BinAbsInspector – Vulnerability Scanner For Binaries

BinAbsInspector (Binary Summary Inspector) is a static analyzer for automated reverse engineering and scanning vulnerabilities in binaries, which is a long-term analysis challenge incubated at Keenlab. It’s based mostly on summary interpretation with the assist from Ghidra. It really works on Ghidra’s Pcode as an alternative of meeting. At the moment it helps binaries on x86,x64, armv7 and aarch64.

• Set up Ghidra in keeping with Ghidra’s documentation
• Set up Z3 (examined model: 4.8.15)
• Observe that usually there are two components for Z3 library: one is Java bundle, the opposite one is native library. The Java bundle is already included in “/lib” listing, however we advise that you simply substitute it with your personal Java bundle for model compatibility.
  • For Home windows, obtain a pre-built bundle from right here, extract the zip file and add a PATH surroundings variable pointing to z3-${model}-win/bin
  • For Linux, set up with bundle supervisor is NOT really helpful, there are two choices:
    1. You may obtain appropriate pre-build bundle from right here, extract the zip file and duplicate z3-${model}-win/bin/*.so to /usr/native/lib/
    2. or you may construct and set up z3 in keeping with Constructing Z3 utilizing make and GCC/Clang
  • For MacOS, it’s just like Linux.
• Obtain the extension zip file from launch web page
• Set up the extension in keeping with Ghidra Extension Notes

Construct the extension by your self, if you wish to develop a brand new characteristic, please check with improvement information.

• Set up Ghidra and Z3
• Set up Gradle 7.x (examined model: 7.4)
• Pull the repository
• Run gradle buildExtension beneath repository root
• The extension shall be generated at dist/${GhidraVersion}_${date}_BinAbsInspector.zip

You may run BinAbsInspector in headless mode, GUI mode, or with docker.

• With Ghidra headless mode.

$GHIDRA_INSTALL_DIR/assist/analyzeHeadless <projectPath> <projectName> -import <file> -postScript BinAbsInspector "@@<scriptParams>"

<projectPath> — Ghidra challenge path.
<projectName> — Ghidra challenge title.
<scriptParams> — The argument for our analyzer, gives following choices:

• With Ghidra GUI

  1. Run Ghidra and import the goal binary right into a challenge
  2. Analyze the binary with default settings
  3. When the evaluation is completed, open Window -> Script Supervisor and discover BinAbsInspector.java
  4. Double-click on BinAbsInspector.java entry, set the parameters in configuration window and click on OK
  5. When the evaluation is completed, you may see the CWE studies in console window, double-click the addresses from the report can bounce to corresponding tackle

• With Docker

git clone [email protected]:KeenSecurityLab/BinAbsInspector.git
cd BinAbsInspector
docker construct . -t bai
docker run -v $(pwd):/information/workspace bai "@@<script parameters>" -import <file>

Thus far BinAbsInspector helps following checkers:

• CWE78 (OS Command Injection)
• CWE119 (Buffer Overflow (generic case))
• CWE125 (Buffer Overflow (Out-of-bounds Learn))
• CWE134 (Use of Externally-Managed Format string)
• CWE190 (Integer overflow or wraparound)
• CWE367 (Time-of-check Time-of-use (TOCTOU))
• CWE415 (Double free)
• CWE416 (Use After Free)
• CWE426 (Untrusted Search Path)
• CWE467 (Use of sizeof() on a pointer kind)
• CWE476 (NULL Pointer Dereference)
• CWE676 (Use of Probably Harmful Operate)
• CWE787 (Buffer Overflow (Out-of-bounds Write))

The construction of this challenge is as follows, please check with technical particulars for extra particulars.

├── most important
│   ├── java
│   │   └── com
│   │       └── bai
│   │           ├── checkers                       checker implementatiom
│   │           ├── env
│   │           │   ├── funcs                      operate modeling
│   │           │   │   ├── externalfuncs          exterior operate modeling
│   │           │   │   └── stdfuncs               cpp std modeling
│   │           │   └── area                     reminiscence modeling
│   │           ├── solver                         analyze core and grpah module
│   │           └── util                              utilities
│   └── sources
└── check

You may as well construct the javadoc with gradle javadoc, the API documentation shall be generated in ./construct/docs/javadoc.

We make use of Ghidra as our basis and ceaselessly leverage JImmutable Collections for higher efficiency.
Right here we want to thank them for his or her nice assist!