diff --git a/Conferences/2020/OffensiveCon/cant-grep-this.pdf b/Conferences/2020/OffensiveCon/cant-grep-this.pdf
new file mode 100644
index 0000000..8352c29
Binary files /dev/null and b/Conferences/2020/OffensiveCon/cant-grep-this.pdf differ
diff --git a/Conferences/2020/OffensiveCon/exercises/dataflow/ex0.ql b/Conferences/2020/OffensiveCon/exercises/dataflow/ex0.ql
new file mode 100644
index 0000000..a70e509
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/dataflow/ex0.ql
@@ -0,0 +1,12 @@
+import cpp
+import semmle.code.cpp.dataflow.DataFlow
+
+class KMalloc extends Function {
+ KMalloc() { getName() = "kmalloc" }
+}
+
+from KMalloc fun, FunctionCall source, Expr sink
+where
+ source = fun.getACallToThisFunction() and
+ DataFlow::localExprFlow(source, sink)
+select source, sink, sink.getEnclosingStmt()
diff --git a/Conferences/2020/OffensiveCon/exercises/dataflow/ex1.ql b/Conferences/2020/OffensiveCon/exercises/dataflow/ex1.ql
new file mode 100644
index 0000000..18c6681
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/dataflow/ex1.ql
@@ -0,0 +1,12 @@
+import cpp
+import semmle.code.cpp.dataflow.DataFlow
+
+class KMalloc extends Function {
+ KMalloc() { getName() = "kmalloc" }
+}
+
+from KMalloc fun, FunctionCall source
+where
+ source = fun.getACallToThisFunction() and
+ not exists(IfStmt sink | DataFlow::localExprFlow(source, sink.getControllingExpr()))
+select source
diff --git a/Conferences/2020/OffensiveCon/exercises/dataflow/ex2.ql b/Conferences/2020/OffensiveCon/exercises/dataflow/ex2.ql
new file mode 100644
index 0000000..6258b81
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/dataflow/ex2.ql
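Review bot: `DataFlow::localExprFlow(source, sink)` is, as far as I remember the library, reflexive, so every kmalloc call is also reported paired with itself; adding `source != sink and` to the `where` clause drops those rows. The same self-pairing applies to `TaintTracking::localExprTaint(e1, e2)` in tainttracking/ex0.ql. None of the added queries carries a QLDoc header; a short comment such as `/** @name Local uses of kmalloc results @description Pairs each kmalloc call with the expressions its result reaches in the same function. */` on each would tell a reader what a row means, and this applies to every .ql file in this commit.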
@@ -0,0 +1,27 @@
+import cpp
+import semmle.code.cpp.dataflow.DataFlow
+
+class KMalloc extends Function {
+ KMalloc() {
+ getName() = "kmalloc" or
+ getName() = "acpi_os_allocate_zeroed" or
+ getName() = "kzalloc" or
+ getName() = "kcalloc" or
+ getName() = "kmalloc_array" or
+ getName() = "acpi_os_allocate" or
+ getName() = "mempool_kmalloc" or
+ getName() = "alloc_resource" or
+ getName() = "bitmap_alloc" or
+ getName() = "sg_kmalloc" or
+ getName() = "pcpu_mem_zalloc" or
+ getName() = "bitmap_zalloc"
+ }
+}
+
+from KMalloc fun, FunctionCall source
+where
+ source = fun.getACallToThisFunction() and
+ not exists(IfStmt sink |
+ DataFlow::localExprFlow(source, sink.getControllingExpr().getAChild*())
+ )
+select source
diff --git a/Conferences/2020/OffensiveCon/exercises/functions/ex0.ql b/Conferences/2020/OffensiveCon/exercises/functions/ex0.ql
new file mode 100644
index 0000000..60a9bd9
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/functions/ex0.ql
@@ -0,0 +1,5 @@
+import cpp
+
+from Function fun
+where fun.getName().matches("%ioctl%") and fun.hasDefinition()
+select fun
diff --git a/Conferences/2020/OffensiveCon/exercises/functions/ex1.ql b/Conferences/2020/OffensiveCon/exercises/functions/ex1.ql
new file mode 100644
index 0000000..f5659f7
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/functions/ex1.ql
@@ -0,0 +1,8 @@
+import cpp
+
+from Function fun, FunctionCall call
+where
+ fun.getName().matches("%ioctl%") and
+ fun.hasDefinition() and
+ call = fun.getACallToThisFunction()
+select call.getEnclosingFunction(), call
diff --git a/Conferences/2020/OffensiveCon/exercises/functions/ex2.ql b/Conferences/2020/OffensiveCon/exercises/functions/ex2.ql
new file mode 100644
index 0000000..8ed064b
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/functions/ex2.ql
@@ -0,0 +1,7 @@
+import cpp
+
+from Function fun, FunctionAccess access
+where
+ fun.getName().matches("%ioctl%") and
+ access = fun.getAnAccess()
+select access, fun
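Review bot: The negation in `not exists(IfStmt sink | ...)` still recognises only `if` statements as a check, so an allocation guarded by a `while` condition, a `?:`, or a helper the pointer is passed to is reported as unchecked, since `localExprFlow` does not cross calls. `GuardCondition` from `semmle.code.cpp.controlflow.Guards` covers conditions outside `if` and is the usual replacement here, with the remaining interprocedural gap stated in a comment so results are read as candidates. Naming the `IfStmt` `sink` is also misleading now that it denotes the check rather than a flow sink; `IfStmt check` reads correctly. The class has become a list of twelve allocation wrappers, so a QLDoc line such as `/** Kernel allocation functions whose result may be NULL. */` and a name like `KernelAllocator` would document the intent better than `KMalloc`.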
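Review bot: `fun.hasDefinition()` from functions/ex1.ql is gone from the `where` clause, so functions that are only declared in the snapshot now qualify as well; if that is intended (handlers defined outside the database but referenced through function pointers), a one-line comment saying so would stop the two queries from looking inconsistent, otherwise restore `fun.hasDefinition() and`. `matches("%ioctl%")` is case-sensitive and matches any name merely containing the substring, which is probably what the exercise wants but is worth a comment too.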
diff --git a/Conferences/2020/OffensiveCon/exercises/quantifiers/ex0.ql b/Conferences/2020/OffensiveCon/exercises/quantifiers/ex0.ql
new file mode 100644
index 0000000..7368d6d
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/quantifiers/ex0.ql
@@ -0,0 +1,12 @@
+import cpp
+
+class UnusedFunction extends Function {
+ UnusedFunction() {
+ this.hasDefinition() and
+ not exists(FunctionCall call | call.getTarget() = this) and
+ not exists(FunctionAccess access | access.getTarget() = this)
+ }
+}
+
+from UnusedFunction unused
+select unused
diff --git a/Conferences/2020/OffensiveCon/exercises/quantifiers/ex1.ql b/Conferences/2020/OffensiveCon/exercises/quantifiers/ex1.ql
new file mode 100644
index 0000000..c2f4e65
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/quantifiers/ex1.ql
@@ -0,0 +1,8 @@
+import cpp
+
+class UnusedVariable extends LocalVariable {
+ UnusedVariable() { not exists(VariableAccess access | access.getTarget() = this) }
+}
+
+from UnusedVariable unused
+select unused
diff --git a/Conferences/2020/OffensiveCon/exercises/quantifiers/ex2.ql b/Conferences/2020/OffensiveCon/exercises/quantifiers/ex2.ql
new file mode 100644
index 0000000..f20e998
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/quantifiers/ex2.ql
@@ -0,0 +1,10 @@
+import cpp
+
+class InterestingAssignment extends Assignment {
+ InterestingAssignment() {
+ this.getRValue().getUnderlyingType() != this.getLValue().getUnderlyingType()
+ }
+}
+
+from InterestingAssignment unused
+select unused, unused.getLValue().getUnderlyingType(), unused.getRValue().getUnderlyingType()
diff --git a/Conferences/2020/OffensiveCon/exercises/tainttracking/ex0.ql b/Conferences/2020/OffensiveCon/exercises/tainttracking/ex0.ql
new file mode 100644
index 0000000..e8cf731
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/tainttracking/ex0.ql
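Review bot: `UnusedFunction` reports every defined function with no call and no address-taken access inside the snapshot, which includes externally linked functions used by code outside the database, by assembly, or by linker-generated tables, so for a kernel or library snapshot many rows will be false positives. Restricting the class to file-local functions with `this.isStatic() and` gives a set where "no reference in this snapshot" actually means unused. Whichever scope is kept, a QLDoc line stating that a result is "unreferenced within the snapshot" rather than "dead" would keep readers from over-trusting it.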
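Review bot: The `from InterestingAssignment unused` variable keeps the name copied from the two previous exercises although nothing here is unused; `assign` would read correctly in the select. `getUnderlyingType()` resolves typedefs but, if I read the library right, keeps `const`/`volatile`, so assignments that differ only in qualification are flagged as type mismatches; `getUnspecifiedType()` strips both if the intent is to surface genuine width or signedness differences. An explicit cast on the right-hand side already carries the target type and is therefore not reported, which is worth a comment on the class.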
@@ -0,0 +1,9 @@
+import cpp
+import semmle.code.cpp.dataflow.TaintTracking
+
+from MacroInvocation macro, Expr e1, Expr e2
+where
+ macro.getMacroName() = "_IOC_SIZE" and
+ e1 = macro.getExpr() and
+ TaintTracking::localExprTaint(e1, e2)
+select e1, e2
diff --git a/Conferences/2020/OffensiveCon/exercises/testcase/ex0.ql b/Conferences/2020/OffensiveCon/exercises/testcase/ex0.ql
new file mode 100644
index 0000000..d20fbd5
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/testcase/ex0.ql
@@ -0,0 +1,5 @@
+import cpp
+
+from FunctionCall call
+where call.getTarget().getName() = "recv"
+select call
diff --git a/Conferences/2020/OffensiveCon/exercises/testcase/ex1.ql b/Conferences/2020/OffensiveCon/exercises/testcase/ex1.ql
new file mode 100644
index 0000000..7d74e5b
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/testcase/ex1.ql
@@ -0,0 +1,5 @@
+import cpp
+
+from FunctionCall call
+where call.getTarget().getName() = "amqp_tcp_socket_recv"
+select call
diff --git a/Conferences/2020/OffensiveCon/exercises/testcase/ex2.ql b/Conferences/2020/OffensiveCon/exercises/testcase/ex2.ql
new file mode 100644
index 0000000..3e1bc79
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/testcase/ex2.ql
@@ -0,0 +1,5 @@
+import cpp
+
+from FunctionAccess access
+where access.getTarget().getName() = "amqp_tcp_socket_recv"
+select access
diff --git a/Conferences/2020/OffensiveCon/exercises/testcase/ex3.ql b/Conferences/2020/OffensiveCon/exercises/testcase/ex3.ql
new file mode 100644
index 0000000..468cf07
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/testcase/ex3.ql
@@ -0,0 +1,5 @@
+import cpp
+
+from Struct struct
+where struct.getName() = "amqp_socket_class_t"
+select struct
diff --git a/Conferences/2020/OffensiveCon/exercises/testcase/ex4.ql b/Conferences/2020/OffensiveCon/exercises/testcase/ex4.ql
new file mode 100644
index 0000000..78c6de0
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/testcase/ex4.ql
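Review bot: `e2` is unconstrained, so each `_IOC_SIZE` result is paired with every expression it taints locally, including intermediate temporaries, which makes the table hard to read. Restricting the second column to the consumer of interest, for instance a call argument via `e2 = any(FunctionCall c).getAnArgument()`, turns the query into "where does the user-controlled ioctl size end up" and makes each row actionable. As far as I recall, `macro.getExpr()` has no result when an invocation does not expand to a single expression, so those invocations silently drop out of the result; a comment noting that limitation would help whoever reuses the query.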
@@ -0,0 +1,8 @@
+import cpp
+
+from Struct struct, Field recv
+where
+ struct.getName() = "amqp_socket_class_t" and
+ recv = struct.getAField() and
+ recv.getName() = "recv"
+select struct, recv.getAnAccess()
diff --git a/Conferences/2020/OffensiveCon/exercises/testcase/ex5.ql b/Conferences/2020/OffensiveCon/exercises/testcase/ex5.ql
new file mode 100644
index 0000000..22d70a3
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/testcase/ex5.ql
@@ -0,0 +1,5 @@
+import cpp
+
+from FunctionCall call
+where call.getTarget().getName() = "amqp_socket_recv"
+select call
diff --git a/Conferences/2020/OffensiveCon/exercises/testcase/ex6.ql b/Conferences/2020/OffensiveCon/exercises/testcase/ex6.ql
new file mode 100644
index 0000000..2b8e498
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/testcase/ex6.ql
@@ -0,0 +1,12 @@
+import cpp
+import semmle.code.cpp.dataflow.TaintTracking
+
+class NetworkBytes extends FieldAccess {
+ NetworkBytes() {
+ this.getQualifier().getType().getName() = "amqp_bytes_t" and
+ this.getTarget().getName() = "bytes"
+ }
+}
+
+from NetworkBytes bytes
+select bytes
diff --git a/Conferences/2020/OffensiveCon/exercises/testcase/ex7.ql b/Conferences/2020/OffensiveCon/exercises/testcase/ex7.ql
new file mode 100644
index 0000000..21bbc68
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/testcase/ex7.ql
@@ -0,0 +1,8 @@
+import cpp
+
+class TargetFunction extends Function {
+ TargetFunction() { this.getName() = "amqp_pool_alloc_bytes" }
+}
+
+from TargetFunction fun
+select fun.getACallToThisFunction()
diff --git a/Conferences/2020/OffensiveCon/exercises/testcase/ex8.ql b/Conferences/2020/OffensiveCon/exercises/testcase/ex8.ql
new file mode 100644
index 0000000..7eb451f
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/testcase/ex8.ql
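Review bot: `recv.getAnAccess()` in the select yields the field accesses, not the calls made through the `recv` function pointer, and a struct whose `recv` field is never accessed disappears from the result entirely because the select expression has no value. If the goal is the indirect call sites, pairing the access with the `ExprCall` whose callee expression it is, `call.getExpr() = recv.getAnAccess()`, would list the calls directly, assuming the snapshot represents them as `ExprCall`. Naming the `Struct` variable `struct` is legal QL but reads like a keyword; `cls` would be clearer.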
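Review bot: `import semmle.code.cpp.dataflow.TaintTracking` is unused in this query and can be dropped until ex8 needs it. `this.getQualifier().getType().getName() = "amqp_bytes_t"` compares the spelled type name, so accesses through a pointer qualifier (`p->bytes`) or a `const`-qualified one will not match; matching on the field's declaring type, or on `getType().getUnspecifiedType()` after stripping a `PointerType`, is more robust, and it is worth checking against the snapshot which qualifier shapes actually occur. A one-line QLDoc such as `/** Accesses to the bytes member of amqp_bytes_t values, treated here as network-derived input. */` would record why this class is the source.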
@@ -0,0 +1,30 @@
+import cpp
+import semmle.code.cpp.dataflow.TaintTracking
+
+class NetworkBytes extends FieldAccess {
+ NetworkBytes() {
+ this.getQualifier().getType().getName() = "amqp_bytes_t" and
+ this.getTarget().getName() = "bytes"
+ }
+}
+
+class TargetFunction extends Function {
+ TargetFunction() { this.getName() = "amqp_pool_alloc_bytes" }
+}
+
+class Config extends TaintTracking::Configuration {
+ Config() { this = "rabbitmq-c" }
+
+ override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof NetworkBytes }
+
+ override predicate isSink(DataFlow::Node sink) {
+ exists(TargetFunction function, FunctionCall call |
+ call = function.getACallToThisFunction() and
+ call.getAnArgument() = sink.asExpr()
+ )
+ }
+}
+
+from Config config, DataFlow::Node source, DataFlow::Node sink
+where config.hasFlow(source, sink)
+select source, sink
diff --git a/Conferences/2020/OffensiveCon/exercises/types/ex0.ql b/Conferences/2020/OffensiveCon/exercises/types/ex0.ql
new file mode 100644
index 0000000..72b5d25
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/types/ex0.ql
@@ -0,0 +1,5 @@
+import cpp
+
+from FunctionCall call
+where call.getAnArgument() instanceof SizeofOperator
+select call
diff --git a/Conferences/2020/OffensiveCon/exercises/types/ex1.ql b/Conferences/2020/OffensiveCon/exercises/types/ex1.ql
new file mode 100644
index 0000000..ef17419
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/types/ex1.ql
@@ -0,0 +1,5 @@
+import cpp
+
+from FunctionCall call
+where call.getAnArgument().getAChild*() instanceof SizeofOperator
+select call
diff --git a/Conferences/2020/OffensiveCon/exercises/types/ex2.ql b/Conferences/2020/OffensiveCon/exercises/types/ex2.ql
new file mode 100644
index 0000000..0d7e5ee
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/types/ex2.ql
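Review bot: `isSink` accepts any argument of `amqp_pool_alloc_bytes` (`call.getAnArgument() = sink.asExpr()`), so flow of the data pointer into whichever argument receives it is reported next to flow into the size argument, which is presumably the one that matters; pinning the position with `call.getArgument(<ARG_INDEX>)` removes that noise. The source is the `bytes` member, yet an allocation size is more likely to derive from a length member of the same struct if it has one, so it is worth confirming which field the exercise means and saying so in a comment on `isSource`. With `hasFlow` only the endpoints are selected; using `DataFlow::PathNode` with `hasFlowPath` and a `@kind path-problem` header would show the path between them, which is what makes a taint result reviewable.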
@@ -0,0 +1,8 @@
+import cpp
+
+from FunctionCall call, Expr child
+where
+ call.getTarget().getName() = "kmalloc" and
+ child = call.getAnArgument().getAChild*() and
+ child instanceof SizeofOperator
+select call, child
diff --git a/Conferences/2020/OffensiveCon/exercises/types/ex3.ql b/Conferences/2020/OffensiveCon/exercises/types/ex3.ql
new file mode 100644
index 0000000..83a2d59
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/types/ex3.ql
@@ -0,0 +1,10 @@
+import cpp
+
+from FunctionCall call, Expr child, Expr sized
+where
+ call.getTarget().getName() = "kmalloc" and
+ child = call.getAnArgument().getAChild*() and
+ child instanceof SizeofOperator and
+ sized = child.getChild(0) and
+ sized.getUnderlyingType() instanceof PointerType
+select call, sized, sized.getUnderlyingType()
diff --git a/Conferences/2020/OffensiveCon/exercises/types/ex4.ql b/Conferences/2020/OffensiveCon/exercises/types/ex4.ql
new file mode 100644
index 0000000..f136855
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/types/ex4.ql
@@ -0,0 +1,7 @@
+import cpp
+
+from FunctionCall call, Expr size
+where
+ call.getTarget().getName() = "kmalloc" and
+ size = call.getArgument(0)
+select call, size, size.getValue().toInt()
diff --git a/Conferences/2020/OffensiveCon/exercises/types/ex5.ql b/Conferences/2020/OffensiveCon/exercises/types/ex5.ql
new file mode 100644
index 0000000..36e4947
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/types/ex5.ql
@@ -0,0 +1,8 @@
+import cpp
+
+from FunctionCall call, Expr size
+where
+ call.getTarget().getName() = "kmalloc" and
+ size = call.getArgument(0) and
+ size instanceof MulExpr
+select call, size
diff --git a/Conferences/2020/OffensiveCon/exercises/variables/ex0.ql b/Conferences/2020/OffensiveCon/exercises/variables/ex0.ql
new file mode 100644
index 0000000..14730a5
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/variables/ex0.ql
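Review bot: `sized = child.getChild(0)` relies on the operand being the first child of a generic `Expr`; the library exposes it as `child.(SizeofExprOperator).getExprOperand()`, which also makes explicit that `sizeof(type)` forms (`SizeofTypeOperator`) are excluded here. A pointer-typed operand is legitimate when the allocation is an array of pointers (`n * sizeof(p)`), so the rows are candidates for the `sizeof(p)` versus `sizeof(*p)` mix-up rather than confirmed under-allocations; a QLDoc line saying so would set expectations for whoever triages the output.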
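Review bot: `size instanceof MulExpr` matches only when the whole size argument is a multiplication, so a size such as `n * sizeof(x) + hdr` (an `AddExpr`) slips through; the pattern already used in types/ex1.ql, `size.getAChild*() instanceof MulExpr`, covers nested products. Since dataflow/ex2.ql in this commit lists `kcalloc` and `kmalloc_array`, a comment noting that those wrappers perform the overflow-checked multiplication this query is looking for would explain why only plain `kmalloc` is matched here and where the safe alternative lies.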
@@ -0,0 +1,5 @@
+import cpp
+
+from VariableAccess access
+where access.getTarget().getName() = "current_task"
+select access.getEnclosingFunction()
diff --git a/Conferences/2020/OffensiveCon/exercises/variables/ex1.ql b/Conferences/2020/OffensiveCon/exercises/variables/ex1.ql
new file mode 100644
index 0000000..64979ca
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/variables/ex1.ql
@@ -0,0 +1,5 @@
+import cpp
+
+from Variable var
+where var.getName().matches("%buffer%")
+select var
diff --git a/Conferences/2020/OffensiveCon/exercises/variables/ex2.ql b/Conferences/2020/OffensiveCon/exercises/variables/ex2.ql
new file mode 100644
index 0000000..f207c1d
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/variables/ex2.ql
@@ -0,0 +1,4 @@
+import cpp
+
+from LocalVariable var
+select var
diff --git a/Conferences/2020/OffensiveCon/exercises/variables/ex3.ql b/Conferences/2020/OffensiveCon/exercises/variables/ex3.ql
new file mode 100644
index 0000000..fff9bdc
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/variables/ex3.ql
@@ -0,0 +1,4 @@
+import cpp
+
+from GlobalOrNamespaceVariable var
+select var
diff --git a/Conferences/2020/OffensiveCon/exercises/variables/ex4.ql b/Conferences/2020/OffensiveCon/exercises/variables/ex4.ql
new file mode 100644
index 0000000..1d872f1
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/variables/ex4.ql
@@ -0,0 +1,5 @@
+import cpp
+
+from GlobalOrNamespaceVariable var
+where var.getName() = "current_task"
+select var.getAnAccess()
diff --git a/Conferences/2020/OffensiveCon/exercises/variables/ex5.ql b/Conferences/2020/OffensiveCon/exercises/variables/ex5.ql
new file mode 100644
index 0000000..5ebc68c
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/variables/ex5.ql
@@ -0,0 +1,5 @@
+import cpp
+
+from GlobalOrNamespaceVariable var
+where var.getName() = "current_task"
+select var.getAnAccess().getEnclosingFunction()
diff --git a/Conferences/2020/OffensiveCon/exercises/variables/ex6.ql b/Conferences/2020/OffensiveCon/exercises/variables/ex6.ql
new file mode 100644
index 0000000..53d56e1
--- /dev/null
+++ b/Conferences/2020/OffensiveCon/exercises/variables/ex6.ql
@@ -0,0 +1,4 @@
+import cpp
+
+from GlobalOrNamespaceVariable var
+select var, count(var.getAnAccess())
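Review bot: `count(var.getAnAccess())` yields 0 for globals with no access in the snapshot, so the result is every global in the database rather than the ones that are actually used, and the rows come back in no useful order. If the intent is to rank globals by use, `select var, count(var.getAnAccess()) as n order by n desc` makes the heavily accessed ones surface first, and a `where` clause on the count can drop the zero rows.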