Problems detecting taint propagation
I have problems trying to write a propagation that can detect this flow of data from the initialisation of the implicit intent to calling it in an activity.
invoke-direct {v1, v2}, Landroid/content/Intent;-><init>(Ljava/lang/String;)V
const/16 v2, 0xd5
invoke-virtual {v0, v1, v2}, Landroid/app/Activity;->startActivityForResult(Landroid/content/Intent;I)V
goto/16 :goto_2f
I can define the source to be the method that inits the intent, and sink to be the startActivityForResult, but when I write in the rules to link the source to the sink, no issues come up.
INFO Method `Landroid/content/Intent;.<init>:(Ljava/lang/String;)V` satisfies all constraints in json model generator ImplicitIntentAsSource
INFO Method `Landroid/app/Activity;.startActivityForResult:(Landroid/content/Intent;I)V` satisfies all constraints in json model generator ImplicitIntentAsSink
Is there any further way I can debug this? Not sure how to proceed.
Source Definition (same as the implicitintentsourcegenerator):
{
"model_generators": [
{
"find": "methods",
"where": [
{
"constraint": "parent",
"inner": {
"constraint": "name",
"pattern": "Landroid/content/Intent;"
}
},
{
"constraint": "name",
"pattern": "\\<init\\>"
},
{
"constraint": "not",
"inner": {
"constraint": "signature",
"pattern": ".*Ljava/lang/Class;.*"
}
}
],
"model": {
"sources": [
{
"kind": "IntentAsSource",
"port": "Argument(0)"
}
]
},
"verbosity" : 1
}
]
}
Sink Definition:
{
"model_generators": [
{
"find": "methods",
"where": [
{
"constraint": "name",
"pattern": "startActivityForResult"
}
],
"model": {
"sinks": [
{
"kind": "IntentAsSink",
"port": "Argument(1)"
}
]
},
"verbosity" : 1
}
]
}
rules.json:
{
"name": "IntentImplicitTest",
"code": 99,
"description": "Test",
"sources": ["IntentAsSource"],
"sinks": ["IntentAsSink"]
}
Hi @chuayupeng, thanks for reaching out.
This is because your model defines a source with port Argument(0).
This is something that we did not document well, but:
- A source with a Return port means the source is produced at the call site, i.e.:
x = source(); // x is tainted
- A source with an Argument port means the source is tainted in the body of the function, i.e.:
public void source(String x) { // x is tainted here }
Internally, we do differentiate between sources produced at call sites (called generations) and sources produced in the body (called parameter sources). You can also specify them in JSON.
TL;DR: Using "generations": {"kind": "IntentAsSource", "port": "Argument(0)"} instead of "sources": ... should fix the issue.
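A check for the pitfall described in the reply above, added here as an example; it is not code from the issue or from the Mariana Trench project. It encodes the rule that a "sources" entry with a Return port taints the call-site result, while a "sources" entry with an Argument(n) port is a parameter source (tainted only inside the callee), and it moves the latter into "generations" so the argument is tainted at the call site (for the Intent constructor, Argument(0) is the object under construction). The embedded generator JSON is a copy of the source definition posted in the issue; the function names, the note text and the assumption that a port is written "Argument(n)" optionally followed by a field path are this example's own.

```python
"""Lint Mariana Trench model-generator JSON for "sources" entries that use an
Argument(n) port, which the analyzer treats as parameter sources (tainted
inside the callee body), and rewrite them as "generations" (tainted at the
call site). Example code, not part of the Mariana Trench project.
"""
from __future__ import annotations

import copy
import json
import re

# Assumed port syntax: "Argument(n)", optionally followed by a field path.
ARGUMENT_PORT = re.compile(r"^Argument\((\d+)\)")

# Copy of the source model generator posted in the issue (constructed fixture
# for this example); its "sources" entry uses port Argument(0).
ISSUE_SOURCE_GENERATOR = json.loads(r"""
{
  "model_generators": [
    {
      "find": "methods",
      "where": [
        {"constraint": "parent",
         "inner": {"constraint": "name", "pattern": "Landroid/content/Intent;"}},
        {"constraint": "name", "pattern": "\\<init\\>"},
        {"constraint": "not",
         "inner": {"constraint": "signature", "pattern": ".*Ljava/lang/Class;.*"}}
      ],
      "model": {"sources": [{"kind": "IntentAsSource", "port": "Argument(0)"}]},
      "verbosity": 1
    }
  ]
}
""")


def is_argument_port(port: str) -> bool:
    """True for ports such as "Argument(0)" or "Argument(1).extras"."""
    return ARGUMENT_PORT.match(port) is not None


def rewrite_callsite_sources(generators: dict) -> tuple[dict, list[str]]:
    """Move every "sources" entry with an Argument(n) port into "generations".

    Returns a deep copy of `generators` plus one note per moved entry.
    Return-port entries stay under "sources" (they already mean "tainted at
    the call site"); entries without a "port" key are left untouched.
    """
    result = copy.deepcopy(generators)
    notes: list[str] = []
    for index, gen in enumerate(result.get("model_generators", [])):
        model = gen.get("model", {})
        keep, move = [], []
        for entry in model.get("sources", []):
            port = entry.get("port")
            if isinstance(port, str) and is_argument_port(port):
                move.append(entry)
            else:
                keep.append(entry)
        if not move:
            continue
        model.setdefault("generations", []).extend(move)
        if keep:
            model["sources"] = keep
        else:
            del model["sources"]
        for entry in move:
            notes.append(
                f'model_generators[{index}]: source kind={entry.get("kind")} '
                f'port={entry["port"]} under "sources" is a parameter source '
                f'(tainted inside the callee body); moved to "generations" '
                f'so the argument is tainted at the call site'
            )
    return result, notes


if __name__ == "__main__":
    fixed, notes = rewrite_callsite_sources(ISSUE_SOURCE_GENERATOR)
    for note in notes:
        print("WARNING", note)
    print(json.dumps(fixed, indent=2))
```

Run it over a model-generator file before loading it into the analyzer: any WARNING line points at a source that would only ever taint the parameter inside the modelled method, which is why the rule above never matched the startActivityForResult sink.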
Hi @arthaud, thanks for the easy to understand explanation! I changed the definition with the source and it worked like a charm!