From 10b81eebb75696cdc7d15d92ab4dbb77e5ad5edc Mon Sep 17 00:00:00 2001 From: tiferet Date: Wed, 22 Feb 2023 17:08:39 -0800 Subject: [PATCH] Improve EndpointTypes: - Create two derived classes for EndpointType: SinkType and SourceType. - EndpointTypes don't use a `newtype`, but rather extend string, with their characteristic predicate replacing the current getDescription predicate. --- .../adaptivethreatmodeling/ATMConfig.qll | 2 +- .../EndpointCharacteristics.qll | 6 +-- .../adaptivethreatmodeling/EndpointTypes.qll | 50 +++++++++++-------- .../src/ExtractNegativeExamples.ql | 4 +- 4 files changed, 36 insertions(+), 26 deletions(-) diff --git a/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll b/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll index 3336254659d..5d8da8459b4 100644 --- a/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll +++ b/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll @@ -109,7 +109,7 @@ abstract class AtmConfig extends TaintTracking::Configuration { // Exclude endpoints that have a characteristic that implies they're not sinks for _any_ sink type. exists(float confidence | confidence >= result.mediumConfidence() and - result.hasImplications(any(NegativeType negative), true, confidence) + result.hasImplications(any(NegativeSinkType negative), true, confidence) ) or // Exclude endpoints that have a characteristic that implies they're not sinks for _this particular_ sink type, diff --git a/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll b/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll index 2cce1372252..50a917b9807 100644 --- a/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll +++ b/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll @@ -451,7 +451,7 @@ abstract private class NotASinkCharacteristic extends EndpointCharacteristic { override predicate hasImplications( EndpointType endpointClass, boolean isPositiveIndicator, float confidence ) { - endpointClass instanceof NegativeType and + endpointClass instanceof NegativeSinkType and isPositiveIndicator = true and confidence = highConfidence() } @@ -470,7 +470,7 @@ abstract class LikelyNotASinkCharacteristic extends EndpointCharacteristic { override predicate hasImplications( EndpointType endpointClass, boolean isPositiveIndicator, float confidence ) { - endpointClass instanceof NegativeType and + endpointClass instanceof NegativeSinkType and isPositiveIndicator = true and confidence = mediumConfidence() } @@ -595,7 +595,7 @@ abstract private class StandardEndpointFilterCharacteristic extends EndpointFilt override predicate hasImplications( EndpointType endpointClass, boolean isPositiveIndicator, float confidence ) { - endpointClass instanceof NegativeType and + endpointClass instanceof NegativeSinkType and isPositiveIndicator = true and confidence = mediumConfidence() } diff --git a/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointTypes.qll b/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointTypes.qll index acb63761bf8..e020ac03f19 100644 --- a/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointTypes.qll +++ b/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointTypes.qll @@ -5,16 +5,16 @@ * only predict classes defined within this file. This file is the source of truth for the integer * representation of each of these classes. */ -newtype TEndpointType = - TNegativeType() or - TSqlSinkType() or - TTaintedPathSinkType() or - TRequestForgerySinkType() or - TOtherMaDSinkType() -/** A class that can be predicted by endpoint scoring models. */ -abstract class EndpointType extends TEndpointType { - abstract string getDescription(); +/** A class that can be predicted by a classifier. */ +abstract class EndpointType extends string { + /** + * Holds when the string matches the name of the sink / source type. + */ + bindingset[this] + EndpointType() { any() } + + final string getDescription() { result = this } /** * Gets the integer representation of this endpoint type. This integer representation specifies the class number @@ -29,13 +29,23 @@ abstract class EndpointType extends TEndpointType { * See https://github.com/github/codeql/blob/44213f0144fdd54bb679ca48d68b28dcf820f7a8/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll#LL353C11-L357C31 */ abstract string getKind(); +} - string toString() { result = getDescription() } +/** A class for sink types that can be predicted by a classifier. */ +abstract class SinkType extends EndpointType { + bindingset[this] + SinkType() { any() } +} + +/** A class for source types that can be predicted by a classifier. */ +abstract class SourceType extends EndpointType { + bindingset[this] + SourceType() { any() } } /** The `Negative` class for non-sinks. */ -class NegativeType extends EndpointType, TNegativeType { - override string getDescription() { result = "non-sink" } +class NegativeSinkType extends SinkType { + NegativeSinkType() { this = "non-sink" } override int getEncoding() { result = 0 } @@ -43,8 +53,8 @@ class NegativeType extends EndpointType, TNegativeType { } /** All sinks relevant to the SQL injection query */ -class SqlSinkType extends EndpointType, TSqlSinkType { - override string getDescription() { result = "sql injection sink" } +class SqlSinkType extends SinkType { + SqlSinkType() { this = "sql injection sink" } override int getEncoding() { result = 1 } @@ -52,8 +62,8 @@ class SqlSinkType extends EndpointType, TSqlSinkType { } /** All sinks relevant to the tainted path injection query. */ -class TaintedPathSinkType extends EndpointType, TTaintedPathSinkType { - override string getDescription() { result = "path injection sink" } +class TaintedPathSinkType extends SinkType { + TaintedPathSinkType() { this = "path injection sink" } override int getEncoding() { result = 2 } @@ -61,8 +71,8 @@ class TaintedPathSinkType extends EndpointType, TTaintedPathSinkType { } /** All sinks relevant to the SSRF query. */ -class RequestForgerySinkType extends EndpointType, TRequestForgerySinkType { - override string getDescription() { result = "ssrf sink" } +class RequestForgerySinkType extends SinkType { + RequestForgerySinkType() { this = "ssrf sink" } override int getEncoding() { result = 3 } @@ -70,8 +80,8 @@ class RequestForgerySinkType extends EndpointType, TRequestForgerySinkType { } /** Other sinks modeled by a MaD `kind` but not belonging to any of the existing sink types. */ -class OtherMaDSinkType extends EndpointType, TOtherMaDSinkType { - override string getDescription() { result = "other sink" } +class OtherMaDSinkType extends SinkType { + OtherMaDSinkType() { this = "other sink" } override int getEncoding() { result = 4 } diff --git a/java/ql/experimental/adaptivethreatmodeling/src/ExtractNegativeExamples.ql b/java/ql/experimental/adaptivethreatmodeling/src/ExtractNegativeExamples.ql index 8a90d99f2a8..43cb5e4dcb6 100644 --- a/java/ql/experimental/adaptivethreatmodeling/src/ExtractNegativeExamples.ql +++ b/java/ql/experimental/adaptivethreatmodeling/src/ExtractNegativeExamples.ql @@ -31,7 +31,7 @@ from where characteristic.appliesToEndpoint(endpoint) and confidence >= characteristic.highConfidence() and - characteristic.hasImplications(any(NegativeType negative), true, confidence) and + characteristic.hasImplications(any(NegativeSinkType negative), true, confidence) and // Exclude endpoints that have contradictory endpoint characteristics, because we only want examples we're highly // certain about in the prompt. not EndpointCharacteristics::erroneousEndpoints(endpoint, _, _, _, _) and @@ -47,7 +47,7 @@ where | characteristic2.appliesToEndpoint(endpoint) and confidence2 >= characteristic2.maximalConfidence() and - not positiveType instanceof NegativeType and + not positiveType instanceof NegativeSinkType and characteristic2.hasImplications(positiveType, true, confidence2) ) and endpoint = getSampleFromSampleRate(0.01) and