Improve nested type and state machine handling in IL extraction

Normalized nested type names from '/' to '.' for consistency in ILExtractor and method call targets. Added extraction of nested types, including compiler-generated state machines. Updated VulnerableCalls.qll to link iterator/async stub methods to their state machine implementations, improving vulnerability tracking. Updated codeql-extractor.yml to specify dbscheme.

Author: gfs

binary/extractor/cil/Semmle.Extraction.CSharp.IL/ILExtractor.cs

@@ -32,10 +32,6 @@ public void Extract(string dllPath) {
 
       foreach (var module in assembly.Modules) {
         foreach (var type in module.Types) {
-          // Skip compiler-generated types for now
-          if (type.Name.Contains("<") || type.Name.StartsWith("<"))
-            continue;
-
           ExtractType(type);
         }
       }
@@ -64,8 +60,22 @@ private void ExtractType(TypeDefinition type) {
     var typeId = trap.GetId();
     typeIds[type.FullName] = typeId;
 
+    // For nested types, we need to construct proper namespace and name
+    // Cecil uses '/' for nested types (e.g., "Outer/Inner") but the call targets use '.'
+    // So we normalize to dot notation for consistency
+    var fullName = type.FullName.Replace('/', '.');
+    var typeName = type.Name;
+    string typeNamespace;
+    
+    if (type.IsNested && type.DeclaringType != null) {
+      // For nested types, the namespace is the parent type's full name
+      typeNamespace = type.DeclaringType.FullName.Replace('/', '.');
+    } else {
+      typeNamespace = type.Namespace;
+    }
+
     // Write type info
-    trap.WriteTuple("types", typeId, type.FullName, type.Namespace, type.Name);
+    trap.WriteTuple("types", typeId, fullName, typeNamespace, typeName);
 
     foreach (var method in type.Methods) {
       // Skip some special methods
@@ -74,6 +84,13 @@ private void ExtractType(TypeDefinition type) {
 
       ExtractMethod(method, typeId);
     }
+
+    // Extract nested types (includes compiler-generated state machines)
+    if (type.HasNestedTypes) {
+      foreach (var nestedType in type.NestedTypes) {
+        ExtractType(nestedType);
+      }
+    }
   }
 
   private void ExtractMethod(MethodDefinition method, int typeId) {
@@ -146,9 +163,9 @@ private void ExtractMethodBody(MethodDefinition method, int methodId) {
         // Branch target
         trap.WriteTuple("il_branch_target", instrId, targetInstr.Offset);
       } else if (instruction.Operand is MethodReference methodRef) {
-        // Method call - we'll resolve this in a second pass
-        var targetMethodName =
-            $"{methodRef.DeclaringType.FullName}.{methodRef.Name}";
+        // Method call - normalize nested type separators from '/' to '.'
+        var declaringTypeName = methodRef.DeclaringType.FullName.Replace('/', '.');
+        var targetMethodName = $"{declaringTypeName}.{methodRef.Name}";
         trap.WriteTuple("il_call_target_unresolved", instrId, targetMethodName);
         trap.WriteTuple("il_number_of_arguments", instrId, methodRef.Parameters.Count);
         if(methodRef.MethodReturnType.ReturnType.MetadataType is not Mono.Cecil.MetadataType.Void) {

binary/extractor/cil/codeql-extractor.yml

@@ -12,4 +12,5 @@ file_types:
     display_name: C# IL
     extensions:
       - .exe
-      - .dll
+      - .dll
+dbscheme: semmlecode.binary.dbscheme

binary/ql/src/VulnerableCalls/VulnerableCalls.qll

@@ -48,9 +48,44 @@ Function getADirectlyVulnerableMethod(string id) {
   result = getAVulnerableCallFromModel(id).getEnclosingFunction()
 }
 
+/**
+ * Holds if `stub` is an iterator/async stub method and `stateMachine` is its
+ * corresponding state machine implementation (the MoveNext method).
+ * 
+ * Iterator/async methods in C# are compiled to:
+ * 1. A stub method that creates a state machine object
+ * 2. A nested class with a MoveNext method containing the actual implementation
+ * 
+ * The pattern is: method `Foo` in class `Bar` creates `Bar.<Foo>d__N` 
+ * and the impl is in `Bar.<Foo>d__N.MoveNext`
+ */
+private predicate isStateMachineImplementation(Function stub, Function stateMachine) {
+  exists(string stubName, Type stubType, string stateMachineTypeName |
+    stubName = stub.getName() and
+    stubType = stub.getDeclaringType() and
+    stateMachine.getName() = "MoveNext" and
+    // The state machine type is nested in the same type as the stub
+    // and named <MethodName>d__N
+    stateMachineTypeName = stateMachine.getDeclaringType().getName() and
+    stateMachineTypeName.matches("<" + stubName + ">d__%" ) and
+    // The state machine's declaring type's namespace should be the stub's type full name
+    stateMachine.getDeclaringType().getNamespace() = stubType.getFullName()
+  )
+}
+
+/**
+ * Gets the state machine implementation for an iterator/async stub method.
+ */
+Function getStateMachineImplementation(Function stub) {
+  isStateMachineImplementation(stub, result)
+}
+
 /**
  * Gets a method that transitively calls a vulnerable method.
  * This computes the transitive closure of the call graph.
+ * 
+ * Also handles iterator/async methods by linking stub methods to their
+ * state machine implementations.
  */
 Function getAVulnerableMethod(string id) {
   // Direct call to vulnerable method
@@ -63,6 +98,13 @@ Function getAVulnerableMethod(string id) {
     call.getTargetOperand().getAnyDef().(ExternalRefInstruction).getFullyQualifiedName() =
       callee.getFullyQualifiedName()
   )
+  or
+  // Iterator/async: if a state machine's MoveNext is vulnerable, 
+  // the stub method that creates it is also vulnerable
+  exists(Function stateMachine |
+    stateMachine = getAVulnerableMethod(id) and
+    isStateMachineImplementation(result, stateMachine)
+  )
 }
 
 /**