BinAbsInspector: Vulnerability Scanner for Binaries

Binaries Vulnerability Scanner

What is BinAbsInspector?

BinAbsInspector (Binary Abstract Inspector) is a static analyzer for automated reverse engineering and vulnerability scanning of binaries. It is a long-term research project incubated at Keen Security Lab (Keenlab). The analysis is based on abstract interpretation and is built on top of Ghidra: it works on Ghidra's P-code rather than on raw assembly, so the analysis itself does not depend on the source instruction set. Currently it supports x86, x64, armv7, and aarch64 binaries.

Implemented Checkers

So far BinAbsInspector supports the following checkers:

  • CWE78 (OS Command Injection)
  • CWE119 (Buffer Overflow (generic case))
  • CWE125 (Buffer Overflow (Out-of-bounds Read))
  • CWE134 (Use of Externally-Controlled Format string)
  • CWE190 (Integer overflow or wraparound)
  • CWE367 (Time-of-check Time-of-use (TOCTOU))
  • CWE415 (Double free)
  • CWE416 (Use After Free)
  • CWE426 (Untrusted Search Path)
  • CWE467 (Use of sizeof() on a pointer type)
  • CWE476 (NULL Pointer Dereference)
  • CWE676 (Use of Potentially Dangerous Function)
  • CWE787 (Buffer Overflow (Out-of-bounds Write))

Usage

You can run BinAbsInspector in Ghidra headless mode, from the Ghidra GUI, or from Docker.

  • With Ghidra headless mode.

$GHIDRA_INSTALL_DIR/support/analyzeHeadless <projectPath> <projectName> -import <file> -postScript BinAbsInspector "@@<scriptParams>"

<projectPath> — Ghidra project path.
<projectName> — Ghidra project name.
<scriptParams> — arguments for the analyzer, passed as one "@@"-prefixed string; the following options are available:

Parameter                          Description
[-K <kElement>]                    KSet size limit K
[-callStringK <callStringMaxLen>]  Call string maximum length K
[-Z3Timeout <timeout>]             Z3 solver timeout
[-timeout <timeout>]               Analysis timeout
[-entry <address>]                 Entry address
[-externalMap <file>]              External function model config
[-json]                            Output in JSON format
[-disableZ3]                       Disable Z3
[-all]                             Enable all checkers (the default)
[-debug]                           Enable debugging log output
[-check "<cweNo1>[;<cweNo2>...]"]  Enable only the listed checkers (semicolon-separated)

  • With Ghidra GUI

    1. Run Ghidra and import the target binary into a project
    2. Analyze the binary with default settings
    3. When the analysis is done, open Window -> Script Manager and find BinAbsInspector.java
    4. Double-click on the BinAbsInspector.java entry, set the parameters in the configuration window, and click OK
    5. When the analysis is done, the CWE reports are printed in the console window; double-clicking an address in a report jumps to that address in the listing
  • With Docker

    git clone git@github.com:KeenSecurityLab/BinAbsInspector.git
    
    cp BinAbsInspector/Dockerfile ./
    docker build . -t bai
    docker run -v "$(pwd):/data/workspace" bai "@@<script parameters>" -import <file>

    The current directory is mounted into the container as /data/workspace, so the target binary given to -import must live under that directory.

     

Installation

Copyright (C) 2022 KeenSecurityLab