
Discovering Critical Vulnerabilities Affecting Macs, iPhones, and iPads - dazhbog
https://semmle.com/news/apple-xnu-kernel-icmp-nfs-vulnerabilities
======
tptacek
Isn't this just a super-vendory marketing version of the blog post Kevin
himself wrote about the ICMP vulnerability earlier this week?

[https://news.ycombinator.com/item?id=18349942](https://news.ycombinator.com/item?id=18349942)

Note that Kevin himself did not claim he had managed to get code execution
from this vulnerability, but rather that he'd just verified heap corruption.
(In terms of evaluating the vulnerability, yes, you should assume kernel heap
corruption is morally equivalent to RCE. In terms of evaluating bragging
rights, which is what this Semmle post seems to be about, the difference is
pretty large.)

------
rgovostes
I've played with Semmle's product, which I think is called QL now, and I was
very impressed. It's a way to write queries about your code, like "show me
lines where the address to a non-packed struct is passed to fwrite() or
send()," for example.

clang-query might be conceptually similar (and open source), but QL has some
sort of graph database captured at compile time that is extremely fast to
query. QL's DSL may also be more intuitive and/or sophisticated than clang's,
but I haven't used either in a while.

Unless they've extended it since, QL does not actually simulate execution, so
it cannot find some of the same bug patterns that other analyzers can.

~~~
Tibbes
The dataflow analysis libraries in QL have significantly improved since 2015,
and were used to find the ICMP vulnerability mentioned in the article. See the
blog post for the query used. [1]

Dataflow analysis is a form of execution simulation that estimates the flow of
control and data from one part of the program to another. Of course, there are
many forms of simulation, and they vary in accuracy and the expense of
computing them.

[1]: [https://lgtm.com/blog/apple_xnu_icmp_error_CVE-2018-4407](https://lgtm.com/blog/apple_xnu_icmp_error_CVE-2018-4407)

------
rustcharm
I don't understand. Isn't Mac OSX "Secure By Design" (that's what they say on
their website)? How can some ICMP packet take control of every platform they
make? Isn't Mach a microkernel?

------
tmd83
Is this essentially a static analysis engine?

Does anyone have a good recommendation for a static analyzer focused
specifically on security? Any that really work for Java code?

~~~
oegerikus
Disclosure: I’m the founder of Semmle. As noted above, this conversation is a
dup, but I wanted to answer the questions that came up. Semmle’s core
technology is an engine for variant analysis: finding all instances of a
mistake that led to an incident, especially for security. Here's how Microsoft
uses Semmle:
[https://blogs.technet.microsoft.com/srd/2018/08/16/vulnerabi...](https://blogs.technet.microsoft.com/srd/2018/08/16/vulnerability-hunting-with-semmle-ql-part-1/).
The engine does support inter-procedural data flow analysis and simulates
execution in that sense. For examples of such data flow analysis on Java, see
[https://lgtm.com/blog/apache_struts_CVE-2018-11776-part2](https://lgtm.com/blog/apache_struts_CVE-2018-11776-part2).
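To make the two ideas raised in this thread concrete (Tibbes's point that dataflow analysis estimates how data moves through a program, and the founder's description of inter-procedural data flow used for variant analysis), here is an added toy example written for this page; it is not Semmle/QL code and does not reproduce the XNU query. It runs a memoised, inter-procedural taint pass over a constructed miniature IR in which an untrusted packet buffer feeds a length that reaches a copy-style sink, and reports every handler that repeats the same mistake while ignoring the one that overwrites the length with a constant. All function and variable names are made up.

```python
from functools import lru_cache
# Constructed toy IR: name -> (params, statements). Statement forms:
#   ("source", dst)              dst = untrusted input (e.g. packet bytes)
#   ("assign", dst, src)         dst = src
#   ("call", callee, args, ret)  ret = callee(*args)
#   ("return", var)              return var
#   ("sink", var)                var reaches a dangerous operation (e.g. a copy length)
PROGRAM = {
    "parse_len": (("pkt",), [("assign", "n", "pkt"), ("return", "n")]),
    "handler_a": (("pkt",), [("call", "parse_len", ["pkt"], "n"), ("sink", "n")]),
    "handler_b": (("pkt",), [("call", "parse_len", ["pkt"], "n"),
                             ("assign", "m", "n"), ("sink", "m")]),
    "handler_safe": (("pkt",), [("call", "parse_len", ["pkt"], "n"),
                                ("assign", "n", "CONST"), ("sink", "n")]),
    "recv_loop": ((), [("source", "pkt"), ("call", "handler_a", ["pkt"], "_"),
                       ("call", "handler_b", ["pkt"], "_"),
                       ("call", "handler_safe", ["pkt"], "_")]),
}

@lru_cache(maxsize=None)
def analyze(fname, tainted_args):
    """Forward taint pass over one function given which arguments are tainted.
    Returns (findings, return_is_tainted); memoised per calling context so each
    callee is summarised once. Assumes the call graph has no recursion."""
    params, body = PROGRAM[fname]
    tainted = {p for p, t in zip(params, tainted_args) if t}
    findings, ret_tainted = set(), False
    for stmt in body:
        op = stmt[0]
        if op == "source":
            tainted.add(stmt[1])
        elif op == "assign":  # overwriting with clean data kills taint
            _, dst, src = stmt
            (tainted.add if src in tainted else tainted.discard)(dst)
        elif op == "call":  # inter-procedural step: taint flows in via args, out via return
            _, callee, args, ret = stmt
            sub, rt = analyze(callee, tuple(a in tainted for a in args))
            findings |= sub
            (tainted.add if rt else tainted.discard)(ret)
        elif op == "return":
            ret_tainted = stmt[1] in tainted
        elif op == "sink" and stmt[1] in tainted:
            findings.add((fname, stmt[1]))
    return frozenset(findings), ret_tainted

def find_variants():
    """Analyse every function as an entry point; report each (function, var) where untrusted data reaches a sink."""
    return sorted(set().union(*(analyze(f, (False,) * len(p))[0]
                                for f, (p, _) in PROGRAM.items())))
```

`find_variants()` returns `[("handler_a", "n"), ("handler_b", "m")]`: the original pattern and its variant, with the handler that sanitises the length correctly left out.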

