step-3

query a function named strlen

import cpp

from Function f

where f.getName() = "strlen"

select f, "a function named strlen"

step-4

query a function named memcpy

import cpp

from Function f

where f.getName() = "memcpy"

select f, "a function named memcpy"

step-5

query macros named ntohs or ntohl or ntohll

import cpp

from Macro macro

where macro.getName() = "ntohs"

    or macro.getName() = "ntohl"

    or macro.getName() = "ntohll"

select macro, "found macro"

more effective

import cpp

from Macro macro

where macro.getName() in ["ntohs", "ntohl", "ntohll"]

select macro, "found macro"

use Regular Expression

import cpp

from Macro macro

where macro.getName().regexpMatch("ntoh(s|l|ll)")

select macro, "found macro"

step-6

query the caller of a function

import cpp

from FunctionCall fc

where fc.getTarget().getName() = "memcpy"

select fc, "caller of the memcpy"

step-7

query the invocations of macros

import cpp

from MacroInvocation mi

where mi.getMacro().getName().regexpMatch("ntoh(s|l|ll)")

select mi

step-8

query the expressions that correspond to macro invocations.

import cpp

from MacroInvocation mi

where mi.getMacro().getName().regexpMatch("ntoh(s|l|ll)")

select mi.getExpr()

step-9

Write your own CodeQL class to represent a set of interesting source code elements

To define a class, you write:

  1. The keyword class.
  2. The name of the class. This is an identifier starting with an uppercase letter.
  3. The supertypes that the class is derived from via extends and/or instanceof
  4. The body of the class, enclosed in braces.
class OneTwoThree extends int {

    OneTwoThree() { // characteristic predicate

      this = 1 or this = 2 or this = 3

    }

    string getAString() { // member predicate

      result = "One, two or three: " + this.toString()

    }

    predicate isEven() { // member predicate

      this = 2

    }

}


import cpp

/**

 * An expression involved when swapping the byte order of network data.

 * Its value is likely to have been read from the network.

 */

class NetworkByteSwap extends Expr {

  NetworkByteSwap() {

    exists(MacroInvocation mi |

      mi.getMacroName().regexpMatch("ntoh(s|l|ll)") and

      this = mi.getExpr()

    )

  }

}

from NetworkByteSwap n

select n

step-10

query to track the flow of tainted data from network controlled interges to the memcpy length argument

import cpp

import semmle.code.cpp.dataflow.TaintTracking

import DataFlow::PathGraph

/**

 * An expression involved when swapping the byte order of network data.

 * Its value is likely to have been read from the network.

 */

class NetworkByteSwap extends Expr {

    NetworkByteSwap() {

      exists(MacroInvocation mi |

        mi.getMacroName().regexpMatch("ntoh(s|l|ll)") and

        this = mi.getExpr()

      )

    }

  }

class Config extends TaintTracking::Configuration {

    Config() { this = "no matter" }

    override predicate isSource(DataFlow::Node source) {

        source.asExpr() instanceof NetworkByteSwap

    }

    override predicate isSink(DataFlow::Node sink) {

        exists(FunctionCall fc | fc.getTarget().getName() = "memcpy" and sink.asExpr() = fc.getArgument(2))

    }

}

from Config cfg, DataFlow::PathNode source, DataFlow::PathNode sink

where cfg.hasFlowPath(source, sink)

select sink, source, sink, "Network byte swap flows to memcpy"

CodeQl lab learn的更多相关文章

  1. RH253读书笔记(1)-Lab 1 System Monitoring

    Lab 1 System Monitoring Goal: To build skills to better assess system resources, performance and sec ...

  2. Learn to securely share files on the blockchain with IPFS!

    https://medium.com/@mycoralhealth/learn-to-securely-share-files-on-the-blockchain-with-ipfs-219ee47d ...

  3. 什么是 Meta Learning / Learning to Learn ?

    Learning to Learn Chelsea Finn    Jul 18, 2017 A key aspect of intelligence is versatility – the cap ...

  4. Lab 6-2

    Analyze the malware found in the file Lab06-02.exe. Questions and Short Answers What operation does ...

  5. Lab 6-1

    LABS The goal of the labs for this chapter is to help you to understand the overall functionality of ...

  6. Lab 1-4

    Analyze the file Lab01-04.exe. Questions and Short Answers Upload the Lab01-04.exe file to http://ww ...

  7. Lab 1-1

    LABS The purpose of the labs is to give you an opportunity to practice the skills taught in the chap ...

  8. 第六章:Reminders实验:第二部分[Learn Android Studio 汉化教程]

    Learn Android Studio 汉化教程 Reminders Lab: Part 2 This chapter covers capturing user input through the ...

  9. 第五章:Reminders实验:第一部分[Learn Android Studio 汉化教程]

    Learn Android Studio 汉化教程 By now you are familiar with the basics of creating a new project, program ...

  10. 6.824 Lab 2: Raft 2A

    6.824 Lab 2: Raft Part 2A Due: Feb 23 at 11:59pm Part 2B Due: Mar 2 at 11:59pm Part 2C Due: Mar 9 at ...

随机推荐

  1. P4555 最长双回文串 解题报告

    看到回文串,于是就想到了马拉车. 马拉车可以帮我们求出每个 \(i\) 的最大扩展距离,容易得出,双回文串就是两个回文串拼一起.当然,两个回文串必须要相交,不然形不成一个字符串. 有的小可爱就会想直接 ...

  2. openfoam并行通信探索(一)

    前言 最近在忙,快一两周没更新了,今天说下如何实现openfoam内的并行通信 为什么要并行通信 说到并行通信大家不要害怕啊,只是不同核之间数据传递,比如说咱们仿真开16个核,3号计算单元对4号计算单 ...

  3. DFS总结

    常见剪枝方法 优化搜索顺序 优先搜索决策树较小的点,例如在165. 小猫爬山一题中,优先搜索体重较大的扩展出的情况较少 排除冗余信息 如果某些情况在此前已经被搜索过了,那么无需继续搜索 可行性剪枝 如 ...

  4. 安装原版Windows自动安装已经备份的驱动

    安装完Windows10后联网会自动更新驱动,除了自动更新.如果不让新安装的Windows系统自动安装驱动以外,还有自己手动安装驱动的方式.如何在安装系统过程中就让系统自己安装好驱动? 重装系统首先要 ...

  5. 全面了解 Redis 高级特性,实现高性能、高可靠的数据存储和处理

    目录 高性能.高可用.高可扩展性的原理 持久化 RDB持久化 AOF持久化 持久化的配置 RDB配置 AOF配置 持久化的恢复 RDB的恢复 AOF的恢复 RDB和AOF的选择 持久化对性能的影响 数 ...

  6. Apache Hudi 0.9.0版本重磅发布!更强大的流式数据湖平台

    1. 重点特性 1.1 Spark SQL支持 0.9.0 添加了对使用 Spark SQL 的 DDL/DML 的支持,朝着使所有角色(非工程师.分析师等)更容易访问和操作 Hudi 迈出了一大步. ...

  7. IOC创建对象方式

    IOC创建对象方式 User 类  public class User {  private String name;          public User(String name) {      ...

  8. golang pprof 监控系列(3) —— memory,block,mutex 统计原理

    golang pprof 监控系列(3) -- memory,block,mutex 统计原理 大家好,我是蓝胖子. 在上一篇文章 golang pprof监控系列(2) -- memory,bloc ...

  9. 统计模拟实验—R实现(蒲丰投针)

    统计模拟实验 统计模拟是数理统计.和计算机科学的结合,是一门综合性学科.在科学研究和生产实际的各个领域中,普遍存在着大量数据的分析处理工作.如何应用数理统计中的方法来解决实际问题,以及如何解决在应用中 ...

  10. ChatGPT 与 Midjourney 强强联手,让先秦阿房宫重现辉煌!

    Midjourney 是一款非常特殊的 AI 绘画聊天机器人,它并不是软件,也不用安装,而是直接搭载在 Discord 平台之上,所有的功能都是通过调用 Discord 的聊天机器人程序实现的.要想使 ...