BinAbsInspector: Vulnerability Scanner for Binaries
What is BinAbsInspector?
BinAbsInspector (Binary Abstract Inspector) is a static analyzer for automated reverse engineering and scanning vulnerabilities in binaries, which is a long-term research project incubated at Keenlab. It is based on abstract interpretation with support from Ghidra. It works on Ghidra’s Pcode instead of assembly. Currently, it supports binaries on x86,x64, armv7, and aarch64.
Implemented Checkers
So far BinAbsInspector supports the following checkers:
- CWE78 (OS Command Injection)
- CWE119 (Buffer Overflow (generic case))
- CWE125 (Buffer Overflow (Out-of-bounds Read))
- CWE134 (Use of Externally-Controlled Format string)
- CWE190 (Integer overflow or wraparound)
- CWE367 (Time-of-check Time-of-use (TOCTOU))
- CWE415 (Double free)
- CWE416 (Use After Free)
- CWE426 (Untrusted Search Path)
- CWE467 (Use of sizeof() on a pointer type)
- CWE476 (NULL Pointer Dereference)
- CWE676 (Use of Potentially Dangerous Function)
- CWE787 (Buffer Overflow (Out-of-bounds Write))
Usage
You can run BinAbsInspector in headless mode, GUI mode, or with docker.
- With Ghidra headless mode.
$GHIDRA_INSTALL_DIR/support/analyzeHeadless <projectPath> <projectName> -import <file> -postScript BinAbsInspector “@@<scriptParams>”
<projectPath> — Ghidra project path.
<projectName> — Ghidra project name.
<scriptParams> — The argument for our analyzer provides the following options:
| Parameter | Description |
|---|---|
| [-K <kElement>] | KSet size limit K |
| [-callStringK <callStringMaxLen>] | Call string maximum length K |
| [-Z3Timeout <timeout>] | Z3 timeout |
| [-timeout <timeout>] | Analysis timeout |
| [-entry <address>] | Entry address |
| [-externalMap <file>] | External function model config |
| [-json] | Output in json format |
| [-disableZ3] | Disable Z3 |
| [-all] | Enable all checkers (by default) |
| [-debug] | Enable debugging log output |
| [-check “<cweNo1>[;<cweNo2>…]”] | Enable specific checkers |
-
With Ghidra GUI
- Run Ghidra and import the target binary into a project
- Analyze the binary with default settings
- When the analysis is done, open Window -> Script Manager and find BinAbsInspector.java
- Double-click on the BinAbsInspector.java entry, set the parameters in the configuration window, and click OK
- When the analysis is done, you can see the CWE reports in a console window, double-click the addresses from the report can jump to the corresponding address
-
With Docker
Installation
Copyright (C) 2022 KeenSecurityLab
