Switch default backend to Ghidra (#128)

.github/workflows/acceptance-tests.yml

@@ -39,3 +39,13 @@ jobs:
         with:
           command: test
           args: --no-fail-fast -p acceptance_tests_ghidra -- --show-output --ignored --test-threads 1
+
+  docker-build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Build the docker image
+        run: docker build -t cwe_checker .
+      - name: Check functionality of the image
+        run: docker run --rm cwe_checker /bin/echo | grep -q CWE676
\ No newline at end of file

CHANGES.md

+0.5-dev
+====
+
+-   Switched default backend to Ghidra (PR #128)
+
 0.4 (2021-01)
 ====
 

Dockerfile

-FROM fkiecad/cwe_checker_travis_docker_image:bap
+FROM rust:1.49 AS builder
 
-COPY . /home/cwe/cwe_checker/
+WORKDIR /cwe_checker
 
-RUN sudo chown -R cwe:cwe /home/cwe/cwe_checker \
-    && cd /home/cwe/cwe_checker \
-    && make all \
-    && cargo clean \
-    && dune clean
+COPY . .
+RUN cargo build --release
 
-WORKDIR /home/cwe/cwe_checker
+FROM phusion/baseimage:18.04-1.0.0 as runtime
 
-ENTRYPOINT ["opam", "config", "exec", "--"]
-CMD cwe_checker /tmp/input
+RUN apt-get -y update \
+    && install_clean sudo \
+    && useradd -m cwe \
+    && echo "cwe:cwe" | chpasswd \
+    && adduser cwe sudo \
+    && sed -i.bkp -e 's/%sudo\s\+ALL=(ALL\(:ALL\)\?)\s\+ALL/%sudo ALL=NOPASSWD:ALL/g' /etc/sudoers
+USER cwe
+
+WORKDIR /home/cwe
+
+ENV PATH="/home/cwe/.cargo/bin/:${PATH}"
+ENV GHIDRA_VERSION="9.2.1_PUBLIC"
+
+# Install Ghidra
+RUN sudo apt-get -y update \
+    && sudo install_clean \
+        curl \
+        unzip \
+        openjdk-11-jdk \
+    && curl -fSL https://www.ghidra-sre.org/ghidra_9.2.1_PUBLIC_20201215.zip -o ghidra.zip \
+    && unzip -q ghidra.zip \
+    && sudo mv ghidra_${GHIDRA_VERSION} /opt/ghidra \
+    && rm ghidra.zip
+
+# Install all necessary files from the builder stage
+COPY --from=builder /cwe_checker/target/release/cwe_checker /home/cwe/cwe_checker
+COPY --from=builder /cwe_checker/src/config.json /home/cwe/.config/cwe_checker/config.json
+COPY --from=builder /cwe_checker/ghidra/p_code_extractor /home/cwe/.local/share/cwe_checker/ghidra/p_code_extractor
+RUN echo "{ \"ghidra_path\": \"/opt/ghidra\" }" | sudo tee /home/cwe/.config/cwe_checker/ghidra.json
+
+WORKDIR /
+
+ENTRYPOINT ["/home/cwe/cwe_checker"]

Makefile

@@ -3,14 +3,22 @@ GHIDRA_PATH =
 .PHONY: all clean test uninstall docker
 all:
 	cargo build --release
+ifdef GHIDRA_PATH
 	mkdir -p ${HOME}/.config/cwe_checker
 	cp src/config.json ${HOME}/.config/cwe_checker/config.json
-ifdef GHIDRA_PATH
 	cargo install --path caller --locked
 	echo "{ \"ghidra_path\": \"${GHIDRA_PATH}\" }" > ${HOME}/.config/cwe_checker/ghidra.json
 	mkdir -p ${HOME}/.local/share/cwe_checker
 	cp -r ghidra ${HOME}/.local/share/cwe_checker/ghidra
 else
+	echo "GHIDRA_PATH not specified. Please set it to the path to your local Ghidra installation."
+	false
+endif
+
+with_bap_backend:
+	cargo build --release
+	mkdir -p ${HOME}/.config/cwe_checker
+	cp src/config.json ${HOME}/.config/cwe_checker/config.json
 	cp target/release/libcwe_checker_rs.a src/libcwe_checker_rs.a
 	cp target/release/libcwe_checker_rs.so src/dllcwe_checker_rs.so
 	dune build
@@ -20,7 +28,6 @@ else
 	cd plugins/cwe_checker_type_inference && make all
 	cd plugins/cwe_checker_type_inference_print && make all
 	cd plugins/cwe_checker_pointer_inference_debug && make all
-endif
 
 test:
 	cargo test
@@ -69,8 +76,8 @@ uninstall:
 	cd plugins/cwe_checker_pointer_inference_debug; make uninstall; cd ../..
 
 documentation:
-	dune build @doc
-	cp -r _build/default/_doc/_html doc/html
+	cargo doc --open
 
 docker:
-	./install.sh
+	make clean
+	docker build -t cwe_checker .

ghidra.Dockerfile → bap.Dockerfile

-FROM fkiecad/cwe_checker_travis_docker_image:ghidra
+FROM fkiecad/cwe_checker_travis_docker_image:bap
 
 COPY . /home/cwe/cwe_checker/
 
 RUN sudo chown -R cwe:cwe /home/cwe/cwe_checker \
     && cd /home/cwe/cwe_checker \
-    && make all GHIDRA_PATH=/home/cwe/ghidra \
-    && cargo clean
+    && make with_bap_backend \
+    && cargo clean \
+    && dune clean
 
 WORKDIR /home/cwe/cwe_checker
 
-# ENTRYPOINT ["/bin/sh", "-c"]
+ENTRYPOINT ["opam", "config", "exec", "--"]
 CMD cwe_checker /tmp/input

caller/Cargo.toml

 [package]
 name = "cwe_checker"
-version = "0.4.0"
+version = "0.5.0-dev"
 authors = ["Enkelmann <nils-edvin.enkelmann@fkie.fraunhofer.de>"]
 edition = "2018"
 

caller/src/main.rs

@@ -34,10 +34,6 @@ struct CmdlineArgs {
     #[structopt(long, short)]
     quiet: bool,
 
-    /// Checks if there is a path from an input function to a CWE hit.
-    #[structopt(long)]
-    check_path: bool,
-
     /// Prints out the version numbers of all known modules.
     #[structopt(long)]
     module_versions: bool,
@@ -86,9 +82,6 @@ fn build_bap_command(args: &CmdlineArgs) -> Command {
     if args.quiet {
         command.arg("--cwe-checker-no-logging");
     }
-    if args.check_path {
-        command.arg("--cwe-checker-check-path");
-    }
     if args.module_versions {
         command.arg("--cwe-checker-module-versions");
     }
@@ -119,10 +112,6 @@ fn run_with_ghidra(args: CmdlineArgs) {
         return;
     }
 
-    if args.check_path {
-        panic!("Check-path module not yet implemented for the Ghidra backend");
-    }
-
     // Get the configuration file
     let config: serde_json::Value = if let Some(config_path) = args.config {
         let file = std::io::BufReader::new(std::fs::File::open(config_path).unwrap());

cwe_checker_rs/Cargo.toml

 [package]
 name = "cwe_checker_rs"
-version = "0.4.0"
+version = "0.5.0-dev"
 authors = ["Nils-Edvin Enkelmann <nils-edvin.enkelmann@fkie.fraunhofer.de>"]
 edition = "2018"
 

ghidra_plugin/cwe_checker_ghidra_plugin.py

 # Import the results of the cwe_checker as bookmarks and comments into Ghidra.
 #
 # Usage:
-# - Run the cwe_checker on a binary and save its output as a json file.
 # - Copy this file into the Ghidra scripts folder
+# - Run the cwe_checker on a binary and save its output as a json file, e.g. with
+#   "cwe_checker BINARY --json --out output.json"
 # - Open the binary in Ghidra and run this file as a script. Select the generated json file when prompted.
 
 import json
-from ghidra.app.util.opinion import ElfLoader
 
 
 def bookmark_cwe(ghidra_address, text):
@@ -42,29 +42,12 @@ def get_cwe_checker_output():
         return json.load(json_file)
 
 
-def compute_ghidra_address(address_string):
-    fixed_address_string = address_string.replace(':32u', '').replace(':64u', '')
-    address_int = int(fixed_address_string, 16)
-    # Ghidra sometimes adds an offset to all addresses.
-    try:
-        # try for ELF-files
-        offset = currentProgram.getMinAddress().getOffset() - int(ElfLoader.getElfOriginalImageBase(currentProgram))
-        return currentProgram.getAddressFactory().getAddress(fixed_address_string).add(offset)
-    except:
-        # the file is probably not an ELF file, so we use a workaround that should work in most cases.
-        if address_int < currentProgram.getMinAddress().getOffset():
-            return currentProgram.getMinAddress().add(address_int)
-        else:
-            return currentProgram.getAddressFactory().getAddress(fixed_address_string)
-
-
 def main():
     """
-    Annotate cwe_checker results (including check_path paths) in Ghidra as end-of-line
+    Annotate cwe_checker results in Ghidra as end-of-line
     comments and bookmarks to the corresponding addresses.
     """
-    cwe_checker_output = get_cwe_checker_output()
-    warnings = cwe_checker_output['warnings']
+    warnings = get_cwe_checker_output()
     for warning in warnings:
         if len(warning['addresses']) == 0:
             cwe_text =  '[' + warning['name'] + '] ' + warning['description']
@@ -72,16 +55,9 @@ def main():
             bookmark_cwe(ghidra_address, cwe_text)
             comment_cwe_pre(ghidra_address, cwe_text)
         else:
-            for address_string in warning['addresses']:
-                ghidra_address = compute_ghidra_address(address_string)
-                bookmark_cwe(ghidra_address, warning['description'])
-                comment_cwe_eol(ghidra_address, warning['description'])
-    if 'check_path' in cwe_checker_output:
-        for check_path in cwe_checker_output['check_path']:
-            ghidra_address = compute_ghidra_address(check_path['source_addr'])
-            check_path_string = 'Path to CWE at ' + check_path['destination_addr'] + ': ' + check_path['path_str']
-            bookmark_cwe(ghidra_address, check_path_string)
-            comment_cwe_eol(ghidra_address, check_path_string)
-
+            address_string = warning['addresses'][0]
+            ghidra_address = currentProgram.getAddressFactory().getAddress(address_string)
+            bookmark_cwe(ghidra_address, warning['description'])
+            comment_cwe_eol(ghidra_address, warning['description'])
 
 main()

install.sh

-#!/usr/bin/env bash
-
-echo "Cleaning up"
-make clean
-
-echo "Building docker container"
-docker build --build-arg=http{,s}_proxy --build-arg=HTTP{,S}_PROXY -t cwe-checker .
-
-exit 0