Optimize the document of Quark Script CWE-327#750

Merged
zinwang merged 1 commit into
masterfrom
JerryTasi-patch-CWE327
Apr 30, 2025

Conversation

@JerryTasi

Contributor

Detect CWE-327 in Android Application

This scenario seeks to find Use of a Broken or Risky Cryptographic Algorithm in the APK file.

CWE-327 Use of a Broken or Risky Cryptographic Algorithm

We analyze the definition of CWE-327 and identify its characteristics.

See CWE-327 for more details.

Code of CWE-327 in InjuredAndroid.apk

We use the InjuredAndroid.apk sample to explain the vulnerability code of CWE-327.

CWE-327 Detection Process Using Quark Script API

Let’s use the above APIs to show how the Quark script finds this vulnerability.

We first design a detection rule useOfCryptographicAlgo.json to spot behavior using cryptographic algorithms. Then, we use the API behaviorInstance.hasString(pattern, isRegex) with a list to check if the algorithm is risky. If YES, that may cause the exposure of sensitive data.

Quark Script CWE-327.py

```python
from quark.script import runQuarkAnalysis, Rule

SAMPLE_PATH = "InjuredAndroid.apk"
RULE_PATH = "useOfCryptographicAlgo.json"

# Algorithm names treated as broken or risky (CWE-327)
WEAK_ALGORITHMS = ["DES", "ARC4", "BLOWFISH"]

# Load the rule and run it against the sample APK
ruleInstance = Rule(RULE_PATH)
quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)

# Each behavior occurrence is a matched Cipher.getInstance / Cipher.init sequence
for useCryptoAlgo in quarkResult.behaviorOccurList:
    caller = useCryptoAlgo.methodCaller

    # Flag the calling method if any weak algorithm name appears in its strings
    for algo in WEAK_ALGORITHMS:
        if useCryptoAlgo.hasString(algo):
            print(f"CWE-327 is detected in method, {caller.fullName}")
```

Quark Rule: useOfCryptographicAlgo.json

```json
{
    "crime": "Use of cryptographic algorithm",
    "permission": [],
    "api": [
        {
            "class": "Ljavax/crypto/Cipher;",
            "method": "getInstance",
            "descriptor": "(Ljava/lang/String;)Ljavax/crypto/Cipher"
        },
        {
            "class": "Ljavax/crypto/Cipher;",
            "method": "init",
            "descriptor": "(I Ljava/security/Key;)V"
        }
    ],
    "score": 1,
    "label": []
}
```

Quark Script Result

```
$ python3 CWE-327.py
CWE-327 is detected in method, Lb3nac/injuredandroid/k; b (Ljava/lang/String;)Ljava/lang/String;
CWE-327 is detected in method, Lb3nac/injuredandroid/k; a (Ljava/lang/String;)Ljava/lang/String;
```
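As an added example that is not part of this pull request or of the Quark project's code: a stand-alone classifier for the transformation strings that Cipher.getInstance receives, using anchored regular expressions of the form hasString(pattern, isRegex=True) accepts, so that a DES check does not also fire on DESede, and additionally flagging ECB mode. The sample transformation strings are constructed, not extracted from InjuredAndroid.apk.

```python
import re

# Constructed sample transformation strings of the kind passed to
# Cipher.getInstance(...); they are not taken from InjuredAndroid.apk.
SAMPLE_TRANSFORMATIONS = [
    "DES",
    "DES/CBC/PKCS5Padding",
    "DESede/CBC/PKCS5Padding",
    "ARC4",
    "Blowfish/ECB/PKCS5Padding",
    "AES/ECB/PKCS5Padding",
    "AES/GCM/NoPadding",
]

# JCE algorithm names are case-insensitive and form the first token of
# "ALG/MODE/PADDING". Anchoring each pattern to that token keeps a plain
# substring match on "DES" from also firing on "DESede" (Triple DES).
BROKEN_ALGORITHM_PATTERNS = {
    "DES": r"(?i)^DES(?:/|$)",
    "ARC4": r"(?i)^(?:ARC4|RC4)(?:/|$)",
    "BLOWFISH": r"(?i)^BLOWFISH(?:/|$)",
}

# ECB is a mode weakness independent of the block cipher chosen.
WEAK_MODE_PATTERN = r"(?i)^[^/]+/ECB(?:/|$)"


def classify_transformation(transformation: str) -> list:
    """Return the weaknesses found in one JCE transformation string."""
    findings = []
    for name, pattern in BROKEN_ALGORITHM_PATTERNS.items():
        if re.search(pattern, transformation):
            findings.append(f"broken algorithm {name}")
    if re.search(WEAK_MODE_PATTERN, transformation):
        findings.append("ECB mode")
    return findings


def scan(transformations) -> dict:
    """Map each transformation string with at least one finding to its findings."""
    report = {}
    for transformation in transformations:
        findings = classify_transformation(transformation)
        if findings:
            report[transformation] = findings
    return report


if __name__ == "__main__":
    for transformation, findings in scan(SAMPLE_TRANSFORMATIONS).items():
        print(f"CWE-327 candidate: {transformation}: {', '.join(findings)}")
```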

@codecov

codecov Bot commented Apr 30, 2025


Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 80.68%. Comparing base (e1c796b) to head (49fb5af).
Report is 1 commit behind head on master.

Additional details and impacted files

```text
@@           Coverage Diff           @@
##           master     #750   +/-   ##
=======================================
  Coverage   80.68%   80.68%
=======================================
  Files          75       75
  Lines        6253     6253
=======================================
  Hits         5045     5045
  Misses       1208     1208
```

| Flag | Coverage Δ |
| --- | --- |
| unittests | 80.68% <ø> (ø) |


@zinwang zinwang self-requested a review April 30, 2025 03:48
@zinwang zinwang self-assigned this Apr 30, 2025
@zinwang zinwang added documentation Improvements or additions to documentation pr-processing-state-05 labels Apr 30, 2025

@zinwang zinwang left a comment

Contributor

LGTM!

@zinwang zinwang merged commit 44e3a1a into master Apr 30, 2025
20 checks passed
@JerryTasi JerryTasi deleted the JerryTasi-patch-CWE327 branch May 6, 2025 07:02