Rust: Weak hashing query

[geoffw0]

Add a weak hashing query for Rust (rust/weak-sensitive-data-hashing). We already had the necessary cryptography concepts, I recently added a sensitive data library, and @hvitved added the ability to express sources and sinks in MaD - which is everything needed for the query. Most of the new code is closely based on what we have in other languages, e.g. Ruby.

Naturally there are plans to add further models and data flow to catch more of the test cases in future, after the basic query has been merged.

Needs:

• code review
• docs review
• DCA run

[github-actions]

QHelp previews:

rust/ql/src/queries/security/CWE-328/WeakSensitiveDataHashing.qhelp

Use of a broken or weak cryptographic hashing algorithm on sensitive data

A broken or weak cryptographic hash function can leave data vulnerable, and should not be used in security-related code.

A strong cryptographic hash function should be resistant to:

• Pre-image attacks. If you know a hash value h(x), you should not be able to easily find the input x.
• Collision attacks. If you know a hash value h(x), you should not be able to easily find a different input y with the same hash value h(x) = h(y).
• Brute force. For passwords and other data with limited input space, if you know a hash value h(x), you should not be able to find the input x even using a brute force attack (without significant computational effort).
  As an example, both MD5 and SHA-1 are known to be vulnerable to collision attacks.

All of MD5, SHA-1, SHA-2 and SHA-3 are weak against offline brute forcing, so they are not suitable for hashing passwords. This includes SHA-224, SHA-256, SHA-384, and SHA-512, which are in the SHA-2 family.

Since it's OK to use a weak cryptographic hash function in a non-security context, this query only alerts when these are used to hash sensitive data (such as passwords, certificates, usernames).

Recommendation

Ensure that you use a strong, modern cryptographic hash function, such as:

• Argon2, scrypt, bcrypt, or PBKDF2 for passwords and other data with limited input space where a dictionary-like attack is feasible.
• SHA-2, or SHA-3 in other cases.
  Note that special purpose algorithms, which are used to ensure that a message comes from a particular sender, exist for message authentication. These algorithms should be used when appropriate, as they address common vulnerabilities of simple hashing schemes in this context.

Example

The following examples show hashing sensitive data using the MD5 hashing algorithm that is known to be vulnerable to collision attacks, and hashing passwords using the SHA-3 algorithm that is weak to brute force attacks:

// MD5 is not appropriate for hashing sensitive data.
let mut md5_hasher = md5::Md5::new();
...
md5_hasher.update(emergency_contact); // BAD
md5_hasher.update(credit_card_no); // BAD
...
my_hash = md5_hasher.finalize();

// SHA3-256 is not appropriate for hashing passwords.
my_hash = sha3::Sha3_256::digest(password); // BAD

To make these secure, we can use the SHA-3 algorithm for sensitive data and Argon2 for passwords:

// SHA3-256 *is* appropriate for hashing sensitive data.
let mut sha3_256_hasher = sha3::Sha3_256::new();
...
sha3_256_hasher.update(emergency_contact); // GOOD
sha3_256_hasher.update(credit_card_no); // GOOD
...
my_hash = sha3_256_hasher.finalize();

// Argon2 is appropriate for hashing passwords.
let argon2_salt = argon2::password_hash::Salt::from_b64(salt)?;
my_hash = argon2::Argon2::default().hash_password(password.as_bytes(), argon2_salt)?.to_string(); // GOOD

References

• OWASP: Password Storage Cheat Sheet and Transport Layer Security Cheat Sheet .
• GitHub: RustCrypto: Hashes and RustCrypto: Password Hashes .
• The RustCrypto Book: Password Hashing .
• Common Weakness Enumeration: CWE-327.
• Common Weakness Enumeration: CWE-328.
• Common Weakness Enumeration: CWE-916.

[geoffw0]

@hvitved this test is unrelated to the PR, apart from that they both use models-as-data. I think that means we shouldn't be outputting these IDs in the tests?

[hvitved]

We should probably be translating the IDs, like we do in query tests.

[geoffw0]

How is that done?

[hvitved]

We would have to pull out the relevant bits from the ShowProvenance module.

[geoffw0]

Do you want to do this, or shall I do this as a follow-up PR?

[hvitved]

Let's do it on a separate PR.

[geoffw0]

DCA LGTM (uneventful).

[hvitved]

We should probably be translating the IDs, like we do in query tests.

[hvitved]

Do we know why this is missing?

[geoffw0]

I'm not sure exactly. It's the method calls (rather than function calls) where we're having difficulty.
(MethodCallExpr).getResolvedCrateOrigin() and (MethodCallExpr).getResolvedPath() work as expected.

[geoffw0]

Is resolving method call crates / paths and method calls as MAD sources something we expect to work (tested?), or are there known to be missing features here?

[hvitved]

I can take a look.

[hvitved]

The reason it doesn't work is because your logic is restricted to calls where the function is a PathExpr, which is not the case above. In order to extend to the case above, I think we need to know the type of md5_hasher, but that is currently not available.

[geoffw0]

OK, I'll make a note in the issue for improvements to this query that we're waiting for type inference before we can fix that bit by replacing the PathExpr.

[geoffw0]

Thanks.

[mchammer01]

@geoffw0 - Approving this on behalf of Docs ✨
Left a few minor comments/suggestions.

[geoffw0]

Thanks for the reviews.

• all docs suggestions accepted.
• all code suggestions accepted, in discussion above, or both.

[geoffw0]

I think all issues have been resolved, I just need a re-approval (preferably from code).