step-3

query a function named strlen

import cpp

from Function f

where f.getName() = "strlen"

select f, "a function named strlen"

step-4

query a function named memcpy

import cpp

from Function f

where f.getName() = "memcpy"

select f, "a function named memcpy"

step-5

query macros named ntohs or ntohl or ntohll

import cpp

from Macro macro

where macro.getName() = "ntohs"

    or macro.getName() = "ntohl"

    or macro.getName() = "ntohll"

select macro, "found macro"

more effective

import cpp

from Macro macro

where macro.getName() in ["ntohs", "ntohl", "ntohll"]

select macro, "found macro"

use Regular Expression

import cpp

from Macro macro

where macro.getName().regexpMatch("ntoh(s|l|ll)")

select macro, "found macro"

step-6

query the caller of a function

import cpp

from FunctionCall fc

where fc.getTarget().getName() = "memcpy"

select fc, "caller of the memcpy"

step-7

query the invocations of macros

import cpp

from MacroInvocation mi

where mi.getMacro().getName().regexpMatch("ntoh(s|l|ll)")

select mi

step-8

query the expressions that correspond to macro invocations.

import cpp

from MacroInvocation mi

where mi.getMacro().getName().regexpMatch("ntoh(s|l|ll)")

select mi.getExpr()

step-9

Write your own CodeQL class to represent a set of interesting source code elements

To define a class, you write:

  1. The keyword class.
  2. The name of the class. This is an identifier starting with an uppercase letter.
  3. The supertypes that the class is derived from via extends and/or instanceof
  4. The body of the class, enclosed in braces.
class OneTwoThree extends int {

    OneTwoThree() { // characteristic predicate

      this = 1 or this = 2 or this = 3

    }

    string getAString() { // member predicate

      result = "One, two or three: " + this.toString()

    }

    predicate isEven() { // member predicate

      this = 2

    }

}


import cpp

/**

 * An expression involved when swapping the byte order of network data.

 * Its value is likely to have been read from the network.

 */

class NetworkByteSwap extends Expr {

  NetworkByteSwap() {

    exists(MacroInvocation mi |

      mi.getMacroName().regexpMatch("ntoh(s|l|ll)") and

      this = mi.getExpr()

    )

  }

}

from NetworkByteSwap n

select n

step-10

query to track the flow of tainted data from network controlled interges to the memcpy length argument

import cpp

import semmle.code.cpp.dataflow.TaintTracking

import DataFlow::PathGraph

/**

 * An expression involved when swapping the byte order of network data.

 * Its value is likely to have been read from the network.

 */

class NetworkByteSwap extends Expr {

    NetworkByteSwap() {

      exists(MacroInvocation mi |

        mi.getMacroName().regexpMatch("ntoh(s|l|ll)") and

        this = mi.getExpr()

      )

    }

  }

class Config extends TaintTracking::Configuration {

    Config() { this = "no matter" }

    override predicate isSource(DataFlow::Node source) {

        source.asExpr() instanceof NetworkByteSwap

    }

    override predicate isSink(DataFlow::Node sink) {

        exists(FunctionCall fc | fc.getTarget().getName() = "memcpy" and sink.asExpr() = fc.getArgument(2))

    }

}

from Config cfg, DataFlow::PathNode source, DataFlow::PathNode sink

where cfg.hasFlowPath(source, sink)

select sink, source, sink, "Network byte swap flows to memcpy"

CodeQl lab learn的更多相关文章

  1. RH253读书笔记(1)-Lab 1 System Monitoring

    Lab 1 System Monitoring Goal: To build skills to better assess system resources, performance and sec ...

  2. Learn to securely share files on the blockchain with IPFS!

    https://medium.com/@mycoralhealth/learn-to-securely-share-files-on-the-blockchain-with-ipfs-219ee47d ...

  3. 什么是 Meta Learning / Learning to Learn ?

    Learning to Learn Chelsea Finn    Jul 18, 2017 A key aspect of intelligence is versatility – the cap ...

  4. Lab 6-2

    Analyze the malware found in the file Lab06-02.exe. Questions and Short Answers What operation does ...

  5. Lab 6-1

    LABS The goal of the labs for this chapter is to help you to understand the overall functionality of ...

  6. Lab 1-4

    Analyze the file Lab01-04.exe. Questions and Short Answers Upload the Lab01-04.exe file to http://ww ...

  7. Lab 1-1

    LABS The purpose of the labs is to give you an opportunity to practice the skills taught in the chap ...

  8. 第六章:Reminders实验:第二部分[Learn Android Studio 汉化教程]

    Learn Android Studio 汉化教程 Reminders Lab: Part 2 This chapter covers capturing user input through the ...

  9. 第五章:Reminders实验:第一部分[Learn Android Studio 汉化教程]

    Learn Android Studio 汉化教程 By now you are familiar with the basics of creating a new project, program ...

  10. 6.824 Lab 2: Raft 2A

    6.824 Lab 2: Raft Part 2A Due: Feb 23 at 11:59pm Part 2B Due: Mar 2 at 11:59pm Part 2C Due: Mar 9 at ...

随机推荐

  1. ros系统(1)

    在虚拟机上安装好ros系统之后,打开终端,启动ROS Master,输入roscore命令,结果如下: 再启动小海龟仿真器,输入命令:rosrun turtlesim turtlesim_node,结 ...

  2. day10-SpringBoot的异常处理

    SpringBoot异常处理 1.基本介绍 默认情况下,SpringBoot提供/error处理所有错误的映射,也就是说当出现错误时,SpringBoot底层会请求转发到/error这个映射路径所关联 ...

  3. Yaml入门与使用

    一.入门 1.概念:  yml是YAML("YAML Ain't a Markup Language)语言文件,以数据为中心,而不是一标记语言为重点,比json,xml更适合做配置文件. 为 ...

  4. C/C++ 恨透了 double free or corruption

    *以下内容为本人的学习笔记,如需要转载,请声明原文链接微信公众号「ENG八戒」https://mp.weixin.qq.com/s/IwSVImp5cOB3gZbaf0YiPw 写过 C/C++ 的都 ...

  5. ES(ECMAScript)标准下中的let、var和const

    ES标准下中的let,var和const let会报重复声明,var则比较随意,重不重复无所谓 // 使用 var 的时候重复声明变量是没问题的,只不过就是后面会把前面覆盖掉 var num = 10 ...

  6. ACM-NEFUOJ-汉诺塔问题

    P200汉诺塔 #include<bits/stdc++.h> using namespace std; int main() { int n,i; long long s[40]; s[ ...

  7. Django笔记十四之统计总数、最新纪录和空值判断等功能

    本篇笔记将介绍一些 Django 查询中统计总数.最新纪录和空值判断等功能. count in_bulk latest.earliest first.last exists contains.icon ...

  8. pysimplegui之系统托盘图标创建

    在 PySimpleGUI(tkinter 版本)上运行时,系统托盘图标为 PNG 和 GIF 格式.PNG.GIF 和 ICO 格式适用于 Wx 和 Qt 端口. 指定"图标"时 ...

  9. JUC中常见的集合

    Map: HashMap ===> ConcurrentHashMap List: ArrayList ===> CopyOnWriteArrayList Set: HashSet === ...

  10. [C++核心编程] 4.6、继承

    文章目录 4.6 继承 4.6.1 继承的基本语法 4.6.2 继承方式 4.6.3 继承中的对象模型 4.6.4 继承中构造和析构顺序 4.6.5 继承同名成员处理方式 4.6.6 继承同名静态成员 ...