Sunday, 16 June 2013

NDepend Query to visualize call flows

After installing NDepend and writing a first simple CQL query, it was time to try something more interesting, namely a query that could help me write rules to find security vulnerabilities like SQL Injection.

So I decided to write a rule to find out the call flows into/from a particular method, ie ‘Who calls this method and who it calls?’

With NDepend enabled on the source code of TeamMentor/Master , I opened a class and chose this option:

image_thumb[59]

... which opened this Dependency Graph

image_thumb[60]

If I now select a method, an helper tab will appear below:

image_thumb[70]

... which for example, explains how to generate a call graph:

image_thumb[81]

As per the instructions above, to create a call-graph, I select the direct/indirect callers


image_thumb[89]

... which creates a (custom) CQL rule and executes it:

image_thumb[92]

Following the 2nd step of the instructions, I clicked on the ‘Export to Graph’ button, and I got this nice graph:

image_thumb[97]

Changing the query a little bit (from m.DepthOfIsUsing to m.DepthOfIsUsedBy )

image_thumb[98]

Gives us a recursive mapping of all methods called by the original method, ie the call-flow FROM the current method (the first graph gave us the call-flow INTO the current method):

image_thumb[106]

And I got this script right (see below), this is how we get both graphs together:

image_thumb[113]

.... which will create this graph:

image_thumb[112]

Now think of a similar view the attack surface at the top and the vulnerable APIs (like SQL execute) at the bottom :)

And although this would just be a call-flow analysis (vs taint analysis) my experience in doing similar analysis with the O2 Platform has shown that we can find A LOT of vulnerabilities this way (i.e. without needing the full taint analysis engine).
Post a Comment