
Question about writing rules #20

Closed
william31212 opened this issue Oct 22, 2022 · 11 comments

Comments

william31212 commented Oct 22, 2022

  • Source code to be analyzed
```java
package com.tmh.vulnwebview;

import android.os.Bundle;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import androidx.appcompat.app.AppCompatActivity;

/* loaded from: classes.dex */
public class RegistrationWebView extends AppCompatActivity {
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // androidx.appcompat.app.AppCompatActivity, androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(C0816R.layout.activity_registration_web_view);
        setTitle("Registration page");
        loadWebView();
    }

    private void loadWebView() {
        // source: webView
        WebView webView = (WebView) findViewById(C0816R.C0819id.webview);
        webView.setWebViewClient(new WebViewClient());
        
        // sink: setAllowFileAccess
        webView.getSettings().setAllowFileAccess(true);
        
        if (getIntent().getExtras().getBoolean("is_reg", false)) {
            // sink: load file:///
            webView.loadUrl("file:///android_asset/registration.html");
        } else {
            webView.loadUrl(getIntent().getStringExtra("reg_url"));
        }
    }
}
```
  • Expected analysis result: the flow getSettings -> setAllowFileAccess -> loadUrl, but in practice it gets split into two.
  • Here is my rule
```json
{
    "WebView": {
        "SliceMode": true,
        "traceDepth": 8,
        "desc": {
            "name": "Webview setAllowFileAccess",
            "category": "webview",
            "detail": "Webview setAllowFileAccess(true) and loadurl",
            "wiki": "",
            "possibility": "4",
            "model": "middle"
        },
        "source": {
            "Return": [
                "<*: android.view.View findViewById(*)>"
            ],
            "NewInstance": [
                "android.webkit.WebView"
            ]
        },
        "sink": {
            "<android.webkit.WebView: android.webkit.WebSettings getSettings(*)>": {
                "TaintCheck": [
                    "@this"
                ]
            },
            "<android.webkit.WebSettings: * setAllowFileAccess(boolean)>": {
                "TaintCheck": [
                    "@this"
                ],
                "p0": [
                    "0"
                ]
            },
            "<android.webkit.WebView: * loadUrl(java.lang.String)>": {
                "TaintCheck": [
                    "@this"
                ],
                "p0": [
                    "file:///*"
                ]
            }
        }
    }
}
```
nkbai (Collaborator) commented Oct 24, 2022

> Expected analysis result: the flow getSettings -> setAllowFileAccess -> loadUrl, but in practice it gets split into two.

If that is what you expect, then your source should be the return of getSettings and the sink should be loadUrl, but in your rule the source is findViewById or NewInstance of WebView.

william31212 (Author) commented:

I switched to using getSettings() as the source here, but the call stack and call details outputs are both empty.

  • Rule
```json
{
    "WebView": {
        "SliceMode": true,
        "traceDepth": 8,
        "desc": {
            "name": "Webview setAllowFileAccess",
            "category": "webview",
            "detail": "Webview setAllowFileAccess(true) and loadurl",
            "wiki": "",
            "possibility": "4",
            "model": "middle"
        },
        "source": {
            "Return": [
                "<android.webkit.WebView: android.webkit.WebSettings getSettings(*)>"
            ]
        },
        "sink": {
            "<android.webkit.WebSettings: * setAllowFileAccess(boolean)>": {
                "TaintCheck": [
                    "@this"
                ],
                "p0": [
                    "1"
                ]
            },
            "<android.webkit.WebView: void loadUrl(java.lang.String)>": {
                "TaintCheck": [
                    "@this"
                ]
            }
        },
        "sanitize" : {
        }
    }
}
```

[screenshot attached in the original issue]

Also, I would like to ask how to obtain the call stack code from the generated result.json, since the content seems to contain only `com.tmh.vulnwebview.RegistrationWebView: void loadWebView()>->$r4`. Is there a way to locate this in the Jimple source?
[screenshot attached in the original issue]

nkbai (Collaborator) commented Oct 24, 2022

Because your source and sink are the same variable, the target has only one line.

william31212 (Author) commented:

Sorry, let me explain with the figure below.
The behaviour I expect is to start locating from where the webView object is declared
and trace
```java
webView.getSettings().setAllowFileAccess(true);
webView.loadUrl("file:///android_asset/registration.html");
```

What I want is to sink the methods in the red box and see them in the output HTML.
[screenshot attached in the original issue]

nkbai (Collaborator) commented Oct 24, 2022

appshark performs dataflow analysis; at the moment there is no way to precisely produce the path you describe. appshark reports the shortest propagation path, otherwise there would be far too many paths.

william31212 (Author) commented:

OK, then I would like to ask two questions:

  1. For the sinks, does a result appear in result.json as long as any one of them matches?
  2. Can a sink's TaintCheck not be written as return?

nkbai (Collaborator) commented Oct 25, 2022

> OK, then I would like to ask two questions:
>
>   1. For the sinks, does a result appear in result.json as long as any one of them matches?

No. When a specific source/sink pair has multiple paths, the shortest one is chosen. As long as either the source or the sink differs, the paths are treated as completely unrelated.

>   2. Can a sink's TaintCheck not be written as return?

Commit 10d2119 added support for return as a sink, but it has not been released yet; you can try building from source.

william31212 (Author) commented:

Regarding the first point:
So if three sink rules are set, is output only produced when a path passes through all three rules?
Because in my own experiments, a result that matched only two of them was already output.

```json
{
    "WebView": {
        "SliceMode": true,
        "traceDepth": 8,
        "desc": {
            "name": "Webview setAllowFileAccess",
            "category": "webview",
            "detail": "Webview setAllowFileAccess(true) and loadurl",
            "wiki": "",
            "possibility": "4",
            "model": "middle"
        },
        "source": {
            "Return": [
                "<*: android.view.View findViewById(*)>"
            ]
        },
        "sink": {
            "<android.webkit.WebView: android.webkit.WebSettings getSettings()>": {
                "TaintCheck": [
                    "@this"
                ]
            },
            "<android.webkit.WebSettings: * setAllowFileAccess(boolean)>": {
                "TaintCheck": [
                    "return"
                ],
                "p0": [
                    1
                ]
            },
            "<android.webkit.WebView: void loadUrl(java.lang.String)>": {
                "TaintCheck": [
                    "@this"
                ],
                "p0": [
                    "file:///*"
                ]
            }
        },
        "sanitize" : {
        }
    }
}
```

[screenshot attached in the original issue]

nkbai (Collaborator) commented Oct 26, 2022

> So if three sink rules are set, is output only produced when a path passes through all three rules?

No. Sink points are independent; different sinks have no relation to each other, and we do not require a path to pass through all sinks for it to be considered a valid path.

william31212 (Author) commented:

OK, thank you for your reply.
My own need is to sink on all paths in order to detect a WebView that actually performs the settings call as well as loadUrl.
If I want to add this requirement, which part of the code would you suggest starting from?

nkbai (Collaborator) commented Oct 26, 2022

I suggest taking a good look at TaintPathFinder; that class is what finds the paths. What you need is a completely different path-finding algorithm.

nkbai closed this as completed Nov 3, 2023
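As an added example (not appshark's code and not from either participant), the following Python toy models the two behaviours discussed in this thread: the maintainer's point that sinks are independent, so every sink the taint reaches is reported on its own (with the first reaching statement standing in for the "shortest path" that appshark keeps), and the reporter's requirement that a finding should only be raised when one tainted WebView reaches every sink in the rule, i.e. setAllowFileAccess(true) and loadUrl("file:///..."). The statement list, the Stmt/Rule classes and the method-name-only matching are constructed simplifications of Jimple and of the rule format, not the real implementation.

```python
"""Toy model of independent vs. all-sinks matching for a WebView rule.

Constructed illustration: the statements below are a hand-written stand-in for
the Jimple of loadWebView() in this issue, and the Rule/Stmt types are a
simplification of appshark's rule format, not the real implementation.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional


@dataclass
class Stmt:
    """One simplified call statement: result = receiver.method(args)."""
    method: str                     # method name only (real rules use full signatures)
    receiver: Optional[str] = None  # variable the call is made on ("@this" in a rule)
    args: tuple = ()                # positional constant arguments (p0, p1, ...)
    result: Optional[str] = None    # variable that receives the return value


@dataclass
class Rule:
    source_return: list  # methods whose return value is a taint source
    sinks: dict          # method -> {"TaintCheck": [...], "p0": [...]}


# Constructed stand-in for loadWebView() from the issue (not real Jimple).
LOAD_WEB_VIEW = [
    Stmt("findViewById", args=("R.id.webview",), result="$r1"),
    Stmt("setWebViewClient", receiver="$r1", args=("new WebViewClient()",)),
    Stmt("getSettings", receiver="$r1", result="$r2"),
    Stmt("setAllowFileAccess", receiver="$r2", args=(True,)),
    Stmt("loadUrl", receiver="$r1", args=("file:///android_asset/registration.html",)),
]

# Simplified form of the reporter's third rule: source is the return of
# findViewById; sinks are getSettings, setAllowFileAccess(true), loadUrl("file:///*").
WEBVIEW_RULE = Rule(
    source_return=["findViewById"],
    sinks={
        "getSettings": {"TaintCheck": ["@this"]},
        "setAllowFileAccess": {"TaintCheck": ["@this"], "p0": [True]},
        "loadUrl": {"TaintCheck": ["@this"], "p0": ["file:///*"]},
    },
)


def _arg_matches(value, patterns) -> bool:
    """p0 constraint: glob match for strings, equality for other constants."""
    for pattern in patterns:
        if isinstance(value, str) and isinstance(pattern, str):
            if fnmatch(value, pattern):
                return True
        elif value == pattern:
            return True
    return False


def propagate(stmts, rule):
    """Forward taint over a straight-line statement list.

    A source method's return value is tainted; a call on a tainted receiver
    taints its result (this is how the return of getSettings inherits taint
    from the WebView). Returns (tainted_vars, hits) where hits maps each
    reached sink method to the index of the first statement that reached it,
    standing in for the shortest path appshark keeps.
    """
    tainted = set()
    hits = {}
    for index, stmt in enumerate(stmts):
        if stmt.method in rule.source_return and stmt.result:
            tainted.add(stmt.result)
            continue
        receiver_tainted = stmt.receiver in tainted
        if receiver_tainted and stmt.result:
            tainted.add(stmt.result)
        spec = rule.sinks.get(stmt.method)
        if spec is None:
            continue
        if "@this" in spec["TaintCheck"] and not receiver_tainted:
            continue
        if "p0" in spec and (not stmt.args or not _arg_matches(stmt.args[0], spec["p0"])):
            continue
        hits.setdefault(stmt.method, index)
    return tainted, hits


def independent_findings(stmts, rule):
    """Maintainer's described behaviour: every reached sink is its own finding."""
    _, hits = propagate(stmts, rule)
    return sorted(hits)


def conjunctive_finding(stmts, rule):
    """Reporter's requirement: report only when the taint reaches every sink."""
    _, hits = propagate(stmts, rule)
    return set(hits) == set(rule.sinks)


if __name__ == "__main__":
    print("independent:", independent_findings(LOAD_WEB_VIEW, WEBVIEW_RULE))
    print("all sinks reached:", conjunctive_finding(LOAD_WEB_VIEW, WEBVIEW_RULE))
```

Run against the constructed statement list, `independent_findings` returns all three sinks because each one is judged on its own, which matches the reporter's observation that a result is emitted as soon as some sinks match; with setAllowFileAccess(false) it still returns getSettings and loadUrl, while `conjunctive_finding` drops to False. The conjunctive check is the kind of logic the maintainer says would have to live in a different path-finding routine (TaintPathFinder being the place the existing one lives).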