Speaker: m0d9
Date: 2024.08.24
About me: ID: m0d9; From: Tencent Cloud Yunding Lab (腾讯云云鼎实验室)

CodeQL Overview and Solving Java Analysis Difficulties

Agenda
- CodeQL Java code analysis difficulties
- CodeQL data flow analysis explained
- Historical vulnerability review

PART ONE 01 CodeQL Overview

CodeQL history
- 2006: Semmle founded
- 2018: Microsoft acquires GitHub
- 2019: GitHub acquires Semmle
- 20?: LGTM, the default SAST tool
- 2022: LGTM taken offline

Program analysis
- PTA (soot / Tai-e)
- Datalog (Soufflé / Doop)

CodeQL Overview: Demo

Source program (RunnableDemo):

    import java.lang.Runnable;

    public class RunnableDemo implements Runnable {
        private String threadName;

        RunnableDemo(String name) {
            threadName = name;
        }

        public void run() {
            System.out.println(threadName);
        }

        public static void main(String[] args) throws Exception {
            String tt = args[0];
            RunnableDemo T1 = new RunnableDemo(tt);
            Thread t = new Thread(T1);
            t.start();
        }
    }

Taint-tracking query (legacy TaintTracking::Configuration API; the path-problem header and imports were missing from the slide and are added so the query compiles):

    /**
     * @kind path-problem
     */
    import java
    import semmle.code.java.dataflow.TaintTracking
    import DataFlow::PathGraph

    class MyTaintTrackingConfig extends TaintTracking::Configuration {
      MyTaintTrackingConfig() { this = "MyTaintTrackingConfig" }

      // Source: any parameter of a method named "main" (i.e. args)
      override predicate isSource(DataFlow::Node source) {
        exists(Method m | m.hasName("main") and m.getAParameter() = source.asParameter())
      }

      // Sink: any argument passed to a java.io.PrintStream method (e.g. println)
      override predicate isSink(DataFlow::Node sink) {
        exists(MethodAccess ma |
          ma.getCallee().getDeclaringType().hasQualifiedName("java.io", "PrintStream") and
          sink.asExpr() = ma.getAnArgument()
        )
      }
    }

    from MyTaintTrackingConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
    where cfg.hasFlowPath(source, sink)
    select sink.getNode(), source, sink, "Partial flow from unsanitized user data"

Source + CodeQL = Result

CodeQL Overview: Architecture
- The database is similar to Datalog facts, but uses its own format
- QL is compiled into dil; dil is similar to Datalog's DL

CodeQL Overview: Database
source code -> .trap -> .rel (described by the dbschema)

CodeQL Overview: QL
- .ql
- .dil: Datalog intermediate representation
- .ra: relational algebra intermediate representation

Java Program Analysis Difficulties

Java program analysis difficulties: Runnable (the RunnableDemo listing from the demo above)
- java.lang.Runnable
- java.lang.T
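The Runnable difficulty, illustrated as an added example that is not part of the slides and not CodeQL's own code or data: a tiny Datalog-style fixpoint over hand-written facts for the RunnableDemo program. It assumes the difficulty is that no syntactic call of `run()` exists, so the flow from `args[0]` into `println(threadName)` is found only once `Thread.start()` is modelled as dispatching to `RunnableDemo.run()`; node names, fact sets and the reachability rule are constructed for the illustration.

```python
"""Added illustration (not CodeQL's own code or database format): a small
Datalog-style fixpoint over hand-written facts for RunnableDemo, showing why
the flow args[0] -> println(threadName) is only found once Thread.start()
is modelled as dispatching to RunnableDemo.run()."""

# Constructed facts. A node is "method:variable"; a step is (from, to).
STEP = {
    ("main:args", "main:tt"),                   # String tt = args[0];
    ("main:tt", "<init>:name"),                 # new RunnableDemo(tt) -> parameter name
    ("<init>:name", "<init>:this.threadName"),  # threadName = name;  (field store)
    ("<init>:this.threadName", "run:this.threadName"),  # same object, field read in run()
    ("run:this.threadName", "run:println_arg"),         # System.out.println(threadName)
}
# Call-graph facts the analysis starts with: there is no syntactic call of run().
CALLS = {("main", "<init>"), ("main", "Thread.<init>"), ("main", "Thread.start")}
# The framework-specific edge a library model has to supply (assumed here).
THREAD_DISPATCH = {("Thread.start", "run")}

def method_of(node):
    return node.split(":", 1)[0]

def reachable(calls, entry="main"):
    """Fixpoint: reach(entry). reach(Y) :- reach(X), calls(X, Y)."""
    reach = {entry}
    while True:
        new = {y for (x, y) in calls if x in reach and y not in reach}
        if not new:
            return reach
        reach |= new

def taint_flow(source, steps, calls):
    """Fixpoint: flow(src). flow(b) :- flow(a), step(a, b), reach(method(b))."""
    reach = reachable(calls)
    tainted = {source}
    while True:
        new = {b for (a, b) in steps
               if a in tainted and b not in tainted and method_of(b) in reach}
        if not new:
            return tainted
        tainted |= new

def sink_reached(calls):
    """True if the println argument in run() is tainted from main's args."""
    return "run:println_arg" in taint_flow("main:args", STEP, calls)

if __name__ == "__main__":
    print("without Thread.start model:", sink_reached(CALLS))                    # False
    print("with Thread.start model:   ", sink_reached(CALLS | THREAD_DISPATCH))  # True
```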