Detecting information leakage in Find Sec Bugs via taint analysis and custom annotations


Does Find Sec Bugs allow one to define sensitive sources and sinks via annotations, like other static analysis tools such as the Checker Framework? Right now I only see sources/sinks being defined in config files like so: https://github.com/find-sec-bugs/find-sec-bugs/blob/99814871f33ca0484b975f2fe51bae2bc1bcf40a/plugin/src/main/resources/taint-config/taint-sensitive-data.txt

The Checker Framework has @Tainted and @Untainted annotations that can be used generically throughout the code (https://checkerframework.org/manual/#tainting-many-uses).

You can also create custom annotations; the documentation shows how this can be applied to the information leakage case (https://checkerframework.org/manual/#subtyping-example):

package myPackage.qual;

import org.checkerframework.framework.qual.DefaultFor;
import org.checkerframework.framework.qual.ImplicitFor;
import org.checkerframework.framework.qual.LiteralKind;
import org.checkerframework.framework.qual.SubtypeOf;
import org.checkerframework.framework.qual.TypeUseLocation;
import java.lang.annotation.ElementType;
import java.lang.annotation.Target;

/**
 * Denotes that the representation of an object is encrypted.
 */
@SubtypeOf(PossiblyUnencrypted.class)   // Encrypted is a subtype of PossiblyUnencrypted
@ImplicitFor(literal={LiteralKind.NULL}) // the null literal is treated as @Encrypted
@DefaultFor({TypeUseLocation.LOWER_BOUND})
@Target({ElementType.TYPE_USE, ElementType.TYPE_PARAMETER})
public @interface Encrypted {}

package myPackage.qual;

import org.checkerframework.framework.qual.DefaultQualifierInHierarchy;
import org.checkerframework.framework.qual.SubtypeOf;
import java.lang.annotation.ElementType;
import java.lang.annotation.Target;

/**
 * Denotes that the representation of an object might not be encrypted.
 */
@DefaultQualifierInHierarchy
@SubtypeOf({})
@Target({ElementType.TYPE_USE, ElementType.TYPE_PARAMETER})
public @interface PossiblyUnencrypted {}

import myPackage.qual.Encrypted;

...

public @Encrypted String encrypt(String text) {
    // ...
}

// Only send encrypted data!
public void sendOverInternet(@Encrypted String msg) {
    // ...
}

void sendText() {
    // ...
    @Encrypted String ciphertext = encrypt(plaintext);
    sendOverInternet(ciphertext);
    // ...
}

void sendPassword() {
    String password = getUserPassword();
    sendOverInternet(password);
}

As a result it'll spit out something like:

YourProgram.java:42: incompatible types.
found   : @myPackage.qual.PossiblyUnencrypted java.lang.String
required: @myPackage.qual.Encrypted java.lang.String
    sendOverInternet(password);

Anything similar in Find Sec Bugs? Thanks!
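Added illustration, not code from the question, the Checker Framework or Find Sec Bugs: a toy Python model of the qualifier-subtyping check that produces the "incompatible types" error quoted above. It encodes the Encrypted / PossiblyUnencrypted hierarchy as a lattice, treats unannotated types as the default qualifier (@DefaultQualifierInHierarchy), gives the null literal the @Encrypted qualifier (@ImplicitFor), and checks every assignment and call argument against the required qualifier. The method table and the statement tuples are constructed stand-ins for the Java in the question; the checker uses the declared qualifier of a local and does not model the Checker Framework's flow-sensitive refinement of locals. It goes one step beyond the question by also checking a null argument.

```python
from dataclasses import dataclass
from typing import Optional

# Qualifier hierarchy taken from the annotations above: each entry lists the
# qualifier's direct supertypes (@SubtypeOf). @SubtypeOf({}) marks the top of
# the hierarchy, which is also the default for unannotated types.
HIERARCHY = {
    "Encrypted": {"PossiblyUnencrypted"},
    "PossiblyUnencrypted": set(),
}
DEFAULT_QUALIFIER = "PossiblyUnencrypted"   # @DefaultQualifierInHierarchy
NULL_LITERAL_QUALIFIER = "Encrypted"         # @ImplicitFor(literal={LiteralKind.NULL})


def is_subtype(sub: str, sup: str) -> bool:
    """True if a @sub value may be used where @sup is required (reflexive, transitive)."""
    if sub == sup:
        return True
    return any(is_subtype(parent, sup) for parent in HIERARCHY[sub])


@dataclass
class Method:
    name: str
    params: list             # qualifier per parameter; None means unannotated
    returns: Optional[str]   # qualifier of the return type; None means unannotated


class QualifierChecker:
    """Toy checker (not the Checker Framework's own algorithm).

    Expressions: ("null",) | ("lit", value) | ("var", name) | ("call", method, [args])
    Statements:  ("assign", var, declared_qualifier_or_None, expr) | ("call", method, [args])
    """

    def __init__(self, methods):
        self.methods = {m.name: m for m in methods}
        self.env = {}       # local variable -> declared qualifier
        self.errors = []

    def qualifier_of(self, expr) -> str:
        kind = expr[0]
        if kind == "null":
            return NULL_LITERAL_QUALIFIER
        if kind == "lit":
            return DEFAULT_QUALIFIER          # string literals are unannotated
        if kind == "var":
            return self.env[expr[1]]
        if kind == "call":
            return self.check_call(expr[1], expr[2])
        raise ValueError(f"unknown expression {expr!r}")

    def require(self, found: str, required: str, where: str) -> None:
        if not is_subtype(found, required):
            self.errors.append(
                f"{where}: incompatible types. found: @{found} String, required: @{required} String")

    def check_call(self, name: str, args) -> str:
        m = self.methods[name]
        if len(args) != len(m.params):
            raise ValueError(f"{name}: expected {len(m.params)} args, got {len(args)}")
        for i, (arg, declared) in enumerate(zip(args, m.params)):
            self.require(self.qualifier_of(arg), declared or DEFAULT_QUALIFIER,
                         f"{name}() argument {i}")
        return m.returns or DEFAULT_QUALIFIER

    def check_body(self, body) -> list:
        """Check one method body and return its list of error strings."""
        self.env, self.errors = {}, []
        for stmt in body:
            if stmt[0] == "assign":
                _, var, declared, expr = stmt
                declared = declared or DEFAULT_QUALIFIER
                self.require(self.qualifier_of(expr), declared, f"assignment to {var}")
                self.env[var] = declared
            elif stmt[0] == "call":
                self.check_call(stmt[1], stmt[2])
        return list(self.errors)


# Constructed method table mirroring the Java signatures in the question.
METHODS = [
    Method("encrypt", [None], "Encrypted"),            # @Encrypted String encrypt(String)
    Method("sendOverInternet", ["Encrypted"], None),   # void sendOverInternet(@Encrypted String)
    Method("getUserPassword", [], None),               # returns an unannotated String
]

SEND_TEXT = [
    ("assign", "plaintext", None, ("lit", "hello")),
    ("assign", "ciphertext", "Encrypted", ("call", "encrypt", [("var", "plaintext")])),
    ("call", "sendOverInternet", [("var", "ciphertext")]),
]
SEND_PASSWORD = [
    ("assign", "password", None, ("call", "getUserPassword", [])),
    ("call", "sendOverInternet", [("var", "password")]),
]
# Beyond the question: a null argument passes because null is implicitly @Encrypted.
SEND_NULL = [("call", "sendOverInternet", [("null",)])]


def check_all(bodies: dict) -> dict:
    checker = QualifierChecker(METHODS)
    return {name: checker.check_body(body) for name, body in bodies.items()}


if __name__ == "__main__":
    results = check_all({"sendText": SEND_TEXT, "sendPassword": SEND_PASSWORD, "sendNull": SEND_NULL})
    for name, errs in results.items():
        print(name, "OK" if not errs else errs)
```

Running it reports sendText and sendNull as clean and flags sendPassword with the same found/required pair as the compiler output quoted above, because getUserPassword() returns an unannotated (hence @PossiblyUnencrypted) String and the sink parameter demands @Encrypted.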
