string msg
+where
+  not exists(nonce.getSourceNode()) and
+  (
+    // Nonce not associated with any known cipher operation, assume unknown as insecure
+    not exists(Crypto::CipherOperationNode o | o.getANonce() = nonce) and
+    op = nonce and
+    msg =
+      "Unknown IV/Nonce initialization source with no observed nonce usage (assuming could be for encryption)."
+    or
+    // Nonce associated cipher operation where the mode is not explicitly encryption
+    op.(Crypto::CipherOperationNode).getANonce() = nonce and
+    (
+      op.(Crypto::CipherOperationNode).getKeyOperationSubtype() instanceof Crypto::TEncryptMode
+      or
+      op.(Crypto::CipherOperationNode).getKeyOperationSubtype() instanceof Crypto::TWrapMode
+    ) and
+    msg = "Unknown IV/Nonce initialization source at encryption operation $@"
+  )
+select nonce, msg, op, op.toString()

java/ql/src/experimental/quantum/Analysis/UnknownKDFIterationCount.ql → java/ql/src/experimental/quantum/Examples/UnknownKDFIterationCount.ql

@@ -4,7 +4,7 @@
  * @id java/quantum/unknown-kdf-iteration-count
  * @kind problem
  * @precision medium
- * @severity warning
+ * @problem.severity error
  * @tags quantum
  *       experimental
  */

java/ql/src/experimental/quantum/Examples/WeakAsymmetric.ql

@@ -0,0 +1,22 @@
+/**
+ * @name Weak Asymmetric Key Size
+ * @id java/quantum/weak-asymmetric-key-size
+ * @description An asymmetric cipher with a short key size is in use
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags quantum
+ *       experimental
+ */
+
+import java
+import experimental.quantum.Language
+
+from Crypto::KeyOperationAlgorithmNode op, int keySize, string algName
+where
+  keySize = op.getKeySizeFixed() and
+  keySize < 2048 and
+  algName = op.getAlgorithmName() and
+  // Can't be an elliptic curve
+  op.getAlgorithmType() != Crypto::KeyOpAlg::AlgorithmType::EllipticCurveType()
+select "Use of weak asymmetric key size (" + keySize.toString() + " bits) for algorithm " + algName

java/ql/src/experimental/quantum/Examples/WeakBlockModes.ql

@@ -0,0 +1,33 @@
+/**
+ * @name Weak AES Block mode
+ * @id java/quantum/weak-block-modes
+ * @description An AES cipher is in use with an insecure block mode
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags quantum
+ *       experimental
+ */
+
+import java
+import experimental.quantum.Language
+
+class WeakAESBlockModeAlgNode extends Crypto::KeyOperationAlgorithmNode {
+  Crypto::ModeOfOperationAlgorithmNode mode;
+
+  WeakAESBlockModeAlgNode() {
+    this.getAlgorithmType() = Crypto::KeyOpAlg::TSymmetricCipher(Crypto::KeyOpAlg::AES()) and
+    mode = super.getModeOfOperation() and
+    (
+      mode.getModeType() = Crypto::KeyOpAlg::ECB() or
+      mode.getModeType() = Crypto::KeyOpAlg::CFB() or
+      mode.getModeType() = Crypto::KeyOpAlg::OFB() or
+      mode.getModeType() = Crypto::KeyOpAlg::CTR()
+    )
+  }
+
+  Crypto::ModeOfOperationAlgorithmNode getMode() { result = mode }
+}
+
+from WeakAESBlockModeAlgNode alg
+select alg, "Weak AES block mode instance $@.", alg.getMode(), alg.getMode().toString()

java/ql/src/experimental/quantum/Examples/WeakHash.ql

@@ -0,0 +1,34 @@
+/**
+ * @name Weak hashes
+ * @description Finds uses of cryptographic hashing algorithms that are unapproved or otherwise weak.
+ * @id java/quantum/weak-hash
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags external/cwe/cwe-327
+ *       quantum
+ *       experimental
+ */
+
+import java
+import experimental.quantum.Language
+
+from Crypto::HashAlgorithmNode alg, Crypto::HashType htype, string msg
+where
+  htype = alg.getHashType() and
+  (
+    (htype != Crypto::SHA2() and htype != Crypto::SHA2()) and
+    msg = "Use of unapproved hash algorithm or API " + htype.toString() + "."
+    or
+    (htype = Crypto::SHA2() or htype = Crypto::SHA3()) and
+    not exists(alg.getDigestLength()) and
+    msg =
+      "Use of approved hash algorithm or API type " + htype.toString() + " but unknown digest size."
+    or
+    (htype = Crypto::SHA2() or htype = Crypto::SHA3()) and
+    alg.getDigestLength() < 256 and
+    msg =
+      "Use of approved hash algorithm or API type " + htype.toString() + " but weak digest size (" +
+        alg.getDigestLength() + ")."
+  )
+select alg, msg