Full Report
The authors of this post were reviewing OpenVPN2 when faced with a difficult challenge: it had over 2.5K compiler warnings. Could some of these be security issues, though? Their goal was to limit these warnings to only the ones that matter. They decided to tackle a single class of issues: numerical conversions. C's relaxed type system allows implicit numerical conversions. Not all conversions are security issues, but some of them can be. Signedness, truncation and overflows are all issues that can arise from this. With this problem defined, they decided to build a CodeQL query to identify potentially problematic areas. After performing all of this analysis, they determined that none of the conversions led to real issues. It's interesting to see the usage of more niche CodeQL queries to perform useful flow analysis. Good blog post!
Analysis Summary
# Research: Taming 2,500 compiler warnings with CodeQL, an OpenVPN2 case study
## Metadata
- **Authors:** Paweł Płatek, Jay Little
- **Institution:** Trail of Bits
- **Publication:** Trail of Bits Blog / Technical Case Study
- **Date:** September 25, 2025
## Abstract
During a security review of OpenVPN2, researchers were confronted with over 2,500 compiler warnings related to implicit numerical conversions. Because manual triage of such a high volume is impractical, the researchers developed a custom, multi-staged CodeQL query to filter out benign conversions and isolate those with high security risk. By applying data flow analysis and range constraints, they reduced the findings to 20 high-priority cases. While no exploitable vulnerabilities were ultimately found in OpenVPN2, the research provides a reusable framework for auditing C type-safety issues at scale.
## Research Objective
The research addresses the "noise" problem in static analysis: how to distinguish between thousands of benign implicit C type conversions (truncation, reinterpretation, widening) and the small subset that could lead to memory corruption or logic errors.
## Methodology
### Approach
The researchers used an iterative refinement process to build a CodeQL query:
1. **Baseline Analysis:** Compared results from standard compilers (GCC/Clang) and existing CodeQL queries.
2. **Filtering:** Created a custom query to identify implicit conversions (assignment, promotion, arithmetic).
3. **Range Analysis:** Implemented "Integer Range Analysis" to ignore conversions where the value's range is mathematically guaranteed to fit in the target type.
4. **Known API Modeling:** Hardcoded bounds for known safe APIs (e.g., OpenSSL’s `EVP_CIPHER_key_length`).
5. **Taint Tracking:** Focused only on conversions involving user-controlled inputs.
### Dataset/Environment
- **Software:** OpenVPN2 (specifically analyzed during a security audit).
- **Compilers:** GCC 14.2.0 and Clang 19.1.7.
### Tools & Technologies
- **CodeQL:** For semantic code analysis and taint tracking.
- **GitHub:** For hosting the resulting open-source queries.
## Key Findings
### Primary Results
1. **Noise Reduction:** The custom CodeQL query reduced the number of potential issues from ~2,500 compiler warnings to 20 manual review candidates—a **99.2% reduction**.
2. **Security Verdict:** None of the 20 prioritized findings in OpenVPN2 were found to be exploitable vulnerabilities.
3. **Query Efficacy:** Standard CodeQL queries (like `av-rule-180`) were found to be either too broad (6,750+ findings) or too narrow for comprehensive security auditing.
### Supporting Evidence
- **GCC Warnings:** 2,698 (`-Wconversion -Wsign-conversion -Wsign-compare`).
- **Initial CodeQL Stage:** 1,326 findings.
- **Final Refined Stage:** 20 findings.
### Novel Contributions
- Developed a **context-aware integer conversion query** that accounts for C-specific nuances (widening vs. truncation).
- Demonstrated a method for **whitelisting specific API return values** within CodeQL to suppress false positives in cryptographic contexts.
## Technical Details
The researchers categorized data alteration into three primary risks:
- **Truncation:** High-order bits are lost (e.g., `uint32_t` to `uint8_t`).
- **Reinterpretation:** Sign bit changes (e.g., `uint32_t` to `int32_t`).
- **Widening:** Smaller types are expanded, potentially leading to unexpected sign extension.
The technical innovation lies in **Step 4 (Known API Modeling, i.e. custom range bounds)**, where they defined a `ConstantBound` class in CodeQL to manually bound the output of functions like `EVP_MD_size` to [0, 32768], effectively telling the analyzer that these values will never overflow a standard `int`.
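The following C program is an added illustration, not code from the blog post, from Trail of Bits' query, or from OpenVPN2. It shows each of the three data-alteration risks listed above (truncation, reinterpretation, widening) on concrete values, why a line-local compiler flag like `-Wconversion` still warns after a guard that a flow-sensitive range analysis would understand, and how a documented API bound (modelled here by the hypothetical `hypothetical_digest_size()`, standing in for something like `EVP_MD_size`, with an assumed range of [0, 32768]) makes a widening conversion provably safe. All function names and sample values are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* --- Truncation: high-order bits are dropped on narrowing. --- */
uint8_t truncate_u32_to_u8(uint32_t v)
{
    uint8_t narrowed = v;   /* implicit uint32_t -> uint8_t; keeps only the low byte */
    return narrowed;
}

/* --- Reinterpretation: same bits, different sign. ---
 * Converting an out-of-range value to a signed type is implementation-defined in
 * ISO C; GCC and Clang document that it wraps modulo 2^32, so 0xFFFFFFFF reads as -1.
 * A length that was "huge" as unsigned now takes a different path through any
 * `len < 0` check than the author expected. */
int32_t reinterpret_u32_as_i32(uint32_t v)
{
    int32_t reinterpreted = v;  /* implicit uint32_t -> int32_t */
    return reinterpreted;
}

/* --- Widening: a signed value is sign-extended into a wider unsigned type. ---
 * int8_t -1 becomes 0xFFFFFFFF, not 0xFF. This is well-defined (conversion to an
 * unsigned type is modulo 2^N) and is a classic source of out-of-bounds indexes. */
uint32_t widen_i8_to_u32(int8_t c)
{
    uint32_t widened = c;   /* implicit int8_t -> int (promotion) -> uint32_t */
    return widened;
}

/* Same hazard with an error sentinel: APIs that return -1 on failure produce
 * SIZE_MAX when widened to size_t without a check. */
size_t widen_length_unchecked(int len)
{
    return (size_t)len;
}

/* --- Why a compiler flag and a range analysis disagree. ---
 * -Wconversion looks only at the `return v;` line, so it still warns even though
 * the guard above proves v <= 255. A flow-sensitive range analysis sees the guard
 * and can drop the warning; that is the noise the post's query removes. */
uint8_t narrow_after_guard(uint32_t v)
{
    if (v > UINT8_MAX)
        return 0;
    return v;   /* warning here is a false positive: 0 <= v <= 255 */
}

/* --- Checked narrowing helpers: make the fit explicit. ---
 * Return -1 when the value does not fit, otherwise the narrowed value. (A sentinel
 * return keeps these easy to assert on; an out-parameter plus bool is equally good.) */
int checked_u32_to_u8(uint32_t v)
{
    if (v > UINT8_MAX)
        return -1;
    return (int)(uint8_t)v;
}

int64_t checked_u32_to_i32(uint32_t v)
{
    if (v > (uint32_t)INT32_MAX)
        return -1;
    return (int64_t)(int32_t)v;
}

/* --- Known-API bound (Step 4 in the post). ---
 * hypothetical_digest_size() is a stand-in for an API such as EVP_MD_size() whose
 * result is assumed to lie in [0, 32768]. Because the lower bound is 0, widening it
 * to size_t cannot sign-extend; a ConstantBound-style model tells the analyzer that. */
int hypothetical_digest_size(void)
{
    return 32;  /* constructed value, e.g. a SHA-256 digest length */
}

size_t buffer_for_digest(void)
{
    int n = hypothetical_digest_size();  /* assumed: 0 <= n <= 32768 */
    return (size_t)n;                    /* safe only because n cannot be negative */
}

int main(void)
{
    printf("truncate    0x12345678 -> 0x%02x\n", truncate_u32_to_u8(0x12345678u));
    printf("reinterpret 0xFFFFFFFF -> %d\n", reinterpret_u32_as_i32(0xFFFFFFFFu));
    printf("widen       (int8_t)-1 -> 0x%08x\n", widen_i8_to_u32(-1));
    printf("widen       (int)-1    -> %zu\n", widen_length_unchecked(-1));
    printf("checked     300 -> u8  : %d\n", checked_u32_to_u8(300u));
    printf("checked     0x80000000 -> i32 : %lld\n", (long long)checked_u32_to_i32(0x80000000u));
    return 0;
}
```

Compile with `-Wconversion -Wsign-conversion` to see that the compiler flags both the genuinely lossy conversions and the guarded one in `narrow_after_guard` with the same warning; the point of the post's range analysis is to keep only the former for manual review.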
## Practical Implications
### For Security Practitioners
- Large-scale audits of legacy C codebases should shift from "finding all bugs" to "finding all reachable/tainted bugs" using advanced static analysis.
### For Defenders
- Incorporate the [provided CodeQL query](https://github.com/trailofbits/codeql-queries/blob/18bceaadb084390e31f313eff4d061d91199bf4c/cpp/src/security/UnsafeImplicitConversions/UnsafeImplicitConversions.ql) into CI/CD pipelines.
- Treat `-Wconversion` and `-Wsign-compare` as errors only after the codebase has been cleaned of legacy noise.
### For Researchers
- This work demonstrates that niche CodeQL queries focusing on specific data-flow patterns are more effective for professional auditing than "out-of-the-box" general rules.
## Limitations
- **False Negatives:** By focusing strictly on user-controlled input (taint tracking), the analysis might miss "internal" logic errors that could still lead to crashes or instability.
- **Manual Effort:** The methodology requires manual modeling of external library APIs (like OpenSSL) to be truly effective.
## Comparison to Prior Work
Unlike standard compiler flags, which are "stateless" (looking only at the immediate line of code), this approach uses **global data flow**, allowing the tool to understand where a variable came from and what its maximum possible value could be before flagging it as a risk.
## Real-world Applications
- **Infrastructure Security:** Auditing VPNs, kernels, and embedded firmware where C is the primary language.
- **Legacy Refactoring:** Systematically removing technical debt in projects with thousands of compiler warnings.
## Future Work
- Expanding the library of pre-modeled common C APIs (standard library, POSIX, OpenSSL) to further automate the "Step 4" range analysis.
- Refining the query to detect vulnerability patterns in "integer promotion" specifically.
## References
- [Trail of Bits CodeQL Queries GitHub](https://github.com/trailofbits/codeql-queries/)
- [OpenVPN2 Security Review Report](https://github.com/trailofbits/publications/blob/master/reviews/2022-12-openvpn-openvpn2-securityreview.pdf)