Skip to content

Rust: More metrics for tracking taint.#18501

Merged
geoffw0 merged 12 commits intogithub:mainfrom
geoffw0:rustmetrics
Jan 17, 2025
Merged

Rust: More metrics for tracking taint.#18501
geoffw0 merged 12 commits intogithub:mainfrom
geoffw0:rustmetrics

Conversation

@geoffw0
Copy link
Contributor

@geoffw0 geoffw0 commented Jan 15, 2025

Add more metrics for tracking taint flow in Rust. Prior to this PR we have:

  • taint sources, tracked by rust/summary/taint-sources and rust/summary/summary-statistics.
  • sensitive data (which are also commonly used as taint sources), tracked by rust/summary/sensitive-data and rust/summary/summary-statistics.

Which doesn't give us a very complete picture. This PR adds:

  • query sinks, tracked by rust/summary/query-sinks, rust/summary/query-sink-counts and rust/summary/summary-statistics.
  • cryptographic operations (which are also commonly used as taint sinks), tracked by rust/summary/cryptographic-operations and rust/summary/summary-statistics.
  • taint edges (raw count), tracked by rust/summary/summary-statistics.
  • taint reach, tracked by rust/summary/summary-statistics.

Most of these are soon to be added to our DCA runs (for catching regressions) and our metrics tracking page (to inform future work).

In the past people have raised performance concerns about taint reach, but I've never seen a problem in practice. DCA will confirm.

@geoffw0 geoffw0 added no-change-note-required This PR does not need a change note Rust Pull requests that update Rust code labels Jan 15, 2025
Copilot AI review requested due to automatic review settings January 15, 2025 17:22
Copilot AI reviewed Jan 15, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review any files in this pull request.

Files not reviewed (7)
  • rust/ql/src/queries/summary/CryptographicOperations.ql: Language not supported
  • rust/ql/src/queries/summary/QuerySinkCounts.ql: Language not supported
  • rust/ql/src/queries/summary/QuerySinks.ql: Language not supported
  • rust/ql/src/queries/summary/Stats.qll: Language not supported
  • rust/ql/src/queries/summary/SummaryStats.ql: Language not supported
  • rust/ql/src/queries/summary/TaintReach.qll: Language not supported
  • rust/ql/test/query-tests/diagnostics/SummaryStats.expected: Language not supported

Tip: Copilot code review supports C#, Go, Java, JavaScript, Markdown, Python, Ruby and TypeScript, with more languages coming soon. Learn more

github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 15, 2025
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 15, 2025
View reviewed changes
hvitved
hvitved reviewed Jan 16, 2025
View reviewed changes
rust/ql/src/queries/summary/TaintReach.qll
private module TaintReachConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node node) { node instanceof ActiveThreatModelSource }

predicate isSink(DataFlow::Node node) { any() }
Copy link
Contributor

@hvitved hvitved Jan 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This certainly looks like something that will not perform very well...

Copy link
Contributor Author

@geoffw0 geoffw0 Jan 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, though:

  • we don't compute a path graph for this config.
  • we never had any real issues with the same code in Swift.
  • even on our largest database (windows-rs) with a slightly warmed up cache, quick eval-ing getTaintReach() takes 2 seconds. With vast amounts of fake sources etc added to increase reach beyond what I think is ever plausible, 24s.

I'm guessing execution time is roughly linear in the number of nodes reached??? I'd be interested to hear your thoughts, concerns and suggestions - even if this means changing what we measure.

Copy link
Contributor

@hvitved hvitved Jan 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, let's leave it as-is for now then.

paldepind
paldepind reviewed Jan 16, 2025
View reviewed changes
paldepind
paldepind reviewed Jan 16, 2025
View reviewed changes
paldepind
paldepind reviewed Jan 16, 2025
View reviewed changes
geoffw0 and others added 2 commits January 16, 2025 16:14
@geoffw0 @paldepind
Apply suggestions from code review
5f9e1c3 
Co-authored-by: Simon Friis Vindum <paldepind@github.com>
@geoffw0
Rust: Make QL-for-QL happy (part 2).
e5faf92
paldepind
paldepind approved these changes Jan 16, 2025
View reviewed changes
Copy link
Contributor

@paldepind paldepind left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. Really great to have these additional measures 👍

@geoffw0 geoffw0 merged commit 2d0c73a into github:main Jan 17, 2025
10 checks passed
@geoffw0 geoffw0 deleted the rustmetrics branch September 26, 2025 13:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@paldepind paldepind paldepind approved these changes

@hvitved hvitved hvitved left review comments

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

no-change-note-required This PR does not need a change note Rust Pull requests that update Rust code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@geoffw0 @paldepind @hvitved