cwe_checker

cwe_checker is a suite of tools to detect common bug classes such as use of dangerous functions and simple integer overflows. These bug classes are formally known as Common Weakness Enumerations (CWEs). Its main goal is to aid analysts to quickly find vulnerable code paths.

Its main focus are ELF binaries that are commonly found on Linux and Unix operating systems. cwe_checker is built on top of BAP(Binary Analysis Platform). By using BAP, we are not restricted to one low level instruction set architectures like Intel x86. BAP lifts several of them to one common intermediate representation (IR). cwe_checker implements its analyses on this IR. At time of writing, BAP 1.6 supports Intel x86/x64, ARM, MIPS, and PPC amongst others. Hence, this makes cwe_checker a valuable tool for firmware analysis.

cwe_checker implements a modular architecture that allows to add new analyses with ease. So far the following analyses are implemented across several BAP plugins:

• CWE-125: Out-of-bounds read (via emulation)
• CWE-190: Integer Overflow or Wraparound
• CWE-215: Information Exposure Through Debug Information
• CWE-243: Creation of chroot Jail Without Changing Working Directory
• CWE-248: Uncaught Exception
• CWE-332: Insufficient Entropy in PRNG
• CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
• CWE-415: Double Free (via emulation)
• CWE-416: Use After Free (UAF) (via emulation)
• CWE-426: Untrusted Search Path
• CWE-457: Use of Uninitialized Variable
• CWE-467: Use of sizeof() on a Pointer Type
• CWE-476: NULL Pointer Dereference
• CWE-560: Use of umask() with chmod-style Argument
• CWE-676: Use of Potentially Dangerous Function
• CWE-782: Exposed IOCTL with Insufficient Access Control
• CWE-787: Out-of-bounds Write (via emulation)

cwe_checker comes with a script called cwe_checker_to_ida, which parses the output of cwe_checker and generates an IDAPython script. This script annotates the found CWEs in IDA Pro, which helps during the manual analysis of a binary. The colors represent the severeness of the found issues (yellow, orange, or red). The following screenshot shows some results:

Why use cwe_checker?

The following arguments should convince you to give cwe_checker a try:

• it is very easy to set up, just build the Docker container!
• it analyzes ELF binaries of several CPU architectures including x86, ARM, MIPS, and PPC
• it is extensible due to its plugin-based architecture
• it is configurable, e.g. apply analyses to new APIs
• view results annotated in IDA Pro
• cwe_checker can be integrated as a plugin into FACT

Changelog v0.7

Version 0.7 contains many small enhancements and bugfixes to improve precision and stability of the analysis. We also improved the internal code organization to make it easier to use the cwe_checker as a library instead of a standalone program.

Other highlights include:

• A new check for CWE-789: Memory Allocation with Excessive Size Value
• The checks for CWE-119: Buffer Overflow and CWE-416: Use After Free now include even more meta-information in the JSON output of their CWE warnings: Now functions and calls relevant to the CWE warning are emitted to help with subsequent manual or automatic verification.

Install && Use

Copyright (C) 2018 fkie-cad