Comments (8)
arthaud
commented on April 19, 2024
2
I don't think there is a good way to model this currently.
I would personally use features to mark that the taint went through PendingIntent.getActivity and Intent.putExtra, but you will probably get a good amount of false positives.
It could be solved with a technic we call Taint Transforms but it is not implemented in Mariana Trench.
from mariana-trench.
chuayupeng
commented on April 19, 2024
Trying to figure this out still, but was wondering if partial_labels or some other function can be used to chain different types of declarations up?
from mariana-trench.
arthaud
commented on April 19, 2024
Could you describe what flow you are trying to catch? I don't have access to this paper.
Please give a concrete example.
from mariana-trench.
chuayupeng
commented on April 19, 2024
Hi @arthaud, sure! The example vulnerable code is here:
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main_vuln);
Intent baseIntent = new Intent();
PendingIntent pendingIntent = PendingIntent.getActivity(this, 1, baseIntent, PendingIntent.FLAG_UPDATE_CURRENT);
Intent implicitWrappingIntent = new Intent(Intent.ACTION_SEND);
implicitWrappingIntent.putExtra("vulnPI", pendingIntent);
sendBroadcast(implicitWrappingIntent);
}
Basically, I want to find any invocations of PendingIntent, via either getActivity(), getActivities(), getBroadcast()
or getService(), check that the the baseIntent that is initialised within PendingIntent is implicit, and that the PendingIntent itself is wrapped in another implicitWrappingIntent, before being sent out.
So far, I could get the source of the rule to be checking for initialization of a implicit intent, and I can trace up till the getActivity function, but not sure how to chain this rule with a rule that checks that the pendingIntent is then wrapped within another implicit intent.
from mariana-trench.
gitWK86
commented on April 19, 2024
Like below
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main_vuln);
// 1.implicitly IntentCreation Source 1
Intent baseIntent = new Intent();
// 2. implicitly intent source flows into PendingIntent.getActivity, then pendingIntent is tainted
PendingIntent pendingIntent = PendingIntent.getActivity(this, 1, baseIntent, PendingIntent.FLAG_UPDATE_CURRENT);
Intent implicitWrappingIntent = new Intent(Intent.ACTION_SEND);
// 3. tainted pendingIntent flows into implicitWrappingIntent, then implicitWrappingIntent is tainted
implicitWrappingIntent.putExtra("vulnPI", pendingIntent);
// 4. sendBroadcast(0) is sink
sendBroadcast(implicitWrappingIntent);
}
from mariana-trench.
chuayupeng
commented on April 19, 2024
How do I ensure that the taint path must have PendingIntent in it though? Or is it not possible to define that sort of granularity within the rules?
from mariana-trench.
chuayupeng
commented on April 19, 2024
Thanks @arthaud! Will keep that in mind, and work with features for now.
from mariana-trench.
serrapa
commented on April 19, 2024
Hello @chuayupeng , could you share how you achieved your goal with features? I am trying to learn propagations and features, which are not well-documented (few examples and not much detailed) and simple to understand, in my opinion.
from mariana-trench.
Related Issues (20)
- [Question] Difference between attach_to_sources and features keys. HOT 4
- Does not compile with latest fmt 9.1 due to lack of formatter for types HOT 1
- How to check argument value with regex? HOT 1
- The latest version compiles, cannot be used, and various parameters are missing. MarianaTrench mariana_trench_error: the option '--output-directory' is required but missing???
- Example code does not work HOT 3
- Taint not flowing into a sink in Runnable
- Build from source fails. HOT 1
- Stuck creating generators: Found 0 issues
- Old macOS 10.15.7 failed to execute analysis HOT 4
- Tainted data not flowing through custom propagations HOT 14
- "No such file " log in sapp HOT 3
- Request for Features Description HOT 3
- Evaluate Profile-Guided Optimization (PGO) and LLVM BOLT HOT 4
- Release app with proguard HOT 1
- Error building mariana-trench HOT 1
- verifying propagations applied to the functions. HOT 2
- ImportError when using sapp HOT 3
- Default model generators missing from PyPI release HOT 2
- Flow analysis in a method.
- Sanitizer does not work, or something wrong
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from mariana-trench.