Merge pull request #18 from raulgarciamsft/nccoe-pqc-migration

Initial PR - Proof of Concept using CNG

Author: bdrodes

cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WindowsCng.qll

@@ -0,0 +1,7 @@
+import cpp
+import DataFlow::PathGraph
+import semmle.code.cpp.dataflow.TaintTracking
+
+abstract class BCryptOpenAlgorithmProviderSink extends DataFlow::Node {}
+abstract class BCryptOpenAlgorithmProviderSource extends DataFlow::Node {}
+

cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WindowsCngPQCVAsymmetricKeyUsage.ql

@@ -0,0 +1,40 @@
+/**
+ * @id cpp/nist-pqc/pqc-vulnerable-algorithms-cng
+ * @name Usage of PQC vulnerable algorithms
+ * @description Usage of PQC vulnerable algorithms.
+ * @microsoft.severity important
+ * @kind path-problem
+ * @problem.severity warning
+ * @precision high
+ * @tags security
+ *       pqc
+ *       nist
+ */
+
+import cpp
+import DataFlow::PathGraph
+import WindowsCng
+import WindowsCngPQCVAsymmetricKeyUsage
+
+// CNG-specific DataFlow configuration
+class BCryptConfiguration extends DataFlow::Configuration {
+	BCryptConfiguration() {
+		this = "BCryptConfiguration"
+	}
+	override predicate isSource(DataFlow::Node source) {
+        source instanceof BCryptOpenAlgorithmProviderSource
+	}
+ 
+	override predicate isSink(DataFlow::Node sink) { 
+        sink instanceof BCryptOpenAlgorithmProviderSink 
+    }
+
+    override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+        isWindowsCngAsymmetricKeyAdditionalTaintStep( node1, node2)
+    }
+}
+
+from BCryptConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "PQC vulnerable algorithm $@ in use has been detected.",
+    source.getNode().asExpr(), source.getNode().asExpr().toString()

cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WindowsCngPQCVAsymmetricKeyUsage.qll

@@ -0,0 +1,81 @@
+import cpp
+import WindowsCng
+
+//TODO: Verify NCrypt calls (parameters) & find all other APIs that should be included (i.e. decrypt, etc.)
+
+predicate isExprAlgIdForBCryptOpenAlgorithmProvider(Expr e){
+    exists( FunctionCall call |
+        // BCryptOpenAlgorithmProvider 2nd argument specifies the algorithm to be used
+        e = call.getArgument(1)
+         and
+         call.getTarget().hasGlobalName("BCryptOpenAlgorithmProvider")
+    )
+}
+
+predicate isExprAlgHandleForBCryptGenerateOrImportKeyPair(Expr e){
+    exists( FunctionCall call |
+        e = call.getArgument(0)
+         and
+         ( call.getTarget().hasGlobalName("BCryptImportKeyPair") or 
+         call.getTarget().hasGlobalName("BCryptGenerateKeyPair"))
+    )
+}
+
+predicate isExprOutKeyHandleForBCryptGenerateOrImportKeyPair(Expr e){
+    exists( FunctionCall call |
+        ( e = call.getArgument(3) and call.getTarget().hasGlobalName("BCryptImportKeyPair") )or 
+        ( e = call.getArgument(1) and  call.getTarget().hasGlobalName("BCryptGenerateKeyPair") )
+    )
+}
+
+predicate isExprKeyHandleForBCryptSignHash(Expr e){
+    exists( FunctionCall call |
+        e = call.getArgument(0)
+         and
+         call.getTarget().hasGlobalName("BCryptSignHash")
+    )
+}
+
+class BCryptSignHashArgumentSink extends BCryptOpenAlgorithmProviderSink {
+    BCryptSignHashArgumentSink() {
+    isExprKeyHandleForBCryptSignHash(this.asExpr())
+  }
+}
+
+class BCryptOpenAlgorithmProviderPqcVulnerableAlgorithmsSource extends BCryptOpenAlgorithmProviderSource {
+    BCryptOpenAlgorithmProviderPqcVulnerableAlgorithmsSource() {
+        this.asExpr() instanceof StringLiteral and
+        (
+            this.asExpr().getValue() in ["DH", "DSA", "ECDSA", "ECDH"]
+            or this.asExpr().getValue().matches("ECDH%")
+            or this.asExpr().getValue().matches("RSA%")
+        )
+    }
+
+}
+
+predicate isAdditionalTaintStepOpenAlgolrithmProviderToGenerateOrImportKeyPair(DataFlow::Node node1, DataFlow::Node node2)
+{
+    isExprAlgIdForBCryptOpenAlgorithmProvider(node1.asExpr()) and
+    isExprAlgHandleForBCryptGenerateOrImportKeyPair(node2.asExpr())
+}
+
+
+predicate isAdditionalTaintStepWithinGenerateOrImportKeyPair(DataFlow::Node node1, DataFlow::Node node2)
+{
+    isExprAlgHandleForBCryptGenerateOrImportKeyPair(node1.asExpr()) and
+    isExprOutKeyHandleForBCryptGenerateOrImportKeyPair(node2.asExpr())
+}
+
+predicate isAdditionalTaintStepGenerateOrImportKeyPairToSignHash(DataFlow::Node node1, DataFlow::Node node2)
+{
+    isExprOutKeyHandleForBCryptGenerateOrImportKeyPair(node1.asExpr()) and
+    isExprKeyHandleForBCryptSignHash(node2.asExpr())
+}
+
+predicate isWindowsCngAsymmetricKeyAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    isAdditionalTaintStepOpenAlgolrithmProviderToGenerateOrImportKeyPair(node1, node2)
+    or isAdditionalTaintStepWithinGenerateOrImportKeyPair(node1, node2) 
+    or isAdditionalTaintStepGenerateOrImportKeyPairToSignHash(node1, node2)
+}
+