
A security focused static analysis tool for Android and Java applications.

Home Page: https://mariana-tren.ch/

License: MIT License

Java 7.51% Python 2.62% Shell 0.03% C++ 87.61% C 0.19% Common Lisp 0.78% CMake 1.18% Kotlin 0.09%

mariana-trench's Introduction

Mariana Trench


Mariana Trench is a security focused static analysis platform targeting Android.

This guide walks you through setting up Mariana Trench on your machine and finding your first remote code execution vulnerability in a small sample app. These instructions are also available on our website.

Prerequisites

Mariana Trench requires a recent version of Python. On macOS you can get a current version through Homebrew:

$ brew install python3

On a Debian flavored Linux (Ubuntu, Mint, Debian), you can use apt-get:

$ sudo apt-get install python3 python3-pip python3-venv

This guide also assumes you have the Android SDK installed and an environment variable $ANDROID_SDK pointed to the location of the SDK.

For the rest of this guide, we assume that you are working inside of a virtual environment. You can set this up with

$ python3 -m venv ~/.venvs/mariana-trench
$ source ~/.venvs/mariana-trench/bin/activate
(mariana-trench)$

The name of the virtual environment in front of your shell prompt indicates that the virtual environment is active.

Installing Mariana Trench

Inside your virtual environment installing Mariana Trench is as easy as running

(mariana-trench)$ pip install mariana-trench

Note: pip install is not currently supported for Apple silicon Macs, you can build from source using the instructions in the Developer's Guide.

Running Mariana Trench

We'll use a small app that is part of our documentation. You can get it by running

(mariana-trench)$ git clone https://github.com/facebook/mariana-trench
(mariana-trench)$ cd mariana-trench/

We are now ready to run the analysis:

(mariana-trench)$ mariana-trench \
  --system-jar-configuration-path=$ANDROID_SDK/platforms/android-32/android.jar \
  --model-generator-configuration-paths=configuration/default_generator_config.json \
  --lifecycles-paths=configuration/lifecycles.json \
  --rules-paths=configuration/rules.json \
  --apk-path=documentation/sample-app/app/build/outputs/apk/debug/app-debug.apk \
  --source-root-directory=documentation/sample-app/app/src/main/java \
  --model-generator-search-paths=configuration/model-generators/

# ...
INFO Analyzed 68937 models in 7.47s. Found 9 issues!
# ...

The analysis has found 9 issues in our sample app. The output of the analysis is a set of specifications for each method of the application.

Post Processing

The specifications themselves are not meant to be read by humans. We need an additional processing step in order to make the results more presentable. We do this with SAPP (installed for us by pip as a dependency of Mariana Trench):

(mariana-trench)$ sapp --tool=mariana-trench analyze .
(mariana-trench)$ sapp --database-name=sapp.db server --source-directory=documentation/sample-app/app/src/main/java
# ...
2021-05-12 12:27:22,867 [INFO]  * Running on http://localhost:13337/ (Press CTRL+C to quit)

The last line of the output tells us that SAPP started a local web server that lets us look at the results. Open the link and you will see the 9 issues found by the analysis.

Exploring Results

Let's focus on the remote code execution issue found in the sample app. You can identify it by its issue code 1 (the code for all remote code execution rules) and the callable void MainActivity.onCreate(Bundle). With only 9 issues to look at it is easy to find the issue manually, but once more rules run, the filter functionality at the top right of the page comes in handy.


The issue tells you that Mariana Trench found a remote code execution in MainActivity.onCreate where the data is coming from Activity.getIntent one call away, and flows into the constructor of ProcessBuilder 3 calls away. Click on "Traces" in the top right corner of the issue to see an example trace.

The trace surfaced by Mariana Trench consists of three parts.

The source trace represents where the data is coming from. In our example, the trace is very short: Activity.getIntent is called in MainActivity.onCreate directly.

The trace root represents where the source trace meets the sink trace. In our example this is the activity's onCreate method.

The final part of the trace is the sink trace: this is where the data from the source flows down into a sink. In our example it flows from onCreate, to onClick, to execute, and finally into the constructor of ProcessBuilder.

Configuring Mariana Trench

You might be asking yourself, "how does the tool know what is user controlled data, and what is a sink?". This guide is meant to get you started quickly on a small app and does not cover how to configure Mariana Trench. You can read more about that on our website under Configuration.
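As an added example of what that configuration looks like (this is not code from the Mariana Trench repository; it is built from the model generator and rule syntax that appears elsewhere on this page), the shell script below writes a model generator that marks the return value of Activity.getIntent as a source and the single parameter of every ProcessBuilder constructor as a sink, a rule that connects the two kinds, and then prints the command line for running the sample app against exactly that configuration. The directory name, the kind names ExampleIntentData and ExampleCommandExecution, the rule code 1001, and the shape of the generator registration file (assumed to mirror configuration/default_generator_config.json in the checkout) are assumptions of the example, not part of the README.

```shell
#!/usr/bin/env bash
# Added example (not from the Mariana Trench repository): answer "how does the
# tool know what is a source and what is a sink?" with a custom model generator
# and rule for the getIntent -> ProcessBuilder flow found in the sample app.
# Kind names, file names and the rule code are illustrative choices.
set -eu

# Assumption: the custom configuration is written here; any directory works.
CONFIG_DIR="${CONFIG_DIR:-./custom-config}"

write_custom_config() {
  local dir="$1"
  mkdir -p "$dir/model-generators"

  # Model generator. A "sources" entry on port Return marks Activity.getIntent's
  # result as attacker-controlled; a "sinks" entry on Argument(1) marks the single
  # parameter of every ProcessBuilder constructor as dangerous (Argument(0) is
  # the receiver for instance methods, so the first real parameter is Argument(1)).
  cat > "$dir/model-generators/ExampleRceGenerator.json" <<'EOF'
{
  "model_generators": [
    {
      "find": "methods",
      "where": [
        {"constraint": "parent", "inner": {"constraint": "name", "pattern": "Landroid/app/Activity;"}},
        {"constraint": "name", "pattern": "getIntent"}
      ],
      "model": {
        "sources": [{"kind": "ExampleIntentData", "port": "Return"}]
      }
    },
    {
      "find": "methods",
      "where": [
        {"constraint": "parent", "inner": {"constraint": "name", "pattern": "Ljava/lang/ProcessBuilder;"}},
        {"constraint": "name", "pattern": "<init>"}
      ],
      "model": {
        "sinks": [{"kind": "ExampleCommandExecution", "port": "Argument(1)"}]
      }
    }
  ]
}
EOF

  # Rule: an issue is reported when taint of a listed source kind reaches a
  # listed sink kind. Codes must be unique across the rule set; 1001 is arbitrary.
  cat > "$dir/rules.json" <<'EOF'
[
  {
    "name": "Intent data reaches ProcessBuilder",
    "code": 1001,
    "description": "Attacker-controlled intent data flows into a command execution sink",
    "sources": ["ExampleIntentData"],
    "sinks": ["ExampleCommandExecution"]
  }
]
EOF

  # Generator registration. Assumption: same shape as
  # configuration/default_generator_config.json in the checkout, an array of
  # {"name": ...} entries naming files found via --model-generator-search-paths.
  cat > "$dir/generator_config.json" <<'EOF'
[
  {"name": "ExampleRceGenerator"}
]
EOF
}

# Print the analysis command for the sample app using the custom config only,
# so that only the rule above can fire. Assumes the guide's checkout layout and
# $ANDROID_SDK; lifecycles.json still comes from the repository.
analysis_command() {
  local dir="$1"
  printf '%s\n' \
    "mariana-trench \\" \
    "  --system-jar-configuration-path=\$ANDROID_SDK/platforms/android-32/android.jar \\" \
    "  --model-generator-configuration-paths=$dir/generator_config.json \\" \
    "  --model-generator-search-paths=$dir/model-generators/ \\" \
    "  --lifecycles-paths=configuration/lifecycles.json \\" \
    "  --rules-paths=$dir/rules.json \\" \
    "  --apk-path=documentation/sample-app/app/build/outputs/apk/debug/app-debug.apk \\" \
    "  --source-root-directory=documentation/sample-app/app/src/main/java"
}

write_custom_config "$CONFIG_DIR"
analysis_command "$CONFIG_DIR"
```

Running the script writes the three files and prints the command; run that command from your mariana-trench checkout with the virtual environment active. Because only this rule and this generator are loaded, the default sources and sinks are not in play, which makes it a convenient way to test a new model in isolation before adding it to the default configuration.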

Contributing

For an in-depth guide on building from source and development on Mariana Trench, see the Developer's Guide at our website.

License

Mariana Trench is licensed under the MIT license.

mariana-trench's People

Contributors

0xedward, 0xflotus, agampe, amyreese, antonk52, arthaud, dkgi, drhill-meta, facebook-github-bot, iambrosie, jknoxville, lisroach, mir597, ntillmann, pkesseli, shannonzhu, simranvirk, ssj933, the-storm, thesavior, wsanville, yfeldblum, yuhshin-oss, yuxuanchen1997, zertosh

mariana-trench's Issues

Query on propagating inputstream to buffer

Hello, I'm trying to write a rule to detect a flow from an external directory source to an outputstream.

// Path built from the public Downloads directory plus a user-supplied file name
String filePath = Environment.getExternalStoragePublicDirectory(Environment.DIRECTORY_DOWNLOADS).toString() + "/" + userInputFile;
File f = new File(filePath);
InputStream is = new FileInputStream(f);
byte[] buffer = new byte[size];
int n;
// Copy the file contents into the output stream `os` one chunk at a time
while ((n = is.read(buffer)) > 0) {
    os.write(buffer, 0, n);
}

How do I propagate the taint from the input stream to the buffer, such that when the output stream uses the buffer, the output stream itself becomes tainted? I tried propagation and it didn't work. Is it possible to do such propagation?

Propagation:

{
            "find": "methods",
            "where": [
                {
                    "constraint": "parent",
                    "inner": {
                        "constraint": "extends",
                        "inner": {
                            "constraint": "name",
                            "pattern": "Ljava/io/InputStream"
                        }
                    }
                },
                {
                    "constraint": "name",
                    "pattern": "read.*"
                }
            ],
            "model": {
                "propagation": [
                    {
                        "input": "Argument(0)",
                        "output": "Argument(1)"
                    }
                ]
            }
}

Source:

{
  "model_generators": [
    {
      "find": "methods",
      "where": [
        {
          "constraint": "name",
          "pattern": "getExternal.*"
        }
      ],
      "model": {
        "generations": [{
          "kind": "ExternalSource",
          "port": "Return"
        }]
      }
    }
  ]
}

Sink:

{
    "model_generators": [
        {
            "find": "methods",
            "where": [
                {
                    "constraint": "parent",
                    "inner": {
                        "constraint": "extends",
                        "inner": {
                            "constraint": "name",
                            "pattern": "Ljava/io/OutputStream"
                        }
                    }
                },
                {
                    "constraint": "name",
                    "pattern": "write"
                }
            ],
            "model": {
                "for_all_parameters": [
                    {
                        "variable": "x",
                        "where": [
                            {
                                "constraint": "name",
                                "pattern": "\\[B"
                            }
                        ],
                        "sinks": [
                            {
                                "kind": "OutputWriteSink",
                                "port": "Argument(x)"
                            }
                        ]
                    }
                ]
            }
        }
    ]
}

Edit: included the model for my source and sink

I also have another question regarding multi-source and partial sink as I see some of the default source/sink has it but it is not documented. I would like to enquire about the use case.

Query on writing sanitizers

Hello! Just a question on how to write flows for sanitizers. I have done some modifications and I want to sanitize the taint analysis and remove any explicit intents from the result set, instead of just adding a feature to them. I tried doing it like so, but was unable to remove the finding that still had a setClass within the taint analysis. I would appreciate any help to guide me on this issue, or any documentation about sanitizers that you might have!

{
  "model_generators": [
    {
      "find": "methods",
      "where": [
        {
          "constraint": "parent",
          "inner": {
            "constraint": "name",
            "pattern": "Landroid/content/Intent;"
          }
        },
        {
          "constraint": "any_of",
          "inners": [
            {
              "constraint": "name",
              "pattern": "setClass.*"
            },
            {
              "constraint": "name",
              "pattern": "setComponent"
            },
            {
              "constraint": "name",
              "pattern": "setPackage"
            }
          ]
        }
      ],
      "model": {
        "sanitizers": [
          {"sanitize": "propagations"}
        ]
      }
    }
  ]
}

How to add a Life-cycle Method

Hello, Dear Developer

I want to use --lifecycles-paths feature to define some special callees. I referenced the example in mariana-trench/configuration/lifecycles.json and wrote the following

[
  {
    "base_class_name": "Landroid/os/AsyncTask;",
    "method_name": "asynctask_lifecycle_wrapper",
    "callees": [
      {
        "method_name": "onPreExecute",
        "return_type": "V",
        "argument_types": []
      }
    ]
  }
]

Obviously, I want to add a method with the signature "Landroid/os/AsyncTask;->onPreExecute()V";
Also, in my target apk, there are subclasses that override this method.

But from the log output, it looks like I didn't succeed in adding lifecycle-methods

INFO Building source index...
INFO Built source index in 0.02s.
INFO Inferring types...
INFO Inferred types in 0.03s.
INFO Created class properties in 0.00s.
INFO Building class hierarchies...
INFO Built class hierarchies in 0.01s.
INFO Building fields cache...
INFO Built fields cache in 0.02s.
INFO Creating life-cycle wrapper methods...
INFO Created 0 life-cycle methods for classes inheriting from `Landroid/os/AsyncTask;`
INFO Created lifecycle methods in 0.00s.
INFO Building override graph...
INFO Built override graph in 0.10s.

Unfortunately, I didn't find any documentation on the use of the lifecycle-method, so I hope you can add some, or tell me how to add it.

Sapp browser view is not working.

[Two screenshots attached (2021-11-01): the SAPP browser view]

As per the attached image, the browser view of sapp is not working for mariana-trench. Kindly help me with the same.

Looking forward to hearing from you.
Thanks in advance.

Need help to create new sources / sinks

Hello everyone, I need some help because I cannot detect a simple data flow (doing it just as an exercise to learn Mariana-trench).

I have this piece of source code:

@Override // android.support.v4.app.FragmentActivity, android.app.Activity
public void onActivityResult(int i, int i2, Intent intent) {
    super.onActivityResult(i, i2, intent);
    if (i == LOAD_CONTENT_ACTIVITY_REQUEST_CODE && i2 == -1) {
        Boolean valueOf = Boolean.valueOf(intent.getBooleanExtra("use_base_url", false));
        String stringExtra = intent.getStringExtra("base_url");
        String stringExtra2 = intent.getStringExtra("html_content");
        if (valueOf.booleanValue()) {
            this.webview.loadDataWithBaseURL(stringExtra, stringExtra2, "text/html", "UTF-8", stringExtra);
        } else {
            this.webview.loadData(stringExtra2, "text/html", "UTF-8");
        }
    }
}

What I am trying to do is create a source on the first parameter of the getStringExtra method and a sink on the loadDataWithBaseURL method. So, I created two files, the following one for the source and the other one for the sink:

IntentSourceGenerator.json:

{
    "model_generators": [
        {
            "find": "methods",
            "where": [
                {
                "constraint": "name",
                "pattern": "getStringExtra"
                }
            ],
            "model": {
                "sources": [
                    {
                        "kind": "TestSensitiveUserInput",
                        "port": "Argument(1)"
                    }
                ]
            }
        }]
}

TestWebViewLoadGenerator.json :

{
  "model_generators": [
      {
          "find": "methods",
          "where": [
              {
              "constraint": "name",
              "pattern": "loadDataWithBaseURL"
              }
          ],
          "model": {
              "sinks": [
                  {
                      "kind": "WebViewLoadContent",
                      "port": "Argument(1)"
                  }
              ]
          }
      }]
}

Here the rule added to the rules.json file:

{
    "name": "Test",
    "code": 9,
    "description": "test",
    "sources": [
      "TestSensitiveUserInput"
    ],
    "sinks": [
      "WebViewLoadContent"
    ]
  }

I don't know what I am doing wrong, but I got the following results. Can someone explain to me what I should do?

...
...
INFO Running model generator `taint_in_taint_out` (15/21)
INFO Running model generator `taint_in_taint_this` (16/21)
INFO Running model generator `WebViewLoadGenerator` (17/21)
INFO Running model generator `TestWebViewLoadGenerator` (18/21)
INFO Running model generator `BypassableHostCheckSinkGenerator` (19/21)
INFO Method `Ljava/lang/String;.contains:(Ljava/lang/CharSequence;)Z` satisfies all constraints in json model generator BypassableHostCheckSinkGenerator
INFO Method `Ljava/lang/String;.endsWith:(Ljava/lang/String;)Z` satisfies all constraints in json model generator BypassableHostCheckSinkGenerator
INFO Running model generator `ReflectionSinkGenerator` (20/21)
INFO Running model generator `IntentSourceGenerator` (21/21)
INFO Generated 74062 models and 0 field models in 0.84s.
INFO Initializing models...
INFO Initialized 67126 models and 0 field models in 0.09s.
INFO Initializing rules...
INFO Initialized 9 rules in 0.00s.
INFO Removing unused Kinds
WARNING Kind `SQLMutation` is not used in any rule! You may want to add one for it.
WARNING Kind `ArrayAllocation` is not used in any rule! You may want to add one for it.
INFO Removed 2 kinds in 0.02s.
....
....
INFO Analyzed 67126 models in 3.02s. Found 0 issues!
....

[FR] Support multiple source code directories

Support multiple source code directories

Hello good people !

Is your feature request related to a problem? Please describe.
I am trying to run mariana-trench on an application that contains its source code in multiple directories and an external package. I ran into this problem while trying to integrate mariana trench into a build pipeline for mobile applications, but I think this feature also makes sense for scanning non-Android projects.

Repository structure example:

./app
├── config
├── docs
├── gradle
├── app-common
│   └── src
├── app-external
│   └── src
├── externalSDK.java
├── app-login
│   └── src
└── app-test
    └── src

Describe the solution you'd like
I would like to execute something similar to:

(mariana-trench)$ mariana-trench \
  --system-jar-configuration-path=$ANDROID_SDK/platforms/android-30/android.jar \
  --apk-path=app-debug.apk \
  --source-root-directory=./app/app-common/src/main/java \
  --source-root-directory=./app/app-external/src/main/java \
  --source-root-directory=./app/app-login/src/main/java \
  --source-root-directory=./app/externalSDK.java/src/main/java

Additional context
I discussed this issue with some people from Facebook's bounty team, who presented Mariana Trench during BountyConEdu and it was suggested, that I open an issue here so that it gets handled by the software team responsible.

Any clarification required, let me know.

Regards,
Giannis

Error building mariana-trench from source

Bug

Bug description
Failed to compile mariana-trench

Reproduction steps
All the steps according to https://mariana-tren.ch/docs/contribution/

Expected behavior
mariana-trench builds from source successfully

Logs

lzy@lzy:~/tools/mariana-trench/build$ make -j4
[  3%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/AnalysisEnvironment.cpp.o
[  3%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Access.cpp.o
[  3%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/ArtificialMethods.cpp.o
[  4%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/CallGraph.cpp.o
[  6%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/CallPositionFrames.cpp.o
[  8%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/CalleeFrames.cpp.o
[  8%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/CanonicalName.cpp.o
[  9%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/ClassHierarchies.cpp.o
[ 11%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/ClassProperties.cpp.o
[ 11%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Constants.cpp.o
[ 12%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Context.cpp.o
[ 14%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Dependencies.cpp.o
[ 16%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/EventLogger.cpp.o
/home/lzy/tools/mariana-trench/source/EventLogger.cpp: In static member function ‘static void marianatrench::EventLogger::log_event(const string&, const string&, int)’:
/home/lzy/tools/mariana-trench/source/EventLogger.cpp:14:24: warning: unused parameter ‘event’ [-Wunused-parameter]
   14 |     const std::string& event,
      |     ~~~~~~~~~~~~~~~~~~~^~~~~
/home/lzy/tools/mariana-trench/source/EventLogger.cpp:15:24: warning: unused parameter ‘message’ [-Wunused-parameter]
   15 |     const std::string& message,
      |     ~~~~~~~~~~~~~~~~~~~^~~~~~~
/home/lzy/tools/mariana-trench/source/EventLogger.cpp:16:15: warning: unused parameter ‘value’ [-Wunused-parameter]
   16 |     const int value) {}
      |     ~~~~~~~~~~^~~~~
/home/lzy/tools/mariana-trench/source/EventLogger.cpp: In function ‘void marianatrench::init_event_logger(const marianatrench::Options*)’:
/home/lzy/tools/mariana-trench/source/EventLogger.cpp:18:39: warning: unused parameter ‘options’ [-Wunused-parameter]
   18 | void init_event_logger(const Options* options) {}
      |                        ~~~~~~~~~~~~~~~^~~~~~~
[ 16%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Feature.cpp.o
[ 17%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/FeatureMayAlwaysSet.cpp.o
[ 19%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/FeatureSet.cpp.o
[ 19%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Features.cpp.o
[ 20%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Field.cpp.o
[ 22%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/FieldCache.cpp.o
[ 24%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/FieldModel.cpp.o
[ 24%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/FieldSet.cpp.o
[ 25%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Fields.cpp.o
[ 27%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Frame.cpp.o
[ 27%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/FrameSet.cpp.o
[ 29%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/FulfilledPartialKindState.cpp.o
[ 30%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Highlights.cpp.o
[ 30%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Interprocedural.cpp.o
[ 32%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Issue.cpp.o
[ 33%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/JsonValidation.cpp.o
[ 35%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Kind.cpp.o
[ 35%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Kinds.cpp.o
[ 37%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/LifecycleMethod.cpp.o
[ 38%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/LifecycleMethods.cpp.o
[ 38%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/LocalPositionSet.cpp.o
[ 40%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Log.cpp.o
[ 41%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/MarianaTrench.cpp.o
[ 43%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/MemoryLocation.cpp.o
[ 43%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Method.cpp.o
[ 45%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/MethodContext.cpp.o
[ 46%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/MethodSet.cpp.o
[ 46%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Methods.cpp.o
[ 48%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Model.cpp.o
[ 50%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/ModelGeneration.cpp.o
[ 51%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/MultiSourceMultiSinkRule.cpp.o
[ 51%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/NamedKind.cpp.o
[ 53%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/OperatingSystem.cpp.o
[ 54%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Options.cpp.o
[ 54%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Overrides.cpp.o
[ 56%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/PartialKind.cpp.o
[ 58%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Position.cpp.o
[ 59%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Positions.cpp.o
[ 59%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/PostprocessTraces.cpp.o
[ 61%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Propagation.cpp.o
[ 62%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/RE2.cpp.o
[ 62%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Redex.cpp.o
[ 64%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Registry.cpp.o
[ 66%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Rule.cpp.o
[ 66%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Rules.cpp.o
[ 67%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Sanitizer.cpp.o
[ 69%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Scheduler.cpp.o
[ 70%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/SourceSinkRule.cpp.o
[ 70%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Statistics.cpp.o
[ 72%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/StronglyConnectedComponents.cpp.o
[ 74%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/TaintV1.cpp.o
[ 74%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/TaintV2.cpp.o
[ 75%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Transfer.cpp.o
[ 77%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/TriggeredPartialKind.cpp.o
[ 79%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Types.cpp.o
[ 79%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/UnusedKinds.cpp.o
[ 80%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/model-generator/BuilderPatternGenerator.cpp.o
[ 82%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/model-generator/ContentProviderGenerator.cpp.o
[ 82%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/model-generator/FieldConstraints.cpp.o
[ 83%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/model-generator/FieldModelTemplate.cpp.o
[ 85%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/model-generator/IntegerConstraint.cpp.o
/home/lzy/tools/mariana-trench/source/model-generator/FieldConstraints.cpp: In member function ‘virtual bool marianatrench::IsStaticFieldConstraint::satisfy(const marianatrench::Field*) const’:
/home/lzy/tools/mariana-trench/source/model-generator/FieldConstraints.cpp:17:74: warning: suggest parentheses around comparison in operand of ‘==’ [-Wparentheses]
   17 |   return (field->dex_field()->get_access() & DexAccessFlags::ACC_STATIC) > 0 ==
      |          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~
[ 87%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/model-generator/JoinOverrideGenerator.cpp.o
[ 87%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/model-generator/JsonModelGenerator.cpp.o
[ 88%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/model-generator/MethodConstraints.cpp.o
[ 90%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/model-generator/ModelGenerator.cpp.o
[ 90%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/model-generator/ModelGeneratorConfiguration.cpp.o
[ 91%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/model-generator/ModelTemplates.cpp.o
[ 93%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/model-generator/ReturnsThisAnalyzer.cpp.o
[ 93%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/model-generator/ServiceSourceGenerator.cpp.o
[ 95%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/model-generator/TaintInTaintOutGenerator.cpp.o
[ 96%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/model-generator/TaintInTaintThisGenerator.cpp.o
[ 98%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/model-generator/TypeConstraints.cpp.o
[ 98%] Linking CXX static library libmariana-trench-library.a
[ 98%] Built target mariana-trench-library
[ 98%] Building CXX object CMakeFiles/mariana-trench-binary.dir/source/Main.cpp.o
[100%] Linking CXX executable mariana-trench-binary
/usr/bin/ld: libmariana-trench-library.a(MarianaTrench.cpp.o): in function `marianatrench::MarianaTrench::run(boost::program_options::variables_map const&)':
MarianaTrench.cpp:(.text+0x46c4): undefined reference to `marianatrench::EventLogger::init_event_logger(marianatrench::Options const*)'
collect2: error: ld returned 1 exit status


Error: Exit Code 1

When trying to run an analysis on an APK, the following error arises:

INFO Generating models...
error: Model generator(s) join_override_generator do not exist.
CRITICAL Analysis binary exited with exit code 1.

Trace view error

When clicking on SAPP UI Trace view, I get a blank screen and the below errors (x2) in the JS console.

I don't get any errors in the CLI tool output (except in debug mode, see below). For reference, I built mariana-trench from source to bump the dex version to 38 from 37 (38 is supported by redex, though 39 is not, so it's pretty limited), and everything appears to work fine except this Trace view.

Tool was run in a directory with decompiled (d2j and procyon) .java files. When tool is run outside of the directory with the decompiled output, the Trace template view renders fine (though naturally empty as lacking source). Please let me know if you need extra info.

JS Console Error

Source.js:40

Uncaught (in promise) TypeError: Cannot read properties of undefined (reading 'slice')
    at main.455a0275.chunk.js:1
    at main.455a0275.chunk.js:1
    at Array.map (<anonymous>)
    at te (main.455a0275.chunk.js:1)
    at ne (main.455a0275.chunk.js:1)
    at $i (2.2d91596b.chunk.js:2)
    at Ia (2.2d91596b.chunk.js:2)
    at mc (2.2d91596b.chunk.js:2)
    at ls (2.2d91596b.chunk.js:2)
    at cs (2.2d91596b.chunk.js:2)

When running sapp server with --debug:

2021-10-06 14:42:18,211 [ERROR] Traceback (most recent call last):
  File "/home/usr/.local/lib/python3.9/site-packages/graphql/execution/executor.py", line 452, in resolve_or_error
    return executor.execute(resolve_fn, source, info, **args)
  File "/home/usr/.local/lib/python3.9/site-packages/graphql/execution/executors/sync.py", line 16, in execute
    return fn(*args, **kwargs)
  File "/home/usr/.local/lib/python3.9/site-packages/graphene/relay/connection.py", line 136, in connection_resolver
    resolved = resolver(root, info, **args)
  File "/home/usr/.local/lib/python3.9/site-packages/sapp/ui/schema.py", line 243, in resolve_next_trace_frames
    return trace.next_frames(
  File "/home/usr/.local/lib/python3.9/site-packages/sapp/ui/trace.py", line 290, in next_frames
    session.query(
  File "/home/usr/.local/lib/python3.9/site-packages/sqlalchemy/orm/query.py", line 2391, in join
    return self._join(
  File "<string>", line 2, in _join
  File "/home/usr/.local/lib/python3.9/site-packages/sqlalchemy/orm/base.py", line 227, in generate
    fn(self, *args[1:], **kw)
  File "/home/usr/.local/lib/python3.9/site-packages/sqlalchemy/orm/query.py", line 2587, in _join
    self._join_left_to_right(
  File "/home/usr/.local/lib/python3.9/site-packages/sqlalchemy/orm/query.py", line 2611, in _join_left_to_right
    ) = self._join_determine_implicit_left_side(left, right, onclause)
  File "/home/usr/.local/lib/python3.9/site-packages/sqlalchemy/orm/query.py", line 2747, in _join_determine_implicit_left_side
    raise sa_exc.InvalidRequestError(
graphql.error.located_error.GraphQLLocatedError: Can't determine which FROM clause to join from, there are multiple FROMS which can join to this entity. Please use the .select_from() method to establish an explicit left side, as well as providing an explcit ON clause if not present already to help resolve the ambiguity.

Problems detecting taint propagation

I have problems trying to write a propagation that can detect this flow of data from the initialisation of the implicit intent to calling it in an activity.

    invoke-direct {v1, v2}, Landroid/content/Intent;-><init>(Ljava/lang/String;)V

    const/16 v2, 0xd5

    invoke-virtual {v0, v1, v2}, Landroid/app/Activity;->startActivityForResult(Landroid/content/Intent;I)V

    goto/16 :goto_2f

I can define the source to be the method that inits the intent, and the sink to be startActivityForResult, but when I write the rules to link the source to the sink, no issues come up.

INFO Method `Landroid/content/Intent;.<init>:(Ljava/lang/String;)V` satisfies all constraints in json model generator ImplicitIntentAsSource
INFO Method `Landroid/app/Activity;.startActivityForResult:(Landroid/content/Intent;I)V` satisfies all constraints in json model generator ImplicitIntentAsSink

Is there any further way I can debug this? Not sure how to proceed.

Error building mariana-trench from source

Bug

Bug description
Failed to compile mariana-trench

Reproduction steps
All the steps according to https://mariana-tren.ch/docs/contribution/

Expected behavior
mariana-trench builds successfully from source

Logs

👻  ~/S/A/m/build> make -j4                                           
Consolidate compiler generated dependencies of target mariana-trench-library
[  3%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/ClassProperties.cpp.o
[  3%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/CanonicalName.cpp.o
[  3%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Context.cpp.o
[  7%] Building CXX object CMakeFiles/mariana-trench-library.dir/source/Features.cpp.o
/Users/x/tmpp/mariana-trench/source/Features.cpp:31:39: error: invalid operands to binary expression ('const char [11]' and 'const std::string_view')
  return factory_.create("via-value:" + via_value);
                         ~~~~~~~~~~~~ ^ ~~~~~~~~~
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/__iterator/wrap_iter.h:278:21: note: candidate template ignored: could not match '__wrap_iter' against 'basic_string_view'
__wrap_iter<_Iter1> operator+(typename __wrap_iter<_Iter1>::difference_type __n, __wrap_iter<_Iter1> __x) _NOEXCEPT
                    ^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/__iterator/move_iterator.h:172:1: note: candidate template ignored: could not match 'move_iterator' against 'basic_string_view'
operator+(typename move_iterator<_Iter>::difference_type __n, const move_iterator<_Iter>& __x)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/__iterator/reverse_iterator.h:221:1: note: candidate template ignored: could not match 'reverse_iterator' against 'basic_string_view'
operator+(typename reverse_iterator<_Iter>::difference_type __n, const reverse_iterator<_Iter>& __x)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/string:4269:1: note: candidate template ignored: could not match 'basic_string<type-parameter-0-0, type-parameter-0-1, type-parameter-0-2>' against 'char const[11]'
operator+(const basic_string<_CharT, _Traits, _Allocator>& __lhs,
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/string:4282:1: note: candidate template ignored: could not match 'basic_string' against 'basic_string_view'
operator+(const _CharT* __lhs , const basic_string<_CharT,_Traits,_Allocator>& __rhs)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/string:4294:1: note: candidate template ignored: could not match 'basic_string' against 'basic_string_view'
operator+(_CharT __lhs, const basic_string<_CharT,_Traits,_Allocator>& __rhs)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/string:4306:1: note: candidate template ignored: could not match 'basic_string<type-parameter-0-0, type-parameter-0-1, type-parameter-0-2>' against 'char const[11]'
operator+(const basic_string<_CharT, _Traits, _Allocator>& __lhs, const _CharT* __rhs)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/string:4318:1: note: candidate template ignored: could not match 'basic_string<type-parameter-0-0, type-parameter-0-1, type-parameter-0-2>' against 'char const[11]'
operator+(const basic_string<_CharT, _Traits, _Allocator>& __lhs, _CharT __rhs)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/string:4332:1: note: candidate template ignored: could not match 'basic_string<type-parameter-0-0, type-parameter-0-1, type-parameter-0-2>' against 'char const[11]'
operator+(basic_string<_CharT, _Traits, _Allocator>&& __lhs, const basic_string<_CharT, _Traits, _Allocator>& __rhs)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/string:4340:1: note: candidate template ignored: could not match 'basic_string<type-parameter-0-0, type-parameter-0-1, type-parameter-0-2>' against 'char const[11]'
operator+(const basic_string<_CharT, _Traits, _Allocator>& __lhs, basic_string<_CharT, _Traits, _Allocator>&& __rhs)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/string:4348:1: note: candidate template ignored: could not match 'basic_string<type-parameter-0-0, type-parameter-0-1, type-parameter-0-2>' against 'char const[11]'
operator+(basic_string<_CharT, _Traits, _Allocator>&& __lhs, basic_string<_CharT, _Traits, _Allocator>&& __rhs)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/string:4356:1: note: candidate template ignored: could not match 'basic_string' against 'basic_string_view'
operator+(const _CharT* __lhs , basic_string<_CharT,_Traits,_Allocator>&& __rhs)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/string:4364:1: note: candidate template ignored: could not match 'basic_string' against 'basic_string_view'
operator+(_CharT __lhs, basic_string<_CharT,_Traits,_Allocator>&& __rhs)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/string:4373:1: note: candidate template ignored: could not match 'basic_string<type-parameter-0-0, type-parameter-0-1, type-parameter-0-2>' against 'char const[11]'
operator+(basic_string<_CharT, _Traits, _Allocator>&& __lhs, const _CharT* __rhs)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/string:4381:1: note: candidate template ignored: could not match 'basic_string<type-parameter-0-0, type-parameter-0-1, type-parameter-0-2>' against 'char const[11]'
operator+(basic_string<_CharT, _Traits, _Allocator>&& __lhs, _CharT __rhs)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/complex:527:1: note: candidate template ignored: could not match 'complex<type-parameter-0-0>' against 'char const[11]'
operator+(const complex<_Tp>& __x, const complex<_Tp>& __y)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/complex:537:1: note: candidate template ignored: could not match 'complex<type-parameter-0-0>' against 'char const[11]'
operator+(const complex<_Tp>& __x, const _Tp& __y)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/complex:547:1: note: candidate template ignored: could not match 'complex' against 'basic_string_view'
operator+(const _Tp& __x, const complex<_Tp>& __y)
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk/usr/include/c++/v1/complex:728:1: note: candidate function template not viable: requires single argument '__x', but 2 arguments were provided
operator+(const complex<_Tp>& __x)
^
/Users/x/tmpp/mariana-trench/source/CanonicalName.cpp:61:32: error: use of undeclared identifier 'str_copy'
      std::string class_name = str_copy(
                               ^
/Users/x/tmpp/mariana-trench/source/CanonicalName.cpp:65:33: error: use of undeclared identifier 'str_copy'
      std::string method_name = str_copy(method->get_name());
                                ^
1 error generated.
make[2]: *** [CMakeFiles/mariana-trench-library.dir/source/Features.cpp.o] Error 1
make[2]: *** Waiting for unfinished jobs....
2 errors generated.
make[2]: *** [CMakeFiles/mariana-trench-library.dir/source/CanonicalName.cpp.o] Error 1
In file included from /Users/x/tmpp/mariana-trench/source/Context.cpp:11:
/Users/x/tmpp/mariana-trench/build/header-tree/mariana-trench/ClassProperties.h:84:3: error: unknown type name 'StringStorage'
  StringStorage strings_;
  ^
In file included from /Users/x/tmpp/mariana-trench/source/ClassProperties.cpp:17:
/Users/x/tmpp/mariana-trench/build/header-tree/mariana-trench/ClassProperties.h:84:3: error: unknown type name 'StringStorage'
  StringStorage strings_;
  ^
/Users/x/tmpp/mariana-trench/source/ClassProperties.cpp:60:68: error: member reference type 'DexEncodedValue *const' is a pointer; did you mean to use '->'?
          dynamic_cast<DexEncodedValueArray*>(element.encoded_value.get());
                                              ~~~~~~~~~~~~~~~~~~~~~^
                                                                   ->
/Users/x/tmpp/mariana-trench/source/ClassProperties.cpp:60:69: error: no member named 'get' in 'DexEncodedValue'
          dynamic_cast<DexEncodedValueArray*>(element.encoded_value.get());
                                              ~~~~~~~~~~~~~~~~~~~~~ ^
/Users/x/tmpp/mariana-trench/source/ClassProperties.cpp:126:10: error: no matching function for call to 'get_privacy_decision_number_from_annotations'
  return get_privacy_decision_number_from_annotations(
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/Users/x/tmpp/mariana-trench/source/ClassProperties.cpp:99:28: note: candidate function not viable: no known conversion from 'const vector<DexAnnotation *>' to 'const vector<std::unique_ptr<DexAnnotation>>' for 1st argument
std::optional<std::string> get_privacy_decision_number_from_annotations(
                           ^
/Users/x/tmpp/mariana-trench/source/ClassProperties.cpp:340:31: error: no matching function for call to 'get_privacy_decision_number_from_annotations'
    privacy_decision_number = get_privacy_decision_number_from_annotations(
                              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/Users/x/tmpp/mariana-trench/source/ClassProperties.cpp:99:28: note: candidate function not viable: no known conversion from 'const vector<DexAnnotation *>' to 'const vector<std::unique_ptr<DexAnnotation>>' for 1st argument
std::optional<std::string> get_privacy_decision_number_from_annotations(
                           ^
1 error generated.
In file included from /Users/x/tmpp/mariana-trench/source/ClassProperties.cpp:17:
/Users/x/tmpp/mariana-trench/build/header-tree/mariana-trench/ClassProperties.h:84:17: warning: private field 'strings_' is not used [-Wunused-private-field]
  StringStorage strings_;
                ^
1 warning and 5 errors generated.
make[2]: *** [CMakeFiles/mariana-trench-library.dir/source/Context.cpp.o] Error 1
make[2]: *** [CMakeFiles/mariana-trench-library.dir/source/ClassProperties.cpp.o] Error 1
make[1]: *** [CMakeFiles/mariana-trench-library.dir/all] Error 2
make: *** [all] Error 2

Additional context
MacOS 12.3.1

Report issues in JSON format

Read the docs.

Could not find how to export findings in JSON format.

I only found and tried this using filters.

Tried this:

sapp --tool=mariana-trench analyze .
sapp --tool=mariana-trench filter  import ../../configuration/filters/

Then:


sapp --database-name sapp.db filter issues 1 ../../configuration/filters/ --output-format sarif
2022-01-03 15:36:09,958 [INFO] Applying `Input in exported components flows into injection sink` to run `1` resulted in 1 issues
2022-01-03 15:36:09,974 [INFO] Applying `Input in exported components flows into implicit intent launcher` to run `1` resulted in 1 issues
2022-01-03 15:36:09,988 [INFO] Applying `test` to run `1` resulted in 1 issues
2022-01-03 15:36:09,988 [INFO] Total number of issues after filtering: 2
{
  "version": "2.1.0",
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Pysa",
          "informationUri": "https://github.com/facebook/pyre-check/",
          "rules": []
        }
      },
      "results": [
        {
          "ruleId": "1",
          "level": "warning",
          "message": {
            "text": "User input flows into code execution sink (RCE): Values from user-controlled source may eventually flow into code execution sink"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "com/example/myapplication/MainActivity.java"
                },
                "region": {
                  "startLine": 25,
                  "startColumn": 1,
                  "endColumn": 2
                }
              }
            }
          ]
        },
        {
          "ruleId": "3",
          "level": "warning",
          "message": {
            "text": "User input flows into implicitly launched intent: Values from user-controlled source may eventually flow into an implicit intent and intent launcher"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "com/example/myapplication/MainActivity.java"
                },
                "region": {
                  "startLine": 35,
                  "startColumn": 1,
                  "endColumn": 2
                }
              }
            }
          ]
        }
      ]
    }
  ]
}

However, this does not export all the 6 issues found.

Questions

  1. Why is the tool "Pysa" and not "mariana-trench"? I'm a little bit confused here.

  2. How do I make a filter that shows all 6 issues (in the app), i.e. always shows all the issues in sample-app-debug.apk or other APKs?

Thanks,
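As an added example (not part of sapp or Mariana Trench), here is a small reader for the SARIF file that `--output-format sarif` writes: it flattens every result in every run into one record per location and counts results per rule. The embedded `SAMPLE_SARIF` is a constructed, abbreviated copy of the report shown above, so the script runs offline; `load_sarif()` reads a real file. Note that the tool name it reports is simply whatever the exporter wrote into `tool.driver.name`, which is why the sample yields "Pysa".

```python
"""Flatten a SARIF 2.1.0 report, as written by `sapp ... --output-format sarif`,
into one record per finding and count the findings per rule.

Added example, not part of sapp or Mariana Trench. SAMPLE_SARIF is a
constructed, abbreviated copy of the report printed in the issue so that the
script runs offline; use load_sarif() on a real file.
"""
import json
from collections import Counter
from typing import Dict, List

# Constructed sample: two results, as in the issue's output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Pysa", "rules": []}},
        "results": [
            {
                "ruleId": "1", "level": "warning",
                "message": {"text": "User input flows into code execution sink (RCE)"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "com/example/myapplication/MainActivity.java"},
                    "region": {"startLine": 25, "startColumn": 1, "endColumn": 2}}}],
            },
            {
                "ruleId": "3", "level": "warning",
                "message": {"text": "User input flows into implicitly launched intent"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "com/example/myapplication/MainActivity.java"},
                    "region": {"startLine": 35, "startColumn": 1, "endColumn": 2}}}],
            },
        ],
    }],
})


def parse_sarif(text: str) -> dict:
    return json.loads(text)


def flatten_results(sarif: dict) -> List[Dict[str, object]]:
    """One flat record per (result, location) pair across every run in the file."""
    records: List[Dict[str, object]] = []
    for run in sarif.get("runs", []):
        # The tool name is whatever the exporter wrote into tool.driver.name.
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for result in run.get("results", []):
            # A result may carry several locations or none; emit one record either way.
            for loc in result.get("locations") or [{}]:
                phys = loc.get("physicalLocation", {})
                records.append({
                    "tool": tool,
                    "rule": result.get("ruleId"),
                    "level": result.get("level"),
                    "file": phys.get("artifactLocation", {}).get("uri"),
                    "line": phys.get("region", {}).get("startLine"),
                    "message": result.get("message", {}).get("text", ""),
                })
    return records


def count_by_rule(records: List[Dict[str, object]]) -> Dict[str, int]:
    return dict(Counter(str(r["rule"]) for r in records))


def load_sarif(path: str) -> List[Dict[str, object]]:
    with open(path, encoding="utf-8") as fh:
        return flatten_results(json.load(fh))


if __name__ == "__main__":
    recs = flatten_results(parse_sarif(SAMPLE_SARIF))
    for r in recs:
        print(f'{r["rule"]:>3} {r["file"]}:{r["line"]}  {r["message"]}')
    print("per rule:", count_by_rule(recs), "total:", len(recs))
```

Run against the real output file, the total printed at the end is the quick way to confirm how many of the issues a filter actually exported.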

How to detect data casting

Is it possible for Mariana Trench to detect if the data is being cast to (Intent), for example? What would the source definition look like in that case?

How to handle message?

import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.os.Handler;
import android.os.Looper;
import android.os.Message;
import androidx.annotation.Nullable;

// class wrapper inferred from ShareTransActivity.this.startActivity(...) in the snippet
public class ShareTransActivity extends Activity {
    @Override
    protected void onCreate(@Nullable Bundle savedInstanceState) {
        Intent data = getIntent();
        Handler handler = this.y;
        Message message = Message.obtain(handler, 1);
        message.obj = data;  // the incoming Intent is carried inside the Message
        this.y.sendMessageDelayed(message, 100L);
    }

    private Handler y = new Handler(Looper.getMainLooper()) {
        @Override
        public final void handleMessage(Message message) {
            super.handleMessage(message);
            Object obj = message.obj;
            ShareTransActivity.this.startActivity((Intent) obj);  // the Intent is launched after the delay
        }
    };
}

Hey, can I increase the “Propagation” or something to check out this path?

False Negative when a taint propagation to static field

Bug

Bug description
I found a false negative that can be reproduced stably.
When a taint is passed into a static field variable, it is not stored efficiently, causing the scanner to fail to detect this efficient propagation path when this taint variable is referenced again.

I created a demo to show this issue. I tried to read the code and imagine how to solve this problem. Details are all in the attachment.

Reproduction steps
test case:

import android.util.Log;

public class Test {

    // a taint source method, regard its return as a taint;
    public String source() {
        return "taint";
    }


    // a taint sink method, regard its first parameter as the sink;
    public void sink(String s) {
        Log.e("N1rv0us","I see "+s);
    }

    // merge 2
    public void merge2() {
        String foo = source();
        MyCls c = new MyCls();
        c.deviceId = foo;

        sink(c.deviceId);
    }

}

public class MyCls {
    // public String deviceId;
    public static String deviceId;
}

Expected behavior
I expected mariana to find an issue, but it failed;

Logs
Please get the logs from the attachment.

Additional context
It is interesting to note that when the propagation path in the field is non-static, mariana could find an issue. I tried to compare these two cases. I hope these can help you to locate and solve this issue.

Files in Attachment

  • report.pdf : Some experiments of my own design, the location of the codes, and possible solutions.
  • log.zip : some useful logs.
  • test.zip : test source code.
  • generator.zip : configs for mariana

attachment.zip

Writing Sanitizers

Just a quick question on how to write custom sanitizers and to get the engine to accept them. The documentation was not very verbose on how to do it. I want to write a sanitizer for a method that somehow was included in the taint analysis even though, on closer inspection, I do not see any calls to the method from the smali code. Assume I have a custom class TestIntent that I do not want any taint analysis done on. Why does this not work?

{
  "model_generators": [
    {
      "find": "methods",
      "where": [
        {
          "constraint": "parent",
          "inner": {
            "constraint": "name",
            "pattern": "Lcom/testing/TestIntent;"
          }
        }
      ],
      "model": {
        "sanitizers": [
          {"sanitize": "sources"},
          {"sanitize": "sinks"},
          {"sanitize": "propagations"}
        ]
      },
      "verbosity": 1
    }
  ]
}

I put the filename in the default generator config file and got this error instead.

error: Model generator(s) TestIntentSanitiser do not exist

Query on writing custom sinks

Hi there, I am currently trying to detect this flow in a program, where getIntent is the source, and endsWith is the sink.

Intent intent = getIntent();
Uri uri;
if((uri = intent.getData()) != null){
    boolean check = uri.getHost().endsWith("sink");
    finish();
}

The rules for source are from the default, whereas the sink definition is as below:

{
  "model_generators": [
    {
      "find": "methods",
      "where": [
        {
          "constraint": "parent",
          "inner": {
            "constraint": "name",
            "pattern": "Ljava/lang/String;"
          }
        },
        {
          "constraint": "any_of",
          "inners": [
            {
              "constraint": "name",
              "pattern": "contains"
            },
            {
              "constraint": "name",
              "pattern": "endsWith"
            }
          ]
        }
      ],
      "model": {
        "for_all_parameters": [
          {
            "variable": "x",
            "sinks": [
              {
                "kind": "BypassableHostCheck",
                "port": "Argument(x)"
              }
            ]
          }
        ]
      },
      "verbosity": 1
    }
  ]
}

I am able to find methods that have endsWith as their name, but unable to track the flow. Any advice would be greatly appreciated, thanks!
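Both the sanitizer generator in "Writing Sanitizers" and the sink generator in this issue are hand-written model-generator JSON, and a file that does not parse, or that uses a value the analysis does not know, silently gives you no models. As an added example (not part of Mariana Trench), the linter below parses a generator file and reports the JSON error position, unknown `sanitize` kinds (the documented kinds are `sources`, `sinks` and `propagations`), and `port` strings that name a variable no enclosing `for_all_parameters` declares. It checks only the subset of the generator format that appears on this page; the embedded samples are constructed copies of the two generators above.

```python
"""Lint a Mariana Trench model-generator file before passing it to the analysis.

Added example; it is not part of Mariana Trench and checks only the subset
of the model-generator format used in the issues above (find/where/model,
sanitizers, taint entries with ports, for_all_parameters).
"""
import json
import re
from typing import Dict, List, Set

SANITIZE_KINDS = {"sources", "sinks", "propagations"}
# "Return", "Argument(0)", "Argument(x)", optionally followed by an access path such as ".field"
PORT_RE = re.compile(r"^(?:Return|Argument\((\w+)\))(?:\.\w+)*$")
TAINT_KEYS = ("sources", "sinks", "generations", "parameter_sources")

# Constructed sample: the sanitizer generator from the "Writing Sanitizers"
# issue, with the commas missing between the sanitize objects and the kind misspelled.
BROKEN_SANITIZER = """{
  "model_generators": [
    {
      "find": "methods",
      "where": [{"constraint": "parent",
                 "inner": {"constraint": "name", "pattern": "Lcom/testing/TestIntent;"}}],
      "model": {
        "sanitizers": [
          {"sanitize": "sources"}
          {"sanitize": "sinks"}
          {"sanitize": "propogations"}
        ]
      }
    }
  ]
}"""
COMMAS_FIXED = BROKEN_SANITIZER.replace('"sources"}', '"sources"},').replace('"sinks"}', '"sinks"},')
FULLY_FIXED = COMMAS_FIXED.replace("propogations", "propagations")

# Constructed sample: the String.endsWith sink generator from the
# "Query on writing custom sinks" issue, as a dict.
SINK_GENERATOR = {
    "model_generators": [{
        "find": "methods",
        "where": [
            {"constraint": "parent", "inner": {"constraint": "name", "pattern": "Ljava/lang/String;"}},
            {"constraint": "any_of", "inners": [
                {"constraint": "name", "pattern": "contains"},
                {"constraint": "name", "pattern": "endsWith"}]},
        ],
        "model": {"for_all_parameters": [{
            "variable": "x",
            "sinks": [{"kind": "BypassableHostCheck", "port": "Argument(x)"}],
        }]},
    }]
}


def lint_text(text: str) -> List[str]:
    """Parse first: a file that is not valid JSON never reaches the analysis."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"invalid JSON at line {e.lineno}, column {e.colno}: {e.msg}"]
    return lint_document(doc)


def lint_document(doc: Dict) -> List[str]:
    problems: List[str] = []
    gens = doc.get("model_generators") if isinstance(doc, dict) else None
    if not isinstance(gens, list):
        return ['top level must be an object with a "model_generators" list']
    for i, gen in enumerate(gens):
        where = f"model_generators[{i}]"
        for key in ("find", "where", "model"):
            if key not in gen:
                problems.append(f'{where}: missing "{key}"')
        model = gen.get("model", {})
        for s in model.get("sanitizers", []):
            kind = s.get("sanitize")
            if kind not in SANITIZE_KINDS:
                problems.append(f"{where}.sanitizers: unknown sanitize kind {kind!r}, "
                                f"expected one of {sorted(SANITIZE_KINDS)}")
        _check_ports(model, set(), f"{where}.model", problems)
    return problems


def _check_ports(model: Dict, variables: Set[str], where: str, problems: List[str]) -> None:
    for key in TAINT_KEYS:
        for entry in model.get(key, []):
            port = entry.get("port")
            if port is None:
                continue  # port is optional; leave the default to the analysis
            m = PORT_RE.match(port)
            if not m:
                problems.append(f"{where}.{key}: malformed port {port!r}")
            elif m.group(1) and not m.group(1).isdigit() and m.group(1) not in variables:
                problems.append(f"{where}.{key}: port {port!r} uses variable {m.group(1)!r} "
                                f"not declared by an enclosing for_all_parameters")
    # for_all_parameters blocks declare a variable and carry their own taint entries
    for block in model.get("for_all_parameters", []):
        var = block.get("variable", "")
        _check_ports(block, variables | {var}, f"{where}.for_all_parameters[{var}]", problems)


if __name__ == "__main__":
    for name, text in [("broken", BROKEN_SANITIZER), ("commas fixed", COMMAS_FIXED), ("fixed", FULLY_FIXED)]:
        print(name, lint_text(text) or "ok")
    print("sink generator", lint_document(SINK_GENERATOR) or "ok")
```

The linter says nothing about whether a generator is picked up at all; that is governed by the model-generator search paths and the names listed in the generator configuration, which is what the "do not exist" error in the sanitizer issue refers to.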

cannot find issue

Bug

Bug description
cannot find issue

Reproduction steps
source1:

import android.content.Intent;
import androidx.appcompat.app.AppCompatActivity;

public class MainActivity extends AppCompatActivity {

    @Override
    protected void onCreate(android.os.Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        launchFallback();
    }
    public void launchFallback() {
        final android.content.Intent intent = getIntent();
        if (intent.getBooleanExtra("redirect", false)) {
            android.content.Intent redirectIntent = new android.content.Intent();
            redirectIntent.setData(intent.getData());
            if (intent.hasExtra("component")) {
                try {
                    java.lang.Class name = java.lang.Class.forName(intent.getStringExtra("component"));
                    redirectIntent.setClass(this, name);
                } catch (java.lang.Exception e) {
                }
            }
            startActivityInsecure(redirectIntent);
        }
    }
    private void startActivityInsecure(Intent intent){
        startActivity(intent);
    }
}

source2:

import android.content.Intent;
import androidx.appcompat.app.AppCompatActivity;

public class MainActivity extends AppCompatActivity {

    @Override
    protected void onCreate(android.os.Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        launchFallback();
    }
    public void launchFallback() {
        final android.content.Intent intent = getIntent();
        if (intent.getBooleanExtra("redirect", false)) {
            android.content.Intent redirectIntent = new android.content.Intent();
            redirectIntent.setData(intent.getData());
            if (intent.hasExtra("component")) {
                try {
                    java.lang.Class name = java.lang.Class.forName(intent.getStringExtra("component"));
                    redirectIntent.setClass(this, name);
                } catch (java.lang.Exception e) {
                }
            }
            startActivity(redirectIntent);
        }
    }
    private void startActivityInsecure(Intent intent){
        startActivity(intent);
    }
}

mariana running arguments:

mariana-trench \
--binary mariana-trench/install/bin/mariana-trench-binary \
--system-jar-configuration-path=$ANDROID_SDK_ROOT/platforms/android-31/android.jar \
--model-generator-configuration-paths=configuration/default_generator_config.json \
--lifecycles-paths=configuration/lifecycles.json \
--rules-paths=configuration/rules.json \
--apk-path=MyApplication2/app/build/outputs/apk/debug/app-debug.apk \
--model-generator-search-paths=configuration/model-generators/ \
--verbosity 1 \
--maximum-source-sink-distance=7

Expected behavior
An issue found for source1 or source2, but there is one issue for source2 and no issue for source1.
app-debug.apk.zip

Facing issues in installing the mariana-trench package using pip.

Hi,
I'm trying to install the python package using pip and I'm getting the following error ->

ERROR: Could not build wheels for mariana-trench which use PEP 517 and cannot be installed directly .

Here are the following details ->

  1. OS - Windows 10 Home
  2. Python - 3.8.8
  3. Pip - 21.2.4

Source from constant?

Hi, all,

I was trying to write a custom rule to scan for hardcoded crypto keys like:

new SecretKeySpec("some-key".getBytes(), "AES");

However, I can't find any resources in the documentation about defining a Source from a constant (literal string, static fields, etc.). Is it possible to scan for such issues with MT anyway?

free(): invalid pointer

Bug

Bug description
Using mariana on com.facebook.katana results in CRITICAL Analysis binary exited with exit code -6.

Reproduction steps
apktool d com.facebook.katana

mariana-trench --system-jar-configuration-path=/home/philippe/Android/Sdk/platforms/android-32/android.jar --apk-path=/media/phwd/Facebook/APKs/build-fb4a-fbandroid.279448010.apk --source-root-directory=/media/phwd/Facebook/APKs/build-fb4a-fbandroid.279448010/build-fb4a-fbandroid.279448010/sources/com

Expected behavior
Files created for analysis

Logs

INFO Analyzed 1369761 models in 6493.68s. Found 557 issues!
INFO Augmenting positions...
INFO Augmented positions in 0.58s.
INFO Writing models to `/media/phwd/Facebook/mariana/`.
free(): invalid pointer
[0x75b676]
[0xa34080]
[0xa3267b]
[0x459fa7]
[0xa6c5b6]
[0xa730ac]
[0xa7487c]
[0x6ad499]
[0x6ad47c]
[0x6ad47c]
[0x6ad47c]
[0x6ad47c]
[0x6ad47c]
[0x6ad47c]
[0x6aad35]
[0x6aadc2]
[0x6ad489]
[0x6ad47c]
[0x6aad35]
[0x6aadc2]
[0x6ad489]
[0x6aad35]
[0x6aadc2]
[0x612b27]
[0x61399a]
[0x4fc211]
[0x4fc70f]
[0x694e1b]
[0xa2cc39]
[0xaca993]
CRITICAL Analysis binary exited with exit code -6.

Additional context
Ubuntu 20.04
64GB

How to propagate taint across data casting

Currently I'm trying to detect intent redirection, using this as example code to test for.

Intent redirectIntent = (Intent) getIntent().getParcelableExtra("redirect_intent");
...
startActivity(redirectIntent);

I defined the sink to be the default for launching components, and for sources, I defined it to be

{
  "model_generators": [
    {
      "find": "methods",
      "where": [
        {
          "constraint": "name",
          "pattern": ".*getParcelableExtra.*"
        }
      ],
      "model": {
        "modes": [
          "taint-in-taint-out"
        ],
        "generations": [
          {
            "kind": "IntentRedirectSource",
            "port": "Argument(0)"
          }
          ]
      }
    }
  ]
} 

The models do not detect the flow of data; I'm a little curious as to why that would be the case. Do I need to write a method to detect that it was cast to an Intent, or is there something wrong with my interpretation of the modeled source and sink?

failed to build flask-graphql graphql-server-core promise

Ubuntu 20.04, Python 3.8.10

➜  ~ python3 -m venv mariana-trench                                         
➜  ~ source mariana-trench/bin/activate
(mariana-trench) ➜  ~ pip install mariana-trench
Collecting mariana-trench
  Using cached mariana_trench-1.0.1-py3-none-manylinux1_x86_64.whl (4.8 MB)
Collecting pyre-extensions
  Using cached pyre_extensions-0.0.23-py3-none-any.whl (11 kB)
Collecting fb-sapp
  Using cached fb_sapp-0.5.1-py3-none-any.whl (2.0 MB)
Collecting typing-extensions
  Using cached typing_extensions-4.0.0-py3-none-any.whl (22 kB)
Collecting typing-inspect
  Using cached typing_inspect-0.7.1-py3-none-any.whl (8.4 kB)
Collecting pygments
  Using cached Pygments-2.10.0-py3-none-any.whl (1.0 MB)
Collecting prompt-toolkit
  Using cached prompt_toolkit-3.0.22-py3-none-any.whl (374 kB)
Collecting graphene
  Using cached graphene-3.0-py2.py3-none-any.whl (112 kB)
Collecting flask-graphql
  Using cached Flask-GraphQL-2.0.1.tar.gz (6.1 kB)
Collecting ujson
  Using cached ujson-4.2.0-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (216 kB)
Collecting SQLAlchemy<1.4
  Using cached SQLAlchemy-1.3.24-cp38-cp38-manylinux2010_x86_64.whl (1.3 MB)
Collecting flask
  Using cached Flask-2.0.2-py3-none-any.whl (95 kB)
Collecting click
  Using cached click-8.0.3-py3-none-any.whl (97 kB)
Collecting flask-cors
  Using cached Flask_Cors-3.0.10-py2.py3-none-any.whl (14 kB)
Collecting traitlets
  Using cached traitlets-5.1.1-py3-none-any.whl (102 kB)
Collecting munch
  Using cached munch-2.5.0-py2.py3-none-any.whl (10 kB)
Collecting ipython
  Using cached ipython-7.29.0-py3-none-any.whl (790 kB)
Collecting click-log
  Using cached click_log-0.3.2-py2.py3-none-any.whl (4.6 kB)
Collecting graphene-sqlalchemy
  Using cached graphene_sqlalchemy-2.3.0-py2.py3-none-any.whl (38 kB)
Collecting xxhash
  Using cached xxhash-2.0.2-cp38-cp38-manylinux2010_x86_64.whl (243 kB)
Collecting mypy-extensions>=0.3.0
  Using cached mypy_extensions-0.4.3-py2.py3-none-any.whl (4.5 kB)
Collecting wcwidth
  Using cached wcwidth-0.2.5-py2.py3-none-any.whl (30 kB)
Collecting graphql-relay<4,>=3.0
  Using cached graphql_relay-3.1.0-py3-none-any.whl (16 kB)
Collecting graphql-core~=3.1.2
  Downloading graphql_core-3.1.6-py3-none-any.whl (189 kB)
     |████████████████████████████████| 189 kB 898 kB/s 
Collecting aniso8601<10,>=8
  Using cached aniso8601-9.0.1-py2.py3-none-any.whl (52 kB)
Collecting graphql-server-core<2,>=1.1
  Using cached graphql-server-core-1.2.0.tar.gz (7.0 kB)
Collecting itsdangerous>=2.0
  Using cached itsdangerous-2.0.1-py3-none-any.whl (18 kB)
Collecting Werkzeug>=2.0
  Using cached Werkzeug-2.0.2-py3-none-any.whl (288 kB)
Collecting Jinja2>=3.0
  Using cached Jinja2-3.0.3-py3-none-any.whl (133 kB)
Collecting Six
  Using cached six-1.16.0-py2.py3-none-any.whl (11 kB)
Collecting matplotlib-inline
  Using cached matplotlib_inline-0.1.3-py3-none-any.whl (8.2 kB)
Collecting decorator
  Using cached decorator-5.1.0-py3-none-any.whl (9.1 kB)
Collecting backcall
  Using cached backcall-0.2.0-py2.py3-none-any.whl (11 kB)
Collecting jedi>=0.16
  Using cached jedi-0.18.1-py2.py3-none-any.whl (1.6 MB)
Requirement already satisfied: setuptools>=18.5 in ./mariana-trench/lib/python3.8/site-packages (from ipython->fb-sapp->mariana-trench) (44.0.0)
Collecting pexpect>4.3; sys_platform != "win32"
  Using cached pexpect-4.8.0-py2.py3-none-any.whl (59 kB)
Collecting pickleshare
  Using cached pickleshare-0.7.5-py2.py3-none-any.whl (6.9 kB)
Collecting singledispatch<4,>=3.4.0.3
  Using cached singledispatch-3.7.0-py2.py3-none-any.whl (9.2 kB)
Collecting promise>=2.3
  Using cached promise-2.3.tar.gz (19 kB)
Collecting MarkupSafe>=2.0
  Using cached MarkupSafe-2.0.1-cp38-cp38-manylinux2010_x86_64.whl (30 kB)
Collecting parso<0.9.0,>=0.8.0
  Using cached parso-0.8.2-py2.py3-none-any.whl (94 kB)
Collecting ptyprocess>=0.5
  Using cached ptyprocess-0.7.0-py2.py3-none-any.whl (13 kB)
Building wheels for collected packages: flask-graphql, graphql-server-core, promise
  Building wheel for flask-graphql (setup.py) ... error
  ERROR: Command errored out with exit status 1:
   command: /home/firmy/mariana-trench/bin/python3 -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-n1qnas3n/flask-graphql/setup.py'"'"'; __file__='"'"'/tmp/pip-install-n1qnas3n/flask-graphql/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' bdist_wheel -d /tmp/pip-wheel-k3xtjv3x
       cwd: /tmp/pip-install-n1qnas3n/flask-graphql/
  Complete output (6 lines):
  usage: setup.py [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
     or: setup.py --help [cmd1 cmd2 ...]
     or: setup.py --help-commands
     or: setup.py cmd --help
  
  error: invalid command 'bdist_wheel'
  ----------------------------------------
  ERROR: Failed building wheel for flask-graphql
  Running setup.py clean for flask-graphql
  Building wheel for graphql-server-core (setup.py) ... error
  ERROR: Command errored out with exit status 1:
   command: /home/firmy/mariana-trench/bin/python3 -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-n1qnas3n/graphql-server-core/setup.py'"'"'; __file__='"'"'/tmp/pip-install-n1qnas3n/graphql-server-core/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' bdist_wheel -d /tmp/pip-wheel-lr3nv8tm
       cwd: /tmp/pip-install-n1qnas3n/graphql-server-core/
  Complete output (6 lines):
  usage: setup.py [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
     or: setup.py --help [cmd1 cmd2 ...]
     or: setup.py --help-commands
     or: setup.py cmd --help
  
  error: invalid command 'bdist_wheel'
  ----------------------------------------
  ERROR: Failed building wheel for graphql-server-core
  Running setup.py clean for graphql-server-core
  Building wheel for promise (setup.py) ... error
  ERROR: Command errored out with exit status 1:
   command: /home/firmy/mariana-trench/bin/python3 -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-n1qnas3n/promise/setup.py'"'"'; __file__='"'"'/tmp/pip-install-n1qnas3n/promise/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' bdist_wheel -d /tmp/pip-wheel-w0vbeoy2
       cwd: /tmp/pip-install-n1qnas3n/promise/
  Complete output (6 lines):
  usage: setup.py [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
     or: setup.py --help [cmd1 cmd2 ...]
     or: setup.py --help-commands
     or: setup.py cmd --help
  
  error: invalid command 'bdist_wheel'
  ----------------------------------------
  ERROR: Failed building wheel for promise
  Running setup.py clean for promise
Failed to build flask-graphql graphql-server-core promise
ERROR: graphql-server-core 1.2.0 has requirement graphql-core<3,>=2.3, but you'll have graphql-core 3.1.6 which is incompatible.
ERROR: flask-graphql 2.0.1 has requirement graphql-core<3,>=2.1, but you'll have graphql-core 3.1.6 which is incompatible.
ERROR: graphene-sqlalchemy 2.3.0 has requirement graphene<3,>=2.1.3, but you'll have graphene 3.0 which is incompatible.
Installing collected packages: typing-extensions, mypy-extensions, typing-inspect, pyre-extensions, pygments, wcwidth, prompt-toolkit, graphql-core, graphql-relay, aniso8601, graphene, itsdangerous, Werkzeug, MarkupSafe, Jinja2, click, flask, Six, promise, graphql-server-core, flask-graphql, ujson, SQLAlchemy, flask-cors, traitlets, munch, matplotlib-inline, decorator, backcall, parso, jedi, ptyprocess, pexpect, pickleshare, ipython, click-log, singledispatch, graphene-sqlalchemy, xxhash, fb-sapp, mariana-trench
    Running setup.py install for promise ... done
    Running setup.py install for graphql-server-core ... done
    Running setup.py install for flask-graphql ... done
Successfully installed Jinja2-3.0.3 MarkupSafe-2.0.1 SQLAlchemy-1.3.24 Six-1.16.0 Werkzeug-2.0.2 aniso8601-9.0.1 backcall-0.2.0 click-8.0.3 click-log-0.3.2 decorator-5.1.0 fb-sapp-0.5.1 flask-2.0.2 flask-cors-3.0.10 flask-graphql-2.0.1 graphene-3.0 graphene-sqlalchemy-2.3.0 graphql-core-3.1.6 graphql-relay-3.1.0 graphql-server-core-1.2.0 ipython-7.29.0 itsdangerous-2.0.1 jedi-0.18.1 mariana-trench-1.0.1 matplotlib-inline-0.1.3 munch-2.5.0 mypy-extensions-0.4.3 parso-0.8.2 pexpect-4.8.0 pickleshare-0.7.5 promise-2.3 prompt-toolkit-3.0.22 ptyprocess-0.7.0 pygments-2.10.0 pyre-extensions-0.0.23 singledispatch-3.7.0 traitlets-5.1.1 typing-extensions-4.0.0 typing-inspect-0.7.1 ujson-4.2.0 wcwidth-0.2.5 xxhash-2.0.2

How to use this configuration file [configuration/filters/3-intent-redirect-filter.json] to filter exported components

Feature Request

There are two files in the source code directory which seem to be used to filter exportable components, but where is this function used?

configuration/filters/3-intent-redirect-filter.json
configuration/filters/exported-component-filter.json

name:
Input in exported components flows into implicit intent launcher
Input in exported components flows into injection sink

I have the same problem:
@Securee
I used mariana-trench to analyze my APK, and mariana-trench found many issues, but most of the issues did not filter out the sources whose components (Activity, Provider) are not exported, as written in manifest.xml (Android:Exported = False).
How can I filter out the false positive issues?

Can't run Mariana Trench on M1

Bug

Bug description
When I try to run Mariana Trench I keep getting this error for some reason. I've even tried running the sample application from the repo and the problem persists. Is there any way around it, or am I doing something wrong?

Logs

CRITICAL Unexpected error:
Traceback (most recent call last):
  File "/opt/homebrew/lib/python3.9/site-packages/mariana_trench/shim/shim.py", line 583, in main
    output = subprocess.run(command)
  File "/opt/homebrew/Cellar/[email protected]/3.9.8/Frameworks/Python.framework/Versions/3.9/lib/python3.9/subprocess.py", line 505, in run
    with Popen(*popenargs, **kwargs) as process:
  File "/opt/homebrew/Cellar/[email protected]/3.9.8/Frameworks/Python.framework/Versions/3.9/lib/python3.9/subprocess.py", line 951, in __init__
    self._execute_child(args, executable, preexec_fn, close_fds,
  File "/opt/homebrew/Cellar/[email protected]/3.9.8/Frameworks/Python.framework/Versions/3.9/lib/python3.9/subprocess.py", line 1821, in _execute_child
    raise child_exception_type(errno_num, err_msg, err_filename)
OSError: [Errno 8] Exec format error: '/opt/homebrew/bin/mariana-trench-binary'

Sink on no-source-code method

Is it possible to define a sink model on a method which is not implemented inside the APK?
According to the documentation, that method (let's say the method foo from Service, not defined/implemented inside the APK) will have the default model, which corresponds to what I see in the verbose output:

INFO Instruction: INVOKE_VIRTUAL v0, v4, Lcom/example/demo/Service;.foo:(Ljava/lang/String;)Ljava/lang/String;
WARNING Unable to resolve call to `Lcom/example/demo/Service;.foo:(Ljava/lang/String;)Ljava/lang/String;`
INFO Getting model for virtual call ``
INFO Callee model: 
Model(method=``,
  modes={ skip-analysis add-via-obscure-feature taint-in-taint-out})

But immediately after those lines I get:

INFO Processing sinks for call to `Lcom/example/demo/Service;.foo:(Ljava/lang/String;)Ljava/lang/String;`
INFO Processing propagations for call to `Lcom/example/demo/Service;.foo:(Ljava/lang/String;)Ljava/lang/String;`
INFO Processing generations for call to `Lcom/example/demo/Service;.foo:(Ljava/lang/String;)Ljava/lang/String;`

So, it seems that it is trying to process sinks/propagations/generations for that method...
Is it possible to define sinks/propagations for that method? How can I do that?

Thanks!

Install Instructions for building the source

Feature Request

Is your feature request related to a problem? Please describe.
I want to build from source instead of using pip, but there is missing information and the build fails.

Describe the solution you'd like
Clear instructions on how to replicate a functioning build from source, in the README or in an Install.md.

Question: public repo with custom sources and sinks generators

Hello guys, I would like to know if there is any public repo where users can share their own sources and sinks generators. It would be very useful to share custom generators among the community, beyond those already provided by Meta in this repo. Obviously, even custom rules would be nice!

Bad dex magic dex

Hi,
I'm getting the following issue when running with APKs:

INFO Initializing Redex...
error: /tmp/mt-static-cnhs17k0/build/redex-master/libredex/DexLoader.cpp:49: void validate_dex_header(const dex_header*, size_t, int): assertion `supported' failed.
Bad dex magic dex
039 for support_dex_version 37

Any help here would be great.

Thanks

Taint cannot flow into AsyncTask

I set the source and sink as shown in the code below, but Mariana-trench found 0 issues; it looks like doInBackground is not in the flow.
Can Mariana-trench deal with scenarios where taint flows into an AsyncTask? Or how can I write a config for this?

public void foo(Source source) {
    String txt = source.getText(); // Source here
    MyAsyncTask myTask = new MyAsyncTask(txt);
    myTask.execute(1000);
}

public class MyAsyncTask extends AsyncTask<Integer, Integer, Void> {

    private String txt;

    public MyAsyncTask(String txt) {
        super();
        this.txt = txt;
    }

    @Override
    protected Void doInBackground(Integer... params) {
        Intent intent = new Intent();
        intent.putExtra("txt", this.txt); // Sink here
        // sendBroadcast resolves only when MyAsyncTask is an inner class of a Context (e.g. the Activity)
        sendBroadcast(intent);
        return null;
    }

    @Override
    protected void onPreExecute() {
        Log.i("test", "onPreExecute");
    }
}

Always showing 0 issues

I ran different Android APKs, even the officially provided one, with the tool, and I am getting 0 issues. It should have flagged 1 default RCE issue as per the documentation/getting started guide.

Please look into it. Or, if anything I am evaluating is different from how it should be, let me know.

implicitly launched intent got a false positive

I checked the default rules.json and found multi_sources and partial_sinks. This feature is not reflected in the documentation. Can you help explain this concept? In addition, I don't know if I understand code 3 correctly.

I got a false positive here

default multi_sources rules

{
    "name": "User input flows into implicitly launched intent",
    "code": 3,
    "description": "Values from user-controlled source may eventually flow into an implicit intent and intent launcher",
    "multi_sources": {
      "a": [
        "IntentCreation"
      ],
      "b": [
        "FragmentUserInput",
        "ActivityUserInput",
        "ReceiverUserInput",
        "ServiceUserInput"
      ]
    },
    "partial_sinks": [
      "LaunchingComponent"
    ]
  },

code examples

public class FiveActivity extends Activity {

    private TextView textView;

    @Override
    protected void onCreate(@Nullable Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_five);
        
        // IntentCreation 
        Intent newIntent = new Intent();
        // if newIntent = null , only one false positive
        //Intent newIntent = null;

        // ActivityUserInput
        Intent getIntent = getIntent();
        String test = getIntent.getStringExtra("test");
        
        // I test this must set extra data from getIntent in newIntent
        newIntent.putExtra("test",test);
        newIntent.setClass(FiveActivity.this, ThirdActivity.class);
        // Partial:LaunchingComponent:b
        startActivity(newIntent);
        initView();
    }

    private void initView() {

        textView = findViewById(R.id.textView2);
        textView.setOnTouchListener(new View.OnTouchListener() {
            @SuppressLint("ClickableViewAccessibility")
            @Override
            public boolean onTouch(View v, MotionEvent event) {
                Intent intent = new Intent();
                intent.setClass(FiveActivity.this, MainActivity.class);

                //  Got a false positive here
                //  Partial:LaunchingComponent:b  too !
                startActivity(intent);
                return false;
            }
        });
    }
}

I get two issues:

1. Got a false positive here


// 0. Data of type ActivityUserInput flowing up to void FiveActivit.onCreate(Bundle) in com/h/vulnerability_test/FiveActivity.java.
Intent getIntent = getIntent();

// 1. Source and sink traces meet at void FiveActivit.onCreate(Bundle) in com/h/vulnerability_test/FiveActivity.java.
initView();

// 2. Data of type ActivityUserInput flowing from void FiveActivit.onCreate(Bundle) into sinks of type Partial:LaunchingComponent:b in com/h/vulnerability_test/FiveActivity.java.
textView = findViewById(R.id.textView2);
textView.setOnTouchListener(new View.OnTouchListener() {
intent.setClass(FiveActivity.this, MainActivity.class);

// 3. sink
startActivity(intent);

2. I think this is correct.

If "Intent newIntent = new Intent();" is replaced with "Intent newIntent = null;", there will be no issue here.

// 0. Data of type ActivityUserInput flowing up to void FiveActivit.onCreate(Bundle) in com/h/vulnerability_test/FiveActivity.java.
Intent getIntent = getIntent();

// 1. Source and sink traces meet at void FiveActivit.onCreate(Bundle) in com/h/vulnerability_test/FiveActivity.java.

// 2. Data of type ActivityUserInput flowing from void FiveActivit.onCreate(Bundle) into sinks of type Partial:LaunchingComponent:b in com/h/vulnerability_test/FiveActivity.java.
startActivity(newIntent);


    @Override
    protected void onCreate(@Nullable Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_five);

        // IntentCreation
        Intent newIntent = new Intent();
        // if newIntent = null , only one false positive
        //Intent newIntent = null;

        // ActivityUserInput
        Intent getIntent = getIntent();
        String test = getIntent.getStringExtra("test");

        // I test this must set extra data from getIntent in newIntent
        newIntent.putExtra("test",test);
        newIntent.setClass(FiveActivity.this, ThirdActivity.class);
        // Partial:LaunchingComponent:b
        startActivity(newIntent);
        initView();
    }

Display Kotlin source

Issues are found within Kotlin code, but aren't matched to the corresponding Kotlin source file - SAPP just displays "No file found" for the class. Looks like the position entry in the models for any Kotlin methods is just being left as "{}". It'd be great to be able to look at Kotlin source as well as Java.

CRITICAL Could not find `mariana-trench-binary` in PATH

On the Windows platform, I have installed mariana-trench by:
1 install Python 3.8
2 install sapp: pip install fb-sapp
3 install mariana-trench: pip install mariana-trench
When I want to analyze one APK, it says: CRITICAL Could not find mariana-trench-binary in PATH
I searched for mariana-trench-binary.exe, but failed to find it.

Does mariana trench support Windows or not?

mac 11.5.2: cannot operate

CRITICAL Unexpected error:
Traceback (most recent call last):
File "/.venvs/mariana-trench/lib/python3.8/site-packages/mariana_trench/shim/shim.py", line 582, in main
output = subprocess.run(command)
File "/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.8/lib/python3.8/subprocess.py", line 494, in run
with Popen(*popenargs, **kwargs) as process:
File "/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.8/lib/python3.8/subprocess.py", line 859, in init
self._execute_child(args, executable, preexec_fn, close_fds,
File "/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.8/lib/python3.8/subprocess.py", line 1705, in _execute_child
raise child_exception_type(errno_num, err_msg, err_filename)
OSError: [Errno 8] Exec format error: '/.venvs/mariana-trench/bin/mariana-trench-binary'

Question about writing advanced rules

For reference, I am trying my hand at writing a rule to detect PendingIntents used dangerously, as noted in https://www.researchgate.net/publication/325818237_PIAnalyzer_A_Precise_Approach_for_PendingIntent_Vulnerability_Analysis, and I have a rule that can detect implicit intents being initialised as its source, and something like this for its sink.

{
  "model_generators": [
    {
      "find": "methods",
      "where": [
        {
          "constraint": "parent",
          "inner": {
            "constraint": "name",
            "pattern": "Landroid/app/PendingIntent;"
          }
        },
        {
          "constraint": "any_of",
          "inners": [
            {
              "constraint": "name",
              "pattern": "getB.*"
            },
            {
              "constraint": "name",
              "pattern": "getA.*"
            },
            {
              "constraint": "name",
              "pattern": "getS.*"
            }
          ]
        }
      ],
      "model": {
        "for_all_parameters": [
          {
            "variable": "x",
            "sinks": [
              {
                "kind": "PendingIntentSink",
                "port": "Argument(x)"
              }
              ]
          }]
        }
    }
  ]
}

However, I am unable to abstract this flow as its own standalone source/sink. Would like to develop this further to detect instances of PendingIntents being initialised with implicit intents, and then sent off as another Intent's extraData. How should I link these 2 use cases up? Appreciate any advice regarding this!

How to debug and check if source/sinks are working

Hi there! Was looking at this to try and do security assessments on apk files, but unsure of how to debug on whether the sources/sinks are being identified accurately. Any advice would be greatly appreciated.

AttributeError: 'LocalStack' object has no attribute '__ident_func__'

Bug

Bug description
Followed the instructions on the home page to run, but encountered an issue.

Reproduction steps
Follow the manual on GitHub homepage.

Expected behavior
SAPP isn't starting a server; instead it is throwing an error :( I did cut an issue to SAPP as well; if anyone knows how to fix this it would be helpful.
Logs

  File "/usr/local/bin/sapp", line 8, in <module>
    sys.exit(cli())
  File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1130, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1055, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.9/site-packages/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/click/decorators.py", line 84, in new_func
    return ctx.invoke(f, obj, *args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/sapp/cli_lib.py", line 236, in server
    start_server(ctx.database, debug, static_resources, source_directory, editor_schema)
  File "/usr/local/lib/python3.9/site-packages/sapp/ui/server.py", line 75, in start_server
    scopefunc=_app_ctx_stack.__ident_func__,
AttributeError: 'LocalStack' object has no attribute '__ident_func__'


What does generations mean in a model_generators model? e.g. ImplicitIntentSourceGenerator.json

The model attribute of model_generators in the documentation only provides sources, sinks, and propagation, and the value generations is not found.
But in ImplicitIntentSourceGenerator.json, generations are used. I want to know what the difference is between generations and sources, or what generations means: is it to initialize a class as a source, or...

ImplicitIntentSourceGenerator.json ->

{
  "model_generators": [
    {
      "find": "methods",
      "where": [
        {
          "constraint": "parent",
          "inner": {
            "constraint": "name",
            "pattern": "Landroid/content/Intent;"
          }
        },
        {
          "constraint": "name",
          "pattern": "\\<init\\>"
        },
        {
          "constraint": "not",
          "inner": {
            "constraint": "signature",
            "pattern": ".*Ljava/lang/Class;.*"
          }
        }
      ],
      "model": {
        "**generations**": [
          {
            "kind": "IntentCreation",
            "port": "Argument(0)"
          }
        ]
      }
    }
  ]
}
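To check which methods a generator's where clause actually selects (the question asked in "How to debug and check if source/sinks are working" above), here is an added example, not code from the Mariana Trench project: a small Python re-implementation of the constraints used in the two generators posted in this thread (parent, name, signature, not, any_of), run over a constructed list of method descriptors in the form the tool's logs print. The matching semantics (full-regex match on the method name, on the declaring-class descriptor for parent, on the whole descriptor for signature) are my assumption about the tool, not taken from its source.

```python
import re

# Constructed sample input: method descriptors in the "Lpkg/Class;.name:(args)ret"
# form that the Mariana Trench logs quoted in these issues use.
SAMPLE_METHODS = [
    "Landroid/content/Intent;.<init>:()V",
    "Landroid/content/Intent;.<init>:(Ljava/lang/String;)V",
    "Landroid/content/Intent;.<init>:(Landroid/content/Context;Ljava/lang/Class;)V",
    "Landroid/app/PendingIntent;.getBroadcast:(Landroid/content/Context;ILandroid/content/Intent;I)Landroid/app/PendingIntent;",
    "Landroid/app/PendingIntent;.getActivity:(Landroid/content/Context;ILandroid/content/Intent;I)Landroid/app/PendingIntent;",
    "Landroid/app/PendingIntent;.send:()V",
    "Lcom/example/demo/Service;.foo:(Ljava/lang/String;)Ljava/lang/String;",
]

# The two generators posted in this thread, as Python literals (the "**" emphasis
# around "generations" in the post removed so the structure is valid).
INTENT_INIT_GENERATOR = {
    "find": "methods",
    "where": [
        {"constraint": "parent",
         "inner": {"constraint": "name", "pattern": "Landroid/content/Intent;"}},
        {"constraint": "name", "pattern": "\\<init\\>"},
        {"constraint": "not",
         "inner": {"constraint": "signature", "pattern": ".*Ljava/lang/Class;.*"}},
    ],
    "model": {"generations": [{"kind": "IntentCreation", "port": "Argument(0)"}]},
}

PENDING_INTENT_GENERATOR = {
    "find": "methods",
    "where": [
        {"constraint": "parent",
         "inner": {"constraint": "name", "pattern": "Landroid/app/PendingIntent;"}},
        {"constraint": "any_of", "inners": [
            {"constraint": "name", "pattern": "getB.*"},
            {"constraint": "name", "pattern": "getA.*"},
            {"constraint": "name", "pattern": "getS.*"},
        ]},
    ],
    "model": {"for_all_parameters": [
        {"variable": "x", "sinks": [{"kind": "PendingIntentSink", "port": "Argument(x)"}]}
    ]},
}


def split_descriptor(descriptor):
    """Split "Lpkg/Class;.name:(args)ret" into declaring class, name and full signature."""
    parent, rest = descriptor.split(";.", 1)
    name = rest.split(":", 1)[0]
    return {"parent": parent + ";", "name": name, "signature": descriptor}


def matches(constraint, method):
    """Evaluate one "where" constraint. Assumption (not taken from the tool's
    source): patterns are full-regex matches, and the inner constraint of
    "parent" is evaluated against the declaring class descriptor."""
    kind = constraint["constraint"]
    if kind == "name":
        return re.fullmatch(constraint["pattern"], method["name"]) is not None
    if kind == "signature":
        return re.fullmatch(constraint["pattern"], method["signature"]) is not None
    if kind == "parent":
        cls = method["parent"]
        return matches(constraint["inner"], {"parent": cls, "name": cls, "signature": cls})
    if kind == "not":
        return not matches(constraint["inner"], method)
    if kind == "any_of":
        return any(matches(inner, method) for inner in constraint["inners"])
    raise ValueError(f"unsupported constraint kind: {kind}")


def find_methods(generator, descriptors):
    """Return the descriptors selected by a generator's "where" clause (every
    constraint must hold), i.e. the methods that would receive its model."""
    selected = []
    for descriptor in descriptors:
        method = split_descriptor(descriptor)
        if all(matches(c, method) for c in generator["where"]):
            selected.append(descriptor)
    return selected


if __name__ == "__main__":
    for label, gen in (("Intent.<init>", INTENT_INIT_GENERATOR),
                       ("PendingIntent.get*", PENDING_INTENT_GENERATOR)):
        print(label, "->", gen["model"])
        for descriptor in find_methods(gen, SAMPLE_METHODS):
            print("   ", descriptor)
```

Feeding it the method list from a verbose run (the INVOKE lines in the log) shows at a glance which callees a generator would tag, before looking for the taint flow itself.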

rules

I found that there are many functions in use that are not reflected in the documentation.
For example, the model key generations, and whether the relationship between multi_sources and partial_sinks in rules.json is AND or OR. For example, for the "User input flows into implicitly launched intent" rule, the text means that external input is passed to new Intent(...) and the intent is then launched.
I think the process should be
1, User Input -> Intent test = this.getIntent();
2, Intent ha = new Intent(test);
3, startActivity(ha);
But multi_sources seems to be an OR relationship:
1, User Input-> Intent test = this.getIntent();
3, startActivity(ha);
or
2, Intent ha = new Intent(test);
3, startActivity(ha);

{
    "name": "User input flows into implicitly launched intent",
    "code": 3,
    "description": "Values from user-controlled source may eventually flow into an implicit intent and intent launcher",
    "multi_sources": {
      "a": [
        "IntentCreation"
      ],
      "b": [
        "FragmentUserInput",
        "ActivityUserInput",
        "ReceiverUserInput",
        "ServiceUserInput"
      ]
    },
    "partial_sinks": [
      "LaunchingComponent"
    ]
  },

Error running Mariana Trench on an application

While trying to run MT on an application, MT crashed halfway and exited with exit code -6.

libc++abi: terminating with uncaught exception of type std::out_of_range: vector
0 mariana-trench-binary 0x0000000102f9b681 _Z23crash_backtrace_handleri + 81
1 libsystem_platform.dylib 0x00007ff80f70ee2d _sigtramp + 29
2 libc++abi.dylib 0x00007ff80f6b8f4c libc++abi.dylib + 77644
3 libsystem_c.dylib 0x00007ff80f645d10 abort + 123
4 libc++abi.dylib 0x00007ff80f6b60b2 abort_message + 241
5 libc++abi.dylib 0x00007ff80f6a71e5 _ZL28demangling_terminate_handlerv + 242
6 libobjc.A.dylib 0x00007ff80f5a4511 _ZL15_objc_terminatev + 104
7 libc++abi.dylib 0x00007ff80f6b54d7 _ZSt11__terminatePFvvE + 8
8 libc++abi.dylib 0x00007ff80f6b7d55 __cxa_get_exception_ptr + 0
9 libc++abi.dylib 0x00007ff80f6b7d1c _ZN10__cxxabiv1L22exception_cleanup_funcE19_Unwind_Reason_CodeP17_Unwind_Exception + 0
10 libc++.1.dylib 0x00007ff80f65bbd4 _ZNSt3__120__throw_out_of_rangeEPKc + 56
11 libc++.1.dylib 0x00007ff80f66345a _ZNKSt3__120__vector_base_commonILb1EE20__throw_out_of_rangeEv + 16
12 mariana-trench-binary 0x0000000102df3789 _ZN13marianatrench8Transfer14analyze_invokeEPNS_13MethodContextEPK13IRInstructionPNS_19AnalysisEnvironmentE + 13673
13 mariana-trench-binary 0x0000000102d011de _ZNK13marianatrench12_GLOBAL__N_116FixpointIterator12analyze_nodeERKPN3cfg5BlockEPNS_19AnalysisEnvironmentE + 286
14 mariana-trench-binary 0x0000000102d141d3 _ZN6sparta7fp_impl29MonotonicFixpointIteratorBaseIN3cfg14GraphInterfaceEN13marianatrench19AnalysisEnvironmentENSt3__14hashIPNS2_5BlockEEEE14analyze_vertexEPNS0_32MonotonicFixpointIteratorContextIS9_S5_SA_EERKS9_ + 1331
15 mariana-trench-binary 0x0000000102d12f38 _ZZN6sparta25MonotonicFixpointIteratorIN3cfg14GraphInterfaceEN13marianatrench19AnalysisEnvironmentENSt3__14hashIPNS1_5BlockEEEE3runERKS4_ENKUljE_clEj + 648
16 mariana-trench-binary 0x0000000102cfd77e _ZN6sparta25MonotonicFixpointIteratorIN3cfg14GraphInterfaceEN13marianatrench19AnalysisEnvironmentENSt3__14hashIPNS1_5BlockEEEE3runERKS4_ + 622
17 mariana-trench-binary 0x0000000102cfcbdd _ZN5boost6detail11thread_dataINSt3__18__bind_rIvRZN6sparta15SpartaWorkQueueIPKN13marianatrench6MethodENS4_14workqueue_impl22NoStateWorkQueueHelperIS9_ZNS6_15Interprocedural12run_analysisERNS6_7ContextERNS6_8RegistryEE3$_0EEE7run_allEvEUlPNS4_17SpartaWorkerStateIS9_EEmE_JSM_RmEEEE3runEv + 3181
18 mariana-trench-binary 0x0000000102e8b818 _ZN5boost12_GLOBAL__N_112thread_proxyEPv + 120
19 libsystem_pthread.dylib 0x00007ff80f6f94f4 _pthread_start + 125
20 libsystem_pthread.dylib 0x00007ff80f6f500f thread_start + 15
CRITICAL Analysis binary exited with exit code -6.

Is there any error page or documentation on troubleshooting errors in MT?

Error by following Getting Started

Hi,
I was trying your tool out by following the Getting Started section in README.md, but got the following error. Any hint about how to resolve this issue?

(mariana-trench) linghuiluo@Linghuis-MacBook-Pro sample-app %mariana-trench --system-jar-configuration-path=$ANDROID_SDK/platforms/android-30/android.jar --apk-path=sample-app-debug.apk
Password:
INFO Extracting `/Users/linghuiluo/Projects/mariana-trench/documentation/sample-app/sample-app-debug.apk`...
INFO Extracted APK into `/tmp/tmp1pzy08bd_apk` and DEX into `/tmp/tmptl0_emvd_dex`
INFO Running Mariana Trench: /Users/linghuiluo/.venvs/mariana-trench/bin/mariana-trench-binary --system-jar-paths /Users/linghuiluo/Library/Android/sdk/platforms/android-30/android.jar --apk-directory /tmp/tmp1pzy08bd_apk --dex-directory /tmp/tmptl0_emvd_dex --rules-paths /Users/linghuiluo/.venvs/mariana-trench/share/mariana-trench/configuration/rules.json --repository-root-directory /Users/linghuiluo/Projects/mariana-trench/documentation/sample-app/ --source-root-directory /Users/linghuiluo/Projects/mariana-trench/documentation/sample-app/ --apk-path /Users/linghuiluo/Projects/mariana-trench/documentation/sample-app/sample-app-debug.apk --output-directory /Users/linghuiluo/Projects/mariana-trench/documentation/sample-app/ --maximum-source-sink-distance 7 --model-generator-configuration-paths /Users/linghuiluo/.venvs/mariana-trench/share/mariana-trench/configuration/default_generator_config.json --model-generator-search-paths /Users/linghuiluo/.venvs/mariana-trench/share/mariana-trench/configuration/model-generators
CRITICAL Unexpected error:
Traceback (most recent call last):
  File "/Users/linghuiluo/.venvs/mariana-trench/lib/python3.8/site-packages/mariana_trench/shim/shim.py", line 576, in main
    output = subprocess.run(command)
  File "/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.8/lib/python3.8/subprocess.py", line 489, in run
    with Popen(*popenargs, **kwargs) as process:
  File "/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.8/lib/python3.8/subprocess.py", line 854, in __init__
    self._execute_child(args, executable, preexec_fn, close_fds,
  File "/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.8/lib/python3.8/subprocess.py", line 1702, in _execute_child
    raise child_exception_type(errno_num, err_msg, err_filename)
OSError: [Errno 8] Exec format error: '/Users/linghuiluo/.venvs/mariana-trench/bin/mariana-trench-binary'
