Swift: Copy WeakPasswordHashing query from csharp.

Author: geoffw0

swift/ql/lib/codeql/swift/security/WeakPasswordHashingQuery.qll

@@ -0,0 +1,59 @@
+/**
+ * Provides a taint tracking configuration to find use of inappropriate
+ * cryptographic hashing algorithms on passwords.
+ */
+
+import csharp
+import semmle.code.csharp.security.SensitiveActions
+import semmle.code.csharp.dataflow.DataFlow
+import semmle.code.csharp.dataflow.TaintTracking
+
+/**
+ * A taint tracking configuration from password expressions to inappropriate
+ * hashing sinks.
+ */
+module WeakHashingPasswordConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node.asExpr() instanceof PasswordExpr }
+
+  predicate isSink(DataFlow::Node node) { node instanceof WeakPasswordHashingSink }
+
+  predicate isBarrierIn(DataFlow::Node node) {
+    // make sources barriers so that we only report the closest instance
+    isSource(node)
+  }
+
+  predicate isBarrierOut(DataFlow::Node node) {
+    // make sinks barriers so that we only report the closest instance
+    isSink(node)
+  }
+}
+
+module WeakHashingFlow = TaintTracking::Global<WeakHashingPasswordConfig>;
+
+// TODO: rewrite with data extensions in mind, ref the Swift implementation
+class WeakPasswordHashingSink extends DataFlow::Node {   
+  string algorithm;
+
+  WeakPasswordHashingSink() {
+    // a call to System.Security.Cryptography.MD5/SHA*.ComputeHash/ComputeHashAsync/HashData/HashDataAsync
+    exists(MethodCall call, string name |
+      (
+        call.getTarget().getName() = name
+        and name in ["ComputeHash", "ComputeHashAsync", "HashData", "HashDataAsync"]
+      )
+      // with this as the first argument - not arg 0, since arg 0 is 'this' for methods
+      and call.getArgument(0) = this.asExpr()
+      and
+      // the call is to a method in the System.Security.Cryptography.MD* class
+      // or the System.Security.Cryptography.SHA* classes
+      (
+        call.getQualifier().getType().getName() = algorithm
+        and algorithm.matches(["MD%","SHA%"])
+      )
+    )
+  }
+
+  string getAlgorithm() {
+    result = algorithm
+  }
+}

swift/ql/src/queries/Security/CWE-328/WeakPasswordHashing.qhelp

@@ -0,0 +1,100 @@
+<!DOCTYPE qhelp PUBLIC
+        "-//Semmle//qhelp//EN"
+        "qhelp.dtd">
+<qhelp>
+    <overview>
+        <p>
+            Using a insufficiently computationally hard hash function can leave data
+            vulnerable, and should not be used for password hashing.
+        </p>
+
+        <p>
+            A strong cryptographic hash function should be resistant to:
+        </p>
+        <ul>
+            <li>
+                <strong>Pre-image attacks</strong>. If you know a hash value <code>h(x)</code>,
+                you should not be able to easily find the input <code>x</code>.
+            </li>
+            <li>
+                <strong>Collision attacks</strong>. If you know a hash value <code>h(x)</code>,
+                you should not be able to easily find a different input
+                <code>y</code>
+                with the same hash value <code>h(x) = h(y)</code>.
+            </li>
+            <li>
+                <strong>Brute force</strong>. If you know a hash value <code>h(x)</code>,
+                you should not be able to find an input <code>y</code> that computes to that hash value
+                using brute force attacks without significant computational effort.
+            <li>
+        </ul>
+
+        <p>
+            All of MD5, SHA-1, SHA-2 and SHA-3 are weak against offline brute forcing, since they are not computationally hard.
+        </p>
+
+        <p>
+            Password hashing algorithms are designed to be slow and/or memory intenstive to compute, which makes brute force attacks more difficult.
+        </p>
+
+    </overview>
+    <recommendation>
+
+        <p>
+            Ensure that for password storage you should use a computationally hard cryptographic hash function, such as:
+        </p>
+
+        <ul>
+            <li>
+                Argon2
+            </li>
+            <li>
+                scrypt
+            </li>
+                bcrypt
+            <li>
+                PBKDF2
+            </li>
+        </ul>
+
+    </recommendation>
+    <example>
+
+        <p>
+            The following examples show a function that hashes a password using a cryptographic hashing algorithm.
+
+            In the first case the SHA-512 hashing algorithm is used. It is vulnerable to offline brute force attacks:
+        </p>
+        <sample src="WeakPasswordHashingBad.csharp"/>
+        <p>
+
+            Here is the same function using Argon2, which is suitable for password hashing:
+        </p>
+        <sample src="WeakPasswordHashingGood.csharp"/>
+
+    </example>
+    <references>
+        <li>
+            OWASP:
+            <a href="https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html">Password Storage
+                Cheat Sheet
+            </a>
+        </li>
+        <li>
+            nuget: <a href="https://www.nuget.org/packages/Konscious.Security.Cryptography.Argon2/">Konscious.Security.Cryptography.Argon2</a>
+        </li>
+        <li>
+            nuget: <a href="https://www.nuget.org/packages/Isopoh.Cryptography.Argon2">Isopoh.Cryptography.Argon</a>
+        </li>
+        <li>
+            libsodium: <a href="https://doc.libsodium.org/bindings_for_other_languages#bindings-programming-languages">libsodium bindings for other languages</a>
+        </li>
+        <li>
+            nuget: <a href="https://www.nuget.org/packages/BCrypt.Net-Core/">BCrypt.Net-Core</a>
+        </li>
+        <li>
+            nuget: <a href="https://www.nuget.org/packages/CryptSharpOfficial/">Scrypt and PBKDF2</a>
+        </li>
+    </references>
+
+</qhelp>

swift/ql/src/queries/Security/CWE-328/WeakPasswordHashing.ql

@@ -0,0 +1,28 @@
+/**
+ * @name Use of an inappropriate cryptographic hashing algorithm on passwords
+ * @description Using inappropriate cryptographic hashing algorithms with passwords can compromise security.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 7.5
+ * @precision high
+ * @id csharp/weak-password-hashing
+ * @tags security
+ *       external/cwe/cwe-327
+ *       external/cwe/cwe-328
+ *       external/cwe/cwe-916
+ */
+
+import csharp
+import WeakPasswordHashingQuery
+import WeakHashingFlow::PathGraph
+
+from
+  WeakHashingFlow::PathNode source, WeakHashingFlow::PathNode sink, string algorithm,
+  PasswordExpr expr
+where
+  WeakHashingFlow::flowPath(source, sink) and
+  algorithm = sink.getNode().(WeakPasswordHashingSink).getAlgorithm() and
+  expr = source.getNode().asExpr()
+select sink.getNode(), source, sink,
+  "Insecure hashing algorithm (" + algorithm + ") depends on $@.", source.getNode(),
+  "password (" + expr + ")"

swift/ql/src/queries/Security/CWE-328/WeakPasswordHashingBad.swift

@@ -0,0 +1,3 @@
+using var sha512 = System.Security.Cryptography.SHA512.Create();
+
+var data = sha512.ComputeHash(Encoding.UTF8.GetBytes(content));    // BAD

swift/ql/src/queries/Security/CWE-328/WeakPasswordHashingGood.swift

@@ -0,0 +1,51 @@
+using System.Security.Cryptography;
+using Konscious.Security.Cryptography;  // use NuGet package Konscious.Security.Cryptography.Argon2
+
+// See https://github.com/kmaragon/Konscious.Security.Cryptography#konscioussecuritycryptographyargon2
+
+public class Argon2Hasher
+{
+    public byte[] ComputeHash(byte[] password, byte[] salt)
+    {
+        // choose Argon2i, Argon2id or Argon2d as appropriate
+        using var argon2 = new Argon2id(password);
+        argon2.Salt = salt;
+
+        // read the Argon2 documentation to understand these parameters, and reference:
+        // https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#argon2id
+        argon2.DegreeOfParallelism = 4;  // number of threads you can spawn on your system - the higher, the better
+        argon2.Iterations = 5;           // set as high as your system can manage, within time constraints
+        argon2.MemorySize = 1024 * 2048; // 2GB RAM, for example - set this as high as you can, within memory limits on your system
+
+        return argon2.GetBytes(32);                
+    }
+
+    // use a fixed-time comparison to avoid timing attacks
+    public bool Equals(byte[] hash1, byte[] hash2) => CryptographicOperations.FixedTimeEquals(hash1, hash2);
+
+    // generate a salt securely with a cryptographic random number generator
+    public static byte[] GenerateSalt()
+    {
+        var buffer = new byte[32];
+        using var rng = new RNGCryptoServiceProvider();
+        rng.GetBytes(buffer);
+        return buffer;
+    }
+}
+
+var argon2 = new Argon2Hasher();
+
+// Create the hash
+var bytes = Encoding.UTF8.GetBytes("this is a password");    // it should not be hardcoded in reality, but this is just a demo
+var salt = Argon2Hasher.GenerateSalt();                      // salt is kept with hash; it is not secret, just unique per hash
+var hash = argon2.ComputeHash(bytes, salt);
+
+// Check the hash - this will trivially always pass, but in reality you would have to retrieve the hash for the comparison
+if(argon2id.Equals(argon2.ComputeHash(bytes, salt), hash))
+{
+    Console.WriteLine("PASS");
+}
+else
+{
+    Console.WriteLine("FAIL");
+}