Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

C++: Experimental query for implementation of a cryptographic primitive #14972

Open
wants to merge 9 commits into
base: main
Choose a base branch
from

Conversation

geoffw0
Copy link
Contributor

@geoffw0 geoffw0 commented Nov 30, 2023

Adds an experimental query for detecting custom implementations of a cryptographic primitive (i.e. covering https://mas.owasp.org/MASTG/General/0x04g-Testing-Cryptography/#custom-implementations-of-cryptography
and parts of https://cwe.mitre.org/data/definitions/1240.html).

Currently @precision medium, because it flags established library encryption implementations just as happily as custom implementations and entirely custom algorithms. Though probably none of these should be in a database unless it's a database for a cryptography library.

Developed during a hackathon. Needs more work to be production quality - in particular it currently lacks:

  • qhelp / examples
  • more non-crypto unit tests --- I have added a few more test cases that should not be flagged.
  • more crypto unit tests --- I have added a couple of 'homebrew' algorithms in the test that should be flagged.
  • and perhaps some more testing in the wild and refinement. --- further refinement: we now reject results that appear to be in encryption libraries.

@geoffw0 geoffw0 added the C++ label Nov 30, 2023
@geoffw0 geoffw0 requested a review from a team as a code owner November 30, 2023 15:25
@geoffw0
Copy link
Contributor Author

geoffw0 commented Dec 5, 2023

I've just replaced (via a rebase) the examples copied from Wikipedia with code I wrote myself. This is because I had a chat with some legal + open source people and there was a bit of uncertainty - nobody was 100% sure what I was doing was definitely OK. In any case the new tests are entirely written by me. It's slightly sad they're a bit less authentic but they work fine as tests.

Also the latest commit is new - I've added s? to the end of a couple of patterns to match names slightly better.

Copy link
Contributor

@MathiasVP MathiasVP left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@geoffw0
Copy link
Contributor Author

geoffw0 commented Dec 6, 2023

(I'm not sure what's wrong with the failing check, but it doesn't appear to be this PR at fault)

Are you happy to have an experimental query that's missing .qhelp? I can't remember which rules apply to experimental. If this is OK I'll merge it now and write up an issue with the things (including writing .qhelp) I think we'd need to do to promote it.

@MathiasVP
Copy link
Contributor

MathiasVP commented Dec 6, 2023

(I'm not sure what's wrong with the failing check, but it doesn't appear to be this PR at fault)

Yeah, that's not your fault. It was presumably caused by #15003 (which has now been reverted).

Are you happy to have an experimental query that's missing .qhelp? I can't remember which rules apply to experimental. If this is OK I'll merge it now and write up an issue with the things (including writing .qhelp) I think we'd need to do to promote it.

That's probably fine, yeah 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants