Problems detecting taint propogation

[chuayupeng]

I have problems trying to write a propogation that can detect this flow of data from the initialisation of the implicit intent to calling it in an activity.

    invoke-direct {v1, v2}, Landroid/content/Intent;-><init>(Ljava/lang/String;)V

    const/16 v2, 0xd5

    invoke-virtual {v0, v1, v2}, Landroid/app/Activity;->startActivityForResult(Landroid/content/Intent;I)V

    goto/16 :goto_2f

I can define the source to be the method that inits the intent, and sink to be the startActivityForResult, but when I write in the rules to link the source to the sink, no issues come up.

INFO Method `Landroid/content/Intent;.<init>:(Ljava/lang/String;)V` satisfies all constraints in json model generator ImplicitIntentAsSource
INFO Method `Landroid/app/Activity;.startActivityForResult:(Landroid/content/Intent;I)V` satisfies all constraints in json model generator ImplicitIntentAsSink

Is there any further way I can debug this? Not sure how to proceed

[chuayupeng]

Source Definition (same as the implicitintentsourcegenerator):

{
    "model_generators": [
      {
        "find": "methods",
        "where": [
          {
            "constraint": "parent",
            "inner": {
              "constraint": "name",
              "pattern": "Landroid/content/Intent;"
            }
          },
          {
            "constraint": "name",
            "pattern": "\\<init\\>"
          },
          {
            "constraint": "not",
            "inner": {
              "constraint": "signature",
              "pattern": ".*Ljava/lang/Class;.*"
            }
          }
        ],
        "model": {
          "sources": [
            {
              "kind": "IntentAsSource",
              "port": "Argument(0)"
            }
            ]
        },
      "verbosity" : 1
      }
    ]
  }

Sink Definition:

{
  "model_generators": [
    {
      "find": "methods",
      "where": [
        {
          "constraint": "name",
          "pattern": "startActivityForResult"
        }
      ],
      "model": {
          "sinks": [
            {
                "kind": "IntentAsSink",
                "port": "Argument(1)"
            }
          ]
        },
        "verbosity" : 1
      }
    ]
}
  

rules.json:
{ "name": "IntentImplicitTest", "code":99, "description": "Test", "sources": ["IntentAsSource"], "sinks":["IntentAsSink"] }

[arthaud]

Hi @chuayupeng, thanks for reaching out.
This is because your model defines a source with port Argument(0).
This is something that we did not document well, but:

• A source with a Return port means the source is produced at the call site, i.e:
  x = source(); // x is tainted
• A source with an Argument port means the source is tainted in the body of the function, i.e:
  public void source(String x) { // x is tainted here }

Internally, we do differentiate between sources produced at call sites (called generations) and sources produces in the body (called parameter sources). You can also specify them in JSON.

TL, DR: Using "generations": {"kind": "IntentAsSource", "port": "Argument(0)"} instead of "sources": ... should fix the issue.

[chuayupeng]

Hi @arthaud, thanks for the easy to understand explanation! I changed the definition with the source and it worked like a charm!