Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Readme: Potential Implementation or Design Gap for detecting Weak or improper cryptography use #365

Open
LordAmit opened this issue Jun 20, 2020 · 0 comments
Open

Readme: Potential Implementation or Design Gap for detecting Weak or improper cryptography use #365

LordAmit opened this issue Jun 20, 2020 · 0 comments

Comments

@LordAmit
Copy link

LordAmit commented Jun 20, 2020
edited

We are reporting this since in your readme you mention that “Weak or improper cryptography use” is attempted to be found.

We believe this may be due to underlying implementation or design gaps.

Here are the details of our analysis and the cryptographic misuses:

Using QARK version 4.0.0
Using Python version 3.5.2
Using OpenJDK version 1.8.0_232 64 bit
Running on Ubuntu: 18.04 Kernel: 4.4.0-174-generic

Each cryptographic vulnerability was generated as a barebones Java project that only contained a single vulnerability in the main function and used up to two java source files. Additionally, all cryptographic API calls were from Java Cryptographic Architecture (JCA).

Replacing a Secure Parameter with an Insecure Parameter:

Cipher c = Cipher.getInstance("AES/GCM/NoPadding".replace("AES/GCM/NoPadding", "DES"));

Replacing an Insecure Parameter with an Insecure Parameter:

Cipher.getInstance(“AES”.replace(“A”, “D”));

where “AES” by itself is insecure as it defaults to using ECB.

Transforming string case, e.g., from lower to upper case:

Cipher.getInstance(“des”.toUpperCase(Locale.English));

Replacing a noisy version of insecure parameters:

Cipher.getInstance(“DE$S”.replace(“$”, “”));

Inserting an Insecure Parameter via chaining method calls:

public class CipherExample {
    private String cipherName = "AES/GCM/NoPadding";

    public CipherExample methodA() {
        cipherName = "AES/GCM/NoPadding";
        return this;
    }

    public CipherExample methodB() {
        cipherName = "DES";
        return this;
    }

    public String getCipherName(){
        return cipherName;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException, NoSuchPaddingException {
        Cipher c = Cipher.getInstance(new CipherExample().methodA().methodB().getCipherName());

        System.out.println(c.getAlgorithm());
    }
}

where obj.A().getCipherName() returns the secure value, but obj.A().B().getCipherName(), and obj.B().getCipherName() return the insecure value.

Please let me know if you need any additional information (e.g., logs from our side) in fixing these issues.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@LordAmit