Crate cwe_checker_lib
The main library of the cwe_checker containing all CWE checks and analysis modules.
What is the cwe_checker
The cwe_checker is a tool for finding common bug classes in binaries using static analysis. These bug classes are formally known as Common Weakness Enumerations (CWEs). Its main goal is to help analysts quickly find potentially vulnerable code paths.
Currently its main focus is ELF binaries, which are commonly found on Linux and Unix operating systems. The cwe_checker uses Ghidra to disassemble binaries into one common intermediate representation and implements its own analyses on this IR. Hence, the analyses can be run on most CPU architectures that Ghidra can disassemble, which makes the cwe_checker a valuable tool for firmware analysis.
Usage
If the cwe_checker is installed locally, just run
cwe_checker BINARY
If you want to use the official docker image, you have to mount the input binary into the docker container, e.g.
docker run --rm -v $(pwd)/BINARY:/input ghcr.io/fkie-cad/cwe_checker /input
One can modify the behaviour of the cwe_checker through the command line. Use the --help command line option for more information.
One can also provide a custom configuration file to modify the behaviour of each check through the --config command line option. Start by taking a look at the standard configuration file located at src/config.json and read the check-specific documentation for more details about each field in the configuration file.
There is experimental support for the analysis of Linux loadable kernel modules (LKMs). cwe_checker will recognize if you pass an LKM and will execute a subset of the CWE checks available for user-space programs. Analyses are configurable via a separate configuration file at src/lkm_config.json.
For bare-metal binaries
The cwe_checker offers experimental support for analyzing bare-metal binaries.
For that, one needs to provide a bare-metal configuration file via the --bare-metal-config command line option.
An example of such a configuration file can be found at bare_metal/stm32f407vg.json (which was created and tested for an STM32F407VG MCU).
For more information on the necessary fields of the configuration file and the memory model assumed when analyzing bare-metal binaries, see the configuration struct documentation.
Integration into other tools
Integration into Ghidra
To import the results of the cwe_checker as bookmarks and end-of-line comments into Ghidra, one can use the Ghidra script located at ghidra_plugin/cwe_checker_ghidra_plugin.py.
Detailed usage instructions are contained in the file.
Integration into FACT
FACT already contains a ready-to-use cwe_checker plugin, which lets you run the cwe_checker and view its results through the FACT user interface.
Further documentation
You can find out more information about each check, including known false positives and false negatives, by reading the check-specific module documentation in the checkers module.
Modules
- This module defines traits describing general properties of abstract domains as well as several abstract domain types implementing these traits.
- Modules necessary for graph-based and fixpoint-based analyses, as well as analyses depending on these modules.
- The implemented CWE checks. See their module descriptions for detailed information about each check.
- This module defines the intermediate representation used to represent a binary and all its contained executable code.
- Types to describe Ghidra P-Code and functions to translate it to the internally used intermediate representation.
- This module contains functions and structs helpful for building a complete analysis pipeline starting from the binary file path.
- This module contains various utility modules and helper functions.
Structs
- A structure containing general information about a CWE analysis module, including the function to be called to run the analysis.
Functions
- Get a list of all known analysis modules.
Type Aliases
- The generic function signature for the main function of a CWE module
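As an added illustration of the registry pattern these three items describe (a struct carrying a module's name, version and entry point; one function returning all known modules; one shared function signature for every check), here is a self-contained Rust model. It is not cwe_checker_lib's own code: the shapes of AnalysisResults, Config and CweWarning, the field names, the config key dangerous_symbols, and the two toy checks are assumptions made for this example, and the sample input is constructed.

```rust
// Added example modelling a registry of CWE checks that share one entry-point
// signature. Not cwe_checker_lib's code; all types and fields are assumptions.
use std::collections::HashMap;

/// Stand-in for the analysis results every check receives (assumed shape).
pub struct AnalysisResults {
    /// Imported symbols the binary calls (constructed sample input).
    pub called_symbols: Vec<String>,
}

/// Stand-in for the per-check section of a config.json-style file (assumed).
pub type Config = HashMap<String, Vec<String>>;

/// A finding reported by a check.
#[derive(Debug, Clone, PartialEq)]
pub struct CweWarning {
    pub name: String,
    pub version: String,
    pub description: String,
}

/// The signature every CWE module's main function must have (assumed).
pub type CweModuleFn = fn(&AnalysisResults, &Config) -> Vec<CweWarning>;

/// General information about a CWE module, including the function that runs it.
pub struct CweModule {
    pub name: &'static str,
    pub version: &'static str,
    pub run: CweModuleFn,
}

/// Toy CWE-676 style check: flag calls to symbols listed under the
/// (assumed) config key "dangerous_symbols".
fn check_dangerous_functions(results: &AnalysisResults, config: &Config) -> Vec<CweWarning> {
    let dangerous = config.get("dangerous_symbols").cloned().unwrap_or_default();
    results
        .called_symbols
        .iter()
        .filter(|s| dangerous.iter().any(|d| d == *s))
        .map(|s| CweWarning {
            name: "CWE676".into(),
            version: "0.1".into(),
            description: format!("Use of potentially dangerous function {}", s),
        })
        .collect()
}

/// Toy CWE-243 style check: a chroot jail set up without any chdir call.
fn check_chroot_without_chdir(results: &AnalysisResults, _config: &Config) -> Vec<CweWarning> {
    let calls = &results.called_symbols;
    let uses_chroot = calls.iter().any(|s| s == "chroot");
    let uses_chdir = calls.iter().any(|s| s == "chdir");
    if uses_chroot && !uses_chdir {
        vec![CweWarning {
            name: "CWE243".into(),
            version: "0.1".into(),
            description: "chroot jail created without a chdir call".into(),
        }]
    } else {
        Vec::new()
    }
}

/// Get a list of all known analysis modules.
pub fn get_modules() -> Vec<CweModule> {
    vec![
        CweModule { name: "CWE676", version: "0.1", run: check_dangerous_functions },
        CweModule { name: "CWE243", version: "0.1", run: check_chroot_without_chdir },
    ]
}

/// Run only the modules whose names are enabled (as a config file would select
/// them) and collect every warning they produce.
pub fn run_enabled(enabled: &[&str], results: &AnalysisResults, config: &Config) -> Vec<CweWarning> {
    get_modules()
        .into_iter()
        .filter(|m| enabled.contains(&m.name))
        .flat_map(|m| (m.run)(results, config))
        .collect()
}

/// Constructed sample input: a binary importing these four symbols.
pub fn sample_results() -> AnalysisResults {
    AnalysisResults {
        called_symbols: ["chroot", "strcpy", "printf", "gets"].iter().map(|s| s.to_string()).collect(),
    }
}

/// Constructed sample configuration for the toy CWE-676 check.
pub fn sample_config() -> Config {
    let mut config = Config::new();
    config.insert("dangerous_symbols".into(), vec!["strcpy".into(), "gets".into(), "sprintf".into()]);
    config
}

fn main() {
    let (results, config) = (sample_results(), sample_config());
    for w in run_enabled(&["CWE676", "CWE243"], &results, &config) {
        println!("[{} {}] {}", w.name, w.version, w.description);
    }
}
```

Keeping every check behind one function-pointer type is what lets a driver iterate over the registry and select checks by name from a configuration file, which is the shape the Usage section's --config option implies.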