Customize Sources and Sinks
This page provides a high-level overview of the steps needed to update or create new sources and sinks.
Overview
Under the context of Mariana Trench, we talk about sources and sinks in terms of methods (or, rarely, fields). For example, we may say that the return value of a method is a source (or a sink). We may also say that the 2nd parameter of a method is a source (or a sink). Such description of a method is called a "model". See Models & Model Generators for more details about models and writing them.
To define sources or sinks that are not contained in the default set of sources and sinks, a user needs to:
Write one or more JSON files that respect our model generator Domain Specific Language (DSL), which express how to generate models from methods and are hence called "model generators".
- For example, a model generator may say that, for all methods (that will be analyzed by Mariana Trench) whose name is
onActivityResult
, specify their 2nd parameter as a source.
{
"model_generators": [
{
"find": "methods",
"where": [
{
"constraint": "name",
"pattern": "onActivityResult"
}
],
"model": {
"sources": [
{
"kind": "TestSensitiveUserInput",
"port": "Argument(2)"
}
]
}
}
]
}- For example, a model generator may say that, for all methods (that will be analyzed by Mariana Trench) whose name is
Instruct Mariana Trench to read from your model generator, so that Mariana Trench will generate models at runtime.
- Intuitively, the models generated (by interpreting model generators) express sources and sinks for each method before running Mariana Trench. Based on such models, Mariana Trench will automatically infer new models for each method at runtime.
- To instruct Mariana Trench to read from customized JSON model generators, add your json model generator here.
- Add the model generator name (i.e, the file name) in the JSON configuration file.
Update "rules" if necessary.
- Background: Mariana Trench categorizes sources and sinks into different "kinds", which are string-typed. For example, a source may have a kind of
JavascriptInterfaceUserInput
. A sink may have a kind ofLogging
. Mariana Trench only finds data flow from sources of a particular kind to sinks of another particular kind, which are called "rules". See Rules for writing them. - To specify kinds that are not mentioned in the default set of rules or to specify rules that are different than the default rules, you need to specify a new rule in file
rules.json
, in order to instruct Mariana Trench to find data flow that matches the new rule. - For example, to catch flows from
TestSensitiveUserInput
in the example above and the sink kindLogging
, you can add the following rule to the defaultrules.json
:
{
"name": "TestRule",
"code": 18,
"description": "A test rule",
"sources": [
"TestSensitiveUserInput"
],
"sinks": [
"Logging"
]
}- Background: Mariana Trench categorizes sources and sinks into different "kinds", which are string-typed. For example, a source may have a kind of