Taint not flowing into a sink in Runnable #125

Open
adityavardhanpadala opened this issue Mar 29, 2023 · 0 comments
adityavardhanpadala commented Mar 29, 2023

Mariana Trench is not flowing taint into a sink in a runnable. I see an integration test that has similar code which seems to pass, but for some reason in the application that I am analysing it does not work.

I have tried using the default model in the repo for generating models for functions that match loadUrl, which also does not give any results.

Model for the source

{
  "model_generators": [
    {
      "find": "methods",
      "where": [
        {
          "constraint": "name",
          "pattern":  "getScanResults"
        }
      ],
      "model": {
        "modes": [
          "skip-analysis"
        ],
        "sources": [
          {
            "kind": "WMScanResult",
            "port": "Return"
          }
        ]
      },
      "verbosity": 1
    }
  ]
}

Mariana Trench is able to track the flow into `callWebInterface`; the `argument` parameter is the tainted variable.

    public void callWebInterface(String function, String argument) {
        Logger.d(function);
        Logger.d(argument);
        activity.callJavascript(function + "(" + argument + ")");
    }

with the following model for the sink, which does not look right since Argument(1) is the correct parameter, and for which it fails to detect any issue.

{
    "model_generators": [
        {
            "find": "methods",
            "where": [
                {
                    "constraint": "name",
                    "pattern": "callWebInterface"
                }
            ],
            "model": {
                "modes": [
                    "skip-analysis"
                ],
                "sinks": [
                    {
                      "kind": "WMLoadUrl",
                      "port": "Argument(0)"
                    }
                ]
            },
            "verbosity": 1
        }
    ]
}

Mariana Trench fails to track taint to the sink `webview.loadUrl` call.

    public void callJavascript(final String function) {
        webView.post(new Runnable() {
            @Override // java.lang.Runnable
            public void run() {
                FullscreenActivity.webView.loadUrl("javascript:" + function + ";");
            }
        });
    }

with the following model for the sink

{
    "model_generators": [
        {
            "find": "methods",
            "where": [
                {
                    "constraint": "name",
                    "pattern": "loadUrl"
                }
            ],
            "model": {
                "modes": [
                    "skip-analysis"
                ],
                "sinks": [
                    {
                      "kind": "WMLoadUrl",
                      "port": "Argument(1)"
                    }
                ]
            },
            "verbosity": 1
        }
    ]
}

rules.json

  {
    "name": "Data flows into Webview",
    "code": 6,
    "description": "Data flows into a Webview loadUrl",
    "sources": [
      "WMScanResult"
    ],
    "sinks": [
      "WMLoadUrl",
      "WebViewLoadGenerator"
    ]
  }

I am using the WebViewLoadGenerator from the repo as a sink too.
Log:

INFO Extracting `/home/silverf3lix/projects/theapkproject/apks/brunt.apk`...
INFO Extracted APK into `/tmp/tmpazyzx7qn_apk` and DEX into `/tmp/tmpec9usdqc_dex`
INFO Running Mariana Trench: /home/silverf3lix/projects/dexy/mariana-trench/build/mariana-trench-binary --system-jar-paths /home/silverf3lix/Android/Sdk//platforms/android-30/android.jar --apk-directory /tmp/tmpazyzx7qn_apk --dex-directory /tmp/tmpec9usdqc_dex --rules-paths mariana-trench/configuration/rules.json --repository-root-directory /home/silverf3lix/projects/dexy/ --source-root-directory /home/silverf3lix/projects/dexy/ --apk-path /home/silverf3lix/projects/theapkproject/apks/brunt.apk --output-directory /home/silverf3lix/projects/dexy/output/brunt.apk.results/ --maximum-source-sink-distance 7 --model-generator-configuration-paths /home/silverf3lix/projects/dexy/mariana-trench/configuration/newgen.json --model-generator-search-paths /home/silverf3lix/projects/dexy/mariana-trench/configuration/model-generators --lifecycles-paths /home/silverf3lix/projects/dexy/mariana-trench/configuration/lifecycles.json
Trace settings:
TRACEFILE=
SHOW_TIMESTAMPS=
SHOW_TRACEMODULE=
TRACE_METHOD_FILTER=
2023-03-29 19:16:28 INFO Initializing Redex...
2023-03-29 19:16:28 INFO Redex initialized in 0.29s.
2023-03-29 19:16:28 INFO Storing methods...
2023-03-29 19:16:28 INFO Stored all methods in 0.04s. Memory used, RSS: 0.12GB
2023-03-29 19:16:28 INFO Storing fields...
2023-03-29 19:16:29 INFO Stored all fields in 0.01s. Memory used, RSS: 0.13GB
2023-03-29 19:16:29 INFO Building source index...
2023-03-29 19:16:29 INFO Finding files to index in `/home/silverf3lix/projects/dexy/`...
abort: no repository found in '/home/silverf3lix/projects/dexy' (.hg not found)
2023-03-29 19:16:29 WARNING Source directory is not a mercurial repository. Trying `find` to discover files.
2023-03-29 19:16:29 INFO Found 358 files in 0.16s.
2023-03-29 19:16:29 INFO Indexing classes...
2023-03-29 19:16:29 INFO Indexed 801 top-level classes in 0.00s.
2023-03-29 19:16:29 INFO Indexing method paths...
2023-03-29 19:16:29 INFO Indexed 295 method paths in 0.00s.
2023-03-29 19:16:29 INFO Indexing method lines...
2023-03-29 19:16:29 INFO Indexed 12753 method lines in 0.00s.
2023-03-29 19:16:29 INFO Built source index in 0.17s. Memory used, RSS: 0.13GB
2023-03-29 19:16:29 INFO Building control flow graphs...
2023-03-29 19:16:29 INFO Built control flow graphs in 0.04s. Memory used, RSS: 0.16GB
2023-03-29 19:16:29 INFO Inferring types...
2023-03-29 19:16:29 INFO Reflection analysis 0.01s. Memory used, RSS: 0.16GB
2023-03-29 19:16:30 INFO Global analysis 1.24s. Memory used, RSS: 0.21GB
2023-03-29 19:16:30 INFO Inferred types in 1.25s. Memory used, RSS: 0.21GB
2023-03-29 19:16:30 INFO Building class hierarchies...
2023-03-29 19:16:30 INFO Built class hierarchies in 0.01s. Memory used, RSS: 0.21GB
2023-03-29 19:16:30 INFO Building fields cache...
2023-03-29 19:16:30 INFO Built fields cache in 0.03s. Memory used, RSS: 0.23GB
2023-03-29 19:16:30 INFO Creating life-cycle wrapper methods...
2023-03-29 19:16:30 INFO Created 7 life-cycle methods for classes inheriting from `Landroid/app/Activity;`
2023-03-29 19:16:30 INFO Created 7 life-cycle methods for classes inheriting from `Landroid/app/Fragment;`
2023-03-29 19:16:30 WARNING Could not find type for base class name `Landroidx/fragment/app/Fragment;`. Will skip creating life-cycle methods.
2023-03-29 19:16:30 INFO Created 26 life-cycle methods for classes inheriting from `Landroid/app/Service;`
2023-03-29 19:16:30 WARNING Could not find type for base class name `Landroidx/fragment/app/FragmentActivity;`. Will skip creating life-cycle methods.
2023-03-29 19:16:30 INFO Created lifecycle methods in 0.01s. Memory used, RSS: 0.23GB
2023-03-29 19:16:30 INFO Building override graph...
2023-03-29 19:16:30 INFO Built override graph in 0.07s. Memory used, RSS: 0.24GB
2023-03-29 19:16:30 INFO Building method mappings for shim/model generation over 71597 methods
2023-03-29 19:16:30 INFO Generated method mappings in 0.13s. Memory used, RSS: 0.28GB
2023-03-29 19:16:30 INFO Creating Shims...
2023-03-29 19:16:30 INFO Created Shims in 0.00s. Memory used, RSS: 0.28GB
2023-03-29 19:16:30 INFO Building call graph...
2023-03-29 19:16:31 INFO Built call graph in 0.31s. Memory used, RSS: 0.32GB
2023-03-29 19:16:31 INFO Generating models...
2023-03-29 19:16:31 INFO Found model generator: `WMScanResult`
2023-03-29 19:16:31 INFO Found model generator: `WMLoadUrl`
2023-03-29 19:16:31 INFO Found model generator: `WebViewLoadGenerator`
2023-03-29 19:16:31 INFO Running model generator `WMScanResult` (1/3)
2023-03-29 19:16:31 INFO Method `Landroid/net/wifi/WifiManager;.getScanResults:()Ljava/util/List;` satisfies all constraints in json model generator WMScanResult
2023-03-29 19:16:31 INFO Model generator `WMScanResult` generated 1 models in 0.00s.
2023-03-29 19:16:31 INFO Running model generator `WMLoadUrl` (2/3)
2023-03-29 19:16:31 INFO Method `Landroid/webkit/WebView;.loadUrl:(Ljava/lang/String;Ljava/util/Map;)V` satisfies all constraints in json model generator WMLoadUrl
2023-03-29 19:16:31 INFO Method `Landroid/webkit/WebView;.loadUrl:(Ljava/lang/String;)V` satisfies all constraints in json model generator WMLoadUrl
2023-03-29 19:16:31 INFO Model generator `WMLoadUrl` generated 2 models in 0.00s.
2023-03-29 19:16:31 INFO Running model generator `WebViewLoadGenerator` (3/3)
2023-03-29 19:16:31 INFO Model generator `WebViewLoadGenerator` generated 6 models in 0.00s.
2023-03-29 19:16:31 INFO Generated 9 models and 0 field models in 0.01s. Memory used, RSS: 0.32GB
2023-03-29 19:16:31 INFO Reset MethodToShims and Method Mappings. Memory used, RSS: 0.32GB
2023-03-29 19:16:31 INFO Initializing models...
2023-03-29 19:16:31 INFO Initialized 72103 models and 0 field models in 0.03s. Memory used, RSS: 0.32GB
2023-03-29 19:16:31 INFO Initializing rules...
2023-03-29 19:16:31 INFO Initialized 6 rules in 0.00s. Memory used, RSS: 0.32GB
2023-03-29 19:16:31 INFO Data from ScanResult flows into Webview
2023-03-29 19:16:31 INFO User input flows into WebView load
2023-03-29 19:16:31 INFO User input flows into raw SQL statement
2023-03-29 19:16:31 INFO User input flows into implicitly launched intent
2023-03-29 19:16:31 INFO User input flows into file resolver
2023-03-29 19:16:31 INFO User input flows into code execution sink (RCE)
2023-03-29 19:16:31 INFO Removing unused Kinds
2023-03-29 19:16:31 WARNING Kind `SQLMutation` is not used in any rule! You may want to add one for it.
2023-03-29 19:16:31 WARNING Kind `SensitiveCookieData` is not used in any rule! You may want to add one for it.
2023-03-29 19:16:31 WARNING Kind `ArrayAllocation` is not used in any rule! You may want to add one for it.
2023-03-29 19:16:31 INFO Removed 3 kinds in 0.01s.
2023-03-29 19:16:31 INFO Building dependency graph...
2023-03-29 19:16:31 INFO Built dependency graph in 0.03s. Memory used, RSS: 0.32GB
2023-03-29 19:16:31 INFO Created class properties in 0.14s. Memory used, RSS: 0.32GB
2023-03-29 19:16:31 INFO Building the analysis schedule...
2023-03-29 19:16:31 INFO Built the analysis schedule in 0.05s. Memory used, RSS: 0.32GB
2023-03-29 19:16:31 INFO Analyzing...
2023-03-29 19:16:31 INFO Computing global fixpoint...
2023-03-29 19:16:31 INFO Global iteration 1. Analyzing 72103 methods... (Memory used, RSS: 0.32GB)
2023-03-29 19:16:31 INFO Global iteration 1 completed in 0.38s.
2023-03-29 19:16:31 INFO Global iteration 2. Analyzing 11666 methods... (Memory used, RSS: 0.35GB)
2023-03-29 19:16:32 INFO Global iteration 2 completed in 0.33s.
2023-03-29 19:16:32 INFO Global iteration 3. Analyzing 2242 methods... (Memory used, RSS: 0.35GB)
2023-03-29 19:16:32 INFO Global iteration 3 completed in 0.14s.
2023-03-29 19:16:32 INFO Global iteration 4. Analyzing 914 methods... (Memory used, RSS: 0.36GB)
2023-03-29 19:16:32 INFO Global iteration 4 completed in 0.10s.
2023-03-29 19:16:32 INFO Global iteration 5. Analyzing 596 methods... (Memory used, RSS: 0.36GB)
2023-03-29 19:16:32 INFO Global iteration 5 completed in 0.07s.
2023-03-29 19:16:32 INFO Global iteration 6. Analyzing 333 methods... (Memory used, RSS: 0.36GB)
2023-03-29 19:16:32 INFO Global iteration 6 completed in 0.05s.
2023-03-29 19:16:32 INFO Global iteration 7. Analyzing 476 methods... (Memory used, RSS: 0.36GB)
2023-03-29 19:16:32 INFO Global iteration 7 completed in 0.07s.
2023-03-29 19:16:32 INFO Global iteration 8. Analyzing 172 methods... (Memory used, RSS: 0.36GB)
2023-03-29 19:16:32 INFO Global iteration 8 completed in 0.02s.
2023-03-29 19:16:32 INFO Global iteration 9. Analyzing 67 methods... (Memory used, RSS: 0.36GB)
2023-03-29 19:16:32 INFO Global iteration 9 completed in 0.01s.
2023-03-29 19:16:32 INFO Global iteration 10. Analyzing 23 methods... (Memory used, RSS: 0.36GB)
2023-03-29 19:16:32 INFO Global iteration 10 completed in 0.01s.
2023-03-29 19:16:32 INFO Global iteration 11. Analyzing 4 methods... (Memory used, RSS: 0.36GB)
2023-03-29 19:16:32 INFO Global iteration 11 completed in 0.00s.
2023-03-29 19:16:32 INFO Global fixpoint reached.
2023-03-29 19:16:32 INFO Analyzed 72103 models in 1.19s. Found 0 issues!
2023-03-29 19:16:32 INFO Removing invalid traces due to collapsing...
2023-03-29 19:16:32 INFO Removed invalid traces in 0.04s.
2023-03-29 19:16:32 INFO Augmenting positions...
2023-03-29 19:16:32 INFO Augmented positions in 0.01s.
2023-03-29 19:16:32 INFO Writing models to `/home/silverf3lix/projects/dexy/output/brunt.apk.results/`.
2023-03-29 19:16:32 INFO Wrote models to 8 shards.
2023-03-29 19:16:32 INFO Wrote models in 0.14s.
2023-03-29 19:16:32 INFO Writing metadata to `/home/silverf3lix/projects/dexy/output/brunt.apk.results/metadata.json`.
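Added check script, not part of Mariana Trench and not from the issue: a small Python audit of what each `Argument(N)` port in the models above actually selects. Mariana Trench numbers ports so that `Argument(0)` is `this` on an instance method and the first declared parameter is `Argument(1)`, so a sink on `Argument(0)` of `callWebInterface` marks the receiver rather than either String, while `Argument(1)` on `loadUrl(String)` is the URL. The two `loadUrl` signatures are the ones the log reports; the `callWebInterface` signature and its `Lcom/example/App;` class name are assumptions taken from the Java shown in the issue.

```python
import json
import re

# Constructed inputs. The loadUrl signatures are the two the issue's log reports;
# the callWebInterface signature (instance method, two Strings) and its class name
# are assumed from the Java in the issue, not taken from the real app.
METHODS = {
    "loadUrl": [
        "Landroid/webkit/WebView;.loadUrl:(Ljava/lang/String;Ljava/util/Map;)V",
        "Landroid/webkit/WebView;.loadUrl:(Ljava/lang/String;)V",
    ],
    "callWebInterface": [
        "Lcom/example/App;.callWebInterface:(Ljava/lang/String;Ljava/lang/String;)V",
    ],
}

# The sink model generator from the issue, reduced to the fields this check reads.
SINK_MODEL_GENERATOR = json.loads("""
{ "model_generators": [ { "find": "methods",
    "where": [ { "constraint": "name", "pattern": "callWebInterface" } ],
    "model": { "sinks": [ { "kind": "WMLoadUrl", "port": "Argument(0)" } ] } } ] }
""")

PRIMITIVES = set("BCDFIJSZ")


def parse_descriptor(desc):
    """Split a JVM method descriptor '(params)ret' into its parameter descriptors."""
    if not desc.startswith("("):
        raise ValueError(f"not a method descriptor: {desc}")
    params, i = [], 1
    while desc[i] != ")":
        start = i
        while desc[i] == "[":  # array dimensions prefix the element type
            i += 1
        if desc[i] == "L":  # object type runs up to and including ';'
            i = desc.index(";", i) + 1
        elif desc[i] in PRIMITIVES:
            i += 1
        else:
            raise ValueError(f"bad type at offset {i} in {desc}")
        params.append(desc[start:i])
    return params


def split_signature(sig):
    """'Lcls;.name:(desc)R' -> (class, name, descriptor)."""
    cls, rest = sig.split(".", 1)
    name, desc = rest.split(":", 1)
    return cls, name, desc


def resolve_port(signature, port, is_static=False):
    """Map an Argument(N) port to what it selects on the given method.

    Returns ("this", class) or ("param", declared_index, type_descriptor).
    Instance methods count `this` as Argument(0); static methods start at the
    first declared parameter.
    """
    m = re.fullmatch(r"Argument\((\d+)\)", port)
    if not m:
        raise ValueError(f"not a parameter port: {port}")
    n = int(m.group(1))
    cls, _name, desc = split_signature(signature)
    params = parse_descriptor(desc)
    if not is_static:
        if n == 0:
            return ("this", cls)
        n -= 1
    if n >= len(params):
        raise ValueError(f"{port} is out of range for {signature}")
    return ("param", n, params[n])


def audit_ports(generator, methods, is_static=False):
    """For every sink port a model generator would apply, report what it selects.

    The name constraint is treated as a regex on the method name, matching how
    the "pattern" field is used; methods are the signatures keyed by method name.
    """
    findings = []
    for gen in generator["model_generators"]:
        patterns = [w["pattern"] for w in gen["where"] if w["constraint"] == "name"]
        for name, sigs in methods.items():
            if not any(re.fullmatch(p, name) for p in patterns):
                continue
            for sig in sigs:
                for sink in gen["model"].get("sinks", []):
                    findings.append((sig, sink["port"], resolve_port(sig, sink["port"], is_static)))
    return findings


if __name__ == "__main__":
    for sig, port, what in audit_ports(SINK_MODEL_GENERATOR, METHODS):
        print(f"{port} on {sig} selects {what}")
    for sig in METHODS["loadUrl"]:
        print(f"Argument(1) on {sig} selects {resolve_port(sig, 'Argument(1)')}")
```

Run against the models from the issue, the script reports that the `callWebInterface` sink on `Argument(0)` selects the receiver object, and that the `loadUrl` sink on `Argument(1)` selects the `Ljava/lang/String;` URL parameter on both overloads; an out-of-range port raises `ValueError` instead of silently matching nothing.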