Ejemplo n.º 1
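    def do_detect(self):
        """Yield an Issue for each ``Cipher.getInstance(String, ...)`` call
        whose transformation string suggests ECB mode.

        The first argument of every matching ``invoke-static`` is resolved to
        its possible constant values.  A call site is reported when any value
        names ECB explicitly or has no ``/mode/padding`` part at all, unless
        that value mentions RSA.  Call sites whose argument cannot be resolved
        (``DataFlows.NoSuchValueError``) are skipped.
        """

        def suggests_ecb(transformation):
            # JCA algorithm names are case-insensitive, so compare on an
            # upper-cased copy; a case-sensitive test would let
            # 'aes/ecb/pkcs5padding' go unreported.
            name = transformation.upper()
            # A bare algorithm name leaves mode and padding to the provider
            # default, which is commonly ECB for block ciphers.
            # NOTE(review): stream ciphers also carry no '/' part, so this
            # heuristic may over-report them -- confirm that is acceptable.
            # RSA is presumably excluded because 'RSA/ECB/...' uses ECB only
            # as a naming placeholder -- verify against the detector's intent.
            return ('ECB' in name or '/' not in name) and 'RSA' not in name

        with self.context.store() as store:
            # Raw string: '\(' in a plain literal is an invalid escape
            # sequence that newer Python versions warn about; the pattern
            # text itself is unchanged.
            pattern = InvocationPattern(
                'invoke-static',
                r'Ljavax/crypto/Cipher;->getInstance\(Ljava/lang/String;.*?\)'
            )
            for cl in store.query().invocations(pattern):
                try:
                    target_val = DataFlows.solved_possible_constant_data_in_invocation(
                        store, cl, 0)
                    if any(suggests_ecb(x) for x in target_val):
                        # NOTE(review): confidence is CERTAIN while the texts
                        # below say "might be"; the match is a string
                        # heuristic, so a lower confidence may fit better.
                        # NOTE(review): CBC and CTR give no integrity
                        # protection; consider also naming an authenticated
                        # mode such as GCM in the solution text.
                        yield Issue(
                            detector_id=self.option,
                            cvss3_vector=self.cvss,
                            confidence=IssueConfidence.CERTAIN,
                            summary=
                            'insecure cryptography: cipher might be operating in ECB mode',
                            info1=','.join(target_val),
                            source=store.query().qualname_of(cl),
                            synopsis=
                            'The application might be using ciphers in ECB mode.',
                            description='''\
              The application might be using symmetric ciphers in ECB mode.  ECB mode is the most basic operating mode that independently transform data blocks.  Indepent transformation leaks information about distribution in plaintext.
''',
                            solution='''\
Use CBC or CTR mode.
''')
                except DataFlows.NoSuchValueError:
                    # Deliberate best effort: an unresolvable transformation
                    # argument yields no finding for this call site.
                    pass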
Ejemplo n.º 2
  def _do_detect_case1(self) -> Iterable[Issue]:
    """Yield an Issue for each constant that flows into a key/IV spec
    constructor or a MessageDigest update/digest call.

    Constants accepted by ``looks_like_real_key`` are reported as static keys
    with 'firm' confidence; every other constant is reported as a possible
    cryptographic constant with 'tentative' confidence.  An IndexError raised
    while processing a call site ends processing of that call site only.
    """
    import base64
    import binascii

    non_key_markers = ('Padding', 'SHA1', 'PBKDF2', 'Hmac', 'emulator')

    def looks_like_real_key(k: str) -> bool:
      # XXX: silly
      # Heuristic only: at least 8 characters and none of the marker
      # substrings that indicate an algorithm name rather than key material.
      if len(k) < 8:
        return False
      return all(marker not in k for marker in non_key_markers)

    def describe(value):
      # NOTE(review): b64decode() without validate=True discards characters
      # outside the base64 alphabet, so the "(base64; ...)" annotation can
      # appear for strings that were never base64.  Read it as a hint.
      try:
        raw = base64.b64decode(value)
        return '"{target_val}" [{target_val_len}] (base64; "{decoded_val}" [{decoded_val_len}])'.format(
          target_val=value,
          target_val_len=len(value),
          decoded_val=binascii.hexlify(raw).decode('ascii'),
          decoded_val_len=len(raw),
        )
      except (ValueError, binascii.Error):
        return f'"{value}" [{len(value)}]'

    with self._context.store() as store:
      # Matches SecretKeySpec, IvParameterSpec, GCMParameterSpec,
      # PKCS8EncodedKeySpec and X509EncodedKeySpec under java*/javax*, plus
      # MessageDigest update/digest, for any 'invoke-' opcode.
      call_pattern = InvocationPattern('invoke-', '^Ljavax?.*/(SecretKey|(Iv|GCM)Parameter|(PKCS8|X509)EncodedKey)Spec|^Ljavax?.*/MessageDigest;->(update|digest)')
      for cl in store.query().invocations(call_pattern):
        try:
          for nr in self._important_args_on_invocation(cl):
            candidates = DataFlows.solved_possible_constant_data_in_invocation(store, cl, nr)
            for found in candidates:
              # info1 carries the recovered constant itself, so the resulting
              # report holds key material and should be handled as sensitive.
              info1 = describe(found)

              if not looks_like_real_key(found):
                yield Issue(
                  detector_id=self.option,
                  cvss3_vector=self._cvss_nonkey,
                  confidence='tentative',
                  summary='Cryptographic constants detected',
                  info1=info1,
                  source=store.query().qualname_of(cl),
                  synopsis='Possible cryptographic constants have been found.',
                  description='''\
Possible cryptographic constants has been found in the application binary.
'''
                )
                continue

              # NOTE(review): the solution text suggests obfuscation, which
              # only slows extraction of an embedded key; platform-backed key
              # storage is the stronger recommendation -- consider revising.
              yield Issue(
                detector_id=self.option,
                cvss3_vector=self._cvss,
                confidence='firm',
                summary='insecure cryptography: static keys',
                info1=info1,
                source=store.query().qualname_of(cl),
                synopsis='Traces of cryptographic material has been found the application binary.',
                description='''\
Traces of cryptographic material has been found in the application binary.  If cryptographic material is hardcoded, attackers can extract or replace them.
''',
                solution='''\
Use a device or installation specific information, or obfuscate them.
'''
              )
        except IndexError:
          # Best effort: skip the remainder of this call site.
          pass