BinAbsInspector – Vulnerability Scanner For Binaries

BinAbsInspector (Binary Summary Inspector) is a static analyzer for automated reverse engineering and scanning vulnerabilities in binaries, which is a long-term research project incubated at Keenlab. It’s primarily based on abstract interpretation with the assist from Ghidra. It really works on Ghidra’s Pcode as a substitute of meeting. At present it helps binaries on x86,x64, armv7 and aarch64.

  • Set up Ghidra in line with Ghidra’s documentation
  • Set up Z3 (examined model: 4.8.15)
  • Observe that usually there are two elements for Z3 library: one is Java package deal, the opposite one is native library. The Java package deal is already included in “/lib” listing, however we propose that you just exchange it with your individual Java package deal for model compatibility.
    • For Home windows, obtain a pre-built package deal from here, extract the zip file and add a PATH surroundings variable pointing to z3-${model}-win/bin
    • For Linux, set up with package deal supervisor is NOT beneficial, there are two choices:
      1. You may obtain appropriate pre-build package deal from here, extract the zip file and replica z3-${model}-win/bin/*.so to /usr/native/lib/
      2. or you possibly can construct and set up z3 in line with Building Z3 using make and GCC/Clang
    • For MacOS, it’s just like Linux.
  • Obtain the extension zip file from release page
  • Set up the extension in line with Ghidra Extension Notes

Construct the extension by your self, if you wish to develop a brand new characteristic, please confer with development guide.

  • Set up Ghidra and Z3
  • Set up Gradle 7.x (examined model: 7.4)
  • Pull the repository
  • Run gradle buildExtension underneath repository root
  • The extension will likely be generated at dist/${GhidraVersion}_${date}

You may run BinAbsInspector in headless mode, GUI mode, or with docker.

  • With Ghidra headless mode.
$GHIDRA_INSTALL_DIR/assist/analyzeHeadless <projectPath> <projectName> -import <file> -postScript BinAbsInspector "@@<scriptParams>"

<projectPath> — Ghidra undertaking path.
<projectName> — Ghidra undertaking title.
<scriptParams> — The argument for our analyzer, supplies following choices:

Parameter Description
[-K <kElement>] KSet dimension restrict K
[-callStringK <callStringMaxLen>] Name string most size K
[-Z3Timeout <timeout>] Z3 timeout
[-timeout <timeout>] Evaluation timeout
[-entry <address>] Entry tackle
[-externalMap <file>] Exterior operate mannequin config
[-json] Output in json format
[-disableZ3] Disable Z3
[-all] Allow all checkers
[-debug] Allow debugging log output
[-check "<cweNo1>[;<cweNo2>...]"] Allow particular checkers
  • With Ghidra GUI

    1. Run Ghidra and import the goal binary right into a undertaking
    2. Analyze the binary with default settings
    3. When the evaluation is finished, open Window -> Script Supervisor and discover
    4. Double-click on entry, set the parameters in configuration window and click on OK
    5. When the evaluation is finished, you possibly can see the CWE reviews in console window, double-click the addresses from the report can bounce to corresponding tackle
  • With Docker

git clone [email protected]:KeenSecurityLab/BinAbsInspector.git
cd BinAbsInspector
docker construct . -t bai
docker run -v $(pwd):/information/workspace bai "@@<script parameters>" -import <file>

To this point BinAbsInspector helps following checkers:

  • CWE78 (OS Command Injection)
  • CWE119 (Buffer Overflow (generic case))
  • CWE125 (Buffer Overflow (Out-of-bounds Learn))
  • CWE134 (Use of Externally-Managed Format string)
  • CWE190 (Integer overflow or wraparound)
  • CWE367 (Time-of-check Time-of-use (TOCTOU))
  • CWE415 (Double free)
  • CWE416 (Use After Free)
  • CWE426 (Untrusted Search Path)
  • CWE467 (Use of sizeof() on a pointer sort)
  • CWE476 (NULL Pointer Dereference)
  • CWE676 (Use of Doubtlessly Harmful Operate)
  • CWE787 (Buffer Overflow (Out-of-bounds Write))

The construction of this undertaking is as follows, please confer with technical details for extra particulars.

├── fundamental
│ ├── java
│ │ └── com
│ │ └── bai
│ │ ├── checkers checker implementatiom
│ │ ├── env
│ │ │ ├── funcs operate modeling
│ │ │ │ ├── externalfuncs exterior operate modeling
│ │ │ │ └── stdfuncs cpp std modeling
│ │ │ └── area reminiscence modeling
│ │ ├── solver analyze core and grpah module
│ │ └── util utilities
│ └── assets
└── check

You may also construct the javadoc with gradle javadoc, the API documentation will likely be generated in ./construct/docs/javadoc.

We make use of Ghidra as our basis and incessantly leverage JImmutable Collections for higher efficiency.
Right here we wish to thank them for his or her nice assist!

Leave a Reply

Your email address will not be published.