hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-23 20:26:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

Update TimingAttackAgainstSignature.ql

Browse Source
This commit is contained in:
Ahmed Farid
2022-07-20 00:56:52 +01:00
committed by GitHub
parent 27d81548a7
commit 3d092f9569
1 changed files with 8 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstSignature.ql
View File

@@ -1,14 +1,13 @@
/**
* @name Timing attack against digest validation
* @description When checking a signature over a message, a constant-time algorithm should be used.
* Otherwise, an attacker may be able to forge a valid digest for an arbitrary message
* by running a timing attack if they can send to the validation procedure
* both the message and the signature.
* @name Timing attack against Hash
* @description When checking a Hash over a message, a constant-time algorithm should be used.
* Otherwise, an attacker may be able to forge a valid Hash for an arbitrary message
* by running a timing attack if they can send to the validation procedure.
* A successful attack can result in authentication bypass.
* @kind path-problem
* @problem.severity error
* @precision high
* @id py/timing-attack-against-signature
* @id py/timing-attack-against-hash
* @tags security
* external/cwe/cwe-208
*/
@@ -23,15 +22,15 @@ import DataFlow::PathGraph
* A configuration that tracks data flow from cryptographic operations
* to Equality test.
*/
class TimingAttackAgainstsignature extends TaintTracking::Configuration {
TimingAttackAgainstsignature() { this = "TimingAttackAgainstsignature" }
class TimingAttackAgainsthash extends TaintTracking::Configuration {
TimingAttackAgainsthash() { this = "TimingAttackAgainsthash" }
override predicate isSource(DataFlow::Node source) { source instanceof UserInputMsgConfig }
override predicate isSink(DataFlow::Node sink) { sink instanceof UserInputInComparisonConfig }
}
from TimingAttackAgainstsignature config, DataFlow::PathNode source, DataFlow::PathNode sink
from TimingAttackAgainsthash config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Timing attack against $@ validation.", source,
source.getNode()