diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..c034d3f --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +**/.cache \ No newline at end of file diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..14aa3a0 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,4 @@ +[submodule "codeql"] + path = codeql + url = https://github.com/github/codeql + branch = lgtm.com diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..ea0bd45 --- /dev/null +++ b/CODE_OF_CONDUCT.md 
@@ -0,0 +1,94 @@ + +# Code of Conduct + +The GitHub Universe 2020 Discussion Forum is intended to be a place for questions, feedback and chat related to sessions at the virtual GitHub Universe 2020 event. This is a civilized place for connecting with other attendees, and Hubbers from across the world taking part in the event. By participating in this community, you are agreeing to the same [Terms of Service](https://help.github.com/articles/github-terms-of-service) that apply to GitHub.com, as well as the GitHub Universe 2020 Discussion Forum specific Code of Conduct. + +With this Code of Conduct, we hope to help you understand how best to collaborate in Discussions, what you can expect from moderators, and what type of actions or content may result in temporary or permanent suspension from this project. We will investigate any abuse reports and may moderate public content within the discussion that we determine to be in violation of either the GitHub Terms of Service or this Code of Conduct. + +GitHub users worldwide bring wildly different perspectives, ideas, and experiences, and range from people who created their first "Hello World" project last week to the most well-known software developers in the world. We are committed to making GitHub Universe a welcoming environment for all the different voices and perspectives here, while maintaining a space where people are free to express themselves. + + +### Pledge + +In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to make participation in the GitHub Universe Discussions a harassment-free experience for everyone, regardless of age, body size, ability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation. + + +### Standards + +Treat the GitHub Universe Discussions with respect. 
The following are not hard and fast rules, merely aids to the human judgment of our Community. Use these guidelines to keep this a clean, well-lighted place for civilized public discourse. + + +#### _Best Practices for Building a Strong Community_ + + + +* Be respectful and considerate. + * Be welcoming and open-minded. Other GitHub members may not have the same experience level or background as you, but that doesn't mean they don't have good ideas to contribute. We encourage you to be welcoming to new members and those just getting started. + * Respect each other. Nothing sabotages healthy conversation like rudeness. Be civil and professional, and don’t post anything that a reasonable person would consider offensive, abusive, or hate speech. Don’t harass or grief anyone. Treat each other with dignity and consideration in all interactions. \ +You may wish to respond to something by disagreeing with it. That’s fine. But remember to criticize ideas, not people. Avoid name-calling, ad hominem attacks, responding to a post’s tone instead of its actual content, and knee-jerk contradiction. Instead, provide reasoned counter-arguments that improve the conversation. + * Communicate with empathy. Disagreements or differences of opinion are a fact of life. Being part of a community means interacting with people from a variety of backgrounds and perspectives, many of which may not be your own. If you disagree with someone, try to understand and share their feelings before you address them. This will promote a respectful and friendly atmosphere where people feel comfortable asking questions, participating in discussions, and making contributions. +* Contribute in a positive and constructive way. + * Improve the discussion. Help us make this a great place for discussion by always working to improve the discussion in some way, however small. If you are not sure your post adds to the conversation, think over what you want to say and try again later. 
\ +The topics discussed here matter to us, and we want you to act as if they matter to you, too. Be respectful of the topics and the people discussing them, even if you disagree with some of what is being said. + * Be clear and stay on topic. Communicating with strangers on the Internet can be awkward. It's hard to convey or read tone, and sarcasm is frequently misunderstood. Try to use clear language, and think about how it will be received by the other person. \ +This applies to sharing links, as well. Any links shared in the discussions should be shared with the intent of providing relevant and appropriate information. Links should not be posted to simply drive traffic or attention to a site. Links should always be accompanied by a full explanation of the content and purpose of the link. Posting links, especially unsolicited ones, without relevant and valuable context can come across as advertising or serving even more malicious purposes. + * Share mindfully. Don't share sensitive information. This includes your own email address. We don't allow the sharing of such information in this discussion forum, as it can create security and privacy risks for the poster, as well as other users. + * Keep it tidy. Make the effort to put things in the right place, so that we can spend more time discussing and less time cleaning up. So: + * Don’t cross-post the same thing in multiple topics. + * Don’t post no-content replies. + * Don’t divert a topic by changing it midstream. + * Rather than posting “+1” or “Agreed”, use the Reaction emoji button. +* Be trustworthy. + * Always be honest. Don’t knowingly share incorrect information or intentionally mislead other GitHub members. If you don’t know the answer to someone’s question but still want to help, you can try helping them research or find resources instead. GitHub staff will also be active in the discussions, so if you’re unsure of an answer, it’s likely a moderator will be able to help. 
+ +#### _What is not Allowed_ + +* Threats of violence. You may not threaten violence towards others or use the site to organize, promote, or incite acts of real-world violence or terrorism. Think carefully about the words you use, the images you post, and even the software you write, and how they may be interpreted by others. Even if you mean something as a joke, it might not be received that way. If you think that someone else might interpret the content you post as a threat, or as promoting violence or terrorism, stop. Don't post it. In extraordinary cases, we may report threats of violence to law enforcement if we think there may be a genuine risk of physical harm or a threat to public safety. +* Hate speech and discrimination. While it is not forbidden to broach topics such as age, body size, ability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation, we do not tolerate speech that attacks a person or group of people on the basis of who they are. Just realize that talking about these or other sensitive topics can make others feel unwelcome, or perhaps even unsafe, if approached in an aggressive or insulting manner. We expect our community members to be respectful when discussing sensitive topics. +* Bullying and harassment. We do not tolerate bullying or harassment. This means any habitual badgering or intimidation targeted at a specific person or group of people. In general, if your actions are unwanted and you continue to engage in them, there's a good chance you are headed into bullying or harassment territory. +* Impersonation. You may not impersonate another person by copying their avatar, posting content under their email address, intentionally using a deceptively similar username or otherwise posing as someone else. Impersonation is a form of harassment. +* Doxxing and invasion of privacy. 
Don't post other people's personal information, such as phone numbers, private email addresses, physical addresses, credit card numbers, Social Security/National Identity numbers, or passwords. Depending on the context, such as in the case of intimidation or harassment, we may consider other information, such as photos or videos that were taken or distributed without the subject's consent, to be an invasion of privacy, especially when such material presents a safety risk to the subject. +* Prurient/Sexually explicit content. Basically, don't post pornography. This does not mean that all nudity or sexual content is prohibited. We recognize that sexuality is a part of life and non-pornographic sexual content may be a part of your project, or may be presented for educational or artistic purposes. If you have any questions or concerns about something you want to post, [feel free to reach out and ask](https://support.github.com/contact) beforehand. +* Spam. Respect the GitHub Universe Discussions. Don’t post advertisements, link to spammy websites, or otherwise vandalize the community. This community is meant for GitHub Universe participants to talk about the sessions, to provide feedback, as questions, learn, and share ideas with one another - not for advertising or other spam-like content. Content that we deem spammy will be removed. +* Copyrighted or illegal content. Only post your own stuff. You are responsible for what you post. If you post something you didn’t create yourself, you must have the right to post it. You may not post illegal content, including content illegal under copyright and trademark laws, links to illegal content, or methods for circumventing the law. +* Active malware or exploits. Being part of this community includes not taking advantage of other members of the community. We do not allow anyone to use our platform for exploit delivery (e.g. Using the community as a means to deliver malicious executables) or as attack infrastructure (e.g. 
Organizing denial of service attacks or managing command and control servers). Note, however, that we do not prohibit the posting of source code which could be used to develop malware or exploits, as the publication and distribution of such source code has educational value and provides a net benefit to the security community. +* Anyone under the age of 13. If you're a child under the age of 13, you may not have an account on GitHub. GitHub does not knowingly collect information from or direct any of our content specifically to children under 13. If we learn or have reason to suspect that you are a user who is under the age of 13, we will unfortunately have to close both your GitHub.com account. We don't want to discourage you from learning to code, but those are the rules. Please see our [Terms of Service](https://help.github.com/articles/github-terms-of-service) for information about account termination. +* Other conduct which could reasonably be considered inappropriate in a professional setting. The GitHub Universe Discussions is a professional space and should be treated as such. + +### Enforcement + + +#### _What GitHub Universe Discussions members Can Do_ + +* If you see a problem, report it. Moderators have special authority; they are responsible for this community. But so are you. With your help, moderators can be community facilitators, not just janitors or police. \ +When you see bad behavior, don’t reply. It encourages the bad behavior by acknowledging it, consumes your energy, and wastes everyone’s time. Just report it by copying a direct link to the reply in question and emailing it to events@github.com + +#### Our Responsibilities + + +There are a variety of actions that we may take in response to inappropriate behavior or content. It usually depends on the exact circumstances of a particular case. We recognize that sometimes people may say or do inappropriate things for any number of reasons. 
Perhaps they did not realize how their words would be perceived. Or maybe they just let their emotions get the best of them. Of course, sometimes, there are folks who just want to spam or cause trouble. + +Each case requires a different approach, and we try to tailor our response to meet the needs of the situation. We'll review each situation on a case-by-case basis. In each case, we will have a diverse team investigate the content and surrounding facts and respond as appropriate, using this Code of Conduct to guide our decision. + +Actions we may take in response to a flag or abuse report include, but are not limited to: + + + +* Content Removal +* Content Blocking +* GitHub Account Suspension +* GitHub Account Termination + +### Contacting GitHub Staff + + +If, for any reason, you want to contact GitHub Staff, the Community Managers, Administrators, or Moderators of this forum privately, you can send an email to events@github.com. + +Let's work together to keep the discussion a place where people feel safe to participate by being respectful of them and their time. + + +### Legal Notices + +Yes, legalese is boring, but we must protect ourselves – and by extension, you and your data – against unfriendly folks. We have a [Terms of Service](https://help.github.com/articles/github-terms-of-service/) and [Privacy Statement](https://help.github.com/articles/github-privacy-statement/) describing your (and our) behavior and rights related to content, privacy, and laws. To use this service, you must agree to abide by our [Terms of Service](https://help.github.com/articles/github-terms-of-service/) and the [Privacy Statement](https://help.github.com/articles/github-privacy-statement/). + +This Code of Conduct does not modify our [Terms of Service](https://help.github.com/articles/github-terms-of-service/) and is not intended to be a complete list. 
GitHub retains full discretion under the [Terms of Service](https://help.github.com/articles/github-terms-of-service/) to remove any content or terminate any accounts for activity that is "unlawful, offensive, threatening, libelous, defamatory, pornographic, obscene or otherwise objectionable or violates any party's intellectual property or these Terms of Service." This Code of Conduct describes when we will exercise that discretion. diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..3084900 --- /dev/null +++ b/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2006-2020 GitHub, Inc. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..6a80a8b --- /dev/null +++ b/README.md @@ -0,0 +1,43 @@ +
+ Prerequisites • + Resources +
+ +> CodeQL is GitHub's expressive language and engine for code analysis, which allows you to explore source code to find bugs and security vulnerabilities. During this beginner-friendly workshop, you will learn to write queries in CodeQL to find use-after-free vulnerabilities in open-source C/C++ code. + +## :mega: Prerequisites +- Install [Visual Studio Code](https://code.visualstudio.com/). +- Install the [CodeQL extension for Visual Studio Code](https://help.semmle.com/codeql/codeql-for-vscode/procedures/setting-up.html). +- You do _not_ need to install the CodeQL CLI: the extension will handle this for you. +- Clone this repository: + ``` + git clone --recursive https://github.com/githubuniverseworkshops/codeql + ``` + - **Please don't forget `--recursive`:** This allows you to obtain the standard CodeQL query libraries, which are included as a Git submodule of this repository. + - **What if I forgot to add `--recursive`?** If you've already cloned the repository, please set up the submodule by running: + ``` + git submodule --init --remote + ``` +- Open the repository in Visual Studio Code: **File** > **Open Folder** > Browse to the checkout of `githubuniverseworkshops/codeql`. +- Import the [CodeQL database](TODO) to be used in the workshop: + - Click the **CodeQL** rectangular icon in the left sidebar. + - Place your mouse over **Databases**, and click the icon labelled `Download Database`. + - Use this URL: **TODO**. + - Click on the database name, and click **Set Current Database**. +- You're ready! Proceed to the [workshop](workshop.md). + +## :books: Resources +- For more advanced CodeQL development in future, you may wish to set up the [CodeQL starter workspace](https://codeql.github.com/docs/codeql-for-visual-studio-code/setting-up-codeql-in-visual-studio-code/#using-the-starter-workspace) for all languages. 
+- [CodeQL overview](https://codeql.github.com/docs/codeql-overview/) +- [CodeQL for C/C++](https://codeql.github.com/docs/codeql-language-guides/codeql-for-cpp/) +- [Analyzing data flow in C/C++](https://codeql.github.com/docs/codeql-language-guides/analyzing-data-flow-in-cpp/) +- [Using the CodeQL extension for VS Code](https://codeql.github.com/docs/codeql-for-visual-studio-code/) +- CodeQL on [GitHub Learning Lab](https://lab.github.com/search?q=codeql) +- CodeQL on [GitHub Security Lab](https://codeql.com) + +## License + +The code in this repository is licensed under the [MIT License](LICENSE) by GitHub. \ No newline at end of file diff --git a/codeql b/codeql new file mode 160000 index 0000000..ab856d6 --- /dev/null +++ b/codeql @@ -0,0 +1 @@ +Subproject commit ab856d6c01a388dbf07b45ff10300cf9102d4d44 diff --git a/example_db.zip b/example_db.zip new file mode 100644 index 0000000..c3c52f3 Binary files /dev/null and b/example_db.zip differ diff --git a/workshop-queries/example.ql b/workshop-queries/example.ql new file mode 100644 index 0000000..d611b41 --- /dev/null +++ b/workshop-queries/example.ql @@ -0,0 +1,12 @@ +/** + * @name Block + * @kind problem + * @problem.severity warning + * @id cpp/example/block + */ + +import cpp + +from BlockStmt b, int n +where n = b.getNumStmt() +select b, "This is a block with " + n + " statements." diff --git a/workshop-queries/qlpack.yml b/workshop-queries/qlpack.yml new file mode 100644 index 0000000..607e263 --- /dev/null +++ b/workshop-queries/qlpack.yml @@ -0,0 +1,3 @@ +name: workshop-queries-cpp +version: 0.0.0 +libraryPathDependencies: [codeql-cpp] \ No newline at end of file diff --git a/workshop.md b/workshop.md new file mode 100644 index 0000000..6325b1a --- /dev/null +++ b/workshop.md 
@@ -0,0 +1,344 @@ +# CodeQL workshop for C/C++: Finding use-after-free security vulnerabilities + +- Analyzed language: C/C++ + +If you are attending this workshop at GitHub Universe, or watching a recording, the facilitators will guide you through the steps below. You can use this document as a written reference. + +## Overview + +- [Problem statement](#problemstatement) +- [Setup instructions](#setupinstructions) +- [Workshop](#workshop) + - [Section 0: Getting started](#section0) + - [Section 1: Finding references to freed memory](#section1) + - [Section 2: Finding dereferences](#section2) + - [Section 3: Finding use-after-free vulnerabilities](#section3) + +## Problem statement + +Use-after-free vulnerabilities occur when a program retains a pointer to memory locations after they have been freed, and attempts to reference the freed memory. When the memory was freed, the system may choose to allocate that memory for another purpose. Attempting to reference the freed memory could result in a variety of unsafe behaviour: crashing the program, retrieving an unexpected value, corrupting data used by another program, or executing unsafe code. + +The following C code shows a simple example of using memory after it has been freed. +```c +free(s->x); +... +use(s->x); +``` + +The code frees the field `x` of a struct `s`, but does not immediately reset the field's value to zero. As a result, the struct now contains a 'dangling' pointer, which creates the potential for a use-after-free vulnerability. This becomes a real vulnerability when the code references `s->x` again, passing it to `use`. + +A safer coding practice is to always immediately zero the field after freeing it, like this: + +```c +free(s->x); +s->x = 0; +``` + +Then until `s->x` is reassigned, any attempts to reference it will simply obtain the `null` memory address. + +This is a well-known class of vulnerability, documented as [CWE-416](https://cwe.mitre.org/data/definitions/416.html). 
A relatively recent example in the `curl` tool was assigned [CVE-2018-16840](https://curl.se/docs/CVE-2018-16840.html), and inspired the material here. + +In security terminology, a reference to freed memory is considered a **source** of tainted data, and a pointer that is dereferenced (used) is considered a **sink** for a use-after-free vulnerability. + +If the tainted reference is reassigned (e.g. to zero) before it reaches a use, it is considered safe. + +In this workshop, we will use CodeQL to analyze a sample of C++ source code that demonstrates simple variants of use-after-free vulnerabilities, and write a CodeQL query to identify the vulnerable pattern with reasonable precision. + +## Setup instructions for Visual Studio Code + +To take part in the workshop you will need to set up a CodeQL development environment. See the [Prerequisites section in the README](README.md#mega-prerequisites) for full instructions. + +When you have completed setup, you should have: + +1. Installed the Visual Studio Code IDE. +1. Installed the [CodeQL extension for Visual Studio Code](https://help.semmle.com/codeql/codeql-for-vscode.html). +1. Cloned this repository with `git clone --recursive`. +1. Opened this repository in VS Code. +1. Downloaded, imported, and selected the `use-after-free-example` CodeQL database from within VS Code. +1. A `workshop-queries` folder within your workspace, containing an example query. +1. A `codeql` folder within your workspace, containing the CodeQL standard libraries for most target languages. +1. A copy of this `workshop.md` guide in your workspace. +1. Open the query `workshop-queries/example.ql` and try running it! + +## Workshop + +### Getting started + +- Use the IDE's autocomplete suggestions (`Ctrl+Space`) and jump-to-definition command (`F12`) to explore the CodeQL libraries. +- To run a query, open the Command Palette (`Cmd+Shift+P` or `Ctrl+Shift+P`), and click **CodeQL: Run Query**. 
You can also see this command when right-clicking on a query file in the editor. +- Try this out by running the example query `example.ql` in the workshop repository! +- When the query completes, click on the results to jump to the corresponding location in the source code. +- To run a part of a query, such as a single predicate, open the Command Palette and click **CodeQL: Quick Evaluation**. You can also see this command when right-clicking on selected query text in the editor. +- To understand how the source code is represented in the CodeQL libraries, use the **AST Viewer**. You can see this in the left panel of the CodeQL view. Click on a query result to get to a source file, and then click **View AST**, or run **CodeQL: View AST** from the Command Palette. + +The rest of the workshop is split into several steps. You can write one query per step, or work with a single query that you refine at each step. + +Each step has a **Hint** that describes useful classes and predicates in the CodeQL standard libraries for C/C++ and keywords in CodeQL. + +Each step has a **Solution** that indicates one possible answer. Note that all queries will need to begin with `import cpp` to use the standard libraries, but for simplicity this may be omitted below. + +### Finding references to freed memory + +1. Find all function call expressions, such as `free(x)` and `use(y, z)`. +
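Review bot: Two typos in the "What is not Allowed" section of CODE_OF_CONDUCT.md: under Spam, "to provide feedback, as questions, learn, and share ideas" should read "ask questions", and in the under-13 item, "we will unfortunately have to close both your GitHub.com account" has a dangling "both" (either drop it or name the second account that is closed). In the enforcement section, the reporting sentence ending "emailing it to events@github.com" is also missing its full stop.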
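Review bot: The recovery command in the README Prerequisites, `git submodule --init --remote`, is not a valid invocation: `--init` is an option of the `update` subcommand, so it should be `git submodule update --init`. Dropping `--remote` as well keeps the checkout at the commit pinned by the `codeql` gitlink in this same commit rather than the moving tip of the `lgtm.com` branch, which is what `git clone --recursive` produces and what the workshop queries were written against. The same list still carries two unresolved placeholders, `[CodeQL database](TODO)` and `Use this URL: **TODO**`, which attendees will hit on the database import step; `example_db.zip` is added in this commit and looks like the intended target, and workshop.md refers to the database as `use-after-free-example`, so the name and URL should be made consistent before publishing.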
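Review bot: `example_db.zip` is a binary committed directly into the repository, so every future regeneration of the database adds another full copy to the history and to each attendee's clone. Consider attaching it to a GitHub release (or Git LFS) and pointing the README download step at that URL, which would also resolve the `TODO` placeholders in the README.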
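Review bot: The Overview links in workshop.md (`#problemstatement`, `#setupinstructions`, `#section0` through `#section3`) will not resolve on GitHub, which derives anchors from heading text: "## Problem statement" becomes `#problem-statement`, "## Setup instructions for Visual Studio Code" becomes `#setup-instructions-for-visual-studio-code`, and there is no heading containing "Section 0", so either use the generated anchors or add explicit `<a name="section0"></a>` targets above the headings. Separately, "any attempts to reference it will simply obtain the `null` memory address" reads as if the use becomes harmless; since the later text says a reassigned reference "is considered safe", it would help to state that safe here means safe from a use-after-free, while a subsequent dereference becomes a null-pointer dereference that fails predictably instead of reading reused memory. The setup checklist is also phrased as "you should have:" yet its last item is an imperative ("Open the query ... and try running it!"); moving that sentence out of the list keeps the checklist consistent.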