Crypto: Updated default flows to use taint tracking (this is needed to fix false positives in the unknown IV/Nonce query). Add the unknown IV/Nonce query and associated test cases. Fix unknown IV/Nonce query to focus on cases where the oepration isn't known or the operation subtype is not encrypt or wrap.

Author: bdrodes

java/ql/lib/experimental/quantum/Language.qll

@@ -230,7 +230,7 @@ module ArtifactFlowConfig implements DataFlow::ConfigSig {
 
 module GenericDataSourceFlow = TaintTracking::Global<GenericDataSourceFlowConfig>;
 
-module ArtifactFlow = DataFlow::Global<ArtifactFlowConfig>;
+module ArtifactFlow = TaintTracking::Global<ArtifactFlowConfig>;
 
 // Import library-specific modeling
 import JCA

java/ql/src/experimental/quantum/Analysis/UnknownIVorNonceInitialization.ql

@@ -0,0 +1,36 @@
+/**
+ * @name Unknown nonce/iv source
+ * @id java/quantum/unknown-iv-or-nonce-source
+ * @description A nonce/iv is generated from a source that is not secure. Failure to initialize
+ *              an IV or nonce properly can lead to vulnerabilities such as replay attacks or key recovery.
+ *              IV may be unknown at a decryption operation (IV would be provided alongside the ciphertext).
+ *              These cases are ignored.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags quantum
+ *       experimental
+ */
+
+import experimental.quantum.Language
+
+from Crypto::NonceArtifactNode nonce, Crypto::NodeBase op, string msg
+where
+  not exists(nonce.getSourceNode()) and
+  (
+    // Nonce not associated with any known cipher operation, assume unknown as insecure
+    not exists(Crypto::CipherOperationNode o | o.getANonce() = nonce) and
+    op = nonce and
+    msg =
+      "Unknown IV/Nonce initialization source with no observed nonce usage (assuming could be for encryption)."
+    or
+    // Nonce associated cipher operation where the mode is not explicitly encryption
+    op.(Crypto::CipherOperationNode).getANonce() = nonce and
+    (
+      op.(Crypto::CipherOperationNode).getKeyOperationSubtype() instanceof Crypto::TEncryptMode
+      or
+      op.(Crypto::CipherOperationNode).getKeyOperationSubtype() instanceof Crypto::TWrapMode
+    ) and
+    msg = "Unknown IV/Nonce initialization source at encryption operation $@"
+  )
+select nonce, msg, op, op.toString()

java/ql/src/experimental/quantum/Analysis/UnknownIVorNonceSource.ql

@@ -11,7 +11,7 @@ public class InsecureIVorNonceSource {
 
     // BAD: AES-GCM with static IV from a byte array
     public byte[] encryptWithStaticIvByteArrayWithInitializer(byte[] key, byte[] plaintext) throws Exception {
-        byte[] iv = new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 }; // $Source
+        byte[] iv = new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 }; 
 
         GCMParameterSpec ivSpec = new GCMParameterSpec(128, iv);
         SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
@@ -24,20 +24,20 @@ public byte[] encryptWithStaticIvByteArrayWithInitializer(byte[] key, byte[] pla
 
     // BAD: AES-GCM with static IV from zero-initialized byte array
     public byte[] encryptWithZeroStaticIvByteArray(byte[] key, byte[] plaintext) throws Exception {
-        byte[] iv = new byte[16]; // $Source
+        byte[] iv = new byte[16]; 
 
         GCMParameterSpec ivSpec = new GCMParameterSpec(128, iv);
         SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
 
         Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
-        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/unknown-iv-or-nonce-initialization]
+        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/unknown-iv-or-nonce-source]
         cipher.update(plaintext);
         return cipher.doFinal();
     }
 
     // BAD: AES-CBC with static IV from 1-initialized byte array
     public byte[] encryptWithStaticIvByteArray(byte[] key, byte[] plaintext) throws Exception {
-        byte[] iv = new byte[16]; // $Source
+        byte[] iv = new byte[16]; 
         for (byte i = 0; i < iv.length; i++) {
             iv[i] = 1;
         }
@@ -56,7 +56,7 @@ public byte[] encryptWithOneOfStaticIvs01(byte[] key, byte[] plaintext) throws E
         byte[][] staticIvs = new byte[][] {
             { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 },
             { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 42 }
-        }; // $Source
+        }; 
 
         GCMParameterSpec ivSpec = new GCMParameterSpec(128, staticIvs[1]);
         SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
@@ -72,7 +72,7 @@ public byte[] encryptWithOneOfStaticIvs02(byte[] key, byte[] plaintext) throws E
         byte[][] staticIvs = new byte[][] {
             new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 },
             new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 42 }
-        }; // $Source
+        }; 
 
         GCMParameterSpec ivSpec = new GCMParameterSpec(128, staticIvs[1]);
         SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
@@ -86,15 +86,15 @@ public byte[] encryptWithOneOfStaticIvs02(byte[] key, byte[] plaintext) throws E
     // BAD: AES-GCM with static IV from a zero-initialized multidimensional byte array
     public byte[] encryptWithOneOfStaticZeroIvs(byte[] key, byte[] plaintext) throws Exception {
         byte[][] ivs = new byte[][] {
-            new byte[8], // $Source
-            new byte[16] // $Source
+            new byte[8], 
+            new byte[16] 
         };
 
         GCMParameterSpec ivSpec = new GCMParameterSpec(128, ivs[1]);
         SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
 
         Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
-        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/unknown-iv-or-nonce-initialization]
+        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/unknown-iv-or-nonce-source]
         cipher.update(plaintext);
         return cipher.doFinal();
     }
@@ -191,7 +191,7 @@ public byte[] encryptWithGeneratedIvByteArray(byte[] key, byte[] plaintext) thro
     public byte[] generateInsecureRandomBytes(int numBytes) {
         Random random = new Random();
         byte[] bytes = new byte[numBytes];
-        random.nextBytes(bytes); // $Source
+        random.nextBytes(bytes); 
         return bytes;
     }
 

java/ql/test/experimental/library-tests/quantum/node_edges.expected

@@ -0,0 +1,2 @@
+| InsecureIVorNonceSource.java:33:51:33:56 | Nonce | Unknown IV/Nonce initialization source. |
+| InsecureIVorNonceSource.java:97:51:97:56 | Nonce | Unknown IV/Nonce initialization source. |

…eSource/InsecureIVorNonceSource.expected …eSource/InsecureIVorNonceSource.expectedjava/ql/test/experimental/query-tests/quantum/InsecureNonceSource/InsecureIVorNonceSource.expected renamed to java/ql/test/experimental/query-tests/quantum/InsecureOrUnknownNonceSource/InsecureIVorNonceSource.expected java/ql/test/experimental/query-tests/quantum/InsecureNonceSource/InsecureIVorNonceSource.expected renamed to java/ql/test/experimental/query-tests/quantum/InsecureOrUnknownNonceSource/InsecureIVorNonceSource.expected

@@ -0,0 +1,4 @@
+query: experimental/quantum/Analysis/UnknownIVorNonceSource.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql