Sunday 16 June 2013

NDepend Query to visualize call flows

After installing NDepend and writing a first simple CQL query, it was time to try something more interesting, namely a query that could help me write rules to find security vulnerabilities like SQL Injection.

So I decided to write a rule to find out the call flows into/from a particular method, ie ‘Who calls this method and who it calls?’

With NDepend enabled on the source code of TeamMentor/Master , I opened a class and chose this option:


... which opened this Dependency Graph


If I now select a method, an helper tab will appear below:


... which for example, explains how to generate a call graph:


As per the instructions above, to create a call-graph, I select the direct/indirect callers


... which creates a (custom) CQL rule and executes it:


Following the 2nd step of the instructions, I clicked on the ‘Export to Graph’ button, and I got this nice graph:


Changing the query a little bit (from m.DepthOfIsUsing to m.DepthOfIsUsedBy )


Gives us a recursive mapping of all methods called by the original method, ie the call-flow FROM the current method (the first graph gave us the call-flow INTO the current method):


And I got this script right (see below), this is how we get both graphs together:


.... which will create this graph:


Now think of a similar view the attack surface at the top and the vulnerable APIs (like SQL execute) at the bottom :)

And although this would just be a call-flow analysis (vs taint analysis) my experience in doing similar analysis with the O2 Platform has shown that we can find A LOT of vulnerabilities this way (i.e. without needing the full taint analysis engine).