CUSTOM_ANALYSIS.md

File metadata and controls

106 lines (83 loc) · 2.91 KB

# Customize an analysis

In addition to specifying a taint analysis, you can create custom rules.

## Call graph checking

To verify that your program meets a given specification, use the kind of rule shown below (the `MUST_VERIFY_CALL_FLOW` action). It traverses the call graph of the program (starting only from the main function) to check, in this example, that a user is authenticated and has the required permission before a possible secret is retrieved.

```json
{
    "custom_rules": [
        {
            "sequence":
            [
                {"function_name": "dev_iam_authenticated", "language": "php"},
                {"function_name": "dev_iam_rights", "language": "php"},
                {"function_name": "dev_retrieve_secret", "language": "php"}
            ],
            "description": "rule #1 not verified",
            "action": "MUST_VERIFY_CALL_FLOW"
        }]
}
```

The call graph of the following code:

```php
<?php

function secret()
{
    dev_iam_authenticated();

    if(1 == rand())
    {
        dev_iam_rights();
    }
    else
    {
        nada();
    }

    var_dump(dev_retrieve_secret());
}

secret();
```

has one path (the `else` branch, which calls `nada()` instead of `dev_iam_rights()`) that does not satisfy rule #1 above, so this rule is raised.
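To make the rule's semantics concrete, here is an added example in Python that is not the analyzer's own code: a minimal model of how a `MUST_VERIFY_CALL_FLOW` rule can be checked. The call graph is constructed by hand to mirror the PHP snippet above (a string is a call, a tuple is an if/else branch point), every path from `main` is enumerated, and each path must contain the rule's sequence in order. A second, hand-constructed graph shows the same program with the permission check moved out of the conditional, which no longer violates the rule.

```python
"""Added example (not the analyzer's own code): a minimal model of how a
MUST_VERIFY_CALL_FLOW rule can be checked against a call graph.

The call graph below is constructed by hand to mirror the PHP snippet above:
main calls secret(), which calls dev_iam_authenticated(), then either
dev_iam_rights() or nada() depending on a branch, then dev_retrieve_secret().
Every path from the entry point is enumerated and the rule's sequence must
appear, in order, on each of them; paths where it does not are reported.
"""

# The rule exactly as written on this page.
RULE = {
    "sequence": [
        {"function_name": "dev_iam_authenticated", "language": "php"},
        {"function_name": "dev_iam_rights", "language": "php"},
        {"function_name": "dev_retrieve_secret", "language": "php"},
    ],
    "description": "rule #1 not verified",
    "action": "MUST_VERIFY_CALL_FLOW",
}

# Constructed call graph. A function body is a list of steps: a string is a call,
# a tuple is a branch point whose members are the alternative bodies (if/else).
# Functions without an entry here are leaves (no further calls).
PAGE_GRAPH = {
    "main": ["secret"],
    "secret": [
        "dev_iam_authenticated",
        (["dev_iam_rights"], ["nada"]),   # the if/else inside secret()
        "dev_retrieve_secret",
    ],
}

# Constructed variant: the permission check is no longer conditional.
FIXED_GRAPH = {
    "main": ["secret"],
    "secret": ["dev_iam_authenticated", "dev_iam_rights", "dev_retrieve_secret"],
}


def expand(steps, graph, stack):
    """Return every ordered call sequence produced by executing `steps`.

    `stack` holds the functions currently being expanded so that a recursive
    call is recorded once and not followed forever.
    """
    sequences = [[]]
    for step in steps:
        if isinstance(step, tuple):                      # branch: any alternative
            options = [s for branch in step for s in expand(branch, graph, stack)]
        elif step in stack:                              # recursion: record, stop
            options = [[step]]
        else:                                            # call: record it, then its body
            body = graph.get(step, [])
            options = [[step] + s for s in expand(body, graph, stack + (step,))]
        sequences = [prefix + opt for prefix in sequences for opt in options]
    return sequences


def is_subsequence(needle, haystack):
    """True if every element of `needle` occurs in `haystack`, in that order."""
    it = iter(haystack)
    return all(any(x == y for y in it) for x in needle)


def check_call_flow(rule, graph, entry="main"):
    """Return the call paths from `entry` on which the rule's sequence is missing."""
    wanted = [step["function_name"] for step in rule["sequence"]]
    return [path for path in expand(graph[entry], graph, (entry,))
            if not is_subsequence(wanted, path)]


if __name__ == "__main__":
    for name, graph in (("page", PAGE_GRAPH), ("fixed", FIXED_GRAPH)):
        for path in check_call_flow(RULE, graph):
            print(f"{name}: {RULE['description']} on path {' -> '.join(path)}")
```

Running it reports exactly one violating path for the page's program, the one through `nada()`, and none for the fixed variant. Note that the check is path-sensitive but not value-sensitive: it does not know whether `1 == rand()` can be false, it only sees that a branch exists on which `dev_iam_rights()` is never called.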

## Restricted function calls

To check whether a function call complies with defined conditions, use this kind of rule (the `MUST_NOT_VERIFY_DEFINITION` and `MUST_VERIFY_DEFINITION` actions). In this example the Twig auto-escaping strategy is verified:

```json
{
    "name": "__construct",
    "is_function": true,
    "instanceof": "Twig_Environment",
    "parameters":
    [
        {"id": 2, "values":
            [
                {"value" : "false", "is_array": true, "array_index": "autoescape"}
            ]}
    ],
    "description": "Twig_Environment autoescaping should be set to true",
    "language": "php",
    "action": "MUST_NOT_VERIFY_DEFINITION",
    "attack": "security misconfiguration",
    "cwe": "CWE_1004"
}
```

In the code below, the conditions of the custom rule set on the `Twig_Environment` constructor call are not satisfied (the second argument is an array whose `autoescape` entry is `false`), so the rule is raised:

```php
<?php

$a = new Twig_Environment($loader, array("autoescape" => false));
```
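The following is an added Python example, not the analyzer's own code, that models how a definition rule is evaluated against one call site. The page does not spell out the matching semantics, so these are assumptions: a rule targets calls whose `name` and `instanceof` match, `id` is the 1-based argument position, with `is_array` the argument must be a PHP array holding `array_index` whose value, written as PHP literal text, equals `value`; `MUST_NOT_VERIFY_DEFINITION` reports a targeted call whose parameters match the definition, `MUST_VERIFY_DEFINITION` reports a targeted call whose parameters do not. The call-site records are constructed by hand; the first mirrors the PHP line above.

```python
"""Added example (not the analyzer's own code): a model of how a
MUST_NOT_VERIFY_DEFINITION / MUST_VERIFY_DEFINITION rule is evaluated against
one call site. The matching semantics below are assumptions; this page does
not define them.
"""

# The rule exactly as written on this page.
RULE = {
    "name": "__construct",
    "is_function": True,
    "instanceof": "Twig_Environment",
    "parameters": [
        {"id": 2, "values": [
            {"value": "false", "is_array": True, "array_index": "autoescape"}
        ]}
    ],
    "description": "Twig_Environment autoescaping should be set to true",
    "language": "php",
    "action": "MUST_NOT_VERIFY_DEFINITION",
    "attack": "security misconfiguration",
    "cwe": "CWE_1004",
}

# Constructed call-site records, as a front end might hand them to the rule
# engine: PHP arrays become dicts, PHP booleans become Python booleans.
CALL_FROM_PAGE = {"name": "__construct", "instanceof": "Twig_Environment",
                  "args": ["$loader", {"autoescape": False}]}
HARDENED_CALL = {"name": "__construct", "instanceof": "Twig_Environment",
                 "args": ["$loader", {"autoescape": True}]}
OTHER_CLASS = {"name": "__construct", "instanceof": "SomeOtherClass",
               "args": ["$loader", {"autoescape": False}]}


def php_literal(value):
    """Render a front-end value the way it would be written in PHP source."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if value is None:
        return "null"
    return str(value)


def parameter_matches(param_rule, args):
    """True if the argument at position `id` satisfies every value condition."""
    index = param_rule["id"] - 1          # assumption: "id" is 1-based
    if index >= len(args):
        return False                      # argument not given: nothing to match
    arg = args[index]
    for cond in param_rule["values"]:
        if cond.get("is_array"):
            if not isinstance(arg, dict) or cond["array_index"] not in arg:
                return False
            actual = arg[cond["array_index"]]
        else:
            actual = arg
        if php_literal(actual) != cond["value"]:
            return False
    return True


def evaluate(rule, call):
    """Return the rule description if `call` must be reported, else None."""
    targeted = call["name"] == rule["name"] and call["instanceof"] == rule["instanceof"]
    if not targeted:
        return None
    matched = all(parameter_matches(p, call["args"]) for p in rule.get("parameters", []))
    if rule["action"] == "MUST_NOT_VERIFY_DEFINITION" and matched:
        return rule["description"]
    if rule["action"] == "MUST_VERIFY_DEFINITION" and not matched:
        return rule["description"]
    return None


if __name__ == "__main__":
    for label, call in (("page", CALL_FROM_PAGE), ("hardened", HARDENED_CALL)):
        print(label, "->", evaluate(RULE, call))
```

With this model the page's call is reported, the hardened call with `autoescape => true` is not, and a constructor of an unrelated class is ignored even though it passes the same array. Swapping the action to `MUST_VERIFY_DEFINITION` with `"value": "true"` expresses the same policy positively: the hardened call passes and the page's call is reported.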

## Create an object

A variable, a property or the return value of a function can be declared as a custom object whose class name is defined in the `extra` property:

```json
{
    "name": "query",
    "is_function": true,
    "instanceof": "CI_Model->db",
    "description": "Result of db queries as new sources",
    "language": "php",
    "action": "DEFINE_OBJECT",
    "extra": "DBQueryCodeIgniter"
}
```
- `is_function`: when set to `true`, `name` is a function and the rule applies to the return value of that function.

You can then use this class name when defining sources, sinks, sanitizers or validators.