CROSSINGTUD / CryptoAnalysis

CogniCrypt_SAST: CrySL-to-Static Analysis Compiler
Eclipse Public License 2.0
Failure of Interprocedural Analysis #717

Open mraashish opened 2 weeks ago

mraashish commented 2 weeks ago

The Interprocedural Analysis fails when the key is generated in a different method.

For the two examples below, CogniCrypt gives different results.

SimpleEncryption.java

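    import java.security.InvalidKeyException;
    import java.security.NoSuchAlgorithmException;
    import javax.crypto.Cipher;
    import javax.crypto.KeyGenerator;
    import javax.crypto.NoSuchPaddingException;
    import javax.crypto.SecretKey;

    public class SimpleEncryption {
        public static void main(String[] args) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException {
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            // The key comes from a separate method (interprocedural case).
            SecretKey key = getSecretKey();
            cipher.init(Cipher.ENCRYPT_MODE, key);
        }

        public static SecretKey getSecretKey() throws NoSuchAlgorithmException {
            KeyGenerator keyGen = KeyGenerator.getInstance("AES");
            return keyGen.generateKey();
        }
    }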

SimpleEncryption1.java

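    import java.security.InvalidKeyException;
    import java.security.NoSuchAlgorithmException;
    import javax.crypto.Cipher;
    import javax.crypto.KeyGenerator;
    import javax.crypto.NoSuchPaddingException;
    import javax.crypto.SecretKey;

    public class SimpleEncryption1 {
        public static void main(String[] args) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException {
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            // The key is generated in the same method (intraprocedural case).
            KeyGenerator keyGen = KeyGenerator.getInstance("AES");
            SecretKey key = keyGen.generateKey();
            cipher.init(Cipher.ENCRYPT_MODE, key);
        }
    }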

The output for the 1st code gives a RequiredPredicateError in the last statement cipher.init(Cipher.ENCRYPT_MODE,key);.

Second parameter was not properly generated as generatedPrivkey OR generatedPubkey OR generatedKey

This is the output for "HeadlessJavaScanner-4.0.0-jar-with-dependencies.jar".

smeyer198 commented 1 week ago

Hi, can you tell us which Java version you have used to compile the program? If I compile the interprocedural program with Java 11, I only get an IncompleteOperationError as expected (since a call to doFinal is missing), there is no RequiredPredicateError (you can check with the attached file). Note that newer Java versions may produce different byte codes. Currently, we focused mostly on Java 11 and 8, that is, you can expect the best results with compiling your programs with these versions (or versions that are not too new, e.g. Java 17).

Issue717.zip

mraashish commented 5 days ago

Hi, the output of Java 11 is indeed different from Java 19.

However, this still doesn't solve this issue of interprocedural2 for some reason. Can you check this file as well? I believe there should not be an ImpreciseValueExtractionError for this file.

Archive.zip

mraashish commented 5 days ago

As for the previous issue, I have deleted all instances of other Java versions from my machine and I am sure I am using Java 11 now. However, the jar output when using it through a terminal still gives me a RequiredPredicateError:

    String jarFileName = classFilePath.replace(".class", ".jar");
    ProcessBuilder pb = new ProcessBuilder("jar", "-cf", jarFileName, classFilePath);
    pb.environment().putAll(env);
    Process process = pb.start();

    captureProcessOutput(process);

But simply making a Jar file using JarOutputStream doesn't give this error.

    String jarFilePath = classFilePath.replace(".class", ".jar");
    try (JarOutputStream jarOutputStream = new JarOutputStream(new FileOutputStream(jarFilePath))) {

        String entryName = new File(classFilePath).getName();
        JarEntry entry = new JarEntry(entryName);
        jarOutputStream.putNextEntry(entry);

        byte[] fileContent = Files.readAllBytes(Paths.get(classFilePath));
        jarOutputStream.write(fileContent);

        jarOutputStream.closeEntry();
    }

Do you know why?

smeyer198 commented 4 days ago

Okay. So looking at the example you provided, there seems to be a mismatch with the class declaration. Note that the class CorrectedEcbMode is declared in the package org.cambench.cap.interprocedural2.truepositive.ecbmode, that is, it is declared as org.cambench.cap.interprocedural2.truepositive.ecbmode.CorrectedEcbMode. However, the compiled class is only CorrectedEcbMode. With this, Soot does load the class CorrectedEcbMode because this is the actual main class, but tries to work with org.cambench.cap.interprocedural2.truepositive.ecbmode.CorrectedEcbMode because the class is declared like that. To deal with this problem, try to remove the package statement. For me, it worked after that. What I have done:

  1. Remove the package statement
  2. Compile the program with javac CorrectedEcbMode.java
  3. Build the jar with the CLI or the program that you provided: jar -cf CorrectedEcbMode.jar CorrectedEcbMode.class

After that, there is only the expected IncompleteOperationError. I hope this helps!
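
The mismatch described in the comment above (a class declared in a package but stored in the jar under its simple name) can be detected before running the scanner. The following is an added example, not part of the original thread or of the CryptoAnalysis project; the class JarClassNameCheck and its method names are hypothetical. It reads the declared name of every class from the class file's constant pool and compares it with the entry path in the jar.

```java
import java.io.*;
import java.util.*;
import java.util.jar.*;

// Added example (hypothetical helper): reports .class entries whose path in the
// jar does not match the fully qualified name declared inside the class file.
public class JarClassNameCheck {
    // Returns the internal name stored in this_class, e.g. "org/example/Foo".
    static String declaredInternalName(InputStream raw) throws IOException {
        DataInputStream in = new DataInputStream(raw);
        if (in.readInt() != 0xCAFEBABE) throw new IOException("not a class file");
        in.readInt(); // minor_version and major_version (u2 each)
        int count = in.readUnsignedShort();
        String[] utf8 = new String[count];
        int[] classNameIndex = new int[count];
        for (int i = 1; i < count; i++) { // constant pool indices start at 1
            int tag = in.readUnsignedByte();
            switch (tag) {
                case 1: utf8[i] = in.readUTF(); break;                  // Utf8
                case 7: classNameIndex[i] = in.readUnsignedShort(); break; // Class
                case 8: case 16: case 19: case 20: in.readFully(new byte[2]); break;
                case 15: in.readFully(new byte[3]); break;              // MethodHandle
                case 3: case 4: case 9: case 10: case 11: case 12: case 17: case 18:
                    in.readFully(new byte[4]); break;
                case 5: case 6: in.readFully(new byte[8]); i++; break;  // long/double use two slots
                default: throw new IOException("unknown constant pool tag " + tag);
            }
        }
        in.readUnsignedShort(); // access_flags
        return utf8[classNameIndex[in.readUnsignedShort()]]; // this_class -> Class -> Utf8
    }

    // One message per entry whose jar path differs from the declared class name.
    static List<String> mismatches(String jarPath) throws IOException {
        List<String> out = new ArrayList<>();
        try (JarFile jar = new JarFile(jarPath)) {
            for (JarEntry entry : Collections.list(jar.entries())) {
                String name = entry.getName();
                if (!name.endsWith(".class") || name.startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(entry)) {
                    String expected = declaredInternalName(in) + ".class";
                    if (!expected.equals(name)) out.add(name + " declares " + expected);
                }
            }
        }
        return out;
    }

    public static void main(String[] args) throws IOException {
        mismatches(args[0]).forEach(System.out::println);
    }
}
```

Pass the jar path as the only argument; no output means every class entry sits at the path its declared package requires.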

mraashish commented 4 days ago

It helped. Thanks