Unverified Commit 58ce359f by Enkelmann Committed by GitHub

Added deprecation warnings to the emulation based checks. (#66)

parent 79f828f4
......@@ -3,6 +3,9 @@ dev
- Added a lot more test cases to acceptance tests (PR #46)
- Reworked CWE-476 check to track stack variables (PR #47)
- Switched to BAP 2.0 (PR #49)
- Several internal code improvements (PRs #51, #58, #62)
- Added deprecation warnings to the emulation based checks (PR #66)
0.3 (2019-12)
====
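Review bot: the new changelog entry (`- Added deprecation warnings to the emulation based checks (PR #66)`) should name the affected checks, since users scan this file for behaviour changes; suggest `- Added deprecation warnings to the emulation based checks CWE-415, CWE-416 and CWE-787 (PR #66)` plus a pointer to the BAP toolkit alternative that the README note in this same change recommends.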
......
......@@ -7,6 +7,7 @@
[![Build Status](https://travis-ci.com/fkie-cad/cwe_checker.svg?branch=master)](https://travis-ci.com/fkie-cad/cwe_checker)
![Docker-Pulls](https://img.shields.io/docker/pulls/fkiecad/cwe_checker.svg)
[![Documentation](https://img.shields.io/badge/doc-stable-green.svg)](https://fkie-cad.github.io/cwe_checker/doc/html/cwe_checker/index.html)
## What is cwe_checker? ##
*cwe_checker* is a suite of tools to detect common bug classes such as use of dangerous functions and simple integer overflows. These bug classes are formally known as [Common Weakness Enumerations](https://cwe.mitre.org/) (CWEs). Its main goal is to aid analysts to quickly find vulnerable code paths.
......@@ -20,8 +21,6 @@ Its main focus are ELF binaries that are commonly found on Linux and Unix operat
- [CWE-248](https://cwe.mitre.org/data/definitions/248.html): Uncaught Exception
- [CWE-332](https://cwe.mitre.org/data/definitions/332.html): Insufficient Entropy in PRNG
- [CWE-367](https://cwe.mitre.org/data/definitions/367.html): Time-of-check Time-of-use (TOCTOU) Race Condition
- [CWE-415](https://cwe.mitre.org/data/definitions/415.html): Double Free (via emulation)
- [CWE-416](https://cwe.mitre.org/data/definitions/416.html): Use After Free (UAF) (via emulation)
- [CWE-426](https://cwe.mitre.org/data/definitions/426.html): Untrusted Search Path
- [CWE-457](https://cwe.mitre.org/data/definitions/457.html): Use of Uninitialized Variable
- [CWE-467](https://cwe.mitre.org/data/definitions/467.html): Use of sizeof() on a Pointer Type
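Review bot: removing the CWE-415 and CWE-416 entries from the supported-checks list contradicts the deprecation note added a few lines below, which says the checks for CWEs 415, 416 and 787 are deprecated (not removed), while the `CWE-787 ... (via emulation)` entry is kept. Either keep all three entries and mark them as deprecated, or drop all three; as it stands a reader cannot tell whether the 415/416 checks still run.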
......@@ -29,7 +28,8 @@ Its main focus are ELF binaries that are commonly found on Linux and Unix operat
- [CWE-560](https://cwe.mitre.org/data/definitions/560.html): Use of umask() with chmod-style Argument
- [CWE-676](https://cwe.mitre.org/data/definitions/676.html): Use of Potentially Dangerous Function
- [CWE-782](https://cwe.mitre.org/data/definitions/782.html): Exposed IOCTL with Insufficient Access Control
- [CWE-787](https://cwe.mitre.org/data/definitions/787.html): Out-of-bounds Write (via emulation)
**NOTE:** We recently decided to deprecate the support for the emulation based checks for CWEs 415, 416 and 787. Users of these checks should take a look at the [BAP toolkit](https://github.com/BinaryAnalysisPlatform/bap-toolkit), which provides better-maintained versions of these checks.
Please note that some of the above analyses only are partially implemented at the moment. Furthermore, false positives are to be expected due to shortcuts and the nature of static analysis as well as over-approximation. For more information about the individual checks you can look at the [online documentation](https://fkie-cad.github.io/cwe_checker/doc/html/cwe_checker/index.html).
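Review bot: the **NOTE** says the emulation-based checks are deprecated but, unlike the matching deprecation warning added to the OCaml documentation in this same change, it does not say that they will be removed in a future version; add that sentence here so README readers get the same expectation. Minor: `emulation based` reads better hyphenated as `emulation-based`.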
......@@ -69,6 +69,7 @@ If you plan to develop cwe_checker, it is recommended to build it using the prov
- odoc >= 1.4 (for documentation)
Just run `make all` to compile and register the plugin with BAP. You can run the test suite via `make test`. Documentation can be built via `make documentation`.
## How to use cwe_checker? ##
The usage is straight forward: adjust the `config.json` (if needed) and call BAP with *cwe_checker* as a pass.
``` bash
......@@ -80,8 +81,10 @@ For further information see the [online documentation](https://fkie-cad.github.i
You can find some information about how to write your own check [here](https://fkie-cad.github.io/cwe_checker/doc/html/cwe_checker/index.html#HackingHowto)
If you plan to open a PR, please utilize [precommit](https://pre-commit.com) in your development environment to catch many issues before the code review.
### Contribute ###
Contributions are always welcome. Just fork it and open a pull request!
## How does cwe_checker work internally? ##
See the [online documentation](https://fkie-cad.github.io/cwe_checker/doc/html/cwe_checker/index.html) or build it locally via `make documentation` and then browse it in the *doc/html/* folder. But the most accurate documentation is still the source code. We also provide some slides of conference presentations on cwe_checker in *doc*. These should be of special interest for those who would like to get a quick/initial overview of its internals.
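Review bot: the new sentence recommending pre-commit does not tell contributors how to enable it; suggest adding `Run `pre-commit install` once after cloning so the hooks run on every commit` (this assumes the repository ships a `.pre-commit-config.yaml`, which the diff does not show). Also, the tool's name is `pre-commit`, not `precommit`.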
......@@ -93,6 +96,7 @@ We presented cwe_checker at the following conferences so far:
This project is partly financed by [German Federal Office for Information Security (BSI)](https://www.bsi.bund.de).
A special thanks goes out to the BAP community (especially the official gitter) for answering questions and discussing solutions.
## License
```
Copyright (C) 2018 - Fraunhofer FKIE (firmware-security@fkie.fraunhofer.de)
......
......@@ -24,7 +24,10 @@ Internally, this also calls BAP as above, but enables shorter {{!section:CmdLine
The symbolic execution based checks can be run with the emulation recipe in the recipes folder.
{[bap PATH_TO_BINARY --recipe=recipes/emulation]}
Note that these checks are rather slow at the moment and should only be applied to small binaries.
Note that these checks are rather slow and should only be applied to small binaries.
{e Deprecation warning:} We recently decided to deprecate support for the symbolic execution based checks and they will be removed in a future version.
Users of these checks should take a look at the {{: https://github.com/BinaryAnalysisPlatform/bap-toolkit} BAP toolkit},
which provides better-maintained versions of these checks.
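Review bot: the deprecation warning says the checks `will be removed in a future version` without saying which; if the removal target is known, name it so users of the `recipes/emulation` recipe can plan, and state the same removal intent in the README note, which currently only says the checks are deprecated. The rewording of the preceding sentence (dropping `at the moment` from `rather slow ... small binaries`) is consistent with the checks not being improved before removal.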
{2 How to use the docker images}
......@@ -35,7 +38,8 @@ There are two docker images containing preinstalled versions of the {i cwe_check
To use them, mount the target binary inside the docker container and call {i bap} with {i cwe_checker} as a pass as usual:
{[docker run --rm -v [BINARY]:/tmp/input fkiecad/cwe_checker bap /tmp/input --pass=cwe-checker]}
If you are using a customized [config.json] file, don't forget to mount it inside your container as well!
If you want to print the output to a file with [--cwe-checker-out], you also need to mount the output file to the docker container, or else the file will be lost once the container gets destroyed.
If you want to print the output to a file with [--cwe-checker-out], you also need to mount the output file to the docker container,
or else the file will be lost once the container gets destroyed.
{1:CmdLineOptions Command line options}
......
......@@ -125,6 +125,7 @@ end
- all monitored events are collected globally
- after the last Primus machine has terminated we report all observed incidents *)
let main json_output file_output proj =
print_endline "INFO: The emulation based checks in this plugin have been deprecated. Please look at https://github.com/BinaryAnalysisPlatform/bap-toolkit for an alternative." ;
Primus.Machine.add_component (module Monitor);
begin
let prog = (Project.program proj) in
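Review bot: the added `print_endline` writes the deprecation notice to stdout unconditionally, including when `json_output` is set, so anything consuming the plugin's JSON from stdout will receive a non-JSON first line. Route the notice through the logging helpers this code base already has (the `info`/`error` functions documented in the log_utils interface touched by this same change, whose doc comment warns that they `may pollute the output`) or, at minimum, use `prerr_endline` so it goes to stderr.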
......
......@@ -11,7 +11,7 @@
are emit_native and emit_json.
In addition, there are several functions (debug, error, info) to notify the user of certain
events. Note that these functions may pollute the output.
events. Note that these functions may pollute the output.
*)
module CweWarning : sig
......@@ -53,8 +53,9 @@ It takes the following input parameters:
- tids: list of relevant TIDs as strings
- symbols: list of associated symbols as strings
- description: string description of the CWE
*)
*)
val cwe_warning_factory : string -> string -> ?other:string list list -> ?addresses:string list -> ?tids:string list -> ?symbols:string list -> string -> CweWarning.t
(**
Factory function to easily build an element of type CheckPath.t.
It takes the following input parameters:
......@@ -71,10 +72,12 @@ val check_path_factory : ?path:string list -> ?path_str:string -> string -> stri
Add one CweWarning.t element to an internal store. All elements are emited by calling one of the emit_* functions.
*)
val collect_cwe_warning : CweWarning.t -> unit
(**
Add one CheckPath.t element to an internal store. All elements are emited by calling one of the emit_* functions.
*)
val collect_check_path : CheckPath.t -> unit
(**
Returns the internal store of CweWarning.t elements as a list.
*)
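Review bot: while touching these doc comments, fix the typo `emited` (should be `emitted`) in both the `collect_cwe_warning` and `collect_check_path` descriptions (`All elements are emited by calling one of the emit_* functions.`).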
......@@ -85,6 +88,7 @@ Emits stored CweWarning.t and CheckPath.t elements as json.
target_path is the path of the current BAP project and out_path is the path a json output file.
*)
val emit_json : string -> string -> unit
(**
Emits stored CweWarning.t and CheckPath.t elements.
target_path is the path of the current BAP project and out_path is the path an output file.
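Review bot: both doc comments in this hunk are missing `of`: `out_path is the path a json output file` and `out_path is the path an output file` should read `out_path is the path of a json output file` / `the path of an output file`.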
......