BinAbsInspector – Vulnerability Scanner For Binaries

BinAbsInspector (Binary Abstract Inspector) is a static analyzer for automated reverse engineering and scanning for vulnerabilities in binaries. It is a long-term research project incubated at Keenlab. It is primarily based on abstract interpretation, with support from Ghidra, and works on Ghidra's Pcode instead of assembly. Currently it supports binaries on x86, x64, armv7 and aarch64.

  • Install Ghidra according to Ghidra's documentation
  • Install Z3 (tested version: 4.8.15)
  • Note that generally there are two parts to the Z3 library: one is the Java package, the other is the native library. The Java package is already included in the "/lib" directory, but we suggest that you replace it with your own Java package for version compatibility.
    • For Windows, download a pre-built package from here, extract the zip file and add a PATH environment variable pointing to z3-${version}-win/bin
    • For Linux, installing with the package manager is NOT recommended; there are two options:
      1. You can download a suitable pre-built package from here, extract the zip file and copy z3-${version}-win/bin/*.so to /usr/local/lib/
      2. or you can build and install z3 according to Building Z3 using make and GCC/Clang
    • For MacOS, it is similar to Linux.
  • Download the extension zip file from the release page
  • Install the extension according to the Ghidra Extension Notes

To build the extension yourself, or if you want to develop a new feature, please refer to the development guide.

  • Install Ghidra and Z3
  • Install Gradle 7.x (tested version: 7.4)
  • Pull the repository
  • Run gradle buildExtension under the repository root
  • The extension will be generated at dist/${GhidraVersion}_${date}_BinAbsInspector.zip

You can run BinAbsInspector in headless mode, GUI mode, or with docker.

  • With Ghidra headless mode:
$GHIDRA_INSTALL_DIR/support/analyzeHeadless <projectPath> <projectName> -import <file> -postScript BinAbsInspector "@@<scriptParams>"

<projectPath> -- Ghidra project path.
<projectName> -- Ghidra project name.
<scriptParams> -- The argument for our analyzer; it provides the following options:

Parameter                              Description
[-K <kElement>]                        KSet size limit K
[-callStringK <callStringMaxLen>]      Call string maximum length K
[-Z3Timeout <timeout>]                 Z3 timeout
[-timeout <timeout>]                   Analysis timeout
[-entry <address>]                     Entry address
[-externalMap <file>]                  External function model config
[-json]                                Output in JSON format
[-disableZ3]                           Disable Z3
[-all]                                 Enable all checkers
[-debug]                               Enable debugging log output
[-check "<cweNo1>[;<cweNo2>...]"]      Enable specific checkers
  • With Ghidra GUI

    1. Run Ghidra and import the target binary into a project
    2. Analyze the binary with default settings
    3. When the analysis is done, open Window -> Script Manager and find BinAbsInspector.java
    4. Double-click the BinAbsInspector.java entry, set the parameters in the configuration window and click OK
    5. When the analysis is done, you can see the CWE reports in the console window; double-clicking an address in the report jumps to the corresponding location
  • With Docker

git clone git@github.com:KeenSecurityLab/BinAbsInspector.git
cd BinAbsInspector
docker build . -t bai
docker run -v $(pwd):/data/workspace bai "@@<script parameters>" -import <file>
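As an added example (not the project's own code), the following POSIX shell helper validates the -check list against the checkers this README lists, assembles the <scriptParams> text, and renders either the analyzeHeadless line or the docker run line shown above. It only returns the command as a string so it can be reviewed first; it always adds -json (this helper's choice, not a README default), assumes the -check value is passed as one token without extra inner quotes, and relies on $GHIDRA_INSTALL_DIR being set as in the headless line.

```shell
#!/bin/sh
# Added example, not part of the BinAbsInspector project: assemble a headless or
# docker invocation from validated analyzer parameters. Nothing is executed;
# the functions print the command line so you can review it and then run it
# with eval once Ghidra, Z3 and the extension are installed.

# Checkers the README lists as supported (used to reject typos before a long
# headless run starts).
BAI_SUPPORTED_CHECKERS="CWE78 CWE119 CWE125 CWE134 CWE190 CWE367 CWE415 CWE416 CWE426 CWE467 CWE476 CWE676 CWE787"

# bai_check_arg "CWE78;CWE416" prints the list unchanged if every id is
# supported, otherwise names the bad id on stderr and returns 1.
bai_check_arg() {
    [ -n "$1" ] || { echo "bai_check_arg: empty checker list" >&2; return 1; }
    for id in $(printf '%s' "$1" | tr ';' ' '); do
        case " $BAI_SUPPORTED_CHECKERS " in
            *" $id "*) ;;
            *) echo "bai_check_arg: unsupported checker: $id" >&2; return 1 ;;
        esac
    done
    printf '%s' "$1"
}

# bai_script_params <"all" | "CWEa;CWEb;..."> [analysis-timeout]
# Builds the <scriptParams> text that goes after "@@". JSON output is always
# requested (a choice made here, not a README default). Assumption: the
# -check value is passed as one token without extra inner quotes.
bai_script_params() {
    if [ "$1" = "all" ]; then
        params="-all"
    else
        checked=$(bai_check_arg "$1") || return 1
        params="-check $checked"
    fi
    params="$params -json"
    if [ -n "${2:-}" ]; then
        params="$params -timeout $2"
    fi
    printf '%s' "$params"
}

# bai_headless_cmd <projectPath> <projectName> <file> <scriptParams>
# Mirrors the analyzeHeadless line from the README; GHIDRA_INSTALL_DIR must be set.
bai_headless_cmd() {
    printf '%s/support/analyzeHeadless %s %s -import %s -postScript BinAbsInspector "@@%s"\n' \
        "${GHIDRA_INSTALL_DIR:?GHIDRA_INSTALL_DIR is not set}" "$1" "$2" "$3" "$4"
}

# bai_docker_cmd <file> <scriptParams>
# Mirrors the docker run line from the README (image tag "bai", workspace
# mounted at /data/workspace). $(pwd) is left unexpanded so the string can be
# eval'ed from the directory that holds <file>.
bai_docker_cmd() {
    printf 'docker run -v "$(pwd)":/data/workspace bai "@@%s" -import %s\n' "$2" "$1"
}

# Usage (./target.bin is a placeholder for the binary you want to scan):
#   params=$(bai_script_params "CWE78;CWE416" 600) || exit 1
#   eval "$(bai_headless_cmd /tmp/bai-proj demo ./target.bin "$params")"
```

Because bai_check_arg fails fast on an unknown checker id, a mistyped -check list is caught before Ghidra spends minutes importing and analysing the binary; the same <scriptParams> string feeds both the headless and the docker form.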

So far BinAbsInspector supports the following checkers:

  • CWE78 (OS Command Injection)
  • CWE119 (Buffer Overflow (generic case))
  • CWE125 (Buffer Overflow (Out-of-bounds Read))
  • CWE134 (Use of Externally-Controlled Format String)
  • CWE190 (Integer Overflow or Wraparound)
  • CWE367 (Time-of-check Time-of-use (TOCTOU))
  • CWE415 (Double Free)
  • CWE416 (Use After Free)
  • CWE426 (Untrusted Search Path)
  • CWE467 (Use of sizeof() on a Pointer Type)
  • CWE476 (NULL Pointer Dereference)
  • CWE676 (Use of Potentially Dangerous Function)
  • CWE787 (Buffer Overflow (Out-of-bounds Write))

The structure of this project is as follows; please refer to the technical details for more information.

├── main
│   ├── java
│   │   └── com
│   │       └── bai
│   │           ├── checkers            checker implementation
│   │           ├── env
│   │           │   ├── funcs           function modeling
│   │           │   │   ├── externalfuncs   external function modeling
│   │           │   │   └── stdfuncs        cpp std modeling
│   │           │   └── region          memory modeling
│   │           ├── solver              analysis core and graph module
│   │           └── util                utilities
│   └── resources
└── test

You can also build the javadoc with gradle javadoc; the API documentation will be generated in ./build/docs/javadoc.

We employ Ghidra as our foundation and frequently leverage JImmutable Collections for better performance.
Here we would like to thank them for their great help!
