bytedance / appshark

Appshark is a static taint analysis platform to scan vulnerabilities in an Android app.
Apache License 2.0

ConstString rule does not find the call chain #30

Closed mdkk closed 9 months ago

mdkk commented 1 year ago

The test code is as follows:

package com.example.test.util;

import java.util.ArrayList;
import java.util.List;

public class HookInfo {
    public String className;
    public String methodName;

    public static List<HookInfo> infoList = new ArrayList<>();

    public HookInfo(String className, String methodName) {
        this.className = className;
        this.methodName = methodName;
    }

    public static List<HookInfo> getInfoList() {
        infoList.add(new HookInfo("android.telephony.TelephonyManager",
                "getDeviceId"
        ));

        infoList.add(new HookInfo("android.telephony.TelephonyManager",
                "getSubscriberId"
        ));

        return infoList;
    }

}

public class testInfo {

    public static void t(HookInfo info) throws ClassNotFoundException {
        // The class name originates from the constant string stored in HookInfo
        Class cls = String.class.getClassLoader().loadClass(info.className);

        test.doTest(cls, info.methodName);

    }
}

public class test {
    public static void doTest(Class cls, String m) {

    }
}

package com.example.test;

import com.example.test.util.HookInfo;
import com.example.test.util.testInfo;
import java.util.List;

public class Main {
    public void test() throws ClassNotFoundException {

        List<HookInfo> list = HookInfo.getInfoList();

        for (HookInfo info : list) {
            testInfo.t(info);
        }

    }
}

The test rule:

{
  "ConstStringTest1": {
    "ConstStringMode": true,
    "traceDepth": 26,
    "desc": {
      "name": "test",
      "category": "ConstStringTest",
      "detail": "ConstStringTest",
      "wiki": "",
      "possibility": "4",
      "model": "middle"
    },
    "targetStringArr": ["android.telephony.TelephonyManager"],
    "minLen": 2,
    "source": {
      "ConstString": ["android.telephony.TelephonyManager"]
    },
    "sink": {
      "<com.example.test.util.test: doTest()>": {
        "TaintCheck": ["p*"]
      }
    }
  }
}

nkbai commented 1 year ago
  1. First, I recommend using SliceMode rather than ConstStringMode; the latter has limited analysis depth.

{
  "ConstStringTest1": {
    "SliceMode": true,
    "traceDepth": 28,
    "desc": {
      "name": "test",
      "category": "ConstStringTest",
      "detail": "ConstStringTest",
      "wiki": "",
      "possibility": "4",
      "model": "middle"
    },
    "minLen": 2,
    "source": {
      "ConstString": [
        "android.telephony.TelephonyManager"
      ]
    },
    "sink": {
      "<com.example.test.util.test: * doTest()>": {
        "TaintCheck": [
          "p"
        ]
      }
    }
  }
}

  2. I looked into it and found that pointer propagation through the iterator's next is interrupted; the pointer propagation of the next function needs to be handled in EngineConfig.json5. Specifically, add an entry under PointerFlowRule->MethodName. I have already modified the EngineConfig.json5 file.

      "next": {
        "@this->ret": {
          "I": [
            "@this"
          ],
          "O": [
            "ret"
          ]
        },
        "@this.data->ret": {
          "I": [
            "@this.data"
          ],
          "O": [
            "ret"
          ]
        }
      },

    PointerFlowRule and VariableFlowRule in EngineConfig.json5 are very powerful: they override appshark's default analysis behaviour and can be adjusted to your own needs.