More cleanup

2026-02-15 06:23:42 +01:00 · 2022-11-08 12:39:49 -05:00
parent 43760b6bb1
commit eceda7a787
2 changed files with 10 additions and 51 deletions
--- a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WinCng.ql
+++ b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WinCng.ql
@@ -1,39 +0,0 @@
-/**
- * @id cpp/nist-pqc/pqc-vulnerable-algorithms-cng
- * @name Usage of PQC vulnerable algorithms
- * @description Usage of PQC vulnerable algorithms.
- * @microsoft.severity important
- * @kind path-problem
- * @problem.severity warning
- * @precision high
- * @tags security
- *       pqc
- *       nist
- */
-
-import cpp
-import DataFlow::PathGraph
-import WindowsCng
-import WindowsCngPQCVulnerableUsage
-
-// CNG-specific DataFlow configuration
-class BCryptConfiguration extends TaintTracking::Configuration {
-	BCryptConfiguration() {
-		this = "BCryptConfiguration"
-	}
-	override predicate isSource(DataFlow::Node source) {
-        source instanceof BCryptOpenAlgorithmProviderSource
-	}
- 
-	override predicate isSink(DataFlow::Node sink) { 
-        sink instanceof BCryptOpenAlgorithmProviderSink 
-    }
-
-    override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-        isWindowsCngAsymmetricKeyAdditionalTaintStep( node1, node2)
-    }
-}
-
-from BCryptConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "PQC vulnerable algorithm in use has been detected."
--- a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.qll
+++ b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.qll
@@ -1,30 +1,28 @@
 import cpp
 import WindowsCng

-predicate vulnerableCngFunctionName(string name) { name in ["BCryptSignHash", "BCryptEncrypt"] }
-
 predicate keyGenAndImportFunctionName(string name) { name in ["BCryptImportKeyPair", "BCryptGenerateKeyPair"] }

-predicate vulnerableCngFunction(Function f) {
-  exists(string name | f.hasGlobalName(name) and vulnerableCngFunctionName(name))
-}
-
 predicate keyGenAndImportFunction(Function f){
    exists(string name | f.hasGlobalName(name) and keyGenAndImportFunctionName(name))
 }

 //TODO: Verify NCrypt calls (parameters) & find all other APIs that should be included (i.e. decrypt, etc.)
-predicate isExprKeyHandleForBCryptSignHash(Expr e) {
-  exists(FunctionCall call |
-    e = call.getArgument(0) and
-    vulnerableCngFunction(call.getTarget())
-  )
+
+
+predicate isCallArgument(string funcGlobalName, Expr arg, int index){
+    exists(Call c | c.getArgument(index) = arg and c.getTarget().hasGlobalName(funcGlobalName))
 }

 class BCryptSignHashArgumentSink extends BCryptOpenAlgorithmProviderSink {
-  BCryptSignHashArgumentSink() { isExprKeyHandleForBCryptSignHash(this.asExpr()) }
+  BCryptSignHashArgumentSink() { isCallArgument("BCryptSignHash", this.asExpr(), 0) }
 }

+class BCryptEncryptArgumentSink extends BCryptOpenAlgorithmProviderSink {
+    BCryptEncryptArgumentSink() { isCallArgument("BCryptEncrypt", this.asExpr(), 0) }
+  }
+  
+
 class BCryptOpenAlgorithmProviderPqcVulnerableAlgorithmsSource extends BCryptOpenAlgorithmProviderSource {
  BCryptOpenAlgorithmProviderPqcVulnerableAlgorithmsSource() {
    this.asExpr() instanceof StringLiteral and