►
Description
CodeQL is GitHub's expressive language and engine for code analysis, which allows you to explore source code to find bugs and security vulnerabilities. During this beginner-friendly Workshop, you'll learn to write queries in CodeQL to find use-after-free (UAF) vulnerabilities in open source C/C++ code. Difficulty level = Intermediate (200)
For more from GitHub Universe 2020, visit https://githubuniverse.com
As always, feel free to leave us a comment below and don't forget to subscribe: http://bit.ly/subgithub
Thanks!
Connect with us.
Facebook: http://fb.com/github
Twitter: http://twitter.com/github
LinkedIn: http://linkedin.com/company/github
About GitHub
GitHub is the best place to share code with friends, co-workers, classmates, and complete strangers. Millions of people use GitHub to build amazing things together. For more info, go to http://github.com
A
A
Hello,
everyone
and
welcome
to
this
github
universe
workshop
on
finding
security
vulnerabilities
in
cnc
plus
plus
code
with
codeql,
we're
very
happy
to
have
you
here
today.
My
name
is
aditya
sharad,
I'm
the
engineering
manager
for
the
codeql
core
technology.
Here
at
github
with
me,
I
have
my
colleagues
andrew
eisenberg,
who
also
works
on
codeql
core
technology,
mathias
peterson,
who
works
on
codeqlc
and
c,
plus,
plus
analysis
and
jeffrey
white,
who
also
works
on
codeql,
cnc,
plus
plus
analysis.
A
We
are
here
to
take
you
through
some
of
the
basic
features
of
codeql
and
what
makes
it
exciting
as
a
technology
for
finding
security
vulnerabilities
in
source
code,
we
will
show
you
the
basics,
an
overview
of
what
codeql
is
a
little
bit
about
the
create
language,
and
then
we
will
go
into
an
interactive
part
of
the
workshop
where,
based
on
the
materials
that
you've
seen
shared
already,
I
will
take
you
through
a
series
of
exercises
that
help
us
find
interesting.
Security.
A
Vulnerabilities
of
a
particular
category
in
in
some
example
code
and
you'll,
learn
how
to
use
the
codeql
tools
to
develop
those
queries
navigate
the
different
features
that
they
provide.
Identify
patterns
in
source
code
and
then
use
those
to
find
security
vulnerabilities
so
for
we'll
spend
about
10
minutes
on
a
quick
series
of
introductions.
Hopefully,
the
basic
idea
of
what
code
ql
is
will
already
be
familiar
to
you,
but
we'll
take
you
through
our
perspective
on
what
it's
for
what
the
motivation
is
and
what
it
looks
like
and
then
we'll
go.
A
A
How
does
this
happen?
We've
spoken
a
lot
about
finding
vulnerabilities
in
code
analyzing
it.
What
does
that
mean?
The
main
premise
is
that
source
code
can
be
treated
as
data
specifically
relational
data,
which
stores
information
in
the
form
of
tables
and
cll
is
able
to
understand
a
number
of
common
programming
languages
and
extract
the
information
from
that
code.
A
Taking
that
information
from
the
language,
the
parser,
the
compiler
and
the
build
and
putting
that
into
the
form
of
a
database,
then
this
database
is
a
reusable
artifact
that
you
can
query
to
get
information
about
the
code
from
to
get
this
information.
Codeql
has
an
expressive.
Query
language.
This
is
a
logical
programming
language,
where
you
declare
the
patterns
that
you
want
to
find
in
the
source
code
and
the
codeql
engine
figures
out
how
to
evaluate
that
to
get
the
information
that
you
want
from
the
database.
A
The
nice
thing
about
having
this
information
in
the
form
of
query
is
that
it's
reusable.
This
is
a
program
that
represents
your
security
knowledge
as
a
security
researcher
or
as
someone
who's
knowledgeable
about
a
particular
code
base
in
a
form
that
can
be
shared
with
your
colleagues
describes
what
you
want
to
find
and
executed
to
find
similar
vulnerabilities
in
the
same
code
or
elsewhere
in
different
projects.
A
The
focus
of
this
workshop
will
not
be
about
creating
ql
databases.
There
are
plenty
of
tools
and
documentation
for
that,
particularly
the
qlcli
and
github
code
scanning
for
open
source
projects,
which
will
allow
you
to
run
codeq
analysis
on
your
code.
What
we
will
focus
on
here
is
the
process
of
writing
a
query,
so
we're
going
to
get
into
some
of
the
details
of
the
query
language,
the
different
features
and
some
of
the
libraries
available
for
cnc
plus
plus.
A
This
is
an
example
query
for
analyzing,
cnc,
plus
plus
code.
It
has
a
simple
fromware
select
style
which,
if
you're
familiar
with
sql,
will
also
look
familiar,
maybe
the
wrong
way
around
the
from
declares
some
variables,
the.
Where
declares
some
conditions
on
those
variables
and
the
select
chooses
what
the
output
of
our
query
is
in
order
to
have
meaningful
modeling
of
the
source
programming
language,
we
have
imports
that,
let
us
reuse
logic
that
is
defined
in
other
libraries.
So
here
this
is
an
import
of
the
standard
library
for
coql
that
analyzes
cnc.
A
Having
done
that
import,
we
can
then
use
things
like
the
type
function.
Call
the
predicate,
which
is
the
equivalent
of
a
function
in
ql
get
target,
has
named
these
other
building
blocks
of
the
library
that
describe
the
patterns
in
the
target
programming
language.
We
are
analyzing,
so
we
have
here
a
simple
query
that
looks
for
function.
Calls
where
the
function
being
called
has
the
name
free
and
we
output
that
call
together
with
a
message
that
says
this:
freeze
memory.
A
There
are
two
major
building
blocks
for
a
query
that
we
will
use
in
this
workshop
and
that
you
will
use
as
you
are
writing
new
patterns
in
future.
The
first
is
predicates
in
a
traditional
programming
language.
You
may
be
used
to
functions
or
methods
as
you're
building
blocks
of
reusable
logic,
because
codeql
is
a
logic,
programming,
language
that
operates
on
databases.
A
A
Predicates
allow
us
to
describe
reusable
pieces
of
logic
and
name
it
so
that
we
can
call
it
again
on
the
left
here
we
will
have
the
example
that
we
saw
on
the
previous
slide.
The
same
simple
query.
That
looks
for
a
very
simple
pattern.
By
name,
if
we
factor
out
this
logic
into
a
predicate,
it
would
look
something
like
this.
We
could
write
a
predicate
based
on
the
from
where
select
part
of
the
the
query
that
is
named
is
free
call.
This
predicate
asserts
some
logical
properties
about
a
given
function.
A
A
Having
defined
such
a
predicate,
we
can
use
it
in
a
query
by
saying
that
there
is
a
function,
call
it
satisfies
this
predicate
and
then
we
output
the
column.
So
these
two
queries
are
more
or
less
equivalent.
It's
just
a
different
style
of
writing
the
same
logic
and
something
that
you
will
see
with
codeql
is
often
there
are
many
equivalent
ways
of
writing
the
same
piece
of
logic.
This
is
perfectly
fine.
There
is
no
significant
cost
to
writing
in
one
form
or
the
other.
A
A
The
second
building
block
that
we
will
encounter
here
are
classes
classes
can
be
thought
of
in
ql
as
a
set
of
values.
Codeql
is
object,
oriented,
unlike
some
database
languages,
and
the
object
orientation
allows
us
to
define
hierarchies
and
reusable
pieces
of
logic.
This
is
nice
when
you're
modeling
standard
patterns
in
the
programming
language,
we
don't
want
you,
as
a
code,
qr
writer,
to
have
to
think
about
every
single
feature
of
the
target
language
that
you're
analyzing.
A
A
However,
it
is
also
possible
to
write
your
own
that
refine
or
extend
these
here
in
the
left.
We
have
the
same
predicate
example
we
had
before
we
factored
out
a
predicate
that
defines
free
calls
on
the
right.
We
can
have
something
equivalent
using
a
class.
A
class
has
a
name
in
this
case.
It
is
free
call,
it
may
have
some
super
types
in
this
case
function.
Call
and
you
can
think
of
the
set
of
values
in
the
class
as
starting
with
the
set
of
values
in
the
intersection
of
all
the
super
types.
A
In
this
case,
there
is
only
one
and
then
we
might
want
to
refine
it
further.
Here
we
are
not
concerned
with
all
function.
Calls
we
care
about
a
particular
subset
of
function,
calls
that
have
a
target
whose
name
is
free,
and
so
we
define
that
logic.
In
a
predicate
that
kind
of
looks
like
a
constructor.
It
has
the
same
name
as
the
class.
We
call
this
the
characteristic
predicate
that
defines
the
class
so
now
we've
defined
a
subset
of
function
calls
called
free
call
and
we
use
it
in
a
query.
A
You're
not
here
to
listen
to
me.
Talk
about
the
features
themselves.
You
are
here
to
write
some
code
ql,
so
keep
these
building
blocks
in
mind,
predicates
and
classes,
and
the
fact
that
we
are
querying
a
database
with
information
about
the
source
code
and,
let's
move
to
the
interactive
part
of
the
workshop.
A
A
The
database
that
we
are
using
for
this
workshop
has
there's
a
link
in
the
workshop
document
and
the
readme.
You
can
install
it
using
the
download
database
feature
and
it
looks
something
like
this
once
you've
got
an
import.
Please
make
sure
you
set
it
as
your
current
database
so
that
we
can
query
it.
A
The
workshop
document
that
I
am
following
is
also
visible
in
the
repo.
So
if
you
prefer
to
follow
along
with
that
text,
please
do
so.
I
will
talk
you
through
each
step.
We
will
go
through
them
and
I'll
pause
for
between
one
and
three
minutes
at
each
step
that
to
allow
you
time
to
write
the
answers
to
those
parts
before
we
see
the
solution
and
move
forward.
A
A
A
Now
the
system
is
free
to
use
that
memory.
However,
it
sees
fit
once
it's
been
freed,
but
holding
on
to
a
pointer
to
that
freed
memory
is
dangerous,
because
if
we
try
to
use
or
dereference
that
pointer
again,
we
might
be
accessing
memory
that
we
shouldn't
have
had
access
to
crashing
the
program
getting
unexpected
behavior,
unexpected
values
corrupting
the
data
that
some
other
process
is
using
or
executing
something
that
might
be
controlled
by
an
attack.
A
But
the
general
pattern
is
that
freeing
some
memory
that's
referenced
and
then
using
that
that
same
pointer
again
without
zeroing
out
the
pointer
or
resetting
its
value,
so
that
it
is
no
longer
pointing
to
that
old
freed
memory
is
dangerous.
That
is
a
vulnerability
and
it's
useful
when
we're
looking
for
ql
results
to
try
and
phrase
the
vulnerabilities,
we're
looking
for
in
this
precise
form.
A
Another
way
to
think
about
it
using
security
terminology
might
be
that
when
memory
is
freed,
it
is
a
source
of
tainted
data
right,
it's
pointing
to
something
we
no
longer
fully
control
and
when
that
memory
that
that
source
reaches
or
flows
to
some
use
that
might
dereference
it.
That
is
a
sink
for
a
use
after
free
vulnerability.
A
A
I'll
skip
over
the
instructions
here,
assuming
that
you
have
reached
the
state
and
have
a
working
extension
with
this
repository,
but
please
ask
in
the
channel,
if
you're
having
trouble
getting
set
up
to
begin
with,
though,
before
we
dive
into
the
specific
vulnerability.
Let
me
run
a
query
so
in
this
workshop
there
is
an
example
query.
It
looks
something
like
this:
it
just
looks
for
block
statements
denoted
by
braces
and
the
number
of
statements
within
them.
We
can
run
this
query
from
the
right-click
context,
menu
run
query
or
the
command
palette
using
the
command
code.
A
Once
we've
got
the
results
of
a
query,
you
can
click
on
them
to
navigate
the
source
code,
and
so
here
you
can
look
at
all
the
blocks
in
the
program.
If
you
so
wish,
a
useful
thing
to
do
once
you
have
the
source
files
open
from
the
database.
You're
looking
at
is
the
ast
viewer.
It's
useful
to
see
how
code
qr
models,
the
different
patterns
that
are
present
within
the
code
we
saw
function
call
in
the
example.
I
showed
you
before
we're
going
to
encounter
some
more
patterns.
A
A
This
is
an
expression
statement
which
contains
a
function
call,
and
I
can
look
for
it.
I
can
see
that
there
are
ways
to
get
its
arguments
and
which,
what
elements
of
the
program
they
point
to
we're
going
to
keep
making
this
relation
between
the
structure
of
the
program
and
the
way
it
is
modeled
in
codeql,
so
use
the
ast
viewer
as
your
guide
to
understand
how
to
describe
the
patterns
you're.
Seeing
in
the
code
that
you're
familiar
with
in
the
form
of
the
code,
qr
libraries.
A
A
A
A
A
A
A
A
So
to
identify
the
first
argument
of
the
call
arguments
tend
to
be
expressions
so
we'll
use
the
extra
type
from
the
library
and
we
will
add
a
where
condition
that
says.
The
argument
is
the
calls.
Let's
look
for.
I
could
get
an
argument.
I
could
get
a
specific
argument
at
a
numbered
index.
That's
probably
what
I
want.
I
want
the
zero
index
for
the
first
argument
and
then
I
can
select
a
call.
I
can
select
the
call
and
the
argument.
A
To
this
point,
we're
just
navigating
the
structure
of
the
program,
kind
of
matching
what
we
saw
in
the
ast
viewer,
and
we
can
look
for
things
like
call.
First
argument
call
first
argument
and
so
on
now
I
care.
I
said
I
care
about
free
and
maybe
now
is
the
time
to
filter
down
to
only
those
calls
to
the
free
function.
A
Let's
use
the
autocomplete
to
guide
us
if
we
look
for
sometimes
we
can
look
for
the
callee
depending
on
the
library
and
how
it's
named
this.
This
predicate
in
the
cnc
first
plus
libraries,
it's
a
target,
so
if
we
call
call
dot
get
target,
we
will
get
the
function
that
this
call
points
to,
and
then
that
might
have
a
name.
A
In
some
cases
we
free
is
often
in
the
global
namespace
or
in
the
standard
namespace.
And
so,
if
we
look
for
things
like
has
global
or
standard
name,
we
can
check
whether
it's
called
free
in
a
global
sense,
so
either
these
should
be
fine.
For
the
purposes
of
your
query
here
in
this
example,
to
be
more
general,
we'll
use
the
more
general
version
which
is
has
global
standard.
A
A
Now,
what
we're
building
up
to
is
we're
going
to
try
and
find
sources
and
sinks
and
wire
them
up
together.
So
it's
useful
to
have
reusable
pieces
of
logic
a
little
bit
like
you
saw
on
the
introductory
slides.
So
next
I'd
like
you
to
factor
this
logic
out
from
the
fromware
select
format
into
a
predicate.
Now,
this
predicate
will
have
the
same
logic,
but
it
will
define
its
own
variable
and
it
will
allow
us
to
reuse
this
in
other
parts
of
the
query.
A
A
The
keyword
that
we
will
need
to
use
here
that
we
haven't
seen
before
in
codeql
is
exists
so
with
exists.
We
are
allowed
to
declare
some
variables
here,
much
like
here
in
the
body,
the
declaration
of
the
predicate
or
in
the
from
clause,
and
then
we
have
a
vertical
bar
or
such
that
and
then
we
say
something
about
those
variables.
A
We
define
some
logic
that
we
must
assert
so
again
I'll.
Give
you
a
minute,
try
and
translate
what
we
have
here
in
the
from
where
select
into
in
exists.
If
you
want
to
check
that
your
predicate
is
working,
you
can
make
sure
your
query
compiles
and
then
run
quick
evaluation
from
the
right
click
menu
to
evaluate
only
that
predicate
in
isolation.
A
A
A
I
don't
really
need
this
anymore
I'll,
just
put
something
here
to
keep
the
compiler
happy
and
save
my
query.
So
it
looks
nicer
so
now,
we've
written
the
same
logic
effectively.
We've
said
an
expression
is
a
source
of
a
potentially
free
value.
If
there
is
some
function,
call
whose
first
argument
is
this
expression
we
are
talking
about,
and
that
call
is
a
call
to
free.
A
And
make
sure
it
finds
what
we
care
about.
Now
I
don't
have
the
function,
call
as
one
of
the
parameters
of
my
predicate,
so
it
doesn't
show
up
in
the
output.
It's
just
the
the
argument,
but
that's
probably
fine,
because
I
know
how
to
find
that
if
I
need
it.
So
if
I
look
through
these,
I
find
hopefully
the
same
set
of
results
as
before.
I've
not
changed
the
logic
of
my
query.
A
A
We
are
going
to
track
the
flow
of
information
from
this,
so
we
call
this
data
flow
analysis
in
program
analysis
terms.
Data
flow
analysis
helps
us
answer.
Some
questions
like
does
this
expression
here
in
a
sink
that
might
be
dangerous,
ever
hold
a
value
that
originated
from
somewhere
else
in
the
program
that
was
untrusted
or
attacker-controlled
or
otherwise
unsafe.
A
You've
seen
how
to
navigate
the
program
syntax
structure
here,
the
ast
viewer
gives
you
a
good
representation
of
that
and
we've
been
querying
some
patterns
in
the
syntax
we've
been
looking
at
calls
they're
targets
which
comes
from
the
compiler,
the
names
of
those
targets
which
comes
from
name
binding
now
this.
So
that
is
a
tree
structure
now
think
of
each
program
element
that
might
have
a
value.
A
Where
an
edge
says
information
might
flow
from
this
node
to
this
node,
perhaps
through
an
assignment,
perhaps
through
a
call
that
passes
a
parameter
so
to
get
started
with
using
this
library.
We
must
use
the
types
from
it
so
bring
in
an
import
of
the
dataflow
library.
It
looks
something
like
this
import
this
path
here,
saml
code,
cpp,
dataflow
dataflow.
Please
pay
attention
to
the
case,
and
then
I
like
you
to
change
your
predicate
so
that,
instead
of
expression,
your
argument
has
type
data
flow.
A
A
So
if
I
change
the
type
in
a
straightforward
way
here-
and
I
use
the
class
data
flow
node,
I
get
a
compiler
of
this
equality
because
the
left
hand
side
here
calls
arguments
are
expressions.
They
are
part
of
the
syntax
of
the
program,
and
I've
now
said
arg
is
a
data
flow
node.
This
is
part
of
the
semantics
of
the
program.
This
is
a
different
structure.
A
A
A
Late
for
now,
we
know
that
what
we're
looking
for
is
an
expression
so
we'll
convert
it
into
an
expression,
and
you
can
always
jump
to
the
definition
and
read
the
documents
around
them
to
see
the
meaning
of
these
different
types
of
node.
Why
is
it
we
model
these
different
patterns?
What
are
they?
This
is
all
on
the
class
data
flow
node.
A
A
Now,
let's
think
about
this
now
that
we're
thinking
about
semantics
rather
than
syntax,
let's
think
about
what
it
means
for
information
to
flow
out
of
memory
that
was
freed
or
out
of
a
free
call
free,
is
sort
of
special
in
terms
of
how
it
handles
its
argument.
The
argument
is
passed
by
a
reference.
It
is
a
pointer
and
before
the
free
function
runs.
So
if
we
have
some
code
that
looks
like
let's
find
one
of
these
examples
that
looks
like
this
before
free
runs.
A
This
value
s
is
a
pointer
to
some
memory
after
free
runs.
We
still
have
this
s.
We
can
then
use
it
afterwards,
but
it
no
longer
points
to
the
same
memory.
It
is
free
it,
or
rather
you
can
say
that
it
points
to
the
same
memory,
but
the
the
nature
of
what
we
expect
to
get
from
that
memory
is
different.
So,
from
the
purposes
of
our
modeling
of
the
flow
of
data,
it's
kind
of
a
different
value.
A
We
don't
care
about
the
real
values
that
went
in
before
they
were
free.
Those
are
perfectly
safe
if
we
reuse
them,
but
what
we
consider
dangerous
is
if
that
value
after
it's
been
freed,
now
points
to
who
knows
what
comes
back
out
and
reaches
somewhere
dangerous.
So
this
is
a
slightly
subtle
distinction
and
part
of
the
tricks
of
writing
code.
A
So
we
want
to
distinguish
between
these
two
values
and
you
saw
the
different
types
of
data
flow
node
in
my
autocomplete
suggestion
earlier.
So
I'd
like
you
to
look
at
those
possibilities
and
give
yourself
a
minute
to
try
and
figure
out
how
to
change
this
predicate
so
that
it
references
the
value
after
it's
been
freed
not
before.
A
In
fact,
actually,
let's,
let's
just
look
at
what
the
documentation
is
telling
us
as
expert,
gets
the
expression
corresponding
to
this
node,
okay
and
for
data
flowing
out
of
an
expression
such
as
when
something
has
been
freed,
and
we
want
the
resulting
effect
like
when
argument
is
passed
by
reference
use
as
defining
argument
instead
of
as
expert
okay.
Let's
look
at
as
defining
argument
and
see
whether
that
means
what
we
need.
A
A
So,
let's
use
as
defining
argument
the
rest
of
this
stays
the
same,
because
we're
still
looking
for
the
same
kinds
of
function
calls
we
still
have
the
same
structural
relationship
between
the
call
and
its
first
argument,
but
the
nature
of
the
data
flow
node
that
we
have
modeled
in
code,
ql
separately
from
the
structure
of
the
program,
is
a
little
bit
different.
So
there
are
two
we're
taking
the
one
that
happens
after
the
free
has
completed
this
insight
subtle
if
you're
not
familiar
with
language.
A
It
is,
however,
perhaps
the
most
complicated
concept
that
we're
going
to
look
at
here.
So
if
you're
feeling
comfortable
with
this,
you
should
be
in
good
shape
to
validate
that.
This
is
not
dramatically
changing.
What
you're?
Finding
quick
evaluate
this
predicate
again,
the
locations
that
you
find
should
be
the
same,
even
though
the
conceptual
data
flow
nodes
that
we
care
about
are
a
little
bit
different,
and
you
can
see
that
there's
a
difference
in
how
they're
printed.
A
We
now
identify
the
fact
that
there
are
reference
arguments
after
they
were
called
same
set
of
locations,
because
the
syntactic
expression
is
the
same,
but
it's
a
different
node
conceptually
because
it
happens
later
in
the
execution
of
the
program.
It
is
after
the
free,
rather
than
before,
the
frame.
A
The
next
step
that
we
can
go
from
here
is
that
if
this
memory
reaches
a
dereference,
it's
dangerous,
so
we'd
like
to
find
out
how
to
wire
those
up
together.
I'll
pause
for
five
minutes
here.
Give
you
a
time
to
surface
any
questions.
Ask
any
questions
in
the
chat
before
we
move
on
to
finding
de-references
and
then
tracking,
the
two
of
them
together
using
dataflow
analysis.
B
A
That's
right
here,
so
I
I
think
so
jeffrey
mathias
will.
I
imagine.
Beyonce
in
the
details
is
the
c
plus
libraries.
Each
language
has
a
slightly
different
set
of.
I
call
them
like
special
types
of
data,
fluid
node
that
you
can
expect
to
look
for
expression,
nodes
and
parameter
nodes
are
fairly
standard
across
all
the
languages,
but
things
like
as
defining
arguments,
these
definition
by
reference
nodes
are
indeed
only
for
languages
that
make
that
distinction
between
pass
by
value
and
pass
by
reference.
A
Uninitialized
variable
nodes
are
only,
I
think,
in
cnc,
plus
plus,
if
you're
analyzing,
if
I
remember
correctly,
go
and
javascript.
For
example,
they
have
a
much
richer
set
of
of
nodes
that
correspond
to
the
structure
of
the
program,
so
you
have
things
like
call
nodes
and
function
nodes.
This
is
particularly
interesting
for
dynamic
languages,
because
then
you
there,
everything
is
about
data
flow.
There
you
care
about
modeling.
Most
of
the
program
has
data
flow,
because
even
to
know
what
function
is
being
called,
you've
got
to
track
where
it
came
from
in
the
program.
B
B
B
A
A
A
A
To
describe
sync
you'll
have
to
use
something
like
sync
as
expert
to
talk
about
this
link
as
an
expression
and
then
see
if
you
can
identify
some
places
in
the
program
in
the
example
code
that
are
dereferencing
the
value
that's
passed
to
give
that
a
go
share.
Your
solutions,
if
you
feel
so
confident
in
the
channel
and
we'll
bring
it
together
by
finding
a
consistent
way
of
identifying
all
of
these
together.
A
Now
there
are
many
possible
ways
we
might
want
to
do
this.
If
I
look
around
the
source
code
a
little
bit,
what
are
the
places
that
uses?
We
have
these
s,
printf
calls
which
take
these
values,
and
you
know
concatenate
them
into
strings.
We
have
those
seem
to
be
the
main
ones.
Maybe
you
might
have
pointer
d
references,
let's
see
what
the
libraries
have
and
we'll
use
exists
in
order
to
declare
some
variables.
Something
like
this.
Let's
say
what
types
do
we
have
that?
A
A
A
A
A
A
Okay,
this
is
a
bunch.
This
example
code
seems
to
use
s
printf
as
the
main
way
of
demonstrating
that
these
are
that
these
are
possible
problems.
There's
some
other
stuff
here,
there's
right
buff.
I
guess
that's
in
its
definition,
if
I
jump
to
its
definition,
that
will
also
do
a
right
somewhere
under
the
hood,
so
this
is
kind
of
an
imperfect
modeling.
This
is
very
frustrating.
I
don't
want
to
try
and
describe
every
possible
case
that
might
exist
in
the
crc
plus
language
to
model
possibility
references.
A
A
If
we
search
for
dereferenced,
we
see
that
the
standard
library
in
codeql
has
a
predicate
called
dereferenced,
which
has
a
heuristic
for
whether
e
is
going
to
be
dereference
after
being
evaluated,
and
it
has.
If
I
jump
further
through
the
definitions,
it
covers
a
bunch
of
cases,
things
like
pointer
d,
references
array,
expressions,
increment
operations,
taking
the
address,
doing
arithmetic,
doing
calls
that
dereference.
A
A
A
So,
let's
you
know,
keep
keep
reminding
ourselves
of
what
we're
looking
for
and
where
we
are
currently
we're.
Looking
for
places
where
memory
is
freed
and
then
used
without
being
reassigned
or
cleared,
we
have
described
a
predicate
is
source
to
find
the
data
flow
nodes.
Where
memory
is
freed,
we
defined
a
predicate
is
sync:
where
memory
is
dereferenced
or
used,
not
necessarily
with
any
relationship
to
whether
it's
been
freed
or
not.
It's
just
all
the
places
that
might
use
memory.
A
A
A
These
are
happening
within
the
same
function,
so
we
will
be
able
to
detect
this
kind
of
pattern
with
a
simple
form
of
analysis,
something
that
says
we
have
these
data
flow
nodes.
These
nodes
are
in
the
same
function.
We
followed
the
data,
flow
edges
or
successes
within
that
function.
Until
we
reach
a
place
where
it
is
dereferenced,
that's
local
data
flow
analysis.
A
It's
a
good
starting
point.
It's
useful
for
many
problems.
It's
often
not
enough!
Now.
Why
isn't
it
always
enough?
Because
we
might
have
some
levels
of
indirection
where
data
might
flow
across
function?
Boundaries?
If
we
look
at
this
example
code
at
free
buff,
this
is
a
function
that
takes
a
pointer
and
then
freeze
it.
Okay,
so
far,
reasonable
seems
like
a
thing
you
might
write,
but
if
we
use
an
analysis
that
is
only
capable
of
reasoning
within
the
scope
of
a
single
function,
it's
not
going
to
figure
out
what's
happening
here.
A
We'd
have
to
write
something
fairly
complicated
to
work
out
that
this
is
also
kind
of
a
free
call,
because
it
calls
free
and
then
you
end
up
having
to
recurse,
because
maybe
you
you
call
a
function
that
calls
a
function
that
calls
free
and
so
on.
This
sounds
quite
complicated
to
model.
I
don't
want
to
be
sitting
and
writing
that
kind
of
analysis
manually.
A
The
fact
that
there
are
these
function,
boundaries
in
the
middle
should
not
get
in
the
way
of
the
results
that
I'm
interested
in
finding
here.
Fortunately,
coql
is
pretty
capable
of
doing
this.
We
call
this
global
data
flow
analysis
and
there
is
a
little
bit
of
a
template.
Some
boilerplate
that
you'll
have
to
write
in
order
to
wire
these
things
up
and
we'll
go
through
that
here,
a
little
bit
about
what
it
means
and
how
to
write.
A
So,
to
begin
with,
we'll
add
some
metadata
to
our
query.
This
doesn't
change
the
results
or
the
meaning
of
what
we're
finding
it
does
change
how
the
results
are
formatted
and
presented,
and
we'll
see
that
it's
quite
useful
when
we
have
this
in
place.
So
I
encourage
you
if
you
haven't
already
to
put
in
this
metadata,
you
can
copy
it
straight
from
the
the
workshop
document,
if
necessary,
make
sure
you
have
this
kind
path
problem.
A
A
We
have
our
source
nursing
predicate
from
before
we're
going
to
use
them
in
a
moment,
but
there's
a
template
here,
so
you
feel
free
to
follow
along
with
me
as
I'm
writing
this
feel
free
to
take
the
template
and
then
modify
it.
What
we're
going
to
do
is
create
this
configuration
template
and
move
over
the
logic
that
we've
already
written
in
the
previous
steps
into
this
template.
A
A
A
My
class,
if
you
remember
the
example
from
the
slides
right
at
the
beginning,
needs
to
have
a
characteristic
predicate,
which
says
what
it
means
to
be
a
value
within
the
class
configurations
are
really
just
strings,
so
we
just
need
to
give
it
a
unique
name.
So
I'll
say
something
like
this
equals
after
free.
A
Now
the
compiler
is
unhappy
with
me.
Let
us
see
what
is
asking
me
to
do.
A
configuration
must
have
at
least
two
of
these
methods.
It
must
have
is
source,
it
must
have
is
sync:
we
go
to
the
definition
of
a
configuration
we
can
see
how
they're
defined
in
the
abstract
a
source
is
a
source
of
data
information.
A
sync
is
a
place
that
might
do
something
dangerous.
We
need
to
define
those
okay.
Well
conveniently
we
have
them
already.
A
A
Now
the
compiler
is
happy.
I
have
a
data
flow
configuration.
I
have
a
source
predicate.
I
have
a
sync
predicate.
When
you
are
developing
queries
in
feature,
you
can
feel
free
to
use
this
template
to
start
with.
We
don't
necessarily
have
to
go
through
the
steps
that
we
did
to
build
up
the
source
and
things
predicates
directly.
A
It's
probably
going
to
end
up
in
this
format.
Most
security
analysis
tend
to
looks
like
that
tends
to
look
like
this
there's
a
configuration
that
describes
the
problem.
We
have
sources,
we
have
things
as
you're
writing.
This
rely
on
quick
evaluation
as
your
debugging
tool,
it's
fairly
easy
to
add
some
unnecessary
information
that
or
miss
some
information
that
will
make
your
queries,
meaning
incorrect.
A
Quick
evaluation
will
tell
you
whether
that
piece
of
logic
is
correct
or
not,
and
allow
you
to
debug
that
without
trying
to
figure
out
why
your
entire
query
is
not
finding
the
information
that
you
care
about.
So
in
this
case,
supposing
I've
done
this
silly
thing?
I
will
get
no
results,
try
and
understand
why
I
can
also
quickly
evaluate
individual
lines.
If
I
want
to
and
I'll
put
it
back
the
way
it
was
so
now
we
have
this
boilerplate
I've
not
changed
the
meaning
from
what
we
wrote.
A
A
A
I
can
see
whether
it
has
flow
between
the
source
and
sync.
I
can
see
whether
it
has
flow
and
render
a
certain
path.
Let's
use
that
I
can
look
for
the
flow
of
information
from
one
to
the
other
and
I'll
select
a
particular
output
format.
Again,
you
can
choose
any
output
format
you
like,
but
if
you
put
it
in
this
order
somewhere
to
place
the
location
in
this
case,
let's
choose
the
sink,
the
pair
of
source
and
sync
and
then
a
message.
A
So
this
kind
of
boilerplate
is
not
something
you
should
be
expected
to.
Remember
use
the
document
as
a
guide
use
the
existing
codeql
security
queries
as
a
guide-
if
you
are
writing
similar
things
of
your
own,
but
remember
that
most
dataflow
queries
tend
to
look
a
bit
like
this.
You
import
the
dataflow
library,
you
import
the
path
graph,
add
some
metadata.
A
So
it's
a
path
problem
create
a
configuration
that
extends
the
base,
configuration
with
some
name,
add
a
source
predicate
and
a
sync
predicate
that
describes
the
endpoints
of
the
problem
that
you
are
interested
in
you
as
a
security
researcher
or
developer,
have
the
insight
into
what
is
a
security
problem.
We
are
just
providing
you
the
structure,
to
write
it
in
this
api.
A
B
A
A
A
A
So
I
think
the
answer
to
that
question
is
that
it's
it
will
handle
different
kinds
of
function,
call
find
because
we'll
model
things
like
virtual
calls
correctly,
but
it's
dependent
on
looking
at
the
body
of
that
function
to
understand
what
the
body
of
the
function
is
actually
doing
with
the
parameter
that's
passed
to.
So
it's
doing
its
own
data
flow
analysis
and
control
flow
analysis
in
a
way.
A
I
think,
and
maybe
mathias
and
jeffrey
will
will
you
know,
know
more
of
the
details
than
I
do
that
it's
possible.
There
are
cases
that
this
doesn't
account
for
it's
possible
that
if
we
don't
have
the
precise
call
graph
where
we
know
which
function
we're
going
to
in
the
case
of
virtual
functions,
you
might
get
some
misses
here,
but
it's
a
generally
with
the
information
that
we
have
it's
as
precise
as
we
can
try
it
again.
B
A
I
believe
it
does
need
to
be
fully
compilable
well,
it
needs
to
be
compilable
enough
that
we
will
not
get
errors
while
extracting
the
source
good.
So
most
extractors
are
robust
to
some
extent
to
certain
kinds
of
errors
that
they
will
log
them
and
carry
on,
but
it
needs
to
be
compatible
enough
that
all
of
the
interesting
source
elements
that
you
care
about
are
recognized
in
the
database.
A
Another
strategy
for
a
small
test
case
like
this
might
also
be
to
use
the
the
ql
test
functionality.
So
if
you
are
in
the
test
explorer-
which
I
think
is
this
one
and
you
define
codeql
unit
tests,
these
allow
you
you
can
look
at
the
examples
that
we
have
in
the
repo.
These
allow
you
to
define.
Let's
find
one.
A
A
A
A
A
A
A
We
identify
sources,
we
identify
sinks,
we
wire
them
together
using
the
data
flow
libraries.
We
use
the
path
graph
functionality
to
allow
a
nice
presentation
of
results,
and
that's
it.
That's
a
query
that
finds
legitimate
security
vulnerabilities
here,
we're
only
looking
at
a
target
code
base
that
we
created
to
demonstrate
this
problem,
but
you
can
fairly
easily
put
this
query
to
real-world
code
basis.
A
There
will
be
some
other
things
to
consider
and
we
can
talk.
We
have
some
time
to
talk
about
the
details
of
how
to
refine
this
and
what
editions
might
be
necessary
for
other
real
world
code,
but
this
is
already
a
solid
starting
point
for
you
to
find
these
kinds
of
vulnerabilities
and
adapt
to
write
your
own.
A
B
A
A
A
Test
0,
500.,
and
so
that's
a
good
sign
that
suggests
that
our
data
flow
analysis,
the
way
that
we
phrased
it.
The
fact
that
we're
using
the
standard
library
has
allowed
us
to
be
robust
to
things
like
reassignment,
because
the
value
has
changed.
The
dataflow
library
is
smart
enough
to
know
that
this
value
that
gets
used
is
no
longer
the
same
as
the
one
that
was
freed.
It's
now
pointing
to
zero.
Instead.
B
A
A
A
There
is
an
underlying
graph
and
there's
actually
a
couple
more
predicates
that
it
exposes
there's
the
select,
which
is
the
final
output
that
you
wrote,
there's
a
nodes
table
which
is
the
list
of
all
the
data
flow
nodes
that
might
have
a
value
and
there's
an
edges
table
which
describes
all
the
data
flow
edges.
We
see
information
starts
here
and
goes
here,
so
this
is
somewhat
informative.
A
If
you
want
to
poke
around
and
see
where
information
is
flowing
in
the
program,
it's
often
quite
large,
which
is
why
it's
not
useful
to
look
at
directly
all
the
time,
but
it's
there
if
you
need
to
look
at
it
now,
when
we
have
all
this
metadata
for
a
path
problem,
query
this
kind,
this
output
format
and
an
edges
relation.
We
must
have
a
predicate
that
defines
the
edges.
Then
the
the
tool
chain
is
able
to
combine
that
information
into
this
nicely.
Formatted
path
results.
A
So
again,
this
is
not
about
the
meaning
of
the
query
that
you're
writing,
because
that
is
the
same.
This
is
about
how
we
surface
the
alerts
in
a
tabular
format
so
that
it
can
be
processed
for
you
to
understand
it
can
be
a
little
tricky
as
you're.
Writing
these
queries.
If
you
forget
one
of
these
steps,
it's
a
little
inconvenient
because,
as
you
might
have
encountered,
there's
no
nicely
formatted
results.
A
And
we're
open
to
feedback
here.
I
think
this
is
definitely
something
that's
conceptually
a
little
confusing
and
maybe
something
that
we
can
expose
better
in
the
tools
to
make
it
easier
for
you
to
find
your
nice
path
results
and
harder
for
you
to
make
simple
omissions
that
will
prevent
you
from
getting
that
information.
A
A
A
Excellent
questions:
let's
have
a
look
at
the
dataflow
configuration
class
and
see
the
other
hooks
that
are
present
that
we
haven't
touched
on
so
far,
so
we've
seen
sources
and
syncs
and
you've
you've
heard
me
talk
about
that
for
quite
some
time.
If
you
look
at
the
remaining
predicates
that
are
available,
there
are
notions
of
barriers.
A
We
also
have
a
notion
of
adding
additional
flow
steps,
so
if
sometimes
the
data
flow
analysis
most
of
the
time,
it's
really
smart,
it
it
handled
these
kind
of
flows
out
of
functions
through
reference
parameters
perfectly
fine
out
of
the
box.
I
didn't
have
to
teach
you
anything
extra
in
order
to
figure
that
out.
Sometimes
it
needs
a
little
help.
It
might
not
know
something
about
a
particular
code
base
that
you're
using
about
certain
functions
that
return
values,
and
so
it's
helpful
to
be
able
to
add
extra
steps.
A
A
Something
about
it,
that's
a
straightforward
form
of
barrier
that
says:
if
you
encounter
this
kind
of
node,
stop
information
will
not
flow
through
here
we
will
not
wire
parts
that
go
through
those
when
barriers
are
conditions.
This
is
a
little
bit
harder.
So
if
you
have
something
like,
if
some
condition
then
there's
a
conditional
value,
that's
assigned
or
changed
based
on
the
truth
of
that
condition,
barrier
guards
allow
you
to
describe
that
one.
A
Those
are
a
little
bit
more
subtle
to
define.
I
encourage
you
to
look
at
the
documentation
here
and
also
on
our
health
pages,
which
gives
a
pretty
thorough
explanation
of
barrier
gods,
we're
happy
to
answer
questions
about
it,
but
I
think
I
won't
try
and
take
you
through
all
the
details
of
how
to
define
them
just
yet
broadly
know
that
there
are
two
ways
of
doing
this:
you
can
define
a
barrier
for
just
stopping
at
a
particular
node,
usually
an
expression.
A
A
A
The
api
is
similar
just
conceptually
a
little
bit
different.
The
primary
difference
between
data
flow
and
taint
tracking
is
that
data
flow
is
completely
precise.
It
cares
about
the
exact
same
value
going
all
the
way
through
the
code.
Taint
tracking
is
a
little
bit
more
general.
So
if
you
do
something
like
string,
concatenation
or
arithmetic
operation,
that
still
has
a
tainted
value,
but
maybe
not
the
exact
same
tainted
value.
That's
where
change
tracking
is
your
friend
if
you're
not
sure
which
one
to
use
you
can
start
with
state
tracking
and
if
you're
getting
imprecise.
B
A
B
A
Yeah,
so
I
think
a
barrier
guard
here,
a
guard
condition
is
the
the
whole
expression
that
is
present
within
the
if
within
the
condition,
and
if
that
is
satisfied
or
not
satisfied,
if
that
evaluates
to
true
or
false,
we
then
make
a
decision
about
which
branch
to
follow.
So,
in
that
case,
you'd
have
to
check
the
entire
condition.
A
It
might
be
a
little
bit
trickier
if
you
have
many
possibilities
there,
because
then
you've
got
you
know
is
one
condition
satisfied
both
not
satisfied
if
you're
trying
to
do
conditional
logic
for
your
sanitizer,
based
on
those
things
I
off
the
top
of
my
head.
Imagine
it
might
be
trickier,
but
I
think
the
barrier
guard
api
will
allow
you
to
detect
those
compound
expressions.
You
just
treat
the
entire
expression
as
the
as
the
guard.
A
A
A
A
What
this
means
is
that
the
compiler
has
to
ban
logic
that
you
write
that
will
have
a
negative
cycle,
so
that
would
mean
that
values
grow
and
then
shrink
and
we're
not
guaranteed
to
terminate.
So
if
you're
writing
a
logic
that
uses
negations
not
or
other
patterns
that
are
implicitly
about
negating
and
the
compiler
detects
such
a
cycle
that
doesn't
have
an
even
number
of
negations
to
cancel
each
other
out,
it'll
throw
an
error.
So
this
is
called
a
non-monotonic
expression
when
you
have
something
like
data
flow
analysis.
A
A
A
It
might
be
possible,
however,
to
imagine
some
other
security
problem
where
you
say
that
something
is
only
a
sink
or
actually
dangerous
if
it's
getting
in
untrusted
information
from
the
source,
but
also
maybe
it's
reachable
from
some
attack
surface
like
an
http
request,
and
so
you
might
have
this
case
where
you've
got
two
data
flow
configurations
around
one
that
says,
information
goes
from
the
source
to
the
sync
another.
That
shows
information
goes
from
a
different
kind
of
input
to
the
sync
and
you
care
about
both
of
those
possibilities
being
true
for
a
particular
thing.
A
Now
these
configurations
in
kind
of
in
a
rough
sense.
What
this
means
is
that
you
can't
have
this
this
dependency
without
potentially
creating
this
kind
of
negative
cycle,
because
we
don't
want
to
show
you
data
flow
paths
when
there
is
no
corresponding
vulnerability,
and
so
we're
looking
for
ways
to
make
this
more
modular
in
the
code
qr
language,
those
are
fairly
significant
language
design
problems
and
we
don't
want
to
make
it
more
complicated
than
necessary
so
having
multiple
copies
of
the
dataflow
library
is
kind
of
a
stop
gap
for
that.
A
A
B
A
One
is
tricky:
there
are
possible,
there
are
a
number
of
strategies
that
you
can
use.
It
is
correct
that
this
api
is
not
particularly
suited
for
such
intermediate
steps
right.
It
looks
resources
and
things
and
reachability.
That's
a
straightforward
problem,
it's
harder
to
say
and
is
reachable
where
it
has
to
go
through
such
a
node.
A
What
you
could
do
in
the
situation
is,
you
might
have
two
configurations,
you
wire
them
up.
That's
probably
the
simplest
way
other
languages.
I
think
java
and
c
c,
plus
plus
don't
have
this
for
codeql,
but
javascript
and
python
and
possibly
go
do
you
might
have
labels
on
your
dataflow
edges.
Now
a
label
gives
you
a
slightly
richer
set
of
information
where
it
says
I
am
a
certain
kind
of
taint
and
what
this
allows
you
to
do
is
modify
the
label
of
the
taint
based
on
what
structures
you
go
into.
A
A
That's
not
just
useful
for
data
structures.
It
might
also
be
useful
here
for
this
kind
of
flow
through
an
intermediate
element
where
you
say
I
have
standard
tainted
data.
If
it
goes
through
from
a
if
it
reaches
a
b,
then
I
have
special
b
tainted
data
and
then
once
it
reaches
c,
I
I
have
a
vulnerability
overall.
If
it
was
special,
be
tainted
data.
A
There
are
apis
for
this.
You
can
see
flow
labels
and
the
other
data
for
libraries.
Again,
it's
somewhat
involved.
So
it's
worth
experimenting
with
the
two
configuration
approach,
as
well
as
the
label
approach
to
see
what
is
available
for
the
language
that
you
are
analyzing
and
what
works
for
the
pattern
that
you're
trying
to
find.
A
I'll
also
point
out
that
there
are
significant
limitations
of
this
query.
If
you
try
it
on
a
larger
real
world
code
base,
I
expect
that
you
will
see
some
false
positives,
but
there
are
strategies
to
handle
them.
Adding
sanitizers,
as
we
discussed,
adding
barriers
is
a
way
to
remove
false
positives
from
a
query.
We
can
recognize
the
patterns
that
prevent
that
cause,
something
to
be
safe.
A
Despite
the
fact
that
we
flagged
it
refine
the
query
to
make
sure
that
we're
not
catching
those
patterns,
it
may
be
worth
looking
at
other
ways
to
find
dereferenced
operations,
as
somebody
asked
about
it
may
be
worth
finding
other
ways
to
identify
how
memory
is
freed
and
combine.
These
maybe
add
additional
10
steps
based
on
your
knowledge
of
the
code
base
and
how
information
flows
within
it
combine
these
different
intuitions
and
you
can
take
this
query
start
with
a
set
of
results.
B
A
I
believe
that
so
think
of
the
cultural
libraries
as
building
on
each
other,
so
we
have
the
basic
abstract
syntax
tree.
We
have
a
call
graph,
that's
usually
built
on
that.
We
have
a
control
flow
graph.
That's
built
on
that
on
those
two
things
we
have
a
data
flow
graph,
that's
built
on
all
of
the
above,
and
so
this
is
virtual
function,
calls
and
how
they're
handled
is
often
for
a
compiled
language
handled
at
the
call
graph
level
right
we're
trying
to
understand
which
functions
are
called
by
which
call
expressions.
A
My
understanding
is
that
for
for
these
compile
languages
in
particular,
we
try
very
hard
to
model
virtual
function.
Calls
with
the
information
we
have
from
the
compiler,
where
possible.
Static
analysis
is
not
100
precise.
There
are
some
patterns
that
we
cannot
find
that
we
might
fail
to
get
that
we
might
not
get
from
the
build
of
the
compilation,
so
there
are
potential
gaps,
but
we
try
very
hard
to
model
those
as
much
as
possible.
A
A
So
if
you
look
at
these-
and
you
think
the
call
graph
has
not
figured
this
out
or
I
need
to
add
some
more
virtual
information
which
it
might
be
present
in
some
overrides,
but
not
other
overrides-
that's
the
right
place
to
put
it
in
or
that's
a
good
place
to
put
it
in.
In
order
to
teach
you
about
that
information,
I
think
that
the
way
virtual
calls
are
handle
is
a
little
bit
different
between
the
different
languages,
so
I
won't
try
and
make
that
a
completely
general
answer.
A
A
A
You
can
generally
see
most
of
us
working
on
the
github
codeql
open
source
repositories
so
feel
free
to
open
issues
there
and
ask
questions.
But
discussions
is
a
good
way
to
have
a
more
structured
format,
plenty
of
code,
qr
learning
resources,
there's
help
for
the
vs
code.
Extension,
the
cli,
there's
github,
learning
labs,
which
are
like
interactive
tutorials
that
you
can
watch
and
recordings
of
workshops
like
these-
that
you
are
welcome
to
follow
lots
of
different
formats,
depending
on
the
way
that
you
think
you
learn
best.
Please
try
out
whatever
is
relevant.
A
A
A
Also,
the
qr
queries
and
standard
libraries
are
open
source.
So,
if
you're
identifying
new
vulnerabilities
improvements
to
our
existing
vulnerabilities,
we
welcome
contributions.
Please
feel
free
to
browse
what
others
have
contributed
already
contribute
your
own.
We
we
welcome
additions.
There
they're
part
of
the
security
lab
about
boundary
programs
as
well.
A
A
Great
with
that,
let's
wrap
up
here,
I'd
like
to
thank
you
all
for
your
time,
and
we
appreciate
you
joining
us
and
participating
and
trying
out
our
technology
and
asking
great
questions.
Please
continue
to
use
it.
Let
us
know
what
you
find
useful.
Let
us
know
things
that
you
think
we
can
improve
and
look
forward
to
hearing
from
you.
Thank
you.