step-3

query a function named strlen

import cpp

from Function f
where f.getName() = "strlen"
select f, "a function named strlen"

step-4

query a function named memcpy

import cpp

from Function f
where f.getName() = "memcpy"
select f, "a function named memcpy"

step-5

query macros named ntohs or ntohl or ntohll

import cpp

from Macro macro
where macro.getName() = "ntohs"
or macro.getName() = "ntohl"
or macro.getName() = "ntohll"
select macro, "found macro"

More concisely, using a set literal with the in operator:

import cpp

from Macro macro
where macro.getName() in ["ntohs", "ntohl", "ntohll"]
select macro, "found macro"

Using a regular expression:

import cpp

from Macro macro
where macro.getName().regexpMatch("ntoh(s|l|ll)")
select macro, "found macro"

step-6

query the calls to a function (here, every call whose target is memcpy)

import cpp

from FunctionCall fc
where fc.getTarget().getName() = "memcpy"
select fc, "caller of the memcpy"

step-7

query the invocations of macros

import cpp

from MacroInvocation mi
where mi.getMacro().getName().regexpMatch("ntoh(s|l|ll)")
select mi

step-8

query the expressions that correspond to macro invocations.

import cpp

from MacroInvocation mi
where mi.getMacro().getName().regexpMatch("ntoh(s|l|ll)")
select mi.getExpr()

step-9

Write your own CodeQL class to represent a set of interesting source code elements

To define a class, you write:

  1. The keyword class.
  2. The name of the class. This is an identifier starting with an uppercase letter.
  3. The supertypes that the class is derived from via extends and/or instanceof.
  4. The body of the class, enclosed in braces.

For example:

class OneTwoThree extends int {
  OneTwoThree() { // characteristic predicate
    this = 1 or this = 2 or this = 3
  }

  string getAString() { // member predicate
    result = "One, two or three: " + this.toString()
  }

  predicate isEven() { // member predicate
    this = 2
  }
}

Applied to this lab, a class whose members are the expressions wrapped by an ntoh* macro invocation (the same expressions step-8 selected):

import cpp

/**
 * An expression involved when swapping the byte order of network data.
 * Its value is likely to have been read from the network.
 */
class NetworkByteSwap extends Expr {
  NetworkByteSwap() {
    exists(MacroInvocation mi |
      mi.getMacroName().regexpMatch("ntoh(s|l|ll)") and
      this = mi.getExpr()
    )
  }
}

from NetworkByteSwap n
select n

step-10

query to track the flow of tainted data from network-controlled integers to the memcpy length argument

/**
 * @kind path-problem
 */
// The @kind path-problem metadata is what makes the results pane render the
// source-to-sink path produced by the select clause below.
import cpp
import semmle.code.cpp.dataflow.TaintTracking
import DataFlow::PathGraph

/**
 * An expression involved when swapping the byte order of network data.
 * Its value is likely to have been read from the network.
 */
class NetworkByteSwap extends Expr {
  NetworkByteSwap() {
    exists(MacroInvocation mi |
      mi.getMacroName().regexpMatch("ntoh(s|l|ll)") and
      this = mi.getExpr()
    )
  }
}

class Config extends TaintTracking::Configuration {
  Config() { this = "no matter" }

  // Sources: values that went through an ntoh* byte swap
  override predicate isSource(DataFlow::Node source) {
    source.asExpr() instanceof NetworkByteSwap
  }

  // Sinks: the length (third) argument of a call to memcpy
  override predicate isSink(DataFlow::Node sink) {
    exists(FunctionCall fc |
      fc.getTarget().getName() = "memcpy" and
      sink.asExpr() = fc.getArgument(2)
    )
  }
}

from Config cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink, source, sink, "Network byte swap flows to memcpy"
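To make concrete what the step-10 query reports, here is an added C example (not from the lab and not U-Boot code) of the pattern it looks for: a length field read from a packet with ntohs() and passed, unchecked, as the length argument of memcpy(), next to a hardened version that validates the length against both the bytes actually received and the destination size before copying. The function names, the record layout (2-byte big-endian length followed by payload) and the sample packets are constructed here for illustration.

```c
#include <arpa/inet.h>   /* ntohs */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Record layout, constructed for this example:
 * bytes 0..1 = big-endian payload length, bytes 2.. = payload. */

/* Vulnerable form: this is exactly what the taint query flags.
 * `len` flows from ntohs() (the NetworkByteSwap source) straight into the
 * third argument of memcpy (the sink) with no comparison against the bytes
 * available in `pkt` or the size of `out`. */
size_t copy_payload_unchecked(const uint8_t *pkt, uint8_t *out)
{
    uint16_t len;
    memcpy(&len, pkt, sizeof len);
    len = ntohs(len);            /* network-controlled value */
    memcpy(out, pkt + 2, len);   /* length argument is under remote control */
    return len;
}

/* Hardened form: the same parse with the checks that bound the copy.
 * Returns the number of payload bytes copied, or -1 if the record is malformed. */
long copy_payload_checked(const uint8_t *pkt, size_t pkt_len,
                          uint8_t *out, size_t out_len)
{
    uint16_t len;
    if (pkt_len < sizeof len)            /* not even a complete header */
        return -1;
    memcpy(&len, pkt, sizeof len);
    len = ntohs(len);
    if (len > pkt_len - sizeof len)      /* claims more payload than was received */
        return -1;
    if (len > out_len)                   /* payload would overflow the destination */
        return -1;
    memcpy(out, pkt + sizeof len, len);
    return (long)len;
}

/* Constructed sample records for the checks below. */
const uint8_t sample_good[]     = {0x00, 0x03, 'a', 'b', 'c'};            /* len 3, 3 bytes present */
const uint8_t sample_truncated[] = {0x10, 0x00, 'a'};                      /* claims 4096, 1 byte present */
const uint8_t sample_too_big[]  = {0x00, 0x09, 1, 2, 3, 4, 5, 6, 7, 8, 9}; /* len 9 into an 8-byte buffer */
```

In CodeQL terms both functions still contain a flow from the ntohs() source to the memcpy length sink, so the basic configuration above reports both; distinguishing the hardened one requires a sanitizer that recognises the comparison guards, which is the usual next refinement when triaging results of this query.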
