CodeQL Java Optimisation：Make CodeQL Data Flow Analysis support java features such as java reflection, threading, etc (1).pdf

《CodeQL Java Optimisation：Make CodeQL Data Flow Analysis support java features such as java reflection, threading, etc (1).pdf》由会员分享，可在线阅读，更多相关《CodeQL Java Optimisation：Make CodeQL Data Flow Analysis support java features such as java reflection, threading, etc (1).pdf（41页珍藏版）》请在三个皮匠报告上搜索。

1、演讲人：m0d9时间：2024.08.24关于我ID：m0d9From:腾讯云云鼎实验室CodeQL 概述与Java 分析难点解决CodeQL Java 代码分析难点CodeQL 数据流分析解析历史漏洞回溯PART ONE01CodeQL 概述CodeQL 历史2019201820?2006Semmle 成立微软收购GithubGithub 收购Semmle默认SAST 工具LGTM2022LGTM下线程序分析PTA(soot/Tai-e)Datalog(Souffl/Doop)CodeQL 概述Demoimport java.lang.Runnable;public class Runnab

2、leDemo implements Runnable private String threadName;RunnableDemo(String name)threadName=name;public void run()System.out.println(threadName);public static void main(String args)throws Exception String tt=args0;RunnableDemo T1=new RunnableDemo(tt);Thread t=new Thread(T1);t.start();class MyTaintTrack

3、ingConfig extends TaintTracking:Configuration MyTaintTrackingConfig()this=MyTaintTrackingConfig override predicate isSource(DataFlow:Node source)exists(Method m|m.hasName(main)and m.getAParameter()=source.asParameter()override predicate isSink(DataFlow:Node sink)exists(MethodAccess ma|ma.getCallee()

4、.getDeclaringType().hasQualifiedName(java.io,PrintStream)and sink.asExpr()=ma.getAnArgument()from MyTaintTrackingConfig cfg,DataFlow:PathNode source,DataFlow:PathNode sinkwhere cfg.hasFlowPath(source,sink)select sink.getNode(),source,sink,Partial flow from unsanitized user data+Source CodeQL=ResultC

5、odeQL 概述架构-DB 类似DataLog 的facts，有自己的格式-QL 编译形成dil，dil 类似DataLog的DLCodeQL 概述Databasesource code.trap.reldbschemaCodeQL 概述QL.dilDatalog intermediate representation.ql.raRelational algebra intermediate representationJava 程序分析难点Java 程序分析难点Runnableimport java.lang.Runnable;public class RunnableDemo implem

6、ents Runnable private String threadName;RunnableDemo(String name)threadName=name;public void run()System.out.println(threadName);public static void main(String args)throws Exception String tt=args0;RunnableDemo T1=new RunnableDemo(tt);Thread t=new Thread(T1);t.start();-java.lang.Runnable-java.lang.T