
False Positive using MessageDigest in Kotlin #271

Open
AnakinRaW opened this issue Jun 25, 2020 · 0 comments

@AnakinRaW (Collaborator)

Consider the following application:

package com.example.digest

import java.security.MessageDigest

fun main() {
    testFail("abc123ABC")
    testOk("abc123ABC")
}

// Reported by CryptoAnalysis: the only difference to testOk() is the substring() call
fun testFail(input: String) {
    val someManipulation = input.substring(0, 2)
    MessageDigest.getInstance("SHA-256").digest(someManipulation.toByteArray())
}

// Not reported: same getInstance() -> digest() sequence without the substring() call
fun testOk(input: String) {
    MessageDigest.getInstance("SHA-256").digest(input.toByteArray())
}

Expected Result: No findings by CryptoAnalysis.


Actual Result:
IncompleteOperationError on method testFail() with message: Operation on object of type java.security.MessageDigest object not completed. Expected call to digest, update

This error only happens if you use the substring() method. It does not matter on which string object you invoke the method or which parameters you pass to substring(). The IncompleteOperationError finding gets reported anyway.

It gets even more interesting if you perform the analysis on semantically identical Java code (below).
For this application CryptoAnalysis does not report any findings (as expected).

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class Launcher {

    public static void main(String[] args) throws NoSuchAlgorithmException {
        testFail("abc123ABC");
        testOk("abc123ABC");
    }

    // Same substring() manipulation as the Kotlin version; not reported by CryptoAnalysis
    // (declared as String rather than var so it also compiles on Java 8)
    public static void testFail(String input) throws NoSuchAlgorithmException {
        String someManipulation = input.substring(0, 2);
        MessageDigest.getInstance("SHA-256").digest(someManipulation.getBytes());
    }

    // Same getInstance() -> digest() sequence without the substring() call
    public static void testOk(String input) throws NoSuchAlgorithmException {
        MessageDigest.getInstance("SHA-256").digest(input.getBytes());
    }
}

Questions here:

  1. What is Kotlin doing differently in the bytecode?
  2. Does this only apply to the MessageDigest rule or to other places as well?
  3. In which part of CryptoAnalysis is the bug located? (if it's even in CryptoAnalysis)
  4. How to fix it and ensure it works on other rules?

CryptoAnalysis version: 2.7.1 - 2.7.3-SNAPSHOT
JVM: tested on 1.8 and 11
