
A false positive leak caused by SummaryTaintWrapper #520

Open
RichardHoOoOo opened this issue Sep 16, 2022 · 3 comments

Comments

@RichardHoOoOo

Hi @StevenArzt , FlowDroid reports a FP leak on the following case, in which only the mimeType field in the intent should be tainted. But FlowDroid also taints the action field in the intent.

String a = notASource();  // untainted value
String b = source();      // <== source
Intent intent = new Intent().setType(b).setAction(a);  // only mimeType should be tainted
sink(intent.getAction()); // <== sink (action is read, not mimeType)

I register a taint propagation handler to read the incoming and outgoing access paths. I found that the problem may happen at the following line:

r5 = virtualinvoke r5.<android.content.Intent: android.content.Intent setType(java.lang.String)>($r4)
incoming: $r4(java.lang.String) * <+length>
outgoing: r5(android.content.Intent) <android.content.Intent: java.lang.String mimeType> * <+length>
outgoing: $r4(java.lang.String) * <+length>
outgoing: r5(android.content.Intent) * <+length>

The 1st outgoing is correct according to the summary manual android.content.Intent.xml. But it seems the 3rd outgoing, which taints the intent object, is not correct. When the intent object is tainted, the return of intent.getAction() is further tainted, which results in the FP.

This is how I set the taint wrapper:

app.setTaintWrapper(new SummaryTaintWrapper(new LazySummaryProvider("summariesManual")));

Did I misconfigure something, or is it a FlowDroid bug?

@StevenArzt
Member

This looks like a bug at first sight; the intent object itself should not be tainted. Thanks a lot for the thorough investigation with the taint propagation handler. I'll have a look.

@flankerhqd
Contributor

Hi Richard:

It is because the Intent.xml has a taint summary from field to return, i.e. the following line:

https://github.com/secure-software-engineering/FlowDroid/blob/develop/soot-infoflow-summaries/summariesManual/android.content.Intent.xml#L1532

				<flow isAlias="true" typeChecking="false">
					<from sourceSinkType="Field" />
					<to sourceSinkType="Return" />
				</flow>

This means that if any field in Intent is tainted, the returned Intent value of setType is tainted at the whole-object level when typeChecking is not enabled, so you will encounter a false positive taint in the following getAction call.

This can be fixed by setting typeChecking to true.
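
Added illustration, not FlowDroid or StubDroid code: a toy model of the access paths quoted in the issue, replaying setType/setAction/getAction with the alias flow either tainting the whole returned Intent (the reported 3rd outgoing path) or preserving the tainted field. The `precise` flag only approximates the effect the comment above attributes to typeChecking="true", and `$r3`/`$r6` are constructed local names.

```python
# Toy model of FlowDroid-style access-path taint propagation for this issue.
# Not FlowDroid/StubDroid code; `precise` approximates the effect attributed to
# typeChecking="true" above, and "$r3"/"$r6" are constructed Jimple local names.
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessPath:
    base: str              # Jimple local, e.g. "r5"
    fields: tuple = ()     # field chain, e.g. ("mimeType",)
    star: bool = True      # True: everything below this path is tainted ("*")

    def covers(self, other):
        """Does this taint imply `other` is tainted (prefix match; '*' absorbs suffixes)?"""
        n = len(self.fields)
        if self.base != other.base or other.fields[:n] != self.fields:
            return False
        return self.star or len(other.fields) == n

def setter(taints, field, arg, intent, precise):
    """Intent.set<Field>(arg) returning the same object: Parameter0 -> Return.<field>,
    then the summary's alias flow <from Field/> -> <to Return/>."""
    out = set(taints)                                   # incoming taints are kept
    if any(t.covers(AccessPath(arg)) for t in taints):
        out.add(AccessPath(intent, (field,)))           # Return.<field> tainted
    for t in list(out):
        if t.base == intent and t.fields:
            # imprecise: any tainted field taints the whole returned Intent (the
            # 3rd outgoing path in the issue); precise: the field path is kept
            out.add(t if precise else AccessPath(intent))
    return out

def get_action(taints, intent, ret):
    """Intent.getAction(): this.action -> Return."""
    out = set(taints)
    if any(t.covers(AccessPath(intent, ("action",))) for t in taints):
        out.add(AccessPath(ret))
    return out

def sink_tainted(precise):
    """Replay: b = source(); new Intent().setType(b).setAction(a); sink(intent.getAction())."""
    taints = {AccessPath("$r4")}                                # b = source()
    taints = setter(taints, "mimeType", "$r4", "r5", precise)   # setType(b)
    taints = setter(taints, "action", "$r3", "r5", precise)     # setAction(a), a untainted
    taints = get_action(taints, "r5", "$r6")                    # $r6 = intent.getAction()
    return any(t.covers(AccessPath("$r6")) for t in taints)     # sink($r6)

if __name__ == "__main__":
    print("whole-object alias flow, sink tainted:", sink_tainted(precise=False))  # True (FP)
    print("field-preserving alias flow, sink tainted:", sink_tainted(precise=True))  # False
```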

flankerhqd added a commit to flankerhqd/FlowDroid that referenced this issue Oct 3, 2022
@RichardHoOoOo
Author

Hi @flankerhqd, thanks for your fix. But I have a comment
