brazdil
commented
11 years ago Thinking aloud, the scenario I'm worried about is this:
- call a constructor of an external class with an internal object parameter and a tainted primitive (won't work with a tainted object)
- this already combines taint of args, so the internal object will get its fields tainted
- the constructor takes the tainted primitive and stores it inside a field accessible through a getter
- the constructor calls a method of the parameter object (even something stupid like
equals), passing its reference to it- at that point, the
thisreference is already valid, but not tainted - the internal method has its fields tainted, but can access the primitive through the untainted ref
- at that point, the
This directly applies to callbacks as well. The typical example I had in the dissertation was:
myListener = new LocationListener() {
public void update(Location loc) { /* do stuff */ }
};
locationManager.registerListener(myListener};locationManager is tainted, ergo the recursive setTaint method is called on myListener just before it is registered. All that's fine, but we're lacking a mechanism that would propagate it into update. Some sort of "if called from external source assign this to all your parameters" thing... Not sure what the right answer is though.
On second thought... both examples can be solved quite simply. The listener class inherits Object and therefore must have a t_super field inside (holds taint of the external parent, every internal class must have one; see the wiki), same goes for the internal object in the constructor example. This field will receive the correct taint before the problematic methods are called. So in case of a method having been entered from an external origin, could we just pull the taint from there and assign it to all the arguments? Do we do the same for internal origin? Don't see a reason... Just need to be careful to use t_super when a method is called on the parent.
Example: