Commit 7bca782b by Thomas Barabosch

Merge branch 'master' into acceptance_tests

parents 7fd7b2d0 3199b676
...@@ -3,6 +3,7 @@ ...@@ -3,6 +3,7 @@
- Refactoring: Unification of cwe_checker function interface - Refactoring: Unification of cwe_checker function interface
- Refactoring: Created utils module for JSON functionality - Refactoring: Created utils module for JSON functionality
- Added check for CWE 248: Uncaught Exception
0.1 (2018-10-08) 0.1 (2018-10-08)
===== =====
......
# cwe_checker # # cwe_checker #
[![Codacy Badge](https://api.codacy.com/project/badge/Grade/9dbf158110de427d893b40ba397b94bc)](https://www.codacy.com/app/weidenba/cwe_checker?utm_source=github.com&utm_medium=referral&utm_content=fkie-cad/cwe_checker&utm_campaign=Badge_Grade) [![Codacy Badge](https://api.codacy.com/project/badge/Grade/9dbf158110de427d893b40ba397b94bc)](https://www.codacy.com/app/weidenba/cwe_checker?utm_source=github.com&utm_medium=referral&utm_content=fkie-cad/cwe_checker&utm_campaign=Badge_Grade)
## What is cwe_checker? ## ## What is cwe_checker? ##
*cwe_checker* detects common bug classes such as use of dangerous functions and simple integer overflows. These bug classes are formally known as [Common Weakness Enumerations](https://cwe.mitre.org/) (CWEs). Its main goal is to aid analysts to quickly find vulnerable code paths. *cwe_checker* detects common bug classes such as use of dangerous functions and simple integer overflows. These bug classes are formally known as [Common Weakness Enumerations](https://cwe.mitre.org/) (CWEs). Its main goal is to aid analysts to quickly find vulnerable code paths.
Its main focus are ELF binaries that are commonly found on Linux and Unix operating systems. *cwe_checker* is built on top of [BAP](https://github.com/BinaryAnalysisPlatform/bap)(Binary Analysis Platform). By using BAP, we are not restricted to one low level instruction set architectures like Intel x86. BAP lifts several of them to one common intermediate represenetation (IR). cwe_checker implements its analyses on this IR. At time of writing, BAP 1.5 supports Intel x86/x64, ARM, MIPS, and PPC amongst others. Hence, this makes *cwe_checker* a valuable tool for firmware analysis. Its main focus are ELF binaries that are commonly found on Linux and Unix operating systems. *cwe_checker* is built on top of [BAP](https://github.com/BinaryAnalysisPlatform/bap)(Binary Analysis Platform). By using BAP, we are not restricted to one low level instruction set architectures like Intel x86. BAP lifts several of them to one common intermediate represenetation (IR). cwe_checker implements its analyses on this IR. At time of writing, BAP 1.5 supports Intel x86/x64, ARM, MIPS, and PPC amongst others. Hence, this makes *cwe_checker* a valuable tool for firmware analysis.
*cwe_checker* implements a modular architecture that allows to add new analyses with ease. So far the following analyses are implemented: *cwe_checker* implements a modular architecture that allows to add new analyses with ease. So far the following analyses are implemented:
- [CWE-190](https://cwe.mitre.org/data/definitions/190.html): Integer Overflow or Wraparound - [CWE-190](https://cwe.mitre.org/data/definitions/190.html): Integer Overflow or Wraparound
- [CWE-215](https://cwe.mitre.org/data/definitions/215.html): Information Exposure Through Debug Information - [CWE-215](https://cwe.mitre.org/data/definitions/215.html): Information Exposure Through Debug Information
- [CWE-243](https://cwe.mitre.org/data/definitions/243.html): Creation of chroot Jail Without Changing Working Directory - [CWE-243](https://cwe.mitre.org/data/definitions/243.html): Creation of chroot Jail Without Changing Working Directory
- [CWE-248](https://cwe.mitre.org/data/definitions/248.html): Uncaught Exception
- [CWE-332](https://cwe.mitre.org/data/definitions/332.html): Insufficient Entropy in PRNG - [CWE-332](https://cwe.mitre.org/data/definitions/332.html): Insufficient Entropy in PRNG
- [CWE-367](https://cwe.mitre.org/data/definitions/367.html): Time-of-check Time-of-use (TOCTOU) Race Condition - [CWE-367](https://cwe.mitre.org/data/definitions/367.html): Time-of-check Time-of-use (TOCTOU) Race Condition
- [CWE-426](https://cwe.mitre.org/data/definitions/426.html): Untrusted Search Path - [CWE-426](https://cwe.mitre.org/data/definitions/426.html): Untrusted Search Path
...@@ -30,15 +31,15 @@ The following arguments should convince you to give *cwe_checker* a try: ...@@ -30,15 +31,15 @@ The following arguments should convince you to give *cwe_checker* a try:
- it is extensible due to its plugin-based architecture - it is extensible due to its plugin-based architecture
- it is configureable, e.g. apply analyses to new APIs - it is configureable, e.g. apply analyses to new APIs
- view results annotated in IDA Pro - view results annotated in IDA Pro
- *cwe_checker* can be integrated as a plugin into [FACT](https://github.com/fkie-cad/FACT_core) - *cwe_checker* can be integrated as a plugin into [FACT](https://github.com/fkie-cad/FACT_core)
## How to install cwe_checker? ## ## How to install cwe_checker? ##
There are three ways to install cwe_checker. The recommended way is to get cwe_checker from the Ocaml package manager Opam. You can install cwe_checker via the package [fkie-cad-cwe-checker](https://opam.ocaml.org/packages/fkie-cad-cwe-checker/) (`opam install fkie-cad-cwe-checker`). There are three ways to install cwe_checker. The recommended way is to get cwe_checker from the Ocaml package manager Opam. You can install cwe_checker via the package [fkie-cad-cwe-checker](https://opam.ocaml.org/packages/fkie-cad-cwe-checker/) (`opam install fkie-cad-cwe-checker`).
The second way is to utilize the installation script `install.sh`, which is just a wrapper around Docker. Make sure to have the latest version of Docker. The second way is to utilize the installation script `install.sh`, which is just a wrapper around Docker. Make sure to have the latest version of Docker.
The three way is to build it using the provided `Makefile`. In this case you must ensure that all dependencies are fulfilled: The three way is to build it using the provided `Makefile`. In this case you must ensure that all dependencies are fulfilled:
- Ocaml 4.05.0 - Ocaml 4.05.0
- Opam <= 1.2.2 - Opam 2.0.2
- BAP 1.5 (and its dependencies) - BAP 1.5 (and its dependencies)
- yojson <= 1.4.1 - yojson <= 1.4.1
- alcotest <= 0.8.3 - alcotest <= 0.8.3
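Review bot: The Opam requirement changes from `Opam <= 1.2.2` to `Opam 2.0.2` in this hunk, but the CHANGELOG hunk above only records the CWE 248 check; a changelog line for the new Opam requirement would save users of the Makefile route a failed build. While here, the unchanged context reads "The three way" (should be "The third way") and "configureable" (should be "configurable").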
...@@ -57,11 +58,11 @@ Contributions are always welcomed. Just fork it and open a pull request! ...@@ -57,11 +58,11 @@ Contributions are always welcomed. Just fork it and open a pull request!
## Acknowledgements ## ## Acknowledgements ##
This project is partly financed by [German Federal Office for Information Security (BSI)](https://www.bsi.bund.de). This project is partly financed by [German Federal Office for Information Security (BSI)](https://www.bsi.bund.de).
A special thanks goes out to the BAP community (especially the official gitter) for answering questions and discussing solutions. A special thanks goes out to the BAP community (especially the official gitter) for answering questions and discussing solutions.
## License ## License
``` ```
Copyright (C) 2018 - Fraunhofer FKIE (thomas.barabosch@fkie.fraunhofer.de) Copyright (C) 2018 - Fraunhofer FKIE (thomas.barabosch@fkie.fraunhofer.de)
This library is free software; you can redistribute it and/or This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Library General Public modify it under the terms of the GNU Library General Public
License as published by the Free Software Foundation; either License as published by the Free Software Foundation; either
...@@ -71,7 +72,7 @@ A special thanks goes out to the BAP community (especially the official gitter) ...@@ -71,7 +72,7 @@ A special thanks goes out to the BAP community (especially the official gitter)
but WITHOUT ANY WARRANTY; without even the implied warranty of but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Library General Public License for more details. Library General Public License for more details.
You should have received a copy of the GNU General Public License You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>. along with this program. If not, see <http://www.gnu.org/licenses/>.
``` ```
open Bap.Std
open Core_kernel.Std
let name = "CWE248"
let version = "0.1"
(* Print the findings to the log *)
let print_uncatched_exception block_tid ~tid_map =
Log_utils.warn
"[%s] {%s} (Possibly Uncaught Exception) (Exception thrown at %s)."
name
version
(Address_translation.translate_tid_to_assembler_address_string block_tid tid_map)
(* Extract the name of a direct call, if the block contains a direct call. *)
let extract_direct_call_symbol block =
match Symbol_utils.extract_direct_call_tid_from_block block with
| Some(tid) -> Some(Tid.name tid)
| None -> None
(* check whether block contains a direct call to a symbol with name symbol_name *)
let contains_symbol block symbol_name =
match extract_direct_call_symbol block with
| Some(symb) -> symb = symbol_name
| None -> false
(* Checks whether a subfunction contains a catch block. *)
let contains_catch subfunction =
let blocks = Term.enum blk_t subfunction in
Seq.exists blocks (fun block -> contains_symbol block "@__cxa_begin_catch")
(* Find all calls to subfunctions that are reachable from this subfunction. The calls are returned
as a list, except for calls to "@__cxa_throw", which are logged as possibly uncaught exceptions. *)
let find_calls_and_throws subfunction ~tid_map =
let blocks = Term.enum blk_t subfunction in
Seq.fold blocks ~init:[] ~f:(fun call_list block ->
if contains_symbol block "@__cxa_throw" then
let () = print_uncatched_exception (Term.tid block) ~tid_map:tid_map in
call_list
else
match Symbol_utils.extract_direct_call_tid_from_block block with
| Some(tid) -> tid :: call_list
| None -> call_list
)
(* find exception throws with for which an exception handler was not necessarily allocated beforehand.
The return value is a list of all already checked functions.*)
let rec find_uncaught_exceptions subfunction already_checked_functions program ~tid_map =
if contains_catch subfunction then
(* This function contains a catch so we assume every throw reachable from here is catched. *)
already_checked_functions
else
let subfunction_calls = find_calls_and_throws subfunction ~tid_map:tid_map in
List.fold subfunction_calls ~init:already_checked_functions ~f:(fun already_checked subfunc ->
match List.exists ~f:(fun a -> a = subfunc) already_checked with
| true -> already_checked
| false -> find_uncaught_exceptions ~tid_map:tid_map (Core_kernel.Option.value_exn (Term.find sub_t program subfunc)) (subfunc :: already_checked) program)
(* Search for uncatched exceptions for each entry point into the binary.
TODO: Exceptions, that are catched when starting from one entry point, but not from another, are masked this
way. We should check whether this produces a lot of false negatives. *)
let check_cwe program project tid_map symbol_pairs =
let entry_points = Symbol_utils.get_program_entry_points program in
let _ = Seq.fold entry_points ~init:[] ~f:(fun already_checked_functions sub -> find_uncaught_exceptions ~tid_map:tid_map sub already_checked_functions program) in
()
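Review bot: `Core_kernel.Option.value_exn (Term.find sub_t program subfunc)` in find_uncaught_exceptions raises if a direct call target has no corresponding sub term in the program (extract_direct_call_tid_from_block hands back whatever tid the jump targets without checking that it resolves); matching on the option and skipping unresolved targets would keep one odd binary from aborting the whole pass. Two smaller points: check_cwe never adds the entry-point sub itself to already_checked_functions, so a sub that is both an entry point and reachable through a direct call in another traversal is visited twice and its throws logged twice; and `List.exists ~f:(fun a -> a = subfunc) already_checked` is a linear scan with polymorphic equality, where a `Tid.Set.t` (or at least `Tid.equal`) would be cheaper and clearer. The `match ... with | true -> ... | false -> ...` is an `if`. Naming: `print_uncatched_exception` and the comments' "catched" should read "uncaught"/"caught".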
(** This module implements a check for CWE-248 (Uncaught Exception)
An uncaught exception may lead to a crash and subsequentially to other unintended behavior.
See https://cwe.mitre.org/data/definitions/248.html for detailed description.
Right now we search for exception throws that are reachable in the callgraph without
touching a function that contains a catch block. We do not check whether a catch block
can actually catch the thrown exceptions, thus we generate some false negatives. **)
val name : string
val version : string
val check_cwe : Bap.Std.program Bap.Std.term -> Bap.Std.project -> Bap.Std.word Bap.Std.Tid.Map.t -> string list list -> unit
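Review bot: "subsequentially" in the doc comment should be "subsequently", and it would help readers of the interface to state the granularity explicitly: a throw is treated as caught as soon as any function on the call path contains a `__cxa_begin_catch` call, regardless of which exception type that handler accepts, which is the source of the false negatives mentioned.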
...@@ -10,6 +10,9 @@ ...@@ -10,6 +10,9 @@
["chdir", "chroot", "setreuid"], ["chdir", "chroot", "setuid"]], ["chdir", "chroot", "setreuid"], ["chdir", "chroot", "setuid"]],
"_comment": "valid chroot pathes according to http://www.unixwiz.net/techtips/chroot-practices.html" "_comment": "valid chroot pathes according to http://www.unixwiz.net/techtips/chroot-practices.html"
}, },
"CWE248": {
"symbols": []
},
"CWE332": { "CWE332": {
"pairs": [["srand", "rand"]] "pairs": [["srand", "rand"]]
}, },
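Review bot: The new `"CWE248": {"symbols": []}` entry is empty while cwe_248.ml hard-codes `"@__cxa_throw"` and `"@__cxa_begin_catch"`; since the README advertises that analyses can be applied to new APIs via configuration, consider listing the throw and catch symbols here and reading them in check_cwe, so other exception ABIs can be added without a code change. Side note: the unchanged comment line says "pathes" (should be "paths").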
...@@ -40,16 +43,16 @@ ...@@ -40,16 +43,16 @@
"CWE676": { "CWE676": {
"_comment": "https://github.com/01org/safestringlib/wiki/SDL-List-of-Banned-Functions", "_comment": "https://github.com/01org/safestringlib/wiki/SDL-List-of-Banned-Functions",
"symbols": ["alloca", "_alloca", "symbols": ["alloca", "_alloca",
"scanf", "wscanf", "sscanf", "swscanf", "vscanf", "vsscanf", "scanf", "wscanf", "sscanf", "swscanf", "vscanf", "vsscanf",
"strlen", "wcslen", "strtok", "strtok_r", "wcstok", "strlen", "wcslen", "strtok", "strtok_r", "wcstok",
"strcat", "strncat", "wcscat", "wcsncat", "strcat", "strncat", "wcscat", "wcsncat",
"strcpy", "strncpy", "wcscpy", "wcsncpy", "stpcpy", "stpncpy", "wcpcpy", "wcpncpy", "strcpy", "strncpy", "wcscpy", "wcsncpy", "stpcpy", "stpncpy", "wcpcpy", "wcpncpy",
"memcpy", "wmemcpy", "memmove", "wmemmove", "memcmp", "wmemcmp", "me​mset", "wmemset", "memcpy", "wmemcpy", "memmove", "wmemmove", "memcmp", "wmemcmp", "me​mset", "wmemset",
"gets", "sprintf​", "vsprintf", "swprintf", "vswprintf", "snprintf", "vsnprintf", "gets", "sprintf​", "vsprintf", "swprintf", "vswprintf", "snprintf", "vsnprintf",
"realpath", "getwd", "wctomb", "wcrtomb", "wcstombs", "wcsrtombs", "wcsnrtombs"] "realpath", "getwd", "wctomb", "wcrtomb", "wcstombs", "wcsrtombs", "wcsnrtombs"]
}, },
"CWE782": { "CWE782": {
"symbols": [] "symbols": []
} }
} }
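Review bot: The entries for memset and sprintf in the CWE676 symbol list appear, as rendered here, to contain an invisible (zero-width) character inside the string; if that character is really in the file, those two names never match a symbol and the check silently misses memset and sprintf calls. Worth confirming with a hex dump of config.json and re-typing the two strings if needed. This hunk shows no other visible change on either side, so it is presumably a whitespace-only diff.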
...@@ -16,6 +16,7 @@ type cwe_module = { ...@@ -16,6 +16,7 @@ type cwe_module = {
let known_modules = [{cwe_func = Cwe_190.check_cwe; name = Cwe_190.name; version = Cwe_190.version; requires_pairs = false}; let known_modules = [{cwe_func = Cwe_190.check_cwe; name = Cwe_190.name; version = Cwe_190.version; requires_pairs = false};
{cwe_func = Cwe_215.check_cwe; name = Cwe_215.name; version = Cwe_215.version; requires_pairs = false}; {cwe_func = Cwe_215.check_cwe; name = Cwe_215.name; version = Cwe_215.version; requires_pairs = false};
{cwe_func = Cwe_243.check_cwe; name = Cwe_243.name; version = Cwe_243.version; requires_pairs = true}; {cwe_func = Cwe_243.check_cwe; name = Cwe_243.name; version = Cwe_243.version; requires_pairs = true};
{cwe_func = Cwe_248.check_cwe; name = Cwe_248.name; version = Cwe_248.version; requires_pairs = false};
{cwe_func = Cwe_332.check_cwe; name = Cwe_332.name; version = Cwe_332.version; requires_pairs = true}; {cwe_func = Cwe_332.check_cwe; name = Cwe_332.name; version = Cwe_332.version; requires_pairs = true};
{cwe_func = Cwe_367.check_cwe; name = Cwe_367.name; version = Cwe_367.version; requires_pairs = true}; {cwe_func = Cwe_367.check_cwe; name = Cwe_367.name; version = Cwe_367.version; requires_pairs = true};
{cwe_func = Cwe_426.check_cwe; name = Cwe_426.name; version = Cwe_426.version; requires_pairs = false}; {cwe_func = Cwe_426.check_cwe; name = Cwe_426.name; version = Cwe_426.version; requires_pairs = false};
......
...@@ -30,7 +30,7 @@ let get_symbol_name_from_jmp jmp symbols = ...@@ -30,7 +30,7 @@ let get_symbol_name_from_jmp jmp symbols =
| Goto _ | Ret _ | Int (_,_) -> assert(false) | Goto _ | Ret _ | Int (_,_) -> assert(false)
| Call destination -> begin | Call destination -> begin
match Call.target destination with match Call.target destination with
| Direct addr -> | Direct addr ->
begin begin
let symbol = List.find symbols ~f:(fun symbol -> match symbol.address with let symbol = List.find symbols ~f:(fun symbol -> match symbol.address with
| Some address -> addr = address | Some address -> addr = address
...@@ -52,7 +52,7 @@ Term.enum blk_t sub |> ...@@ -52,7 +52,7 @@ Term.enum blk_t sub |>
| _ -> None | _ -> None
end)) end))
let sub_calls_symbol prog sub symbol_name = let sub_calls_symbol prog sub symbol_name =
let symbol_struct = find_symbol prog symbol_name in let symbol_struct = find_symbol prog symbol_name in
match symbol_struct with match symbol_struct with
| Some s -> begin | Some s -> begin
...@@ -84,7 +84,7 @@ let call_finder = object ...@@ -84,7 +84,7 @@ let call_finder = object
end end
let transform_call_to_concrete_call (src_tid, dst_tid) symbols = let transform_call_to_concrete_call (src_tid, dst_tid) symbols =
match (get_symbol dst_tid symbols) with match (get_symbol dst_tid symbols) with
| Some symbol -> {call_site = src_tid; symbol_address = dst_tid; name = symbol.name} | Some symbol -> {call_site = src_tid; symbol_address = dst_tid; name = symbol.name}
| None -> assert(false) | None -> assert(false)
...@@ -114,11 +114,11 @@ let check_calls relevant_calls prog proj tid_map symbols check_func = ...@@ -114,11 +114,11 @@ let check_calls relevant_calls prog proj tid_map symbols check_func =
~f:(fun jmp -> if is_interesting_callsite jmp relevant_calls then ~f:(fun jmp -> if is_interesting_callsite jmp relevant_calls then
check_func proj prog sub blk jmp tid_map symbols)) check_func proj prog sub blk jmp tid_map symbols))
end) end)
let get_symbol_call_count_of_sub symbol_name sub prog = let get_symbol_call_count_of_sub symbol_name sub prog =
match find_symbol prog symbol_name with match find_symbol prog symbol_name with
| Some s -> begin | Some s -> begin
Seq.to_list (get_direct_callsites_of_sub sub) Seq.to_list (get_direct_callsites_of_sub sub)
|> List.filter ~f:(fun callsite -> |> List.filter ~f:(fun callsite ->
match Jmp.kind callsite with match Jmp.kind callsite with
| Goto _ | Ret _ | Int (_,_) -> false | Goto _ | Ret _ | Int (_,_) -> false
...@@ -129,3 +129,21 @@ let get_symbol_call_count_of_sub symbol_name sub prog = ...@@ -129,3 +129,21 @@ let get_symbol_call_count_of_sub symbol_name sub prog =
end end
| _ -> 0 | _ -> 0
let extract_direct_call_tid_from_block block =
let jmp_instructions = Term.enum jmp_t block in
Seq.fold jmp_instructions ~init:None ~f:(fun already_found instr ->
match already_found with
| Some(symb) -> Some(symb)
| None ->
match Jmp.kind instr with
| Goto _ | Ret _ | Int (_,_) -> None
| Call dst -> match Call.target dst with
| Direct tid ->
Some(tid)
| _ -> None)
let get_program_entry_points program =
let subfunctions = Term.enum sub_t program in
let entry_points = Seq.filter subfunctions ~f:(fun subfn -> Term.has_attr subfn Sub.entry_point) in
let main_fn = Seq.filter subfunctions ~f:(fun subfn -> "@main" = Tid.name (Term.tid subfn)) in
Seq.append main_fn entry_points
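Review bot: extract_direct_call_tid_from_block folds over every jump in the block but keeps only the first direct call it finds (`Some(symb) -> Some(symb)` discards later results), so a block with more than one direct call loses the others; `Seq.find_map` over the jumps expresses the same intent more directly, or the function should return the full list so that find_calls_and_throws does not miss a call. In get_program_entry_points, `"@main" = Tid.name (Term.tid subfn)` only works when the binary keeps the `main` symbol (stripped binaries will not), and `Seq.append main_fn entry_points` yields main twice if it also carries the Sub.entry_point attribute; deduplicating by tid would be cheap.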
...@@ -12,7 +12,7 @@ type symbol = { address : Bap.Std.tid option; name : string; } ...@@ -12,7 +12,7 @@ type symbol = { address : Bap.Std.tid option; name : string; }
(** Finds a symbol string in a program and returns its IR address (tid). *) (** Finds a symbol string in a program and returns its IR address (tid). *)
val find_symbol : Bap.Std.program Bap.Std.term -> string -> Bap.Std.tid option val find_symbol : Bap.Std.program Bap.Std.term -> string -> Bap.Std.tid option
(** builds a list of symbols from a list of strings for a given program (** builds a list of symbols from a list of strings for a given program
TODO: maybe another data structure like a hashmap would be better. *) TODO: maybe another data structure like a hashmap would be better. *)
val build_symbols : string list -> Bap.Std.program Bap.Std.term -> symbol list val build_symbols : string list -> Bap.Std.program Bap.Std.term -> symbol list
...@@ -60,3 +60,11 @@ val get_direct_callsites_of_sub : ...@@ -60,3 +60,11 @@ val get_direct_callsites_of_sub :
(** Returns call count of symbol in function *) (** Returns call count of symbol in function *)
val get_symbol_call_count_of_sub : string -> Bap.Std.Sub.t -> Bap.Std.Program.t -> int val get_symbol_call_count_of_sub : string -> Bap.Std.Sub.t -> Bap.Std.Program.t -> int
(** Returns Some(target tid) if the block contains a direct call or None if it does not. *)
val extract_direct_call_tid_from_block : Bap.Std.blk Bap.Std.term -> Bap.Std.tid option
(** Returns a sequence of all entry points of the program.
TODO: The _start entry point usually calls a libc-function which then calls the main function. Since right now only direct
calls are tracked, our graph traversal may never find the main function. For now, we add it by hand to the entry points. *)
val get_program_entry_points : Bap.Std.program Bap.Std.term -> Bap.Std.sub Bap.Std.term Bap.Std.Seq.t
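Review bot: The doc string for extract_direct_call_tid_from_block should say which call is returned when a block contains several direct calls (the implementation keeps the first one found), and the one for get_program_entry_points should mention that `main` is matched by symbol name and therefore not found in stripped binaries. Minor: the neighbouring signatures mix `Bap.Std.Sub.t`/`Bap.Std.Program.t` with `Bap.Std.sub Bap.Std.term`/`Bap.Std.program Bap.Std.term` for the same types; one spelling per file reads more consistently.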
#include <iostream>
using namespace std;
void throw_exception(int i) {
cout<< " Throwing exception "<< i << endl;
throw i;
}
void do_catch(int i) {
try {
throw i;
}
catch(int error) {
cout<<"Exception " << i << "successfully catched."<<endl;
}
}
void maybe_catch(int i) {
if(i<42) {
try {
throw_exception(i);
}
catch(int errror) {
// Yay, catched.
cout<<"Exception " << i << " successfully catched."<<endl;
}
}
else {
// We don't catch anything here.
throw_exception(i);
}
}
int main() {
cout<<"Enter a number." <<endl;
int i;
cin >> i;
maybe_catch(i);
do_catch(i);
// For good measure, just throw an exception here.
throw (i+20);
}
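Review bot: A comment stating the expected findings is missing from this acceptance sample. Given the traversal in cwe_248.ml, the only throw that should be reported is `throw (i+20)` in main: maybe_catch and do_catch both contain a catch block, so the traversal stops at them, and the throw inside throw_exception (reached uncaught through the else branch of maybe_catch) will not be flagged, which makes this sample also a useful documented false negative. Small text fixes: the output in do_catch is missing a space before "successfully", and "catched"/"errror" should be "caught"/"error".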
#!/bin/bash #!/bin/bash
echo "Installing cross compiler for ARM architecture." echo "Installing cross compiler for ARM architecture."
sudo apt install -y gcc-arm-linux-gnueabi sudo apt install -y gcc-multilib-arm-linux-gnueabi g++-arm-linux-gnueabi
echo "Installing cross compiler for MIPS architecture." echo "Installing cross compiler for MIPS architecture."
sudo apt install -y gcc-mips-linux-gnu sudo apt install -y gcc-multilib-mips-linux-gnu g++-7-mips-linux-gnu
echo "Installing cross compiler for PPC architecture." echo "Installing cross compiler for PPC architecture."
sudo apt install -y gcc-powerpc-linux-gnu sudo apt install -y gcc-multilib-powerpc-linux-gnu g++-7-powerpc-linux-gnu
echo "Done." echo "Done."
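Review bot: The package names are inconsistent across architectures: MIPS and PPC install the versioned `g++-7-mips-linux-gnu`/`g++-7-powerpc-linux-gnu`, while ARM installs the unversioned `g++-arm-linux-gnueabi`, yet the Makefile hunk below sets `CPP_ARM=arm-linux-gnueabi-g++-7`. If the unversioned package does not pull in the `-7` binary on the target distribution, the ARM C++ build fails; installing `g++-7-arm-linux-gnueabi` here (or using the unversioned compiler name in the Makefile) keeps the two in step.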
...@@ -4,9 +4,15 @@ CC_ARM=arm-linux-gnueabi-gcc-7 ...@@ -4,9 +4,15 @@ CC_ARM=arm-linux-gnueabi-gcc-7
CC_MIPS=mips-linux-gnu-gcc-7 CC_MIPS=mips-linux-gnu-gcc-7
CC_PPC=powerpc-linux-gnu-gcc-7 CC_PPC=powerpc-linux-gnu-gcc-7
CPP_x64=g++
CPP_X86=g++
CPP_ARM=arm-linux-gnueabi-g++-7
CPP_MIPS=mips-linux-gnu-g++-7
CPP_PPC=powerpc-linux-gnu-g++-7
CFLAGS_X64=-O0 -g -fno-stack-protector CFLAGS_X64=-O0 -g -fno-stack-protector
CFLAGS_X86=-O0 -g -m32 -fno-stack-protector CFLAGS_X86=-O0 -g -m32 -fno-stack-protector
CFLAGS_ARM=-O0 -g -fno-stack-protector CFLAGS_ARM=-O0 -g -fno-stack-protector
CFLAGS_MIPS=-O0 -g -fno-stack-protector CFLAGS_MIPS=-O0 -g -fno-stack-protector
CFLAGS_PPC=-O0 -g -fno-stack-protector CFLAGS_PPC=-O0 -g -fno-stack-protector
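Review bot: `CPP_x64` uses a lowercase `x` while every other new variable is spelled `CPP_X86`, `CPP_ARM` and so on; `CPP_X64` avoids a confusing near-duplicate name. Also, `CPP` conventionally denotes the C preprocessor in make, so `CXX_*` is the usual spelling for C++ compilers, and the C++ targets reuse `CFLAGS_*` rather than a `CXXFLAGS_*` set, which is fine for now but worth a comment since `-O0 -g -fno-stack-protector` are deliberate test-sample settings.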
...@@ -16,30 +22,60 @@ define compile_x64 ...@@ -16,30 +22,60 @@ define compile_x64
execstack -s build/$(1)_x64.out execstack -s build/$(1)_x64.out
endef endef
define compile_x64_cpp
@echo "Compiling x64 target:" $(1)
$(CPP_x64) $(CFLAGS_X64) -o build/$(1)_x64.out $(1).cpp
execstack -s build/$(1)_x64.out
endef
define compile_x86 define compile_x86
@echo "Compiling x86 target:" $(1) @echo "Compiling x86 target:" $(1)
$(CC_X86) $(CFLAGS_X86) -o build/$(1)_x86.out $(1).c $(CC_X86) $(CFLAGS_X86) -o build/$(1)_x86.out $(1).c
execstack -s build/$(1)_x86.out execstack -s build/$(1)_x86.out
endef endef
define compile_x86_cpp
@echo "Compiling x86 target:" $(1)
$(CPP_X86) $(CFLAGS_X86) -o build/$(1)_x86.out $(1).cpp
execstack -s build/$(1)_x86.out
endef
define compile_mips define compile_mips
@echo "Compiling mips target:" $(1) @echo "Compiling mips target:" $(1)
$(CC_MIPS) $(CFLAGS_MIPS) -o build/$(1)_mips.out $(1).c $(CC_MIPS) $(CFLAGS_MIPS) -o build/$(1)_mips.out $(1).c
execstack -s build/$(1)_mips.out execstack -s build/$(1)_mips.out
endef endef
define compile_mips_cpp
@echo "Compiling mips target:" $(1)
$(CPP_MIPS) $(CFLAGS_MIPS) -o build/$(1)_mips.out $(1).cpp
execstack -s build/$(1)_mips.out
endef
define compile_arm define compile_arm
@echo "Compiling arm target:" $(1) @echo "Compiling arm target:" $(1)
$(CC_ARM) $(CFLAGS_ARM) -o build/$(1)_arm.out $(1).c $(CC_ARM) $(CFLAGS_ARM) -o build/$(1)_arm.out $(1).c
execstack -s build/$(1)_arm.out execstack -s build/$(1)_arm.out
endef endef
define compile_arm_cpp
@echo "Compiling arm target:" $(1)
$(CPP_ARM) $(CFLAGS_ARM) -o build/$(1)_arm.out $(1).cpp
execstack -s build/$(1)_arm.out
endef
define compile_ppc define compile_ppc
@echo "Compiling ppc target:" $(1) @echo "Compiling ppc target:" $(1)
$(CC_PPC) $(CFLAGS_PPC) -o build/$(1)_ppc.out $(1).c $(CC_PPC) $(CFLAGS_PPC) -o build/$(1)_ppc.out $(1).c
execstack -s build/$(1)_ppc.out execstack -s build/$(1)_ppc.out
endef endef
define compile_ppc_cpp
@echo "Compiling ppc target:" $(1)
$(CPP_PPC) $(CFLAGS_PPC) -o build/$(1)_ppc.out $(1).cpp
execstack -s build/$(1)_ppc.out
endef
define compile_all define compile_all
$(shell mkdir -p "build") $(shell mkdir -p "build")
$(call compile_x64,$(1)) $(call compile_x64,$(1))
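Review bot: The five `compile_*_cpp` defines duplicate the existing `compile_*` bodies except for the compiler variable and the `.cpp` extension; a single define parametrised by compiler variable and source extension would prevent the two sets drifting apart, since the echo strings and the `execstack -s` calls already have to be kept in sync by hand.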
...@@ -49,23 +85,31 @@ define compile_all ...@@ -49,23 +85,31 @@ define compile_all
$(call compile_ppc,$(1)) $(call compile_ppc,$(1))
endef endef
define compile_all_cpp
$(shell mkdir -p "build")
$(call compile_x64_cpp,$(1))
$(call compile_arm_cpp,$(1))
$(call compile_mips_cpp,$(1))
$(call compile_ppc_cpp,$(1))
endef
all: all:
$(call compile_all,c_constructs) $(call compile_all,c_constructs)
$(call compile_all,cwe_190) $(call compile_all,cwe_190)
$(call compile_all,cwe_243) $(call compile_all,cwe_243)
$(call compile_all,cwe_243_clean) $(call compile_all,cwe_243_clean)
$(call compile_all_cpp,cwe_248)
$(call compile_all,cwe_332) $(call compile_all,cwe_332)
$(call compile_all,cwe_367) $(call compile_all,cwe_367)
$(call compile_all,cwe_415) $(call compile_all,cwe_415)
$(call compile_all,cwe_426) $(call compile_all,cwe_426)
$(call compile_all,cwe_457) $(call compile_all,cwe_457)
$(call compile_all,cwe_467) $(call compile_all,cwe_467)
$(call compile_all,cwe_476) $(call compile_all,cwe_476)
$(call compile_all,cwe_478) $(call compile_all,cwe_478)
$(call compile_x64,cwe_782) $(call compile_x64,cwe_782)
$(call compile_all,arrays) $(call compile_all,arrays)
$(call compile_all,memory_access) $(call compile_all,memory_access)
clean: clean:
rm -rf build rm -rf build
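Review bot: compile_all_cpp omits x86, although `compile_x86_cpp` is defined in the previous hunk and is otherwise unused; if the 32-bit C++ build is skipped on purpose (the install script installs no 32-bit C++ runtime), say so in a comment, otherwise add `$(call compile_x86_cpp,$(1))` so cwe_248 is built for the same architectures as the C samples.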
...@@ -22,6 +22,10 @@ function run_arch() { ...@@ -22,6 +22,10 @@ function run_arch() {
printf_new printf_new
bap artificial_samples/build/cwe_243_clean_$1.out --pass=callsites,cwe-checker --cwe-checker-config=../src/config.json bap artificial_samples/build/cwe_243_clean_$1.out --pass=callsites,cwe-checker --cwe-checker-config=../src/config.json
printf_new printf_new
echo "cwe_248_$1"
printf_new
bap artificial_samples/build/cwe_248_$1.out --pass=callsites,cwe-checker --cwe-checker-config=../src/config.json
printf_new
echo "cwe_323_$1" echo "cwe_323_$1"
printf_new printf_new
bap artificial_samples/build/cwe_332_$1.out --pass=callsites,cwe-checker --cwe-checker-config=../src/config.json bap artificial_samples/build/cwe_332_$1.out --pass=callsites,cwe-checker --cwe-checker-config=../src/config.json
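Review bot: The label in the context line just below the added block prints `cwe_323_$1` while the command runs `cwe_332_$1.out`; the mismatch looks like a typo worth fixing in the same change, since the new `cwe_248_$1` echo is correct and the acceptance output is otherwise read by label.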
......