Crypto: Moving all data flow analyses to taint tracking.

bdrodes · bdrodes · commit 74ce7cd188d4 · 2025-08-28T20:40:05.000-04:00
diff --git a/cpp/ql/lib/experimental/quantum/Language.qll b/cpp/ql/lib/experimental/quantum/Language.qll
@@ -53,7 +53,7 @@ module ArtifactFlowConfig implements DataFlow::ConfigSig {
   }
 }
 
-module ArtifactFlow = DataFlow::Global<ArtifactFlowConfig>;
+module ArtifactFlow = TaintTracking::Global<ArtifactFlowConfig>;
 
 /**
  * An artifact output to node input configuration
diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll
@@ -50,7 +50,7 @@ module KnownOpenSslAlgorithmToAlgorithmValueConsumerConfig implements DataFlow::
 }
 
 module KnownOpenSslAlgorithmToAlgorithmValueConsumerFlow =
-  DataFlow::Global<KnownOpenSslAlgorithmToAlgorithmValueConsumerConfig>;
+  TaintTracking::Global<KnownOpenSslAlgorithmToAlgorithmValueConsumerConfig>;
 
 module RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
@@ -67,7 +67,7 @@ module RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig implements DataF
 }
 
 module RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerFlow =
-  DataFlow::Global<RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig>;
+  TaintTracking::Global<RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig>;
 
 class OpenSslAlgorithmAdditionalFlowStep extends AdditionalFlowInputStep {
   OpenSslAlgorithmAdditionalFlowStep() { exists(AlgorithmPassthroughCall c | c.getInNode() = this) }
diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AvcFlow.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AvcFlow.qll
@@ -1,4 +1,4 @@
-import semmle.code.cpp.dataflow.new.DataFlow
+import semmle.code.cpp.dataflow.new.TaintTracking
 private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
 
 /**
@@ -18,4 +18,4 @@ module AvcToCallArgConfig implements DataFlow::ConfigSig {
   }
 }
 
-module AvcToCallArgFlow = DataFlow::Global<AvcToCallArgConfig>;
+module AvcToCallArgFlow = TaintTracking::Global<AvcToCallArgConfig>;
diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll
@@ -1,6 +1,6 @@
 private import experimental.quantum.Language
 private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
-import semmle.code.cpp.dataflow.new.DataFlow
+import semmle.code.cpp.dataflow.new.TaintTracking
 // Importing these intializers here to ensure the are part of any model that is
 // using OpenSslOperationBase. This further ensures that initializers are tied to opeartions
 // even if only importing the operation by itself.
@@ -488,7 +488,7 @@ module OperationStepCtxFlowConfig implements DataFlow::ConfigSig {
   }
 }
 
-module OperationStepCtxFlow = DataFlow::Global<OperationStepCtxFlowConfig>;
+module OperationStepCtxFlow = TaintTracking::Global<OperationStepCtxFlowConfig>;
 
 /**
  * A flow from AVC to the first `OperationStep` the AVC reaches as an input.
@@ -514,7 +514,7 @@ module AvcToOperationStepFlowConfig implements DataFlow::ConfigSig {
   }
 }
 
-module AvcToOperationStepFlow = DataFlow::Global<AvcToOperationStepFlowConfig>;
+module AvcToOperationStepFlow = TaintTracking::Global<AvcToOperationStepFlowConfig>;
 
 module EncValToInitEncArgConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source.asExpr().getValue().toInt() in [0, 1] }
@@ -524,7 +524,7 @@ module EncValToInitEncArgConfig implements DataFlow::ConfigSig {
   }
 }
 
-module EncValToInitEncArgFlow = DataFlow::Global<EncValToInitEncArgConfig>;
+module EncValToInitEncArgFlow = TaintTracking::Global<EncValToInitEncArgConfig>;
 
 private Crypto::KeyOperationSubtype intToCipherOperationSubtype(int i) {
   i = 0 and

Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ module ArtifactFlowConfig implements DataFlow::ConfigSig {`
`53`	`53`	`}`
`54`	`54`	`}`
`55`	`55`
`56`		`-module ArtifactFlow = DataFlow::Global<ArtifactFlowConfig>;`
	`56`	`+module ArtifactFlow = TaintTracking::Global<ArtifactFlowConfig>;`
`57`	`57`
`58`	`58`	`/**`
`59`	`59`	`* An artifact output to node input configuration`
Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,7 @@ module KnownOpenSslAlgorithmToAlgorithmValueConsumerConfig implements DataFlow::`
`50`	`50`	`}`
`51`	`51`
`52`	`52`	`module KnownOpenSslAlgorithmToAlgorithmValueConsumerFlow =`
`53`		`- DataFlow::Global<KnownOpenSslAlgorithmToAlgorithmValueConsumerConfig>;`
	`53`	`+ TaintTracking::Global<KnownOpenSslAlgorithmToAlgorithmValueConsumerConfig>;`
`54`	`54`
`55`	`55`	`module RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig implements DataFlow::ConfigSig {`
`56`	`56`	`predicate isSource(DataFlow::Node source) {`
`@@ -67,7 +67,7 @@ module RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig implements DataF`
`67`	`67`	`}`
`68`	`68`
`69`	`69`	`module RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerFlow =`
`70`		`- DataFlow::Global<RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig>;`
	`70`	`+ TaintTracking::Global<RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig>;`
`71`	`71`
`72`	`72`	`class OpenSslAlgorithmAdditionalFlowStep extends AdditionalFlowInputStep {`
`73`	`73`	`OpenSslAlgorithmAdditionalFlowStep() { exists(AlgorithmPassthroughCall c \| c.getInNode() = this) }`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-import semmle.code.cpp.dataflow.new.DataFlow`
	`1`	`+import semmle.code.cpp.dataflow.new.TaintTracking`
`2`	`2`	`private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers`
`3`	`3`
`4`	`4`	`/**`
`@@ -18,4 +18,4 @@ module AvcToCallArgConfig implements DataFlow::ConfigSig {`
`18`	`18`	`}`
`19`	`19`	`}`
`20`	`20`
`21`		`-module AvcToCallArgFlow = DataFlow::Global<AvcToCallArgConfig>;`
	`21`	`+module AvcToCallArgFlow = TaintTracking::Global<AvcToCallArgConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`private import experimental.quantum.Language`
`2`	`2`	`private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers`
`3`		`-import semmle.code.cpp.dataflow.new.DataFlow`
	`3`	`+import semmle.code.cpp.dataflow.new.TaintTracking`
`4`	`4`	`// Importing these intializers here to ensure the are part of any model that is`
`5`	`5`	`// using OpenSslOperationBase. This further ensures that initializers are tied to opeartions`
`6`	`6`	`// even if only importing the operation by itself.`
`@@ -488,7 +488,7 @@ module OperationStepCtxFlowConfig implements DataFlow::ConfigSig {`
`488`	`488`	`}`
`489`	`489`	`}`
`490`	`490`
`491`		`-module OperationStepCtxFlow = DataFlow::Global<OperationStepCtxFlowConfig>;`
	`491`	`+module OperationStepCtxFlow = TaintTracking::Global<OperationStepCtxFlowConfig>;`
`492`	`492`
`493`	`493`	`/**`
`494`	`494`	* A flow from AVC to the first `OperationStep` the AVC reaches as an input.
`@@ -514,7 +514,7 @@ module AvcToOperationStepFlowConfig implements DataFlow::ConfigSig {`
`514`	`514`	`}`
`515`	`515`	`}`
`516`	`516`
`517`		`-module AvcToOperationStepFlow = DataFlow::Global<AvcToOperationStepFlowConfig>;`
	`517`	`+module AvcToOperationStepFlow = TaintTracking::Global<AvcToOperationStepFlowConfig>;`
`518`	`518`
`519`	`519`	`module EncValToInitEncArgConfig implements DataFlow::ConfigSig {`
`520`	`520`	`predicate isSource(DataFlow::Node source) { source.asExpr().getValue().toInt() in [0, 1] }`
`@@ -524,7 +524,7 @@ module EncValToInitEncArgConfig implements DataFlow::ConfigSig {`
`524`	`524`	`}`
`525`	`525`	`}`
`526`	`526`
`527`		`-module EncValToInitEncArgFlow = DataFlow::Global<EncValToInitEncArgConfig>;`
	`527`	`+module EncValToInitEncArgFlow = TaintTracking::Global<EncValToInitEncArgConfig>;`
`528`	`528`
`529`	`529`	`private Crypto::KeyOperationSubtype intToCipherOperationSubtype(int i) {`
`530`	`530`	`i = 0 and`