code property graphs & joern - simple, precise static code analysis

who am i

  • security research engineer at Qwiet (formerly ShiftLeft)
  • writing software for more than 15 years
  • moved into computer security ~3 years ago, working on static analysis

code property graph

a directed, edge-labeled, attributed multigraph in which each node carries at least one attribute that indicates its type.

  • nodes. represent program constructs and have types
  • edges. labeled, directed, represent relations between program constructs
  • properties. nodes carry key-value pairs

vulnerabilities are represented by combinations of nodes and edges in code property graphs.
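
A toy version of the structure defined above, with one vulnerability expressed as a pattern of nodes and edges; this is an added illustration, not Joern's code or its query language. The `Cpg` class, the simplified node and edge labels and the two sample C functions are constructed for this example.

```python
class Cpg:
    """Toy code property graph: typed nodes, labeled directed edges, key-value properties."""
    def __init__(self, nodes, edges):
        self.nodes = nodes   # id -> {"label": node type, ...other properties}
        self.edges = edges   # (src, edge label, dst) triples; a list permits parallel edges

    def by_label(self, label, **props):
        return [n for n, a in self.nodes.items()
                if a["label"] == label and all(a.get(k) == v for k, v in props.items())]

    def succ(self, nid, label):
        return [d for s, lbl, d in self.edges if s == nid and lbl == label]

    def pred(self, nid, label):
        return [s for s, lbl, d in self.edges if d == nid and lbl == label]

    def reaches(self, src, dst, label):
        seen, todo = set(), [src]   # walk edges of one label, starting at src
        while todo:
            n = todo.pop()
            if n not in seen:
                seen.add(n)
                todo.extend(self.succ(n, label))
        return dst in seen

# Constructed input (simplified labels): void greet(char *name) { char buf[16]; strcpy(buf, name); }
#                                        void safe(void)        { char buf[16]; strcpy(buf, "hi"); }
SAMPLE = Cpg(
    {1: dict(label="METHOD", name="greet"), 2: dict(label="PARAM", name="name"),
     3: dict(label="LOCAL", name="buf", type="char[16]"), 4: dict(label="CALL", name="strcpy"),
     5: dict(label="IDENTIFIER", name="buf", index=1), 6: dict(label="IDENTIFIER", name="name", index=2),
     7: dict(label="METHOD", name="safe"), 8: dict(label="LOCAL", name="buf", type="char[16]"),
     9: dict(label="CALL", name="strcpy"), 10: dict(label="IDENTIFIER", name="buf", index=1),
     11: dict(label="LITERAL", code='"hi"', index=2)},
    [(1, "AST", 2), (1, "AST", 3), (1, "AST", 4), (4, "ARGUMENT", 5), (4, "ARGUMENT", 6),
     (5, "REF", 3), (6, "REF", 2), (2, "REACHING_DEF", 6),
     (7, "AST", 8), (7, "AST", 9), (9, "ARGUMENT", 10), (9, "ARGUMENT", 11), (10, "REF", 8)])

def overflow_candidates(g):
    """Methods calling strcpy into a fixed-size local with a source that flows from a parameter."""
    hits = []
    for call in g.by_label("CALL", name="strcpy"):
        arg = {g.nodes[a]["index"]: a for a in g.succ(call, "ARGUMENT")}
        fixed = any(g.nodes[t]["label"] == "LOCAL" and "[" in g.nodes[t]["type"]
                    for t in g.succ(arg[1], "REF"))
        tainted = any(g.reaches(p, arg[2], "REACHING_DEF") for p in g.by_label("PARAM"))
        if fixed and tainted:
            hits += [g.nodes[m]["name"] for m in g.pred(call, "AST")]
    return hits
```

Only `greet` matches: both functions copy into a fixed-size local, but in `safe` the source is a literal with no data-flow edge from a parameter.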

joern

  • in development for the past 10 years
  • interactive, Scala-based tool for automated vulnerability discovery
  • allows analyzing large code bases written in C, C++, Java, JavaScript, Kotlin & more
  • provides a query language for code property graphs
  • provides scripting functionality

kotlin2cpg

  • mostly parsing code
  • parser library: IntelliJ’s Program Structure Interface
  • representing 50% of constructs is easy, 80% is hard, 90%+ tricky
  • does not require a working build but requires dependencies
  • other frontends do not require dependencies

a bug, a joern query, another bug

you can do a lot more with joern

  • model a stack-based buffer overflow in a C program
  • model a directory traversal in a Java program
  • model an XSS in a JavaScript application
  • in beta: model vulns in PHP programs
  • in development: model vulns in Ruby programs

https://github.com/joernio/joern/

@ursachec

https://joern.io