From 03b8e649f1528905ed1709ce4581e9368337cccf Mon Sep 17 00:00:00 2001
From: tiferet
Date: Wed, 23 Nov 2022 10:46:27 -0800
Subject: [PATCH 1/2] Filter endpoints by confidence

Select endpoints to score at inference time base purely on their confidence level, and not on whether they fit the historical definition of endpoint filters.
---
 .../adaptivethreatmodeling/ATMConfig.qll | 21 +++++++++++--------
 .../EndpointCharacteristics.qll | 2 +-
 2 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll
index bce5a3172d6c..8eceff9e3621 100644
--- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll
@@ -80,15 +80,18 @@ abstract class AtmConfig extends string {
 // characteristics that are specific to this sink type.
 // TODO: Experiment with excluding all endpoints that have a medium- or high-confidence characteristic that implies
 // they're not sinks for this sink type (or not sinks for any sink type), not just the EndpointFilterCharacteristics.
- exists(EndpointCharacteristics::StandardEndpointFilterCharacteristic standardFilter |
- standardFilter.getEndpoints(candidateSink) and
- result = standardFilter
- )
- or
- exists(EndpointCharacteristics::EndpointFilterCharacteristic specificFilter |
- specificFilter.getEndpoints(candidateSink) and
- specificFilter.getImplications(this.getASinkEndpointType(), false, _) and
- result = specificFilter
+ exists(EndpointCharacteristics::EndpointCharacteristic filter, float confidence |
+ filter.getEndpoints(candidateSink) and
+ confidence >= filter.mediumConfidence() and
+ confidence < filter.highConfidence() and
+ (
+ // Exclude endpoints that have a characteristic that implies they're not sinks for _any_ sink type.
+ filter.getImplications(any(NegativeType negative), true, confidence)
+ or
+ // Exclude endpoints that have a characteristic that implies they're not sinks for _this particular_ sink type.
+ filter.getImplications(this.getASinkEndpointType(), false, confidence)
+ ) and
+ result = filter
 )
 }

diff --git a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll
index 1b305fa0b113..7bd615df1392 100644
--- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll
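Review bot: In `getAReasonSinkExcluded` (ATMConfig.qll) the new `exists` no longer matches on the filter classes, so an existing `EndpointFilterCharacteristic` keeps excluding endpoints only if its `getImplications` reports a confidence in the range from `mediumConfidence()` up to but excluding `highConfidence()`. Nothing in this hunk checks that, and a filter whose confidence lies outside the range would silently stop filtering. The old standard-filter branch also excluded on `getEndpoints` alone, without consulting `getImplications`. In the other direction, any non-filter characteristic with a negative implication in that range now removes endpoints from scoring, which for a security query would show up as missed sinks rather than as an error. I would add a consistency test comparing the excluded set before and after this change, plus a comment such as `// Relies on every EndpointFilterCharacteristic reporting a confidence in [medium, high).` above the two confidence bounds. The predicate's signature is above the hunk.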
@@ -462,7 +462,7 @@ abstract class EndpointFilterCharacteristic extends EndpointCharacteristic {
 * An EndpointFilterCharacteristic that indicates that an endpoint is unlikely to be a sink of any type.
 * Replaces https://github.com/github/codeql/blob/387e57546bf7352f7c1cfe781daa1a3799b7063e/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/StandardEndpointFilters.qll#LL15C24-L15C24
 */
-abstract class StandardEndpointFilterCharacteristic extends EndpointFilterCharacteristic {
+abstract private class StandardEndpointFilterCharacteristic extends EndpointFilterCharacteristic {
 bindingset[this]
 StandardEndpointFilterCharacteristic() { any() }

From 963407de4c20cf613db65183bc935f28145d7c89 Mon Sep 17 00:00:00 2001
From: tiferet
Date: Mon, 28 Nov 2022 11:16:06 -0800
Subject: [PATCH 2/2] Update the documentation

---
 .../adaptivethreatmodeling/ATMConfig.qll | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll
index 8eceff9e3621..814037837c15 100644
--- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll
@@ -73,16 +73,23 @@ abstract class AtmConfig extends string {
 not exists(this.getAReasonSinkExcluded(candidateSink))
 }

+ /**
+ * Gets the list of characteristics that cause `candidateSink` to be excluded as an effective sink.
+ */
 final EndpointCharacteristics::EndpointCharacteristic getAReasonSinkExcluded(
 JS::DataFlow::Node candidateSink
 ) {
- // An endpoint is an effective sink if it has neither standard endpoint filter characteristics nor endpoint filter
- // characteristics that are specific to this sink type.
- // TODO: Experiment with excluding all endpoints that have a medium- or high-confidence characteristic that implies
- // they're not sinks for this sink type (or not sinks for any sink type), not just the EndpointFilterCharacteristics.
+ // An endpoint is an effective sink (sink candidate) if none of its characteristics give much indication whether or
+ // not it is a sink. Historically, we used endpoint filters, and scored endpoints that are filtered out neither by
+ // a standard endpoint filter nor by an endpoint filter specific to this sink type. To replicate this behaviour, we
+ // have given the endpoint filter characteristics medium confidence, and we exclude endpoints that have a
+ // medium-confidence characteristic that indicates that they are not sinks, either in general or for this sink type.
 exists(EndpointCharacteristics::EndpointCharacteristic filter, float confidence |
 filter.getEndpoints(candidateSink) and
 confidence >= filter.mediumConfidence() and
+ // TODO: Experiment with excluding all endpoints that have a medium- or high-confidence characteristic that
+ // implies they're not sinks, rather than using only medium-confidence characteristics, by deleting the following
+ // line.
 confidence < filter.highConfidence() and
 (
 // Exclude endpoints that have a characteristic that implies they're not sinks for _any_ sink type.
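Review bot: The new QLDoc on `getAReasonSinkExcluded` says it gets "the list of characteristics", but the predicate yields one characteristic per result, as its `getA...` name indicates. `Gets a characteristic that causes candidateSink to be excluded as an effective sink.` would describe it accurately. The block comment also speaks of "medium-confidence" characteristics, while the condition below is the half-open range from `mediumConfidence()` up to but excluding `highConfidence()`. Stating that range in the comment would keep it consistent with the TODO about deleting the upper bound. The predicate body continues past the end of the hunk.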