<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Programming on Shivasurya</title><link>http://shivasurya.me/tags/programming/</link><description>Recent content in Programming on Shivasurya</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Tue, 10 Sep 2024 00:00:00 +0000</lastBuildDate><atom:link href="http://shivasurya.me/tags/programming/feed.xml" rel="self" type="application/rss+xml"/><item><title>CodeQL: Eindhoven Quantifier Notation</title><link>http://shivasurya.me/2024/09/10/codeql-eindhoven-quantifier-notation/</link><pubDate>Tue, 10 Sep 2024 00:00:00 +0000</pubDate><guid>http://shivasurya.me/2024/09/10/codeql-eindhoven-quantifier-notation/</guid><description>&lt;h3 id="introduction">Introduction&lt;/h3>
&lt;p>Recently, I have been thinking about aggregate functionality design for &lt;a href="https://codepathfinder.dev/">Code PathFinder&lt;/a>, an &lt;a href="https://github.com/shivasurya/code-pathfinder">open-source alternative to GitHub CodeQL&lt;/a>. SQL aggregate functions such as &lt;code>SUM&lt;/code>, &lt;code>AVG&lt;/code>, &lt;code>MIN&lt;/code> and &lt;code>MAX&lt;/code> are combined with &lt;code>WHERE&lt;/code> and &lt;code>GROUP BY&lt;/code> to generate aggregate queries. However, I was wondering whether there is a way to generate aggregate queries without using &lt;code>WHERE&lt;/code> and &lt;code>GROUP BY&lt;/code>. While going through the &lt;a href="https://codeql.github.com/publications/ql-for-source-code-analysis.pdf">CodeQL design research paper&lt;/a>, I came across the Eindhoven Quantifier Notation, which is quite interesting, easy to understand and can be used to generate aggregate queries. This blog post discusses the Eindhoven Quantifier Notation as adopted by CodeQL.&lt;/p></description></item><item><title>Sherlock: Automate security code reviews with Cody AI</title><link>http://shivasurya.me/2024/06/27/automate-security-code-reviews-with-cody-ai/</link><pubDate>Thu, 27 Jun 2024 00:00:00 +0000</pubDate><guid>http://shivasurya.me/2024/06/27/automate-security-code-reviews-with-cody-ai/</guid><description>&lt;h3 id="intro">Intro&lt;/h3>
&lt;h3 id="need-for-semi-autonomous-security-code-reviews">Need for semi-autonomous security code reviews&lt;/h3>
&lt;p>My job as a security engineer (application security context) is to read source code and perform security reviews. Most of the time, this means correlating the source code with frameworks &amp;amp; libraries, understanding the context in which the code executes and enumerating all security risks. There are a lot of second-generation SAST scanning tools on the market which are good at identifying patterns, eliminating false positives, and executing and returning results in minutes. I believe,&lt;/p></description></item><item><title>Defining Boundaries &amp; Sinks for Inter-procedural Source Sink Analysis - Part 3</title><link>http://shivasurya.me/2024/03/08/building-inter-procedural-source-sink-analysis-from-scratch-part-3/</link><pubDate>Fri, 08 Mar 2024 00:00:00 +0000</pubDate><guid>http://shivasurya.me/2024/03/08/building-inter-procedural-source-sink-analysis-from-scratch-part-3/</guid><description>&lt;p>This is the third part of the blog post series on building inter-procedural source sink analysis from scratch. In the first part, we built the &lt;a href="https://shivasurya.me/static-analysis/sast/2023/08/27/building-simple-source-sink-analysis-from-scratch-part-1.html">intra-procedural source sink analysis&lt;/a>. In this blog post, I&amp;rsquo;ll discuss defining boundaries, configs and sinks for inter-procedural analysis. ✨ This idea of defining boundaries and sinks is inspired by the &lt;a href="https://codeql.github.com/">CodeQL&lt;/a> library and by discussions with my colleague at the &lt;a href="https://www.swag.uwaterloo.ca/">SWAG lab @ uwaterloo&lt;/a>.&lt;/p>
&lt;h3 id="plan">Plan&lt;/h3>
&lt;p>While tools like CodeQL have well-defined support for libraries and frameworks, such as the &lt;a href="https://codeql.github.com/codeql-standard-libraries/java/semmle/code/java/frameworks/android/Android.qll/module.Android.html">Android CodeQL&lt;/a> library, and those libraries come with predefined boundaries and sinks, when starting from scratch we need to define our own boundaries and sinks. The boundaries are the entry points and the sinks are the exit points.&lt;/p></description></item><item><title>Deep dive on Android Java / Kotlin Deserialization Code Execution with Semgrep Detection</title><link>http://shivasurya.me/2024/01/24/java-deserialization-rce-android-application-layer/</link><pubDate>Wed, 24 Jan 2024 00:00:00 +0000</pubDate><guid>http://shivasurya.me/2024/01/24/java-deserialization-rce-android-application-layer/</guid><description>&lt;h3 id="overview">Overview&lt;/h3>
&lt;p>In this post, we will explore code execution via Java &amp;amp; Kotlin deserialization in Android applications. Additionally, we will discuss the gadget chain, detection and exploitation techniques specific to Android. Achieving code execution in a server-side application via Java deserialization has a higher chance of success than in a client-side Android application. This is due to the limited variety of classes loaded in an Android application. For instance, &lt;code>com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl&lt;/code> is available in OpenJDK but not in the Android JDK (but with modification). These limitations can be a blocker for loading arbitrary classes and executing a payload (mostly compiled bytecode) in an Android application. There are a lot of published deserialization vulnerabilities out there, such as&lt;/p></description></item><item><title>Building Inter-procedural Source Sink Analysis from Scratch - Part 2</title><link>http://shivasurya.me/2023/09/01/building-inter-procedural-source-sink-analysis-from-scratch-part-2/</link><pubDate>Fri, 01 Sep 2023 00:00:00 +0000</pubDate><guid>http://shivasurya.me/2023/09/01/building-inter-procedural-source-sink-analysis-from-scratch-part-2/</guid><description>&lt;p>This is the second part of the blog post series on building inter-procedural source sink analysis from scratch. In the first part, we built the &lt;a href="https://shivasurya.me/static-analysis/sast/2023/08/27/building-simple-source-sink-analysis-from-scratch-part-1.html">intra-procedural source sink analysis&lt;/a>. In this blog post, we will build the inter-procedural source sink analysis.&lt;/p>
&lt;h3 id="plan">Plan&lt;/h3>
&lt;p>We&amp;rsquo;ll parse the whole Java project source code and generate an AST using JavaParser. While traversing the AST, we will collect the method declarations and method invocations, and then use a graph algorithm to find the path from source to sink. The source is the method declaration and the sink is the method invocation: the method declaration is the node and the method invocation is the edge. Since classes may contain duplicate method names with different signatures, we use the fully qualified method name (class name + method name + method arguments) to uniquely identify a method; the method arguments differentiate overloaded methods. The method declaration is the key and the method invocations are the values in a hashmap, which is used to build the graph and find the path from source to sink.&lt;/p></description></item><item><title>Building A Simple Source-Sink Analysis in Java from Scratch - Part 1</title><link>http://shivasurya.me/2023/08/27/building-simple-source-sink-analysis-from-scratch-part-1/</link><pubDate>Sun, 27 Aug 2023 00:00:00 +0000</pubDate><guid>http://shivasurya.me/2023/08/27/building-simple-source-sink-analysis-from-scratch-part-1/</guid><description>&lt;h3 id="overview-of-source-sink-analysis">Overview of Source Sink Analysis&lt;/h3>
&lt;p>Source Sink Analysis is a type of basic static analysis that detects the flow of information from a source to a sink. A source is a place where the information is coming from and a sink is a place where the information is going to. For example, a source can be a user input and a sink can be a database query. If the user input is not sanitized, it can lead to SQL Injection. Apart from source sink techniques, there are other techniques like taint analysis, control flow graph, data flow analysis, etc. which are used to detect vulnerabilities in the code. In this blog post, we will be building a simple source sink analysis in Java from scratch.&lt;/p></description></item><item><title>From ArcGIS to Mapbox: How Cody AI Made My Web App Shine</title><link>http://shivasurya.me/2023/07/02/sourcegraph-cody/</link><pubDate>Sun, 02 Jul 2023 00:00:00 +0000</pubDate><guid>http://shivasurya.me/2023/07/02/sourcegraph-cody/</guid><description>&lt;p>Imagine being a newcomer to Canada around 2019, relying on public transit to navigate the Waterloo region. Like many others, I found myself frustrated with the occasional unreliability of Google Maps when searching for public transit options. However, my luck changed when I stumbled upon a cool command line tool developed by a UWaterloo student that predicted the next bus or LRT arrival time within seconds. This discovery led me to GRT.ca, a website providing real-time transit feed updates, allowing me to track the exact location of buses and LRTs. Inspired by this newfound resource, I created a naive map using ArcGIS ESRI Maps, loading location information from the protobuf feed and deploying it on my domain, livemap.shivasurya.me. 
This map became my go-to tool for finding the precise location of the next bus or LRT.&lt;/p></description></item><item><title>Binary Search and Hidden Overflow 🪲</title><link>http://shivasurya.me/2022/12/04/binary-search-overflow/</link><pubDate>Sun, 04 Dec 2022 00:00:00 +0000</pubDate><guid>http://shivasurya.me/2022/12/04/binary-search-overflow/</guid><description>&lt;p>Recently I was playing with overflow vulnerabilities with the help of the &lt;code>exploit.education&lt;/code> exercises, which mostly cover basic heap, buffer overflow,
use-after-free vulnerability patterns in a contained &lt;code>qemu&lt;/code> based environment. However, I was searching for integer overflow patterns and articles around it: &amp;ldquo;how to successfully convert an integer overflow into a remote code execution&amp;rdquo;. While reading through the vulnerability reports, I started exploring code snippets relevant to integer overflow and this blog post &lt;a href="https://ai.googleblog.com/2006/06/extra-extra-read-all-about-it-nearly.html">&lt;code>Nearly All Binary Searches and Mergesorts are Broken&lt;/code>&lt;/a> caught my eye.&lt;/p></description></item></channel></rss>