quantum-c#: Add generic dataflow module

Author: fcasal

csharp/ql/lib/experimental/quantum/dotnet/AlgorithmInstances.qll

@@ -25,14 +25,13 @@ class SigningNamedCurveAlgorithmInstance extends Crypto::EllipticCurveInstance i
   }
 }
 
-class HashAlgorithmInstance extends Crypto::HashAlgorithmInstance instanceof HashAlgorithmName {
-  HashAlgorithmConsumer consumer;
+class HashAlgorithmNameInstance extends Crypto::HashAlgorithmInstance instanceof HashAlgorithmName {
+  HashAlgorithmNameConsumer consumer;
 
-  HashAlgorithmInstance() {
+  HashAlgorithmNameInstance() {
     HashAlgorithmNameToUse::flow(DataFlow::exprNode(this), consumer.getInputNode())
   }
 
-  // Q: super.getHashFamily does not work because it is ambigous. But super.(HashAlgorithmName) does not work either.
   override Crypto::THashType getHashFamily() { result = this.(HashAlgorithmName).getHashFamily() }
 
   override string getRawHashAlgorithmName() { result = super.getAlgorithmName() }

csharp/ql/lib/experimental/quantum/dotnet/AlgorithmValueConsumers.qll

@@ -15,14 +15,14 @@ class ECDsaAlgorithmValueConsumer extends Crypto::AlgorithmValueConsumer {
   }
 }
 
-class HashAlgorithmConsumer extends Crypto::AlgorithmValueConsumer {
-  HashAlgorithmUser call;
+class HashAlgorithmNameConsumer extends Crypto::AlgorithmValueConsumer {
+  HashAlgorithmNameUser call;
 
-  HashAlgorithmConsumer() { this = call.getHashAlgorithmUser() }
+  HashAlgorithmNameConsumer() { this = call.getHashAlgorithmNameUser() }
 
   override Crypto::ConsumerInputDataFlowNode getInputNode() { result.asExpr() = this }
 
   override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
-    exists(HashAlgorithmInstance l | l.getConsumer() = this and result = l)
+    exists(HashAlgorithmNameInstance l | l.getConsumer() = this and result = l)
   }
 }

csharp/ql/lib/experimental/quantum/dotnet/Cryptography.qll

@@ -23,13 +23,19 @@ class CryptographyCreateCall extends MethodCall {
     or
     result = this.(ECDsaCreateCallWithECCurve)
   }
-
 }
 
 class ECDsaCreateCall extends CryptographyCreateCall {
   ECDsaCreateCall() { this.getQualifier().getType().hasName("ECDsa") }
 }
 
+// TODO
+// class HashAlgorithmCreateCall extends CryptographyCreateCall {
+//   ValueOrRefType type;
+
+//   HashAlgorithmCreateCall() { type = this.getQualifier().getType().getDeclaringType() }
+// }
+
 class RSACreateCall extends CryptographyCreateCall {
   RSACreateCall() { this.getQualifier().getType().hasName("RSA") }
 }
@@ -84,7 +90,11 @@ class HashAlgorithmName extends PropertyAccess {
 
   string getAlgorithmName() { result = algorithmName }
 
-  Crypto::THashType getHashFamily() { hashAlgorithmToFamily(this.getAlgorithmName(), result, _) }
+  Crypto::THashType getHashFamily() {
+    if hashAlgorithmToFamily(this.getAlgorithmName(), _, _)
+    then hashAlgorithmToFamily(this.getAlgorithmName(), result, _)
+    else result = Crypto::OtherHashType()
+  }
 
   int getFixedDigestLength() { hashAlgorithmToFamily(this.getAlgorithmName(), _, result) }
 }
@@ -107,18 +117,18 @@ private predicate hashAlgorithmToFamily(
   hashName = "SHA3_384" and hashFamily = Crypto::SHA3() and digestLength = 384
   or
   hashName = "SHA3_512" and hashFamily = Crypto::SHA3() and digestLength = 512
-  // Q: is there an idiomatic way to add a default type here?
+  // TODO: is there an idiomatic way to add a default type here?
 }
 
-class HashAlgorithmUser extends MethodCall {
+class HashAlgorithmNameUser extends MethodCall {
   Expr arg;
 
-  HashAlgorithmUser() {
+  HashAlgorithmNameUser() {
     arg = this.getAnArgument() and
     arg.getType() instanceof HashAlgorithmNameType
   }
 
-  Expr getHashAlgorithmUser() { result = arg }
+  Expr getHashAlgorithmNameUser() { result = arg }
 }
 
 /**
@@ -173,6 +183,8 @@ class DotNetSigner extends MethodCall {
     )
   }
 
+  predicate isIntermediate() { none() }
+
   Expr getSignatureOutput() {
     this.isSigner() and
     result = this

csharp/ql/lib/experimental/quantum/dotnet/FlowAnalysis.qll

@@ -16,27 +16,72 @@ module SigningNamedCurveToSignatureCreateFlowConfig implements DataFlow::ConfigS
 module SigningNamedCurveToSignatureCreateFlow =
   DataFlow::Global<SigningNamedCurveToSignatureCreateFlowConfig>;
 
-/**
- * Flow from a known ECDsa property access to a `ECDsa.Create(sink)` call.
- */
-private module CreateToUseFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { src.asExpr() instanceof CryptographyCreateCall }
-
-  predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof DotNetSigner }
-
-  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    node2.asExpr().(DotNetSigner).getQualifier() = node1.asExpr()
-  }
-}
-
-module CryptographyCreateToUseFlow = DataFlow::Global<CreateToUseFlowConfig>;
-
 module HashAlgorithmNameToUseConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src.asExpr() instanceof HashAlgorithmName }
 
   predicate isSink(DataFlow::Node sink) {
-    exists(HashAlgorithmConsumer consumer | sink = consumer.getInputNode())
+    exists(HashAlgorithmNameConsumer consumer | sink = consumer.getInputNode())
   }
 }
 
 module HashAlgorithmNameToUse = DataFlow::Global<HashAlgorithmNameToUseConfig>;
+
+signature class CreationCallSig instanceof Call;
+
+signature class UseCallSig instanceof QualifiableExpr {
+  predicate isIntermediate();
+}
+
+module CryptographyCreateToUseFlow = CreationToUseFlow<CryptographyCreateCall, DotNetSigner>;
+
+module CreationToUseFlow<CreationCallSig Creation, UseCallSig Use> {
+  private module CreationToUseConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) {
+      source.asExpr() instanceof Creation
+      or
+      exists(Use use |
+        source.asExpr() = use.(QualifiableExpr).getQualifier() and use.isIntermediate()
+      )
+    }
+
+    predicate isSink(DataFlow::Node sink) {
+      exists(Use use | sink.asExpr() = use.(QualifiableExpr).getQualifier())
+    }
+  }
+
+  private module CreationToUseFlow = DataFlow::Global<CreationToUseConfig>;
+
+  Creation getCreationFromUse(
+    Use use, CreationToUseFlow::PathNode source, CreationToUseFlow::PathNode sink
+  ) {
+    source.getNode().asExpr() = result and
+    sink.getNode().asExpr() = use.(MethodCall).getQualifier() and
+    CreationToUseFlow::flowPath(source, sink)
+  }
+
+  Use getUseFromCreation(
+    Creation creation, CreationToUseFlow::PathNode source, CreationToUseFlow::PathNode sink
+  ) {
+    source.getNode().asExpr() = creation and
+    sink.getNode().asExpr() = result.(MethodCall).getQualifier() and
+    CreationToUseFlow::flowPath(source, sink)
+  }
+
+  Use getIntermediateUseFromUse(
+    Use use, CreationToUseFlow::PathNode source, CreationToUseFlow::PathNode sink
+  ) {
+    // Use sources are always intermediate uses.
+    source.getNode().asExpr() = result.(QualifiableExpr).getQualifier() and
+    sink.getNode().asExpr() = use.(QualifiableExpr).getQualifier() and
+    CreationToUseFlow::flowPath(source, sink)
+  }
+
+  // TODO: Remove this.
+  Expr flowsTo(Expr expr) {
+    exists(CreationToUseFlow::PathNode source, CreationToUseFlow::PathNode sink |
+      source.getNode().asExpr() = expr and
+      sink.getNode().asExpr() = result and
+      CreationToUseFlow::flowPath(source, sink)
+    )
+  }
+}

csharp/ql/lib/experimental/quantum/dotnet/OperationInstances.qll

@@ -9,7 +9,7 @@ class ECDsaORRSASigningOperationInstance extends Crypto::SignatureOperationInsta
   CryptographyCreateCall creator;
 
   ECDsaORRSASigningOperationInstance() {
-    CryptographyCreateToUseFlow::flow(DataFlow::exprNode(creator), DataFlow::exprNode(this))
+    creator = CryptographyCreateToUseFlow::getCreationFromUse(this, _, _)
   }
 
   override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {