Crypto: Updating insecure iv/nonce to consider if an operation is known for it, and if so do not alert on non-secure random if it is tied to decryption

2026-04-28 18:25:24 +02:00 · 2025-10-08 16:27:18 -04:00
parent 7a57496c54
commit f524de4afc
2 changed files with 39 additions and 11 deletions
--- a/java/ql/src/experimental/quantum/Analysis/InsecureIVorNonceSource.ql
+++ b/java/ql/src/experimental/quantum/Analysis/InsecureIVorNonceSource.ql
@@ -2,7 +2,10 @@
 * @name Insecure nonce/iv (static value or weak random source)
 * @id java/quantum/insecure-iv-or-nonce
 * @description A nonce/iv is generated from a source that is not secure. This can lead to
- *              vulnerabilities such as replay attacks or key recovery.
+ *              vulnerabilities such as replay attacks or key recovery. Insecure generation
+ *              is any static nonce, or any known insecure source for a nonce/iv if
+ *              the value is used for an encryption operation (decryption operations are ignored
+ *              as the nonce/iv would be provided alongside the ciphertext).
 * @kind problem
 * @problem.severity error
 * @precision high
@@ -12,8 +15,33 @@

 import experimental.quantum.Language

-from Crypto::NonceArtifactNode nonce, Crypto::NodeBase src
+from Crypto::NonceArtifactNode nonce, Crypto::NodeBase src, Crypto::NodeBase op, string msg
 where
  nonce.getSourceNode() = src and
-  not src.asElement() instanceof SecureRandomnessInstance
-select nonce, "Nonce or IV uses insecure or constant source $@", src, src.toString()
+  (
+    // Case 1: Any constant nonce/iv is bad, regardless of how it is used
+    src.asElement() instanceof Crypto::GenericConstantSourceInstance and
+    op = nonce and // binding op by not using it
+    msg = "Nonce or IV uses constant source $@"
+    or
+    // Case 2: The nonce has a non-random source and there is no known operation for the nonce
+    //         assume it is used for encryption
+    not src.asElement() instanceof SecureRandomnessInstance and
+    not src.asElement() instanceof Crypto::GenericConstantSourceInstance and
+    not exists(Crypto::CipherOperationNode o | o.getANonce() = nonce) and
+    op = nonce and // binding op, but not using it
+    msg =
+      "Nonce or IV uses insecure source $@ with no observed nonce usage (assuming could be for encryption)."
+    or
+    // Case 3: The nonce has a non-random source and is used in an encryption operation
+    not src.asElement() instanceof SecureRandomnessInstance and
+    not src.asElement() instanceof Crypto::GenericConstantSourceInstance and
+    op.(Crypto::CipherOperationNode).getANonce() = nonce and
+    (
+      op.(Crypto::CipherOperationNode).getKeyOperationSubtype() instanceof Crypto::TEncryptMode
+      or
+      op.(Crypto::CipherOperationNode).getKeyOperationSubtype() instanceof Crypto::TWrapMode
+    ) and
+    msg = "Nonce or IV uses insecure source $@ at encryption operation $@"
+  )
+select nonce, msg, src, src.toString(), op, op.toString()