• Stars
    star
    1,088
  • Rank 42,566 (Top 0.9 %)
  • Language
    Rust
  • License
    GNU Lesser Genera...
  • Created about 6 years ago
  • Updated 4 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

cwe_checker finds vulnerable patterns in binary executables

cwe_checker logo

cwe_checker

Acceptance tests Unit tests Docker-Pulls Documentation

What is cwe_checker?

cwe_checker is a suite of checks to detect common bug classes such as Null pointer dereferences and buffer overflows. These bug classes are formally known as Common Weakness Enumerations (CWEs). The checks are based on a variety of anaylsis techniques ranging from simple heuristics to abstract interpretation-based data-flow analysis. Its main goal is to aid analysts to quickly find potentially vulnerable code paths.

Its main focus are ELF binaries that are commonly found on Linux and Unix operating systems. The cwe_checker uses Ghidra to disassemble binaries into one common intermediate representation and implements its own analyses on this IR. Hence, the analyses can be run on most CPU architectures that Ghidra can disassemble, which makes the cwe_checker a valuable tool for firmware analysis.

The following arguments should convince you to give cwe_checker a try:

  • it is very easy to set up, just build the Docker container!
  • it analyzes ELF binaries of several CPU architectures including x86, ARM, MIPS, and PPC
  • it is extensible due to its plugin-based architecture
  • it is configurable, e.g. apply analyses to new APIs
  • view results annotated in Ghidra
  • cwe_checker can be integrated as a plugin into FACT

Usage Example

Installation

Using the docker image

The simplest way is to pull the latest Docker image from the Github container registry:

  • docker pull ghcr.io/fkie-cad/cwe_checker:latest yields an image based on the current master branch.
  • docker pull ghcr.io/fkie-cad/cwe_checker:stable yields an image based on the latest stable release version.
  • docker pull ghcr.io/fkie-cad/cwe_checker:v0.7 yields an image based on the v0.7 stable release version. However, it is recommended to switch to newer stable releases as soon as they get published, since improvements between stable versions can be quite significant.

If you want to build the docker image yourself, just run

docker build -t cwe_checker .

This way you can also build native Docker images for ARM-based PCs (e.g. newer Apple Macs). The prebuilt Docker images are currently only x86-based.

Local installation

The following dependencies must be installed in order to build and install the cwe_checker locally:

Run make all GHIDRA_PATH=/path/to/ghidra_folder (with the correct path to the local Ghidra installation inserted) to compile and install the cwe_checker. If you omit the GHIDRA_PATH argument the installer will search your file system for a local installation of Ghidra.

Usage

The cwe_checker takes a binary as input, runs several checks based on static analysis on the binary and then outputs a list of CWE warnings that have been found during the analysis.

If you use the official docker image, just run

docker run --rm -v /PATH/TO/BINARY:/input ghcr.io/fkie-cad/cwe_checker /input

If you installed the cwe_checker locally, run

cwe_checker BINARY

You can adjust the behavior of most checks via a configuration file located at src/config.json. If you modify it, add the command line flag --config=src/config.json to tell the cwe_checker to use the modified file. For information about other available command line flags you can pass the --help flag to the cwe_checker.

If you use the stable version, you can also look at the online documentation for more information.

For Bare-Metal Binaries

The cwe_checker offers experimental support for analyzing bare-metal binaries. For that one needs to provide a bare metal configuration file via the --bare-metal-config command line option. An example for such a configuration file can be found at bare_metal/stm32f407vg.json (which was created and tested for an STM32F407VG MCU).

For more information take a look at the online documentation.

Documentation and Tests

The test binaries for our test suite can be built with make compile_test_files (needs Docker to be installed!). The test suite can then be run with make test.

Source code documentation can be built with make documentation. For the stable version, the documentation can be found here.

Implemented Checks

So far the following analyses are implemented:

  • CWE-78: OS Command Injection (currently disabled on standard runs)
  • CWE-119 and its variants CWE-125 and CWE-787: Buffer Overflow
  • CWE-134: Use of Externally-Controlled Format String
  • CWE-190: Integer Overflow or Wraparound
  • CWE-215: Information Exposure Through Debug Information
  • CWE-243: Creation of chroot Jail Without Changing Working Directory
  • CWE-332: Insufficient Entropy in PRNG
  • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
  • CWE-416: Use After Free and its variant CWE-415: Double Free
  • CWE-426: Untrusted Search Path
  • CWE-467: Use of sizeof() on a Pointer Type
  • CWE-476: NULL Pointer Dereference
  • CWE-560: Use of umask() with chmod-style Argument
  • CWE-676: Use of Potentially Dangerous Function
  • CWE-782: Exposed IOCTL with Insufficient Access Control
  • CWE-789: Memory Allocation with Excessive Size Value

Please note that both false positives and false negatives are to be expected due to shortcuts and the nature of static analysis as well as over-approximation. You can find information on the inner workings of each check as well as known reasons for false positives and false negatives on the check-specific documentation pages.

Integration into other tools

cwe_checker comes with a script for Ghidra, which parses the output of the cwe_checker and annotates the found CWEs in the disassembler for easier manual analysis. The script is located at ghidra_plugin/cwe_checker_ghidra_plugin.py, usage instructions are contained in the file.

Ghidra Integration

The cwe_checker is also integrated as a plugin in FACT. If you want to integrate the cwe_checker into your own analysis toolchain, you can use the --json command line flag (in combination with either the --quiet or the --out=... command line options) to generate the CWE warnings in an easily parseable JSON output format.

How does cwe_checker work internally?

Building the documentation using cargo doc --open --document-private-items --no-deps will give you more information about the internal structure of the cwe_checker. However, the best documentation is still the source code itself. If you have questions, be sure to ask them on our discussions page! We are constantly striving to improve extensibility and documentation and your questions will help us to achieve that!

To get a quick/initial overview of its internals you can also look at the slides of conference presentations on the cwe_checker in the doc folder. We presented cwe_checker at the following conferences so far:

Contribute

Contributions are always welcome. Just fork it and open a pull request!

Acknowledgements

This project is partly financed by German Federal Office for Information Security (BSI).

A special thanks goes out to the BAP community (especially the official gitter) for answering questions and discussing solutions.

License

    Copyright (C) 2018 - 2023  Fraunhofer FKIE  ([email protected])

    This library is free software; you can redistribute it and/or
    modify it under the terms of the GNU Library General Public
    License as published by the Free Software Foundation; either
    version 3 of the License, or (at your option) any later version.

    This library is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
    Library General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.

More Repositories

1

awesome-embedded-and-iot-security

A curated list of awesome embedded and IoT security resources.
1,395
star
2

FACT_core

Firmware Analysis and Comparison Tool
Python
1,230
star
3

friTap

The goal of this project is to help researchers to analyze traffic encapsulated in SSL or TLS.
JavaScript
257
star
4

dewolf

A research decompiler implemented as a Binary Ninja plugin.
Python
171
star
5

libdesock

A de-socketing library for fuzzing.
C
131
star
6

nvd-json-data-feeds

Community reconstruction of the legacy JSON NVD Data Feeds. This project uses and redistributes data from the NVD API but is neither endorsed nor certified by the NVD.
Shell
109
star
7

RoAMer

Robust Automated Malware Unpacker
Python
84
star
8

fact_extractor

Standalone Utility for FACT-like extraction
Python
80
star
9

LuckyCAT

A distributed fuzzing management framework
Python
63
star
10

iva

IVA is a system to scan for known vulnerabilities in software products installed inside an organization. IVA uses CPE identifiers to search for CVEs related to a software product.
Python
60
star
11

DeStroid

Fighting String Encryption in Android Malware
Python
53
star
12

butterfly

LibAFL components for stateful fuzzing
Rust
42
star
13

yapscan

Yapscan is a YAra based Process SCANner, aimed at giving more control about what to scan and giving detailed reports on matches.
Go
40
star
14

bountyhunter

A Caldera plugin for the emulation of complete, realistic cyberattack chains.
Python
40
star
15

socbed

A Self-Contained Open-Source Cyberattack Experimentation Testbed
Python
35
star
16

pcapFS

A FUSE module to mount captured network data
C++
32
star
17

Logprep

log data pre processing, generation and shipping in python
Python
30
star
18

embedded-evaluation-corpus

firmware evaluation reference corpus
22
star
19

wattson

A co-simulation framework for reasearching cybersecurity in power grids.
Python
19
star
20

ipal_transcriber

Industrial protocol transcriber - a common representation of industrial communication as input for protocol-independent industrial intrusion detection systems.
Python
19
star
21

ipal_ids_framework

Industrial Intrusion Detection - A framework for protocol-independent industrial intrusion detection on top of IPAL.
Python
19
star
22

FACT_docker

Dockerfile for building the FACT container
Python
18
star
23

ipal_datasets

Industrial datasets - datasets for evaluating industrial intrusion detection systems on IPAL.
Python
14
star
24

FACT_analysis-plugin_CVE-lookup

FACT analysis plug-in that maps software version to cves
Python
13
star
25

headerParser

Header information parser for PE, ELF, DEX, MachO, ZIP (JAR, DocX).
C
13
star
26

blackbox-opcua-fuzzing

Python
9
star
27

Codescanner

Python
9
star
28

png-carving

PNG file carving related material
C++
8
star
29

mcritweb

JavaScript
7
star
30

bidcos-security-doc

A documentation of the Bidcos (homematic) radio protocol with focus on practical security aspects
Python
7
star
31

FACT_firmadyne_analysis_plugin

Integrates Firmadyne into FACT
Python
7
star
32

61850-fuzzing

This repository provides fuzzing scripts to analyze an IEC 61850 implementation
Python
6
star
33

woodblock

A framework to generate file carving test data.
Python
6
star
34

eeva

EΒ²VA short for Exploitation Experience with Vulnerable App is a vulnerable app to learn userspace exploitation on Android
Java
6
star
35

common_analysis_oms

Offline Malware Scanner (OMS) scans files with multiple locally installed malware scanners.
Python
6
star
36

dewolf-logic

A graph-based logic engine for bitwise operations.
Python
5
star
37

fact_pdf_report

FACT PDF Report Generator
Python
4
star
38

maritime-dissector

A lua plugin for Wireshark which contains dissectors for common maritime protocols.
Lua
4
star
39

common_analysis_ip_and_uri

Detects IPv4 and IPv6 adresses as well as URIs
Python
4
star
40

Algorithmic-Heap-Layout-Manipulation-in-the-Linux-Kernel

Our artifacts to our Paper: "Algorithmic Heap Layout Manipulation in the Linux Kernel"
C
4
star
41

bpf-rootkit-workshop

Workshop: Forensic Analysis of eBPF based Linux Rootkits
C
4
star
42

bpmac

C
3
star
43

talk

NtDeviceIoControlFile talker
C
3
star
44

windowsScripts

A collection of some useful windows (batch) scripts.
Batchfile
3
star
45

common_helper_extraction

Extraction support functions
Python
3
star
46

cve-attribution-s2

Companion Repository to our the whitepaper "Towards Reliable and Scalable Linux Kernel CVE Attribution in Automated Static Firmware Analyses": https://arxiv.org/abs/2209.05217
Python
3
star
47

fact_helper_file

File type helper functions and magic library
Python
3
star
48

entropython

Efficient calculation of shannon byte entropy based on rust library.
Rust
3
star
49

docker_qemu_user

Phusion-based docker image containing the binaries for Qemu User Emulation
Shell
2
star
50

epf-parameter-screening

Shell
2
star
51

pidarci

PIdARCI Prototype Implementation
Python
2
star
52

FACT_analysis_plugin_template

Download this template if you want to write your own FACT analysis plug-in
Python
2
star
53

FACT_Search_and_Download

This tool is intended to create a ground truth matching specific parameters for scientific research on firmware.
Python
2
star
54

common_helper_files

Python
2
star
55

common_helper_yara

Yara command line wrapper
Python
2
star
56

bamboo-chuck-norris-plugin

2
star
57

ELFbin

C
2
star
58

hexter

A minimal terminal hex viewer supporting reading, writing and searching in files and processes.
C
2
star
59

docker_ghidra_headless_base

base docker image for ghidra headless scripting
Dockerfile
2
star
60

ssdeeper

Supplemental material for our paper: ssdeeper - Evaluating and Improving ssdeep.
Shell
1
star
61

common_helper_filter

generate nice structured output
Python
1
star
62

cwe_checker_travis_docker_image

Docker image with current BAP (opam testing) and other dependencies for fast testing of cwe_checker on travis
Dockerfile
1
star
63

mana

Python
1
star
64

FACT_remote_plugin_runner

Base class for FACT remote analysis systems
1
star
65

epf-case-study

C
1
star
66

fact_radare_viewer

Start radare webUI via REST in container and deliver url to view
Python
1
star
67

socbed-eval-acsac-2021

SOCBED evaluation code and dataset as presented at ACSAC 2021
Python
1
star
68

ei2f

C++
1
star
69

common_helper_unpacking_classifier

Try to guess if unpacking a container was successfull.
Python
1
star
70

docker-radare-web-gui

Dockerfile for Radare2 web gui
Shell
1
star
71

dewolf-idioms

A new approach for compiler idioms handling that automatically generates patterns to annotate them.
Python
1
star
72

conpot-plus

Python
1
star
73

frida-emulator-bypass

1
star
74

common_helper_passwords

Helper functions for handling password lists and files.
Python
1
star
75

Web-Content-Integrity

Web Content Integrity: Tamper-proof websites beyond HTTPS
HTML
1
star
76

spmac

Python
1
star
77

common_helper_process

fail-safe process helpers
Python
1
star
78

powerowl

PowerOwl models power grids as a whole and allows to simulate their power-domain behavior.
Python
1
star
79

winDbgFixPte

Fixes WinDbg !pte command not working bug
C
1
star
80

DEXSLib

Currently, the project is being heavily refactored and is therefore in an unusable state. Android RE library for static forward and backward slicing
Java
1
star
81

fact_goblin_bindings

Goblin bindings for parsing ELF header information in FACT
Rust
1
star
82

linux-firmware-corpus

HTML
1
star