quantum-c#: initial support for ECDSA and RSA signatures

Author: fcasal

csharp/ql/lib/experimental/quantum/Language.qll

@@ -64,3 +64,5 @@ module ArtifactFlowConfig implements Language::DataFlow::ConfigSig {
 }
 
 module ArtifactFlow = Language::DataFlow::Global<ArtifactFlowConfig>;
+
+import dotnet

csharp/ql/lib/experimental/quantum/dotnet.qll

@@ -0,0 +1,4 @@
+import dotnet.AlgorithmInstances
+import dotnet.AlgorithmValueConsumers
+import dotnet.FlowAnalysis
+import dotnet.Cryptography

csharp/ql/lib/experimental/quantum/dotnet/AlgorithmInstances.qll

@@ -0,0 +1,26 @@
+private import csharp
+private import experimental.quantum.Language
+private import AlgorithmValueConsumers
+private import Cryptography
+private import FlowAnalysis
+
+class SigningNamedCurveAlgorithmInstance extends Crypto::EllipticCurveInstance instanceof SigningNamedCurvePropertyAccess
+{
+  ECDsaAlgorithmValueConsumer consumer;
+
+  SigningNamedCurveAlgorithmInstance() {
+    SigningNamedCurveToSignatureCreateFlow::flow(DataFlow::exprNode(this), consumer.getInputNode())
+  }
+
+  ECDsaAlgorithmValueConsumer getConsumer() { result = consumer }
+
+  override string getRawEllipticCurveName() { result = super.getCurveName() }
+
+  override Crypto::TEllipticCurveType getEllipticCurveType() {
+    Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.getRawEllipticCurveName(), _, result)
+  }
+
+  override int getKeySize() {
+    Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.getRawEllipticCurveName(), result, _)
+  }
+}

csharp/ql/lib/experimental/quantum/dotnet/AlgorithmValueConsumers.qll

@@ -0,0 +1,16 @@
+private import csharp
+private import experimental.quantum.Language
+private import AlgorithmInstances
+private import Cryptography
+
+class ECDsaAlgorithmValueConsumer extends Crypto::AlgorithmValueConsumer {
+  ECDsaCreateCall call;
+
+  ECDsaAlgorithmValueConsumer() { this = call.getAlgorithmArg() }
+
+  override Crypto::ConsumerInputDataFlowNode getInputNode() { result.asExpr() = this }
+
+  override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
+    exists(SigningNamedCurveAlgorithmInstance l | l.getConsumer() = this and result = l)
+  }
+}

csharp/ql/lib/experimental/quantum/dotnet/Cryptography.qll

@@ -0,0 +1,125 @@
+private import csharp
+
+// This class models Create calls for the ECDsa and RSA classes in .NET.
+class CryptographyCreateCall extends MethodCall {
+  CryptographyCreateCall() {
+    this.getTarget().getName() = "Create" and
+    this.getQualifier().getType().hasFullyQualifiedName("System.Security.Cryptography", _)
+  }
+
+  Expr getAlgorithmArg() {
+    this.hasNoArguments() and result = this
+    or
+    result = this.(ECDsaCreateCallWithParameters).getArgument(0)
+    or
+    result = this.(ECDsaCreateCallWithECCurve).getArgument(0)
+  }
+}
+
+class ECDsaCreateCall extends CryptographyCreateCall {
+  ECDsaCreateCall() { this.getQualifier().getType().hasName("ECDsa") }
+}
+
+class RSACreateCall extends CryptographyCreateCall {
+  RSACreateCall() { this.getQualifier().getType().hasName("RSA") }
+}
+
+class CryptographyType extends Type {
+  CryptographyType() { this.hasFullyQualifiedName("System.Security.Cryptography", _) }
+}
+
+class ECParameters extends CryptographyType {
+  ECParameters() { this.hasName("ECParameters") }
+}
+
+class RSAParameters extends CryptographyType {
+  RSAParameters() { this.hasName("RSAParameters") }
+}
+
+class ECCurve extends CryptographyType {
+  ECCurve() { this.hasName("ECCurve") }
+}
+
+// This class is used to model the `ECDsa.Create(ECParameters)` call
+class ECDsaCreateCallWithParameters extends ECDsaCreateCall {
+  ECDsaCreateCallWithParameters() { this.getArgument(0).getType() instanceof ECParameters }
+}
+
+class ECDsaCreateCallWithECCurve extends ECDsaCreateCall {
+  ECDsaCreateCallWithECCurve() { this.getArgument(0).getType() instanceof ECCurve }
+}
+
+class SigningNamedCurvePropertyAccess extends PropertyAccess {
+  string curveName;
+
+  SigningNamedCurvePropertyAccess() {
+    super.getType().getName() = "ECCurve" and
+    eccurveNameMapping(super.getProperty().toString().toUpperCase(), curveName)
+  }
+
+  string getCurveName() { result = curveName }
+}
+
+/**
+ * Private predicate mapping NIST names to SEC names and leaving all others the same.
+ */
+bindingset[nist]
+private predicate eccurveNameMapping(string nist, string secp) {
+  if nist.matches("NIST%")
+  then
+    nist = "NISTP256" and secp = "secp256r1"
+    or
+    nist = "NISTP384" and secp = "secp384r1"
+    or
+    nist = "NISTP521" and secp = "secp521r1"
+  else secp = nist
+}
+
+// OPERATION INSTANCES
+private class ECDsaClass extends Type {
+  ECDsaClass() { this.hasFullyQualifiedName("System.Security.Cryptography", "ECDsa") }
+}
+
+private class RSAClass extends Type {
+  RSAClass() { this.hasFullyQualifiedName("System.Security.Cryptography", "RSA") }
+}
+
+// TODO
+// class ByteArrayTypeUnionReadOnlyByteSpan extends ArrayType {
+//   ByteArrayTypeUnionReadOnlyByteSpan() {
+//     this.hasFullyQualifiedName("System", "Byte[]") or
+//     this.hasFullyQualifiedName("System", "ReadOnlySpan`1") or
+//   }
+// }
+abstract class DotNetSigner extends MethodCall {
+  DotNetSigner() { this.getTarget().getName().matches(["Verify%", "Sign%"]) }
+
+  Expr getMessageArg() {
+    // Both Sign and Verify methods take the message as the first argument.
+    // Some cases the message is a hash.
+    result = this.getArgument(0)
+  }
+
+  Expr getSignatureArg() {
+    this.isVerifier() and
+    // TODO: Should replace getAChild* with the proper two types byte[] and ReadOnlySpan<byte>
+    (result = this.getArgument([1, 3]) and result.getType().getAChild*() instanceof ByteType)
+  }
+
+  Expr getSignatureOutput() {
+    this.isSigner() and
+    result = this
+  }
+
+  predicate isSigner() { this.getTarget().getName().matches("Sign%") }
+
+  predicate isVerifier() { this.getTarget().getName().matches("Verify%") }
+}
+
+private class ECDsaSigner extends DotNetSigner {
+  ECDsaSigner() { this.getQualifier().getType() instanceof ECDsaClass }
+}
+
+private class RSASigner extends DotNetSigner {
+  RSASigner() { this.getQualifier().getType() instanceof RSAClass }
+}

csharp/ql/lib/experimental/quantum/dotnet/FlowAnalysis.qll

@@ -0,0 +1,32 @@
+private import csharp
+private import Cryptography
+private import AlgorithmValueConsumers
+
+/**
+ * Flow from a known ECDsa property access to a `ECDsa.Create(sink)` call.
+ */
+module SigningNamedCurveToSignatureCreateFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SigningNamedCurvePropertyAccess }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(ECDsaAlgorithmValueConsumer consumer | sink = consumer.getInputNode())
+  }
+}
+
+module SigningNamedCurveToSignatureCreateFlow =
+  DataFlow::Global<SigningNamedCurveToSignatureCreateFlowConfig>;
+
+/**
+ * Flow from a known ECDsa property access to a `ECDsa.Create(sink)` call.
+ */
+private module CreateToUseFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src.asExpr() instanceof CryptographyCreateCall }
+
+  predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof DotNetSigner }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    node2.asExpr().(DotNetSigner).getQualifier() = node1.asExpr()
+  }
+}
+
+module CryptographyCreateToUseFlow = DataFlow::Global<CreateToUseFlowConfig>;

csharp/ql/lib/experimental/quantum/dotnet/OperationInstances.qll

@@ -0,0 +1,48 @@
+private import csharp
+private import experimental.quantum.Language
+private import DataFlow
+private import FlowAnalysis
+private import Cryptography
+
+class ECDsaORRSASigningOperationInstance extends Crypto::SignatureOperationInstance instanceof DotNetSigner
+{
+  CryptographyCreateCall creator;
+
+  ECDsaORRSASigningOperationInstance() {
+    this instanceof DotNetSigner and
+    CryptographyCreateToUseFlow::flow(DataFlow::exprNode(creator), DataFlow::exprNode(this))
+  }
+
+  // TODO FIXME
+  override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
+    result = creator.getAlgorithmArg()
+  }
+
+  override Crypto::KeyOperationSubtype getKeyOperationSubtype() {
+    if super.isSigner()
+    then result = Crypto::TSignMode()
+    else
+      if super.isVerifier()
+      then result = Crypto::TVerifyMode()
+      else result = Crypto::TUnknownKeyOperationMode()
+  }
+
+  // TODO FIXME
+  override Crypto::ConsumerInputDataFlowNode getKeyConsumer() {
+    result.asExpr() = creator.getAlgorithmArg()
+  }
+
+  override Crypto::ConsumerInputDataFlowNode getNonceConsumer() { none() }
+
+  override Crypto::ConsumerInputDataFlowNode getInputConsumer() {
+    result.asExpr() = super.getMessageArg()
+  }
+
+  override Crypto::ConsumerInputDataFlowNode getSignatureConsumer() {
+    result.asExpr() = super.getSignatureArg()
+  }
+
+  override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() {
+    result.asExpr() = super.getSignatureOutput()
+  }
+}