Add CIL vulnerable call detection framework

Introduces a new CodeQL pack for detecting calls to known-vulnerable methods in CIL binaries specified with data extensions. Adds abstract callable interfaces, CIL-specific implementations, query and summarization logic, model extension support, and example model data for vulnerability identification.

Author: gfs

binary/ql/lib/semmle/code/binary/Callable.qll

@@ -0,0 +1,80 @@
+/**
+ * Provides abstract classes for representing callable entities and call sites
+ * across different binary formats (CIL, x86, etc.).
+ *
+ * This module defines a common interface that allows queries to work uniformly
+ * across binary types while allowing format-specific implementations.
+ */
+
+/**
+ * An abstract callable entity (method, function, etc.) in a binary.
+ * Subclasses provide format-specific implementations.
+ */
+abstract class Callable extends string {
+  Callable() { this = this.getIdentifier() }
+
+  /**
+   * Gets a unique identifier for this callable.
+   * For CIL, this is the fully qualified method name.
+   * For x86, this might be a symbol name or address.
+   */
+  abstract string getIdentifier();
+
+  /**
+   * Gets a human-readable name for this callable.
+   */
+  abstract string getName();
+
+  /**
+   * Gets the location of this callable in the source/binary.
+   */
+  abstract Location getLocation();
+
+  /**
+   * Gets a call site within this callable that calls another callable.
+   */
+  abstract CallSite getACallSite();
+
+  /**
+   * Holds if this callable is publicly accessible (exported, public, etc.).
+   */
+  abstract predicate isPublic();
+}
+
+/**
+ * An abstract call site - a location where one callable invokes another.
+ */
+abstract class CallSite extends string {
+  CallSite() { this = this.getIdentifier() }
+
+  /**
+   * Gets a unique identifier for this call site.
+   */
+  abstract string getIdentifier();
+
+  /**
+   * Gets the callable containing this call site.
+   */
+  abstract Callable getEnclosingCallable();
+
+  /**
+   * Gets the target of this call, if it can be resolved.
+   * Returns the identifier that can be matched against models.
+   */
+  abstract string getCallTargetIdentifier();
+
+  /**
+   * Gets the location of this call site.
+   */
+  abstract Location getLocation();
+}
+
+/**
+ * Holds if `caller` directly calls `callee` (by identifier).
+ */
+predicate directlyCallsIdentifier(Callable caller, string calleeIdentifier) {
+  exists(CallSite cs |
+    cs.getEnclosingCallable() = caller and
+    cs.getCallTargetIdentifier() = calleeIdentifier
+  )
+}

binary/ql/lib/semmle/code/binary/cil/CilCallable.qll

@@ -0,0 +1,126 @@
+/**
+ * Provides CIL-specific implementations of the Callable framework.
+ * This module bridges CIL instructions and methods to the abstract Callable interface.
+ */
+
+private import binary
+private import semmle.code.binary.ast.internal.CilInstructions
+
+/**
+ * A CIL type (class, struct, interface, etc.).
+ */
+class CilType extends @type {
+  string toString() { result = this.getName() }
+
+  /** Gets the full name of this type (e.g., "System.Collections.Generic.List`1"). */
+  string getFullName() { types(this, result, _, _) }
+
+  /** Gets the namespace of this type (e.g., "System.Collections.Generic"). */
+  string getNamespace() { types(this, _, result, _) }
+
+  /** Gets the simple name of this type (e.g., "List`1"). */
+  string getName() { types(this, _, _, result) }
+
+  /** Gets a method declared in this type. */
+  CilMethodExt getAMethod() { result.getDeclaringType() = this }
+}
+
+/**
+ * A CIL method with enhanced metadata for the Callable framework.
+ * Extends the base CilMethod with type information and qualified names.
+ */
+class CilMethodExt extends CilMethod {
+  /** Gets the type that declares this method. */
+  CilType getDeclaringType() { methods(this, _, _, result) }
+
+  /**
+   * Gets the fully qualified name of this method in the format:
+   * "Namespace.ClassName.MethodName"
+   */
+  string getFullyQualifiedName() {
+    exists(CilType t | t = this.getDeclaringType() |
+      result = t.getFullName() + "." + this.getName()
+    )
+  }
+
+  /**
+   * Holds if this method matches the given namespace, class name, and method name.
+   */
+  predicate hasFullyQualifiedName(string namespace, string className, string methodName) {
+    exists(CilType t | t = this.getDeclaringType() |
+      t.getNamespace() = namespace and
+      t.getName() = className and
+      this.getName() = methodName
+    )
+  }
+
+  /** Holds if this method is publicly accessible. */
+  predicate isPublic() {
+    // TODO: Check actual visibility flags when available in dbscheme
+    // For now, we can't determine visibility from IL alone
+    any()
+  }
+
+  /** Gets the location of this method. */
+  Location getMethodLocation() {
+    result = this.getInstruction(0).getLocation()
+    or
+    not exists(this.getInstruction(0)) and
+    result instanceof EmptyLocation
+  }
+}
+
+/**
+ * A CIL call instruction with enhanced target resolution.
+ */
+class CilCallExt extends CilCall {
+  CilCallExt() { any() }
+
+  /**
+   * Gets the fully qualified name of the call target.
+   * This is extracted from il_call_target_unresolved.
+   */
+  string getCallTargetFullyQualifiedName() { result = this.getExternalName() }
+
+  /**
+   * Holds if this call targets a method matching the given fully qualified components.
+   * The external name format is "Namespace.ClassName.MethodName" (e.g., "System.Console.WriteLine").
+   */
+  predicate targetsMethod(string namespace, string className, string methodName) {
+    exists(string target | target = this.getExternalName() |
+      // Format: Namespace.ClassName.MethodName
+      // We need to find the last two dots to split namespace, class, and method
+      exists(int lastDot, int secondLastDot, string nsAndClass |
+        lastDot = max(int i | target.charAt(i) = ".") and
+        methodName = target.suffix(lastDot + 1) and
+        nsAndClass = target.prefix(lastDot) and
+        secondLastDot = max(int i | nsAndClass.charAt(i) = ".") and
+        namespace = nsAndClass.prefix(secondLastDot) and
+        className = nsAndClass.substring(secondLastDot + 1, nsAndClass.length())
+      )
+    )
+  }
+
+  /** Gets the enclosing method with extended metadata. */
+  CilMethodExt getEnclosingMethodExt() { result = this.getEnclosingMethod() }
+}
+
+/**
+ * Holds if `caller` contains a call to a method identified by `(namespace, className, methodName)`.
+ */
+predicate hasCallTo(CilMethodExt caller, string namespace, string className, string methodName) {
+  exists(CilCallExt call |
+    call.getEnclosingMethodExt() = caller and
+    call.targetsMethod(namespace, className, methodName)
+  )
+}
+
+/**
+ * Holds if `caller` contains a call to a method with the given fully qualified target name.
+ */
+predicate hasCallToTarget(CilMethodExt caller, string targetFqn) {
+  exists(CilCallExt call |
+    call.getEnclosingMethodExt() = caller and
+    call.getCallTargetFullyQualifiedName() = targetFqn
+  )
+}

binary/ql/src/VulnerableCalls/VulnerableCalls.ql

@@ -0,0 +1,15 @@
+/**
+ * @name Call to vulnerable method
+ * @description Calling a method with a known security vulnerability may expose the application
+ *              if the relevant dependency is not updated.
+ * @kind problem
+ * @problem.severity warning
+ * @precision high
+ * @id binary/vulnerable-calls
+ */
+
+import VulnerableCalls
+
+from VulnerableMethodCall call, string id
+where call.getVulnerabilityId() = id
+select call, "This call is potentially vulnerable to " + id

binary/ql/src/VulnerableCalls/VulnerableCalls.qll

@@ -0,0 +1,105 @@
+/**
+ * Provides predicates for finding calls that transitively make a call to a
+ * known-vulnerable method in CIL (C# IL) binaries.
+ */
+
+private import binary
+import semmle.code.binary.cil.CilCallable
+
+/**
+ * Holds if any call identified by `(namespace, className, methodName)` should be flagged
+ * as potentially vulnerable, for reasons explained by the advisory with the given `id`.
+ *
+ * This is an extensible predicate - values are provided via YAML data extensions.
+ */
+extensible predicate vulnerableCallModel(
+  string namespace, string className, string methodName, string id
+);
+
+/**
+ * A method call that has been marked as vulnerable by a model.
+ */
+class VulnerableMethodCall extends CilCallExt {
+  string vulnerabilityId;
+
+  VulnerableMethodCall() {
+    exists(string namespace, string className, string methodName |
+      vulnerableCallModel(namespace, className, methodName, vulnerabilityId) and
+      this.targetsMethod(namespace, className, methodName)
+    )
+  }
+
+  /** Gets the vulnerability ID associated with this call. */
+  string getVulnerabilityId() { result = vulnerabilityId }
+
+  /** Gets the enclosing method. */
+  CilMethodExt getEnclosingVulnerableMethod() { result = this.getEnclosingMethodExt() }
+}
+
+/**
+ * Gets a call that a model has marked as vulnerable for the reason given by `id`.
+ */
+VulnerableMethodCall getAVulnerableCallFromModel(string id) { result.getVulnerabilityId() = id }
+
+/**
+ * Gets a method that directly contains a vulnerable call.
+ */
+CilMethodExt getADirectlyVulnerableMethod(string id) {
+  result = getAVulnerableCallFromModel(id).getEnclosingVulnerableMethod()
+}
+
+/**
+ * Gets a method that transitively calls a vulnerable method.
+ * This computes the transitive closure of the call graph.
+ */
+CilMethodExt getAVulnerableMethod(string id) {
+  // Direct call to vulnerable method
+  result = getADirectlyVulnerableMethod(id)
+  or
+  // Transitive: method calls another method that is vulnerable
+  exists(CilCallExt call, CilMethodExt callee |
+    call.getEnclosingMethodExt() = result and
+    callee = getAVulnerableMethod(id) and
+    call.getCallTargetFullyQualifiedName() = callee.getFullyQualifiedName()
+  )
+}
+
+/**
+ * Gets a public method that transitively calls a vulnerable method.
+ */
+CilMethodExt getAPublicVulnerableMethod(string id) {
+  result = getAVulnerableMethod(id) and
+  result.isPublic()
+}
+
+/**
+ * Module for exporting vulnerable method information in a format suitable for
+ * model generation or further analysis.
+ */
+module ExportedVulnerableCalls {
+  /**
+   * Holds if `(namespace, className, methodName)` identifies a method that
+   * leads to a vulnerable call identified by `id`.
+   */
+  predicate pathToVulnerableMethod(
+    string namespace, string className, string methodName, string id
+  ) {
+    exists(CilMethodExt m |
+      m = getAVulnerableMethod(id) and
+      m.hasFullyQualifiedName(namespace, className, methodName)
+    )
+  }
+
+  /**
+   * Holds if `(namespace, className, methodName)` identifies a public method
+   * that leads to a vulnerable call identified by `id`.
+   */
+  predicate publicPathToVulnerableMethod(
+    string namespace, string className, string methodName, string id
+  ) {
+    exists(CilMethodExt m |
+      m = getAPublicVulnerableMethod(id) and
+      m.hasFullyQualifiedName(namespace, className, methodName)
+    )
+  }
+}

binary/ql/src/VulnerableCalls/VulnerableCallsSummarize.ql

@@ -0,0 +1,19 @@
+/**
+ * @name Methods that call vulnerable code
+ * @description Lists all methods that transitively call a vulnerable method,
+ *              useful for generating models or understanding impact.
+ * @kind problem
+ * @problem.severity recommendation
+ * @precision high
+ * @id binary/vulnerable-calls-summarize
+ */
+
+import VulnerableCalls
+
+from CilMethodExt method, string id, string namespace, string className, string methodName
+where
+  method = getAVulnerableMethod(id) and
+  method.hasFullyQualifiedName(namespace, className, methodName)
+select method,
+  "Method " + namespace + "." + className + "." + methodName +
+    " transitively calls vulnerable code (" + id + ")"

binary/ql/src/VulnerableCalls/codeql-pack.lock.yml

@@ -0,0 +1,14 @@
+---
+lockVersion: 1.0.0
+dependencies:
+  codeql/controlflow:
+    version: 2.0.21
+  codeql/dataflow:
+    version: 2.0.21
+  codeql/ssa:
+    version: 2.0.13
+  codeql/typetracking:
+    version: 2.0.21
+  codeql/util:
+    version: 2.0.24
+compiled: false

binary/ql/src/VulnerableCalls/models/.gitkeep

@@ -0,0 +1,9 @@
+# Model files go here
+# Example format:
+#
+# extensions:
+#   - addsTo:
+#       pack: binary/vulnerable-calls
+#       extensible: vulnerableCallModel
+#     data:
+#       - ["System.Net.Http", "HttpClient", "GetAsync", "CVE-2024-XXXX"]

binary/ql/src/VulnerableCalls/models/test-model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: binary/vulnerable-calls
+      extensible: vulnerableCallModel
+    data:
+      - ["System", "Console", "WriteLine", "TEST-VULN-001"]

binary/ql/src/VulnerableCalls/qlpack.yml

@@ -0,0 +1,7 @@
+name: binary/vulnerable-calls
+version: 0.0.1
+dependencies:
+  microsoft/binary-all: "*"
+extractor: cil
+dataExtensions:
+  - models/**/*.yml