Its main focus is ELF binaries, the executable format commonly found on Linux and Unix operating systems. *cwe_checker* is built on top of [BAP](https://github.com/BinaryAnalysisPlatform/bap) (Binary Analysis Platform). Using BAP means the tool is not tied to a single low-level instruction set architecture such as Intel x86: BAP lifts several of them to one common intermediate representation (IR), and cwe_checker implements its analyses on that IR. At the time of writing, BAP 1.5 supports Intel x86/x64, ARM, MIPS, and PPC, amongst others, which makes *cwe_checker* a valuable tool for firmware analysis.
*cwe_checker* has a modular architecture that makes it easy to add new analyses. So far the following analyses are implemented:
- [CWE-190](https://cwe.mitre.org/data/definitions/190.html): Integer Overflow or Wraparound
- [CWE-215](https://cwe.mitre.org/data/definitions/215.html): Information Exposure Through Debug Information
- [CWE-243](https://cwe.mitre.org/data/definitions/243.html): Creation of chroot Jail Without Changing Working Directory
- [CWE-332](https://cwe.mitre.org/data/definitions/332.html): Insufficient Entropy in PRNG
- [CWE-676](https://cwe.mitre.org/data/definitions/676.html): Use of Potentially Dangerous Function
- [CWE-782](https://cwe.mitre.org/data/definitions/782.html): Exposed IOCTL with Insufficient Access Control
Please note that some of the above analyses are only partially implemented at the moment. Furthermore, false positives are to be expected, both because of shortcuts taken in the implementation and because of the inherent limits of static analysis.
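As an added illustration (example code written for this page, not part of cwe_checker or its test suite), the C file below contains the source-level patterns behind four of the checks listed above, each placed beside a hardened variant. Compiling it to an ELF binary and running cwe_checker on the result gives you a small target on which to see which of these functions a given version reports. The function names and the sample inputs in `main` are invented for the example, and which exact library symbols a cwe_checker build matches (and therefore which functions it flags) is an assumption that depends on its `config.json`.

```c
/* Added example, not part of cwe_checker: one C file containing the code
 * patterns behind four of the checks above, each beside a hardened variant.
 * Build it into an ELF binary (gcc -O0 -o cwe_demo cwe_demo.c) and run
 * cwe_checker on it; the exact library symbols a given cwe_checker version
 * matches are an assumption here and are set in config.json. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* CWE-190: count * size can wrap around before reaching malloc(), so an
 * attacker-chosen count yields a tiny allocation and a later heap overflow. */
void *alloc_records_insecure(size_t count, size_t size)
{
    return malloc(count * size);
}

/* Hardened: refuse the request if the product would wrap. */
void *alloc_records_secure(size_t count, size_t size)
{
    if (size != 0 && count > SIZE_MAX / size)
        return NULL;
    return malloc(count * size);
}

/* CWE-243: chroot() without a following chdir("/") leaves the working
 * directory outside the jail, so relative paths such as ../../etc still escape. */
int jail_insecure(const char *dir)
{
    return chroot(dir) == 0 ? 0 : -1;
}

/* Hardened: enter the directory, chroot there, then chdir("/"). chroot needs
 * CAP_SYS_CHROOT, so an unprivileged caller gets -1 with errno == EPERM. */
int jail_secure(const char *dir)
{
    if (chdir(dir) != 0 || chroot(".") != 0 || chdir("/") != 0)
        return -1;
    return 0;
}

/* CWE-332: rand() seeded from the clock has only a few bits of entropy, so a
 * token built from it is guessable by anyone who knows roughly when it was made. */
int token_insecure(unsigned char *out, size_t len)
{
    srand((unsigned)time(NULL));
    for (size_t i = 0; i < len; i++)
        out[i] = (unsigned char)(rand() & 0xff);
    return 0;
}

/* Hardened: take the bytes from the kernel CSPRNG instead. */
int token_secure(unsigned char *out, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(out, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* CWE-676: strcpy() takes no length, so a long name overflows buf. */
int copy_name_insecure(char *buf, size_t buflen, const char *name)
{
    (void)buflen;                      /* the bound is never consulted */
    strcpy(buf, name);
    return 0;
}

/* Hardened: bounded copy that reports truncation instead of overflowing. */
int copy_name_secure(char *buf, size_t buflen, const char *name)
{
    if (buflen == 0)
        return -1;
    int n = snprintf(buf, buflen, "%s", name);
    return (n >= 0 && (size_t)n < buflen) ? 0 : -1;
}

int main(void)
{
    unsigned char tok[16];
    char name[8];
    void *p = alloc_records_secure(SIZE_MAX / 2, 4);  /* wraps: must be NULL */
    if (p != NULL || token_secure(tok, sizeof tok) != 0)
        return 1;
    if (copy_name_secure(name, sizeof name, "a-much-too-long-name") != 0)
        puts("name truncated, as intended");
    if (jail_secure("/") != 0)
        printf("chroot failed: %s (expected without CAP_SYS_CHROOT)\n",
               strerror(errno));
    return 0;
}
```

Compile without optimisation so the calls are not inlined or folded away, then point cwe_checker at the binary. Keep in mind that the hardened variants still call `malloc`, `chroot` and friends, so a symbol-based check may report them as well; that is the kind of false positive the note above warns about.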
![](https://github.com/fkie-cad/cwe_checker/raw/master/doc/images/example_ida_anotation.png "IDA Pro annotation")
## Why use cwe_checker? ##
The following arguments should convince you to give *cwe_checker* a try:
- it is very easy to set up, just build the Docker container!
- it analyzes ELF binaries of several CPU architectures including x86, ARM, MIPS, and PPC
- it is extensible due to its plugin-based architecture
- it is configurable, e.g. apply analyses to new APIs
- view results annotated in IDA Pro
- *cwe_checker* can be integrated as a plugin into [FACT](https://github.com/fkie-cad/FACT_core)
## How to install cwe_checker? ##
There are three ways to install cwe_checker. The recommended way is to get cwe_checker from the OCaml package manager opam. You can install cwe_checker via the package [fkie-cad-cwe-checker](https://opam.ocaml.org/packages/fkie-cad-cwe-checker/) (`opam install fkie-cad-cwe-checker`).
The second way is to use the installation script `install.sh`, which is just a wrapper around Docker. Make sure to have the latest version of Docker.

The third way is to build it using the provided `Makefile`. In this case you must ensure that all dependencies are fulfilled:
- OCaml 4.05.0
- opam 1.2.2
- BAP 1.5 (and its dependencies)
- yojson 1.4.1
- alcotest 0.8.3
- Sark for IDA Pro annotations
Just run `make all` to compile and register the plugin with BAP.
## How to use cwe_checker? ##
The usage is straightforward: adjust the `config.json` (if needed) and call BAP with *cwe_checker* as a pass.