Adds offensivecon's workshop slides and materials

Conferences/2020/OffensiveCon/exercises/dataflow/ex0.ql

@@ -0,0 +1,12 @@
+import cpp
+import semmle.code.cpp.dataflow.DataFlow
+
+class KMalloc extends Function {
+  KMalloc() { getName() = "kmalloc" }
+}
+
+from KMalloc fun, FunctionCall source, Expr sink
+where
+  source = fun.getACallToThisFunction() and
+  DataFlow::localExprFlow(source, sink)
+select source, sink, sink.getEnclosingStmt()

Conferences/2020/OffensiveCon/exercises/dataflow/ex1.ql

@@ -0,0 +1,12 @@
+import cpp
+import semmle.code.cpp.dataflow.DataFlow
+
+class KMalloc extends Function {
+  KMalloc() { getName() = "kmalloc" }
+}
+
+from KMalloc fun, FunctionCall source
+where
+  source = fun.getACallToThisFunction() and
+  not exists(IfStmt sink | DataFlow::localExprFlow(source, sink.getControllingExpr()))
+select source

Conferences/2020/OffensiveCon/exercises/dataflow/ex2.ql

@@ -0,0 +1,27 @@
+import cpp
+import semmle.code.cpp.dataflow.DataFlow
+
+class KMalloc extends Function {
+  KMalloc() {
+    getName() = "kmalloc" or
+    getName() = "acpi_os_allocate_zeroed" or
+    getName() = "kzalloc" or
+    getName() = "kcalloc" or
+    getName() = "kmalloc_array" or
+    getName() = "acpi_os_allocate" or
+    getName() = "mempool_kmalloc" or
+    getName() = "alloc_resource" or
+    getName() = "bitmap_alloc" or
+    getName() = "sg_kmalloc" or
+    getName() = "pcpu_mem_zalloc" or
+    getName() = "bitmap_zalloc"
+  }
+}
+
+from KMalloc fun, FunctionCall source
+where
+  source = fun.getACallToThisFunction() and
+  not exists(IfStmt sink |
+    DataFlow::localExprFlow(source, sink.getControllingExpr().getAChild*())
+  )
+select source

Conferences/2020/OffensiveCon/exercises/functions/ex0.ql

@@ -0,0 +1,5 @@
+import cpp
+
+from Function fun
+where fun.getName().matches("%ioctl%") and fun.hasDefinition()
+select fun

Conferences/2020/OffensiveCon/exercises/functions/ex1.ql

@@ -0,0 +1,8 @@
+import cpp
+
+from Function fun, FunctionCall call
+where
+  fun.getName().matches("%ioctl%") and
+  fun.hasDefinition() and
+  call = fun.getACallToThisFunction()
+select call.getEnclosingFunction(), call

Conferences/2020/OffensiveCon/exercises/functions/ex2.ql

@@ -0,0 +1,7 @@
+import cpp
+
+from Function fun, FunctionAccess access
+where
+  fun.getName().matches("%ioctl%") and
+  access = fun.getAnAccess()
+select access, fun

Conferences/2020/OffensiveCon/exercises/quantifiers/ex0.ql

@@ -0,0 +1,12 @@
+import cpp
+
+class UnusedFunction extends Function {
+  UnusedFunction() {
+    this.hasDefinition() and
+    not exists(FunctionCall call | call.getTarget() = this) and
+    not exists(FunctionAccess access | access.getTarget() = this)
+  }
+}
+
+from UnusedFunction unused
+select unused

Conferences/2020/OffensiveCon/exercises/quantifiers/ex1.ql

@@ -0,0 +1,8 @@
+import cpp
+
+class UnusedVariable extends LocalVariable {
+  UnusedVariable() { not exists(VariableAccess access | access.getTarget() = this) }
+}
+
+from UnusedVariable unused
+select unused

Conferences/2020/OffensiveCon/exercises/quantifiers/ex2.ql

@@ -0,0 +1,10 @@
+import cpp
+
+class InterestingAssignment extends Assignment {
+  InterestingAssignment() {
+    this.getRValue().getUnderlyingType() != this.getLValue().getUnderlyingType()
+  }
+}
+
+from InterestingAssignment unused
+select unused, unused.getLValue().getUnderlyingType(), unused.getRValue().getUnderlyingType()

Conferences/2020/OffensiveCon/exercises/tainttracking/ex0.ql

@@ -0,0 +1,9 @@
+import cpp
+import semmle.code.cpp.dataflow.TaintTracking
+
+from MacroInvocation macro, Expr e1, Expr e2
+where
+  macro.getMacroName() = "_IOC_SIZE" and
+  e1 = macro.getExpr() and
+  TaintTracking::localExprTaint(e1, e2)
+select e1, e2

Conferences/2020/OffensiveCon/exercises/testcase/ex0.ql

@@ -0,0 +1,5 @@
+import cpp
+
+from FunctionCall call
+where call.getTarget().getName() = "recv"
+select call

Conferences/2020/OffensiveCon/exercises/testcase/ex1.ql

@@ -0,0 +1,5 @@
+import cpp
+
+from FunctionCall call
+where call.getTarget().getName() = "amqp_tcp_socket_recv"
+select call

Conferences/2020/OffensiveCon/exercises/testcase/ex2.ql

@@ -0,0 +1,5 @@
+import cpp
+
+from FunctionAccess access
+where access.getTarget().getName() = "amqp_tcp_socket_recv"
+select access

Conferences/2020/OffensiveCon/exercises/testcase/ex3.ql

@@ -0,0 +1,5 @@
+import cpp
+
+from Struct struct
+where struct.getName() = "amqp_socket_class_t"
+select struct

Conferences/2020/OffensiveCon/exercises/testcase/ex4.ql

@@ -0,0 +1,8 @@
+import cpp
+
+from Struct struct, Field recv
+where
+  struct.getName() = "amqp_socket_class_t" and
+  recv = struct.getAField() and
+  recv.getName() = "recv"
+select struct, recv.getAnAccess()

Conferences/2020/OffensiveCon/exercises/testcase/ex5.ql

@@ -0,0 +1,5 @@
+import cpp
+
+from FunctionCall call
+where call.getTarget().getName() = "amqp_socket_recv"
+select call

Conferences/2020/OffensiveCon/exercises/testcase/ex6.ql

@@ -0,0 +1,12 @@
+import cpp
+import semmle.code.cpp.dataflow.TaintTracking
+
+class NetworkBytes extends FieldAccess {
+  NetworkBytes() {
+    this.getQualifier().getType().getName() = "amqp_bytes_t" and
+    this.getTarget().getName() = "bytes"
+  }
+}
+
+from NetworkBytes bytes
+select bytes

Conferences/2020/OffensiveCon/exercises/testcase/ex7.ql

@@ -0,0 +1,8 @@
+import cpp
+
+class TargetFunction extends Function {
+  TargetFunction() { this.getName() = "amqp_pool_alloc_bytes" }
+}
+
+from TargetFunction fun
+select fun.getACallToThisFunction()

Conferences/2020/OffensiveCon/exercises/testcase/ex8.ql

@@ -0,0 +1,30 @@
+import cpp
+import semmle.code.cpp.dataflow.TaintTracking
+
+class NetworkBytes extends FieldAccess {
+  NetworkBytes() {
+    this.getQualifier().getType().getName() = "amqp_bytes_t" and
+    this.getTarget().getName() = "bytes"
+  }
+}
+
+class TargetFunction extends Function {
+  TargetFunction() { this.getName() = "amqp_pool_alloc_bytes" }
+}
+
+class Config extends TaintTracking::Configuration {
+  Config() { this = "rabbitmq-c" }
+
+  override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof NetworkBytes }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(TargetFunction function, FunctionCall call |
+      call = function.getACallToThisFunction() and
+      call.getAnArgument() = sink.asExpr()
+    )
+  }
+}
+
+from Config config, DataFlow::Node source, DataFlow::Node sink
+where config.hasFlow(source, sink)
+select source, sink

Conferences/2020/OffensiveCon/exercises/types/ex0.ql

@@ -0,0 +1,5 @@
+import cpp
+
+from FunctionCall call
+where call.getAnArgument() instanceof SizeofOperator
+select call

Conferences/2020/OffensiveCon/exercises/types/ex1.ql

@@ -0,0 +1,5 @@
+import cpp
+
+from FunctionCall call
+where call.getAnArgument().getAChild*() instanceof SizeofOperator
+select call

Conferences/2020/OffensiveCon/exercises/types/ex2.ql

@@ -0,0 +1,8 @@
+import cpp
+
+from FunctionCall call, Expr child
+where
+  call.getTarget().getName() = "kmalloc" and
+  child = call.getAnArgument().getAChild*() and
+  child instanceof SizeofOperator
+select call, child

Conferences/2020/OffensiveCon/exercises/types/ex3.ql

@@ -0,0 +1,10 @@
+import cpp
+
+from FunctionCall call, Expr child, Expr sized
+where
+  call.getTarget().getName() = "kmalloc" and
+  child = call.getAnArgument().getAChild*() and
+  child instanceof SizeofOperator and
+  sized = child.getChild(0) and
+  sized.getUnderlyingType() instanceof PointerType
+select call, sized, sized.getUnderlyingType()

Conferences/2020/OffensiveCon/exercises/types/ex4.ql

@@ -0,0 +1,7 @@
+import cpp
+
+from FunctionCall call, Expr size
+where
+  call.getTarget().getName() = "kmalloc" and
+  size = call.getArgument(0)
+select call, size, size.getValue().toInt()

Conferences/2020/OffensiveCon/exercises/types/ex5.ql

@@ -0,0 +1,8 @@
+import cpp
+
+from FunctionCall call, Expr size
+where
+  call.getTarget().getName() = "kmalloc" and
+  size = call.getArgument(0) and
+  size instanceof MulExpr
+select call, size

Conferences/2020/OffensiveCon/exercises/variables/ex0.ql

@@ -0,0 +1,5 @@
+import cpp
+
+from VariableAccess access
+where access.getTarget().getName() = "current_task"
+select access.getEnclosingFunction()

Conferences/2020/OffensiveCon/exercises/variables/ex1.ql

@@ -0,0 +1,5 @@
+import cpp
+
+from Variable var
+where var.getName().matches("%buffer%")
+select var

Conferences/2020/OffensiveCon/exercises/variables/ex2.ql

@@ -0,0 +1,4 @@
+import cpp
+
+from LocalVariable var
+select var

Conferences/2020/OffensiveCon/exercises/variables/ex3.ql

@@ -0,0 +1,4 @@
+import cpp
+
+from GlobalOrNamespaceVariable var
+select var

Conferences/2020/OffensiveCon/exercises/variables/ex4.ql

@@ -0,0 +1,5 @@
+import cpp
+
+from GlobalOrNamespaceVariable var
+where var.getName() = "current_task"
+select var.getAnAccess()

Conferences/2020/OffensiveCon/exercises/variables/ex5.ql

@@ -0,0 +1,5 @@
+import cpp
+
+from GlobalOrNamespaceVariable var
+where var.getName() = "current_task"
+select var.getAnAccess().getEnclosingFunction()

Conferences/2020/OffensiveCon/exercises/variables/ex6.ql

@@ -0,0 +1,4 @@
+import cpp
+
+from GlobalOrNamespaceVariable var
+select var, count(var.getAnAccess())