Information regarding taint analysis

[computereasy]

Hello!

I am trying to learn about the technical details of taint analysis launched by CodeQL. I am familiar with another tool, Joern. Basically the so-called taint analysis launched by Joern is a two-step approach:

• offline analysis: static def-use chain analysis during static parsing, with "over-tainting“ taken in mind.
• online analysis: when processing a query, it makes use of def-use chain results obtained during the offline phase and fine-tune the results with respect to the taint source and taint sink specified in the processed query.

In that sense, def-use chain is the basis of Joern's taint analysis (though I humbly doubt that def-use chain is better to describe data flow, rather than information flow).

From what I can see, CodeQL seems to do conceptually the similar thing? https://github.com/github/codeql/tree/10d6803b05613a9ab24e692a0f761d0b2dad7809/cpp/ql/lib/semmle/code/cpp/dataflow

Personally, I have experience implementing static/dynamic program analysis tools, so to my knowledge, static taint analysis is hard to be implemented in a sound and scalable way, if at all possible. In that sense, CodeQL is really doing an outstanding job here!

In short, would anyone shed some lights on how taint analysis is really conducted in CodeQL? Or is there any document that we can refer to? Thank you very much!

[adityasharad]

Glad to hear of your interest! Please refer to https://codeql.github.com/docs/writing-codeql-queries/about-data-flow-analysis, which provides an overview of CodeQL's data flow and taint tracking analysis, as well as links to language-specific guides for data flow analysis on each language supported by CodeQL.

If you have further questions after that, please continue to ask here, or join the community in the GitHub Security Lab Slack.

[computereasy]

thank you very much for the prompt reply and all the information!