Merge pull request #43 from github/offensive-con-workshop-materials

Adds offensivecon's workshop slides and materials

Author: xcorail

Conferences/2020/OffensiveCon/cant-grep-this.pdf

@@ -0,0 +1,12 @@
+import cpp
+import semmle.code.cpp.dataflow.DataFlow
+
+class KMalloc extends Function {
+  KMalloc() { getName() = "kmalloc" }
+}
+
+from KMalloc fun, FunctionCall source, Expr sink
+where
+  source = fun.getACallToThisFunction() and
+  DataFlow::localExprFlow(source, sink)
+select source, sink, sink.getEnclosingStmt()

Conferences/2020/OffensiveCon/exercises/dataflow/ex0.ql

@@ -0,0 +1,12 @@
+import cpp
+import semmle.code.cpp.dataflow.DataFlow
+
+class KMalloc extends Function {
+  KMalloc() { getName() = "kmalloc" }
+}
+
+from KMalloc fun, FunctionCall source
+where
+  source = fun.getACallToThisFunction() and
+  not exists(IfStmt sink | DataFlow::localExprFlow(source, sink.getControllingExpr()))
+select source

Conferences/2020/OffensiveCon/exercises/dataflow/ex1.ql

@@ -0,0 +1,27 @@
+import cpp
+import semmle.code.cpp.dataflow.DataFlow
+
+class KMalloc extends Function {
+  KMalloc() {
+    getName() = "kmalloc" or
+    getName() = "acpi_os_allocate_zeroed" or
+    getName() = "kzalloc" or
+    getName() = "kcalloc" or
+    getName() = "kmalloc_array" or
+    getName() = "acpi_os_allocate" or
+    getName() = "mempool_kmalloc" or
+    getName() = "alloc_resource" or
+    getName() = "bitmap_alloc" or
+    getName() = "sg_kmalloc" or
+    getName() = "pcpu_mem_zalloc" or
+    getName() = "bitmap_zalloc"
+  }
+}
+
+from KMalloc fun, FunctionCall source
+where
+  source = fun.getACallToThisFunction() and
+  not exists(IfStmt sink |
+    DataFlow::localExprFlow(source, sink.getControllingExpr().getAChild*())
+  )
+select source

Conferences/2020/OffensiveCon/exercises/dataflow/ex2.ql

@@ -0,0 +1,5 @@
+import cpp
+
+from Function fun
+where fun.getName().matches("%ioctl%") and fun.hasDefinition()
+select fun

Conferences/2020/OffensiveCon/exercises/functions/ex0.ql

@@ -0,0 +1,8 @@
+import cpp
+
+from Function fun, FunctionCall call
+where
+  fun.getName().matches("%ioctl%") and
+  fun.hasDefinition() and
+  call = fun.getACallToThisFunction()
+select call.getEnclosingFunction(), call

Conferences/2020/OffensiveCon/exercises/functions/ex1.ql

@@ -0,0 +1,7 @@
+import cpp
+
+from Function fun, FunctionAccess access
+where
+  fun.getName().matches("%ioctl%") and
+  access = fun.getAnAccess()
+select access, fun

Conferences/2020/OffensiveCon/exercises/functions/ex2.ql

@@ -0,0 +1,12 @@
+import cpp
+
+class UnusedFunction extends Function {
+  UnusedFunction() {
+    this.hasDefinition() and
+    not exists(FunctionCall call | call.getTarget() = this) and
+    not exists(FunctionAccess access | access.getTarget() = this)
+  }
+}
+
+from UnusedFunction unused
+select unused

Conferences/2020/OffensiveCon/exercises/quantifiers/ex0.ql

@@ -0,0 +1,8 @@
+import cpp
+
+class UnusedVariable extends LocalVariable {
+  UnusedVariable() { not exists(VariableAccess access | access.getTarget() = this) }
+}
+
+from UnusedVariable unused
+select unused

Conferences/2020/OffensiveCon/exercises/quantifiers/ex1.ql

@@ -0,0 +1,10 @@
+import cpp
+
+class InterestingAssignment extends Assignment {
+  InterestingAssignment() {
+    this.getRValue().getUnderlyingType() != this.getLValue().getUnderlyingType()
+  }
+}
+
+from InterestingAssignment unused
+select unused, unused.getLValue().getUnderlyingType(), unused.getRValue().getUnderlyingType()