
How to detect data casting #57

Closed
chuayupeng opened this issue Oct 13, 2021 · 9 comments
Labels
enhancement New feature or request

Comments

@chuayupeng

Is it possible for mariana trench to detect if the data is being cast into (Intent), for example? What would the source definition look like in that case?

@yuhshin-oss
Contributor

If I'm understanding the question correctly, a propagation model like this might be what you are looking for:
https://github.com/facebook/mariana-trench/blob/main/configuration/model-generators/propagations/IntentDataFeatureGenerator.json#L3-L22

This specifies that any taint that flows through the first argument of Intent.setData() will taint the this object and a feature called "via-intent-data" will be added to the flow.

And if I've misunderstood the question, could you provide code examples to go along with it just for clarification? Thanks!

@chuayupeng
Author

chuayupeng commented Oct 14, 2021

Hi @yuhshin-oss, I was thinking more along the lines of detecting something specific like this:

(Intent) extraIntent = getIntent().getParcelableExtra("Extra_Intent")

while excluding instances like this:

(String) extraString = getIntent().getExtras("String")

when my initial source is aimed at getParcelableExtra or getExtras.

Basically, something that would allow me to stop the flow and deem it a false positive if the data was cast into a class that I do not want.

@chuayupeng
Author

@yuhshin-oss I realise this might be a bit out of scope, but I would like to know how to ensure that taint is propagated only through specific data type casts like the above; I am unsure how to write it out.

@yuhshin-oss
Contributor

Hi @chuayupeng, thanks for the example! Assuming the extraString in the example comes from an API call like the following:

var extraString = getIntent().getExtras().getString("test");

This type of casting is done explicitly with Bundle (or BaseBundle)'s get[Type](...) methods. This means that you can define models on the methods directly. In this case, adding a propagation feature like "via-bundle-getString" on the flow from "this (Argument(0))" to "return" of BaseBundle.getString() could help. Taint will still be propagated, but any issues found will contain the feature and can be filtered out. This would look something like:

{
  "find": "methods",
  "where": [
    {
      "constraint": "signature",
      "pattern": "Landroid/os/BaseBundle;.getString:(Ljava/lang/String;)Ljava/lang/String;"
    }
  ],
  "model": {
    "propagations": [
      {
        "input": "Argument(0)",
        "output": "Return",
        "features": [
          "via-bundle-getString"
        ]
      }
    ]
  }
}
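As an added example (not code from this thread or from the Mariana Trench project), the following builds generator entries of the shape shown above for several typed getters, giving each its own feature, and applies the triage rule the comment describes: a finding whose taint passed through a String getter cannot be the Intent an intent-redirection sink consumes, so it is filtered out. The getString pattern is the one from the comment; the other Dalvik descriptors, the top-level "model_generators" wrapper and the keep_issue helper are assumptions to check against your SDK and output.

```python
import json

# Typed getters that perform the cast the thread discusses, keyed by the feature
# each one stamps on the flow. The getString pattern is the one from the comment
# above; the other descriptors are assumed (verify them against your SDK's Dex).
TYPED_GETTERS = {
    "via-bundle-getString":
        "Landroid/os/BaseBundle;.getString:(Ljava/lang/String;)Ljava/lang/String;",
    "via-bundle-getParcelable":
        "Landroid/os/Bundle;.getParcelable:(Ljava/lang/String;)Landroid/os/Parcelable;",
    "via-intent-getStringExtra":
        "Landroid/content/Intent;.getStringExtra:(Ljava/lang/String;)Ljava/lang/String;",
    "via-intent-getParcelableExtra":
        "Landroid/content/Intent;.getParcelableExtra:(Ljava/lang/String;)Landroid/os/Parcelable;",
}

# Features meaning "the value came out as a String, not a Parcelable", i.e. it
# cannot be the Intent that an intent-redirection sink would consume.
NON_INTENT_FEATURES = frozenset({"via-bundle-getString", "via-intent-getStringExtra"})


def propagation_model(signature: str, feature: str) -> dict:
    """One generator entry: taint on the receiver (Argument(0)) reaches Return
    and the flow is stamped with `feature`, the same shape as the comment above."""
    return {
        "find": "methods",
        "where": [{"constraint": "signature", "pattern": signature}],
        "model": {
            "propagations": [
                {"input": "Argument(0)", "output": "Return", "features": [feature]}
            ]
        },
    }


def model_generator(getters: dict = TYPED_GETTERS) -> dict:
    """Whole generator file (assumed top-level "model_generators" list) covering
    every getter in `getters`."""
    return {"model_generators": [propagation_model(sig, feat) for feat, sig in getters.items()]}


def keep_issue(issue_features) -> bool:
    """Hypothetical triage helper: drop an intent-redirection finding whose taint
    passed through a String getter; keep it otherwise (unknown path = keep)."""
    return NON_INTENT_FEATURES.isdisjoint(issue_features)


if __name__ == "__main__":
    print(json.dumps(model_generator(), indent=2))
```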

@chuayupeng
Author

Hi @yuhshin-oss, what if the data casting is done like this?

(String) extraString = ...

That way, there is no method invocation, so I was unsure how to detect cases like this.

@arthaud
Contributor

arthaud commented Nov 1, 2021

Could you give another example? (String) is not valid on the left hand side of an assignment.

@chuayupeng
Author

Hi @arthaud,

I want to differentiate between these 2 lines of code, so I can reduce false positives when detecting intent redirections. Is there any way to detect what the data is cast into?

Intent extraIntent = (Intent) intent.getExtras("...");

and

String extraString = (String) intent.getExtras("...");

@arthaud
Contributor

arthaud commented Nov 2, 2021

Apparently, this generates a CHECK_CAST v1, Ljava/lang/String; in Dex. We currently ignore those, so there is no way to differentiate these, unfortunately.

arthaud added the enhancement label on Nov 2, 2021
@arthaud
Contributor

arthaud commented Nov 20, 2021

That should be solved with a87023d

arthaud closed this as completed on Nov 20, 2021