Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitHub / GitHub Universe 2020: Developer - Secure Development / 10 Dec 2020
GitHub / GitHub Universe 2020: Developer - Secure Development / 10 Dec 2020
Previous Meeting
Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Community-powered security analysis with CodeQL - GitHub Universe 2020

Description

Presented by:
Bas van Schaik, Staff Product Manager, GitHub
Xavier René-Corail, Director of Security Research, GitHub

CodeQL security analysis powers GitHub code scanning and has helped identify and prevent thousands of security vulnerabilities. Through code scanning, it analyzes your pull requests and flags up security issues as early as possible. But who creates these CodeQL queries and how do they know what to look for? For the last two years, a community of security researchers have been contributing to CodeQL queries that formalize their security knowledge. Queries written by independent researchers, enterprise security teams, and everyone in between now help protect all CodeQL users from security vulnerabilities. In this session you'll find out more about this community, the bounty programs, and the tools they use to help you secure your code. And how you can become part of it!

For more from GitHub Universe 2020, visit https://githubuniverse.com

As always, feel free to leave us a comment below and don't forget to subscribe: http://bit.ly/subgithub

Thanks!

Connect with us.
Facebook: http://fb.com/github
Twitter: http://twitter.com/github
LinkedIn: http://linkedin.com/company/github

About GitHub
GitHub is the best place to share code with friends, co-workers, classmates, and complete strangers. Millions of people use GitHub to build amazing things together. For more info, go to http://github.com

A

Hey everyone good morning, good afternoon, good evening to you all from my home here in oxford, and thank you very much for joining us today. My name is baz.

A

I'm a product manager here at github, and I look after the codeql analysis technology joining me today is my colleague zavier, who is the director of our github security lab sergey and his team use um the qr technology that I look after on a daily basis to hunt for security vulnerabilities and today, we'd like to tell you a bit more about how the security community powers github code scanning through the use of code qr technology for those of you who are new to code scanning new to security, analysis and new to code. Qr.

A

Don't worry, we'll take you through it step by step, but before we continue, I would like to share with you and celebrate with you a very special achievement. A year ago our teams joined github to help secure the world's source code and at universe last year we made codeql freely available to the community and we announced a bounty program for contributions that help secure the open source ecosystem.

A

Last week we exceeded the milestone of one hundred thousand dollars worth and banties to secure the open source ecosystem and those bounties were paid to members of the security community who shared their security knowledge in the form of open source code, qr queries and these security analyses can now be used by by everyone and anyone and they help secure the open source software that we all write. Thank you everybody who contributed and keep up the good work in this talk.

A

I will give you a few examples of such contributions and will tell you a bit more about the impact that they've had and, of course, I will tell you how you can how you can participate yourself in this program.

A

I'll start with an introduction to github code scanning, which is how most people actually see those contributions from security experts. We'll then dive under the hood of code scanning and look at kql a bit more closely and that will include a live demo after that I'll hand over to savier, and he will tell you all about the security research community and how you can be part of it.

A

So github code scanning earlier this year, we announced it and code scanning does exactly what it says on the tin. It scans your code for security, vulnerabilities and any alerts.

B

We.

A

Find in pool requests are automatically flagged up to you so that you can fix them before you merge the code. Changes into your main branch now under the hood code scanning actually supports multiple engines that actually perform the analysis.

A

The most popular code scanning engine is our own code, ql analysis engine which performs deep analysis for a variety of programming languages, and even though code scanning only just came out of beta we're about to hit the milestone of having analyzed two million commits.

A

Now, I've actually already set up code scanning on one of my repositories that I'll show you today. It's a node.js application that uses a better javascript. That's egs templates and express I'll show you the code in a moment, but first I want to show you how code qr and code scanning integrate into your development workflow.

A

So here you see a screenshot of a pull request that I've created on my codebase and in the ci cd status checks. You can see that ktr has flagged up a problem. If I click on the details, I can see exactly what goodql analysis is worried about.

A

Codeql has flagged up a potential server-side template injection vulnerability. Now let me briefly tell you a bit more about this type of vulnerability and server-side. Template injection um or ssti for short, is a type of vulnerability that affects basically any language.

A

Any any code in which you develop a a web application that uses templates to serve web pages to users and injection vulnerabilities in general are vulnerabilities that allow an attacker to inject their own code into your application.

A

The most well-known type of such an attack is cross-site scripting, for example, if you write a javascript application in which you use user control, data like like a form submission get variables from from a url, and you use that data again in the code of your web page in an unsafe way, then an attacker might be able to inject their own javascript into your web page, and that way an attacker might be able to steal the credentials of an unsuspecting user or maybe their cookies.

A

Ssti is a type of injection, but, as the name suggests, it happens on the server side, server side template injection in if a web application is vulnerable to such template injection, an attacker can very easily carry out a cross-site scripting attack, but it can be worse.

A

An attacker might be able to actually take control of your web server and execute arbitrary code there.

A

Now, in a moment, I'll show you why my code was actually vulnerable and how goku analyzed it, but before we do that, I'd like to tell you a bit more about kuqra itself. So we know it's an engine that powers code scanning and it's able to detect a wide variety of security vulnerabilities.

A

But how does it actually work and how does it recognize that particular code patterns could be, for example, a server-side template injection vulnerability when you run codeql, whether that's in code scanning or on your own local machine? The first thing it will do is it extracts all of the source code that you have into a special relational database in a way it's similar to a mysql or a postcards database.

A

It's a very special one, though special purpose-built, read-only one. We call it a ql database and just like with my sql and with postgres, you can run queries against that database and in fact, a code. Ql query looks a bit like a sql query, but it's a lot more powerful I'll show you one in in the live demo that I've got now a code. Qr query is a way to sort of interrogate and explore your source code.

A

A very simple query might, for example, look for a variable called password that you then write to a plain text: log file, more advanced security analysis, more advanced queries do very intricate flow analysis. They track where user control data enters your application. They track it through your application through function, calls and data structures to a location where it might be used in an unsafe way and the ssdi.

B

Analysis.

A

Does exactly that, it tracks untrusted user data that eventually ends up in a template now, in a way, every query captures the security knowledge of a security researcher and by codifying that knowledge, that we can apply it at a massive scale.

A

So, for example, we run kql against hundreds of thousands of repositories, and every single query result that we get is a is an alert in in code scanning. Now, that's that's enough. Talk from me it's time for a live demo, so let me actually share my screen and show you how this works on my computer.

A

You should be able to see my vs code editor now, and this is my unsafe node.js application. It uses ejs express and it does something really quite simple: it generates a form that asks the user for their age and once the user submits their age, it will generate a confirmation page. It will tell the user, it will confirm their age and it will tell the user what time it is, and you see here that I've injected the time value into the template using the special ejs template syntax. But I've accidentally made a mistake.

A

I haven't used that syntax here. That means I'm actually concatenating.

A

The user input their age straight into the template, and if the attacker were to send me their age in a script tag, then they could be executing arbitrary, javascript code on in the user web browser if they know a bit more about how this template here is interpreted and processed by ejs, the damage could be much worse and they might even get control of the web server. Now, like I suggest, like I said, the first thing you need to do with codeql is to create a database.

A

Normally that happens in code scanning, and here I do it uh on my local machine. So I'm going to say, go ql. This is the quick qr command line. Interface click qr database create the language is javascript and I'm going to call it. My new codeql database.

A

And here it now extracts all of the source code that I've written and a few extra bits and bobs that the analysis might need I've already loaded up a database into vs code, there's a good qr extension for vs code, and I can now write my own qr queries right here in vs code. So I've got the database loaded up ready to ask questions.

A

So I'm going to load into vs code, the javascript libraries for kql and I'm going to say well, um let's find out what files that are in the database from all the things that are files in a database.

A

I want to know um the number of lines of code in the file and a bit more information about it. I can right click say, run code, qr query and I get a whole bunch of results right here now. These are all files that are not actually ones that I wrote these are in the database, but I'm not that interested in them. I can actually make my query more precise.

A

I can say well, I want to see those files, but only if those files have an absolute path that matches, for example, um super secure code, which is the name of my uh application.

A

And I run that query again and now I should get there. We go fewer results, so I've made my query more precise.

A

um I can also, for example, ask where, in my code, do I use the egs templating system now, for that I need to use the data.

B

Flow.

A

Libraries- and I want to ask it um well for all from all the places where I do- a call call to a to a function where that call has something to do um import something to do with the egs import.

A

um Give me this all method calls from that, and I would like to know about these calls get the I want to know the esd node, the location in the source code. So now it's going to tell me where, in the source code, I've used ejs functions, and indeed it's flagged at one location in my source code, where I call the render method. That's super useful, so you you sort of get the idea. These queries can get very advanced and very precise, and they can of course, get a little bit more complicated.

A

Luckily, code ql is designed in such a way that you can actually build upon the works, work that others have done for you already and I'm not going to show you the ssdi query. Example that also uses that data flow analysis and it looks for data flow by specifying exactly what flow is interested in by specifying the source. It's interested in any type of remote data and the sync that we're interested in as any call to the render method in ejs, and if I now run that query, I should get exactly the same result here.

A

We are that I got in code scanning earlier. It tells me where the untrusted user data has entered my application through an http request, how it flows through my application and eventually is used in the render method. So now you know what happens under the hood, I've only scratched the surface, but but you get the idea.

A

I will now hand over to xavier who will tell you exactly where these queries come from.

B

Thank you, bass, yeah, thank you for this demo, so yeah. Let's now see who writes these queries that run on your open source projects and you'll be disappointed to know that bass doesn't write all of them but yeah. Okay. So follow me through the original story of the ssti quadco query.

B

There are basically three broad steps when uh writing a query. It usually starts with a bug found by a security researcher after auditing code. The second phase is the variant analysis phase, and this is the core of the query. Writing during this phase, a security researcher will try to find other occurrences of this same bug pattern. This is what we call the variance the code. They they will code the general pattern into the column query. Then they will run it on several code bases and to find similar bugs then.

B

Finally, in the third phase, the community will improve the query, and here it's not only the security community who will improve the query, but also the developers developers will bring in their expertise of the language and of the frameworks.

B

They will either extend the query to find more problems or they will adapt it to reduce false positive, because you know a security researcher wants to find as many bugs as possible. So they don't really care about precision, but this is not ideal for developers. Developers prefer to receive alerts only for real problems.

B

So only when the query is as precise as possible, it will be suitable for continuous integration.

B

Okay, so our first stop is uh in our story is the security research activity and security research know that github has its own team for this activity, which is the github security lab. It's a team of hackers created last year at kitab universe and with this team- and there are thousands of hours of security research github is really committing to help secure the open source ecosystem.

B

What we do we, we audit open source code and we already reported many vulnerabilities. You can see examples in this slide in chrome, angularjs, samba, open ssl, but the most important thing is our approach, our maintenance first approach. We are here to make security easy for developers and a big part of our mission is to share and educate via workshops or articles.

B

We explain vulnerabilities that we found, for example, you can see in the slide here in chrome, ubuntu or recently in germany's kovind knighting contract contact tracing app and because at github we claim that coding is social. We are also building a community of researchers and developers who want to help secure open source.

B

So coming back to our origin story, the first phase is how security researchers or members of our community find a bug. For example, here alvaro munoz from the security lab discovered a high severity ssti in xwiki.

B

This bug allows any user to run arbitrage java code on the xwiki server during the research alvaro identifies the exact bug in the code and he points it out privately to the maintainer. But, having identified the exact faulty code pattern, we can code it into a query, and this is what happens in the second phase. A security researcher will grasp this code pattern from the original vulnerability, possibly found by another researcher, and they will code it into a code called query.

B

You can see here in my example that someone who goes by the github bundle of monkey junkie proposed a pull request for codeq query that detects sstis in popular javascript's, rendering engines look at the query on the left and you will recognize what bus showed you during the live demo applied to egs, but also to other engines.

B

By doing that, monkey junkie amplifies the original research they coded. They make it available for the whole community under executable form. Now, why would monkey junkie? Do that, of course, because contributing to open source software security is a compelling purpose and open source users are eager to share their knowledge for the benefits of the community, but also because github incentivizes the community to write these queries with a bunch of bounty program.

B

So traditional bounty programs reward people who report bugs in our program. We reward people who prevent bugs. They write a code query for the open source community and they contribute to making less bug happen. So monkey junkie on github goes by zelibob on hacker1 and they got 2 300 bounty for their contribution to open source security. As we said in the introduction, github already paid 100 000 for search contribution, and we will continue these incentives, because these queries actually help everyone to be more secure.

B

The last phase of the query: writing is the improvement by the community and this phase never ends. Actually, it starts during the code review and it never ends on the first screenshot. You can see an example of a pull request with a review by a community member. It's interesting because the comment is about the code mpc framework, specifics, its developer knowledge and not security knowledge on the second one.

B

You see an improvement of our ssti query, the one developed by monk chunky here, it's my colleague asghar who is a developer and not a security researcher who extended the original query. He added the support of another popular javascript framework lodash, and there will be more of this improvement in the future.

B

Okay, so we've seen the story of the of a query phase: one security, research phase, two joint analysis and then community improvement. So now, let's wrap up. um First, automated securities analysis is essential. It augments manual code audit and it prevents repetitive mistakes at github. We believe in the power of community. We transform also free activities into social activities, and security analysis makes no exception.

B

We believe that codeql is the perfect enabler for the community to share collaborate, automate and scale. This is why we incentivize the community to contribute to the codeword queries, and this is why codeql and code scanning are free for the open source community, and the last thing I would like you to remember is that codecredit is unique in the sense that it allows security experts and developers to collaborate on the security check they bring in their specific expertises security on one hand and language and framework on the.

B

On the other hand, they collaborate on the same artifact, the query, so nothing is lost in translation and as a developer, you are not just consuming security checks from others. You can be in the driver's seat and contribute to improve the checks for the open source community.

B

So where should you start head to the security lab website? You will find the link here in the slide and you will find pointers to learn codeql with our interactive github learning labs uh to contribute to control, queries and cherry on top when contributing to codeql. If you find potential security vulnerabilities, you can get rewarded thanks to our bounty program. So looking forward to seeing you there. Thank you for listening to us.