Optimize the document of Quark Script CWE-338#756

Merged: zinwang merged 2 commits into master from JerryTasi-patch-338 on May 21, 2025
Conversation

@JerryTasi

Contributor

Detect CWE-338 in Android Application

This scenario seeks to find Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG).

CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

We analyze the definition of CWE-338 and identify its characteristics.

See CWE-338 for more details.

Code of CWE-338 in pivaa.apk

We use the pivaa.apk sample to explain the vulnerability code of CWE-338.

CWE-338 Detection Process Using Quark Script API

First, we design a detection rule useMethodOfPRNG.json to spot behavior that uses a Pseudo Random Number Generator (PRNG). Then, we use the API methodInstance.getXrefFrom() to get the caller method of the PRNG. Finally, we use some keywords such as "token", "password", and "encrypt" to check if the PRNG is used for credentials.

Quark Script CWE-338.py

```python
from quark.script import runQuarkAnalysis, Rule

SAMPLE_PATH = "pivaa.apk"
RULE_PATH = "useMethodOfPRNG.json"

# Substrings that suggest the PRNG output feeds a credential or crypto operation.
CREDENTIAL_KEYWORDS = [
    "token", "password", "account", "encrypt",
    "authentication", "authorization", "id", "key"
]

# Run the useMethodOfPRNG rule against the sample.
ruleInstance = Rule(RULE_PATH)
quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)

# Each behavior occurrence is a method that calls java.util.Random;
# walk its cross-references to find who calls that method.
for usePRNGMethod in quarkResult.behaviorOccurList:
    for prngCaller in usePRNGMethod.methodCaller.getXrefFrom():
        # Flag the caller when its full name contains a credential keyword.
        if any(
            keyword in prngCaller.fullName for keyword in CREDENTIAL_KEYWORDS
        ):
            print("CWE-338 is detected in %s" % prngCaller.fullName)
```

Quark Rule: useMethodOfPRNG.json

```json
{
    "crime": "Use method of PRNG",
    "permission": [],
    "api": [
        {
            "class": "Ljava/util/Random;",
            "method": "<init>",
            "descriptor": "()V"
        },
        {
            "class": "Ljava/util/Random;",
            "method": "nextInt",
            "descriptor": "(I)I"
        }
    ],
    "score": 1,
    "label": []
}
```

Quark Script Result

```
$ python CWE-338.py
CWE-338 is detected in Lcom/htbridge/pivaa/EncryptionActivity$2; onClick (Landroid/view/View;)V
```
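The script's final step is a case-sensitive substring test of the keyword list against the caller's fullName. The following added example (not part of this PR, and independent of Quark so it runs offline) shows which keywords fire on the signature reported above and contrasts that with a token-based variant that only inspects the caller's class path and method name. The Dice and SessionToken callers are constructed for illustration.

```python
import re

# Keyword list from the CWE-338 Quark Script above.
CREDENTIAL_KEYWORDS = [
    "token", "password", "account", "encrypt",
    "authentication", "authorization", "id", "key",
]

# Caller signatures in the shape of Quark's MethodInstance.fullName
# ("<class>; <method> <descriptor>"). The first is the hit the PR reports;
# the other two are constructed for illustration.
SAMPLE_CALLERS = [
    "Lcom/htbridge/pivaa/EncryptionActivity$2; onClick (Landroid/view/View;)V",
    "Lcom/example/game/Dice; roll (I)I",
    "Lcom/example/auth/SessionToken; generate ()Ljava/lang/String;",
]


def parse_full_name(full_name):
    """Split a fullName into (class, method, descriptor)."""
    cls, method, descriptor = full_name.split(" ", 2)
    return cls, method, descriptor


def substring_hits(full_name):
    """Keywords that fire under the script's check: a case-sensitive
    substring test over the whole fullName, descriptor included."""
    return [k for k in CREDENTIAL_KEYWORDS if k in full_name]


def identifier_tokens(cls, method):
    """Lower-cased words from the class path and method name, splitting
    CamelCase, so 'EncryptionActivity' yields 'encryption', 'activity'."""
    text = cls[1:].rstrip(";").replace("/", " ").replace("$", " ") + " " + method
    return [t.lower() for t in re.findall(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])|\d+", text)]


def token_hits(full_name):
    """Keywords that prefix a token of the caller's own identifiers; the
    descriptor is skipped because it names parameter types, not purpose."""
    cls, method, _ = parse_full_name(full_name)
    tokens = identifier_tokens(cls, method)
    return [k for k in CREDENTIAL_KEYWORDS if any(t.startswith(k) for t in tokens)]


if __name__ == "__main__":
    for caller in SAMPLE_CALLERS:
        print(caller)
        print("  substring:", substring_hits(caller))
        print("  tokens:   ", token_hits(caller))
```

On the reported signature the substring check fires only on "id" (inside "htbridge" and "Landroid"), while the token variant fires on "encrypt" via the EncryptionActivity class name.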

@codecov

codecov Bot commented May 21, 2025


Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 80.68%. Comparing base (64874f1) to head (0d8c756).
Report is 1 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #756   +/-   ##
=======================================
  Coverage   80.68%   80.68%           
=======================================
  Files          75       75           
  Lines        6253     6253           
=======================================
  Hits         5045     5045           
  Misses       1208     1208           
Flag       Coverage Δ
unittests  80.68% <ø> (ø)

@zinwang zinwang self-requested a review May 21, 2025 07:38
@zinwang zinwang merged commit d808e4a into master May 21, 2025
19 checks passed
@JerryTasi JerryTasi deleted the JerryTasi-patch-338 branch May 26, 2025 15:07