Replies: 1 comment 1 reply
-
This is a very interesting question. I'm not entirely sure if flow states are really necessary in your use-case. Couldn't you mark all high security data as sources and places with low security as sinks and do a normal state-less taint flow analysis to see if there is flow between the sources and the sinks? You might still want to explore using FlowStates. For experimenting a bit with FlowStates, I think you could define You can "set" the state of a bit of data at the source by defining an predicate isAdditionalFlowStep(
DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2 A state preserving step would have |
Beta Was this translation helpful? Give feedback.
-
Hello,
i am new to CodeQL and want to perform a Lattice-based Taintanalysis with custom Labels in Java.
Essentially, i want to declare methods and their parameters or returns with custom labels to represent some security level, e.g., "high" and "low", and want to detect if there are flows between data labeled with high to data labeled with low.
Therefore i have to following Requirements:
First Question: Is CodeQL able to perform an analysis with these requirements? If no, the following can be skipped.
Currently i can specify really basic dataflow and tainttracking queries according to the tutorial https://codeql.github.com/docs/codeql-language-guides/analyzing-data-flow-in-java/.
However, i do not really find a tutorial how to define and attach the "Labels" for Data in Java.
I already thought
DataFlow::FlowState
andDataFlow::StateConfigSig
does the trick and are similar to Flow Labels in CodeQL for Javascript as shown in the tutorial https://codeql.github.com/docs/codeql-language-guides/using-flow-labels-for-precise-data-flow-analysis/.Second Question: Can the
FlowState
be used for labeling Data and analyzing flows with it? If no, what is the suitable means for this.In case of no, the following can be skipped.
I have several problems/questions with
FlowState
andFlowStateConfigSig
StateConfigSig
requires me to "Declare FlowState", however i do not know what this means on the configuration level. What do i have to specify here?FlowState
/Label for specific data to start with. Is there some tutorial i did not find or could you help me here?FlowState
, however, i do not find anyway to access it. Whats the right way to obtain the current FlowState of a Node or similar?isSource
/isSink
requires the definition of a subclass of FlowState. However, i would like to keep the query dynamic so the sources or sinks i want to select can be dynamically specified. A workaround would be to provide a customFlowState
for this which then is extended by other classes. Is there another way for doing this?Can you help me with these problems/problems as well?
Sorry for the long text and thanks for the help in advance.
Beta Was this translation helpful? Give feedback.
All reactions