dotnet: consider emitting namespace, class, method, and field/property names referenced by an assembly #1013

Closed
mike-hunhoff opened this issue May 3, 2022 · 8 comments
Labels
dotnet question Further information is requested

Comments

@mike-hunhoff
Collaborator

(1) e.g. emit the following for System.IO.File::OpenRead:

- namespace: System.IO
- class: File
- method: OpenRead

(2) be more explicit to avoid FPs resulting from naming conflicts, e.g.:

- namespace: System.IO
- class: System.IO.File
- method: System.IO.File::OpenRead

and for properties, e.g. (more discussion in #939):

- namespace: System.Net
- class: System.Net.WebRequest
- property: System.Net.WebRequest::Method

I like option 2 the best, and I think this would apply to both file and function scopes and both internal and external references.
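
The naming-conflict false positive that option (2) is meant to avoid, as an added Python example that is not part of the original thread and is not capa's extractor code. The helper names and the `Contoso.Logging.File` reference are constructed for illustration.

```python
# Added illustration, not capa's extractor. Feature names (namespace, class,
# method, property) come from the issue; everything else is hypothetical.

# Constructed references in the "Namespace.Class::Member" form used above.
FRAMEWORK_REFS = [
    ("method", "System.IO.File::OpenRead"),
    ("property", "System.Net.WebRequest::Method"),
]
# Constructed user-defined class that happens to be called File.
LOOKALIKE_REFS = [("method", "Contoso.Logging.File::OpenRead")]


def split_reference(ref):
    """Split 'System.IO.File::OpenRead' into (namespace, class, member)."""
    qualified_class, sep, member = ref.partition("::")
    if not (sep and qualified_class and member):
        raise ValueError(f"expected Namespace.Class::Member, got {ref!r}")
    namespace, _, cls = qualified_class.rpartition(".")
    return namespace, cls, member


def emit_short(kind, ref):
    """Option (1): bare class and member names."""
    namespace, cls, member = split_reference(ref)
    feats = {("class", cls), (kind, member)}
    return feats | ({("namespace", namespace)} if namespace else set())


def emit_qualified(kind, ref):
    """Option (2): class and member names carry their full qualification."""
    namespace, cls, member = split_reference(ref)
    full_class = f"{namespace}.{cls}" if namespace else cls
    feats = {("class", full_class), (kind, f"{full_class}::{member}")}
    return feats | ({("namespace", namespace)} if namespace else set())


def extract(refs, emit):
    """Union of the features emitted for every reference in one scope."""
    return set().union(*(emit(kind, ref) for kind, ref in refs))


def matches(required, refs, emit):
    """True when every required feature is present, like an `and:` block."""
    return set(required) <= extract(refs, emit)


if __name__ == "__main__":
    for name, refs in (("framework", FRAMEWORK_REFS), ("lookalike", LOOKALIKE_REFS)):
        print(name, "option 1:", matches([("class", "File")], refs, emit_short),
              "option 2:", matches([("class", "System.IO.File")], refs, emit_qualified))
```
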

@mike-hunhoff mike-hunhoff added question Further information is requested dotnet labels May 3, 2022
@mike-hunhoff
Collaborator Author

we can then write rules like:

rule:
  meta:
    name: manipulate files in dotnet
    namespace: host-interaction/file-system
    scope: function
  features:
    - and:
      - class: System.IO.File

@mr-tz
Collaborator

mr-tz commented May 4, 2022

Do we need the namespace field for (2)? Can you think of rules where we would use that in rules right now?

@mike-hunhoff
Collaborator Author

mike-hunhoff commented May 5, 2022

Including the namespace for imported classes is probably overkill. However, including user-defined namespaces may facilitate malware family detection. I don't have a specific example for the latter.

@mike-hunhoff
Collaborator Author

I propose the following:

  • emit class, method, and property/field names for imported classes
  • emit namespace, class, method, and property/field names for user-defined classes

@mr-tz
Collaborator

mr-tz commented May 6, 2022

Ah, yeah, that could be neat to detect on namespaces. For simplicity I'd then say we emit namespace, class, method, and property/field names for all classes?!

@mike-hunhoff
Collaborator Author

I agree; we should keep it simple by extracting the same for all classes. so, emit the following for all classes referenced at file and function scope:

  • namespace
  • class
  • method/field/property

see #939 for discussion on emitting references to properties/fields.

@mike-hunhoff
Collaborator Author

this may require introducing new features, including:

  • namespace
  • class
  • field/property??
  • method??

see #939 for field/property.

unsure if we need method or if we can simply reuse api.

@williballenthin
Collaborator

see #939 for property access.
#1030 covers namespace/class/method.
