Add CWE-338 Script

[devgofer]

Detect CWE-338 in Android Application (pivva.apk)

This scenario aims to detect the Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG). See CWE-338 for more details.

To demonstrate how the Quark script finds this vulnerability, we will use the pivaa APK file and the above APIs.

First, we design a detection rule useMethodOfPRNG.json to spot on behavior that uses Pseudo Random Number Generator (PRNG). Then, we use API getXrefFrom() to get the caller method of PRNG. Finally, we use some keywords such as “token”, “password”, and “encrypt” to check if the PRNG is for credential usage.

Quark Script CWE-338.py

from quark.script import runQuarkAnalysis, Rule

SAMPLE_PATH = "pivaa.apk"
RULE_PATH = "useMethodOfPRNG.json"

CREDENTIAL_KEYWORDS = [
    "token", "password", "account", "encrypt",
    "authentication", "authorization", "id", "key"
]

ruleInstance = Rule(RULE_PATH)
quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)

for usePRNGMethod in quarkResult.behaviorOccurList:
    for prngCaller in usePRNGMethod.methodCaller.getXrefFrom():
        if any(keyword in prngCaller.fullName
               for keyword in CREDENTIAL_KEYWORDS):
            print("CWE-338 is detected in %s" % prngCaller.fullName)

useMethodOfPRNG.json

{
    "crime": "Use method of PRNG",
    "permission": [],
    "api": [
        {
            "class": "Ljava/util/Random;",
            "method": "<init>",
            "descriptor": "()V"
        },
        {
            "class": "Ljava/util/Random;",
            "method": "nextInt",
            "descriptor": "(I)I"
        }
    ],
    "score": 1,
    "label": []
}

Quark Script Result

$ python CWE-338.py  
CWE-338 is detected in Lcom/htbridge/pivaa/EncryptionActivity$2; onClick (Landroid/view/View;)V

[codecov-commenter]

Codecov Report

Patch and project coverage have no change.

Comparison is base (b3d8b0b) 78.76% compared to head (ba56c3b) 78.76%.

📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #475   +/-   ##
=======================================
  Coverage   78.76%   78.76%           
=======================================
  Files          63       63           
  Lines        4850     4850           
=======================================
  Hits         3820     3820           
  Misses       1030     1030           

Flag	Coverage Δ
unittests	78.76% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[sidra-asa]

@Commuter95

Thanks for the PR. Welcome.
However, I don't understand why the function of quark script CWE-338.py will detect the PRNG.
Would you add additional information about how it works?

Also, here are some suggestions for quark script.

1. It should follow the pep8 blank lines convention.
2. We use Lower Camel Case naming style for quark script.

[sidra-asa]

@Commuter95

It seems that there is some conflict happening.
Please make sure all the files changed are fine.

[sidra-asa]

LGTM