facebook / mariana-trench

A security focused static analysis tool for Android and Java applications.
https://mariana-tren.ch/
MIT License

How to define taint propagation with lists #171

Closed draftyfrog closed 1 month ago

draftyfrog commented 1 month ago

I wonder how it is possible to configure MarianaTrench to also report taint propagated through lists, for example like this:

```java
List<String> taintList = new ArrayList<String>();
taintList.add(source()); // Add a tainted variable to the list
sink(taintList); // Hand the list as argument to a function defined as sink
```

I guess I would need a propagation model generator that looks something like this

```json
{
  "find": "methods",
  "where": [
    {
      "constraint": "signature_match",
      "parent": "Ljava/util/List",
      "name": "add"
    }
  ],
  "model": {
    "propagation": [
      {
        "input": "Argument(0)",
        "output": "Return"
      }
    ]
  }
}
```

But this doesn't work, as the taint isn't propagated to the return value but to the list itself. So it would need another argument at model.propagation[0].output, but I couldn't find the correct option in the documentation.

arthaud commented 1 month ago

Hi @draftyfrog, thanks for reaching out.

In Mariana Trench, the implicit this is actually Argument(0). This is mentioned at https://mariana-tren.ch/docs/models/#method-name-format, so you would want a propagation from Argument(1) to Argument(0).

Also note that you are missing the final ; in the parent name (it should be "parent": "Ljava/util/List;").

We actually have models for List but they aren't open source, unfortunately. This is what we use internally:

```json
{
  "find": "methods",
  "where": [
    {
      "constraint": "any_of",
      "inners": [
        {
          "constraint": "signature_pattern",
          "pattern": "Ljava/util/List;\\.add:\\(Ljava/lang/Object;\\)Z"
        },
        {
          "constraint": "signature_pattern",
          "pattern": "Ljava/util/Queue;\\.add:\\(Ljava/lang/Object;\\)Z"
        },
        {
          "constraint": "signature_pattern",
          "pattern": "Ljava/util/Queue;\\.offer:\\(Ljava/lang/Object;\\)Z"
        }
      ]
    }
  ],
  "model": {
    "modes": [
      "skip-analysis",
      "taint-in-taint-this",
      "no-join-virtual-overrides"
    ]
  }
}
```
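
The generator from the question with the two corrections from this answer applied, written out here as an added example (it is neither the thread's code nor a model shipped with Mariana Trench): the element being added is `Argument(1)` because `Argument(0)` is the implicit `this`, the type name carries its trailing `;`, and a second generator covers the `add(int, E)` overload, where the element shifts to `Argument(2)` and the return type is `V`. It assumes the `model_generators` top-level wrapper for a generator file.

```json
{
  "model_generators": [
    {
      "find": "methods",
      "where": [
        {
          "constraint": "signature_pattern",
          "pattern": "Ljava/util/List;\\.add:\\(Ljava/lang/Object;\\)Z"
        }
      ],
      "model": {
        "propagation": [
          {
            "input": "Argument(1)",
            "output": "Argument(0)"
          }
        ]
      }
    },
    {
      "find": "methods",
      "where": [
        {
          "constraint": "signature_pattern",
          "pattern": "Ljava/util/List;\\.add:\\(ILjava/lang/Object;\\)V"
        }
      ],
      "model": {
        "propagation": [
          {
            "input": "Argument(2)",
            "output": "Argument(0)"
          }
        ]
      }
    }
  ]
}
```

Unlike the internal model above, this states the flow into the receiver as an explicit propagation rather than through the `taint-in-taint-this` mode, so the sink call `sink(taintList)` in the question is reached with the list tainted.
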

draftyfrog commented 1 month ago

Hi @arthaud, thanks for the fast response. That does exactly what I was looking for!