qark icon indicating copy to clipboard operation
qark copied to clipboard
verified publisher icon linkedin

Readme: Potential Implementation or Design Gap for detecting Weak or improper cryptography use

Open LordAmit opened this issue 5 years ago • 0 comments

We are reporting this since in your readme you mention that “Weak or improper cryptography use” is attempted to be found.

We believe this may be due to underlying implementation or design gaps.

Here are the details of our analysis and the cryptographic misuses:

Using QARK version 4.0.0 Using Python version 3.5.2 Using OpenJDK version 1.8.0_232 64 bit Running on Ubuntu: 18.04 Kernel: 4.4.0-174-generic

Each cryptographic vulnerability was generated as a barebones Java project that only contained a single vulnerability in the main function and used up to two java source files. Additionally, all cryptographic API calls were from Java Cryptographic Architecture (JCA).

Replacing a Secure Parameter with an Insecure Parameter:

Cipher c = Cipher.getInstance("AES/GCM/NoPadding".replace("AES/GCM/NoPadding", "DES"));

Replacing an Insecure Parameter with an Insecure Parameter:

Cipher.getInstance(“AES”.replace(“A”, “D”));

where “AES” by itself is insecure as it defaults to using ECB.

Transforming string case, e.g., from lower to upper case:

Cipher.getInstance(“des”.toUpperCase(Locale.English));

Replacing a noisy version of insecure parameters:

Cipher.getInstance(“DE$S”.replace(“$”, “”));

Inserting an Insecure Parameter via chaining method calls:

public class CipherExample {
    private String cipherName = "AES/GCM/NoPadding";

    public CipherExample methodA() {
        cipherName = "AES/GCM/NoPadding";
        return this;
    }

    public CipherExample methodB() {
        cipherName = "DES";
        return this;
    }

    public String getCipherName(){
        return cipherName;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException, NoSuchPaddingException {
        Cipher c = Cipher.getInstance(new CipherExample().methodA().methodB().getCipherName());

        System.out.println(c.getAlgorithm());
    }
}

where obj.A().getCipherName() returns the secure value, but obj.A().B().getCipherName(), and obj.B().getCipherName() return the insecure value.

Please let me know if you need any additional information (e.g., logs from our side) in fixing these issues.

LordAmit avatar Jun 20 '20 19:06 LordAmit