Reasons for failing to find target api using codeql

August 10, 2020

As a new practical tool to search bugs in target programs, codeql is more and more popular among software security researchers. A crucial step using codeql is to find target api, then you can define your own violation check. However, due to many possible factors, users may fail to find target api. Here I present a simple guide to find reasons.

we assume the target api is tgt_api() in code.c.

step 1. check whether object file exists

First of all, we need to figure out if code.c is compiled or not. Under linux, the object file of code.c can be code.o. So run find ./ -name code.o in program root directory. If it does not exist, you need to think about compile course. The reasons may lead to fail to output object files can be found in my another blog post. If code.o does exist, do next step.

step 2. find target api in source file and check conditional compilation around it

If situation appears like this:

#ifdef HAVE_SQLITE3
tgt_api()
#endif

it’s not surprised that when you don’t hit HAVE_SQLITE3, you can not find target api using codeql query. If you are pretty sure that target api is not surrounded by conditional compilation statements (sometimes they are far from target api) , do next step.

step 3. check api defination and make sure you are using proper query sentence

Sometimes, especially using three-party library such as openssl, your target api is not a function call while it seems like. See this:

 #define tgt_api(x) x*x

If you are not familiar with tgt_api, maybe query sentence is written like:

from FunctionCall fc
where fc.getTarget().hasQualifiedName("tgt_api")
select fc.getLocation()

You can not find tgt_api by aforementioned one, use this instead:

from MacroInvocation mi
where mi.getMacroName() = "tgt_api"
select mi.getLocation()

Hope my tips can give you some inspiration!