BinAbsInspector - Static Analysis Tool for Binary Vulnerability Detection

BinAbsInspector (Binary Abstract Inspector) is a static analysis tool designed for reverse engineering and identifying vulnerabilities in binary files.

Developed by Keenlab, it leverages Ghidra's Pcode for analysis rather than assembly, making it a powerful extension for automated vulnerability detection. It supports multiple architectures, including x86, x64, ARMv7, and AArch64.

Features

  • Static Analysis: Automates reverse engineering and vulnerability scanning.

  • Abstract Interpretation: Works with Ghidra's Pcode to analyze binaries.

  • Multi-Architecture Support: Compatible with x86, x64, ARMv7, and AArch64 binaries.

  • Vulnerability Detection: Includes checkers for common vulnerabilities (e.g., buffer overflows, integer overflows, command injection).

Installation

Prerequisites

  1. Ghidra: Install as per Ghidra's official documentation.

  2. Z3 Solver (tested version: 4.8.15):

    • Windows:

      • Download the pre-built package from the Z3 release page.

      • Extract the ZIP file and add z3-${version}-win/bin to the PATH environment variable.

    • Linux:

      • Avoid using package managers.

      • Option 1: Download a pre-built package, extract it, and copy *.so files to /usr/local/lib/.

      • Option 2: Build Z3 manually using GCC/Clang.

    • MacOS: Follow the Linux steps.

  3. Java Development Kit (JDK): JDK 11 or later is required.

Installing BinAbsInspector

  1. Download the extension ZIP file from the GitHub release page.

  2. Open Ghidra and navigate to File -> Install Extensions.

  3. Add the downloaded BinAbsInspector extension and confirm installation.

Building the Extension

If you wish to develop new features:

  1. Install Gradle 7.x (tested version: 7.4).

  2. Clone the repository:

git clone https://github.com/KeenSecurityLab/BinAbsInspector.git

  3. Build the extension:

gradle buildExtension

  4. The built extension will be available at dist/${GhidraVersion}_${date}_BinAbsInspector.zip.

Usage

BinAbsInspector can be run in three modes: Headless, GUI, or Docker.

1. Ghidra Headless Mode

Run the following command:

$GHIDRA_INSTALL_DIR/support/analyzeHeadless <projectPath> <projectName> -import <file> -postScript BinAbsInspector "@@<scriptParams>"

  • <projectPath>: Path to the Ghidra project.

  • <projectName>: Name of the Ghidra project.

  • <scriptParams>: Parameters for analysis (see below).

Script Parameters

Parameter                                Description
[-K <kElement>]                          KSet size limit K
[-callStringK <callStringMaxLen>]        Call string maximum length K
[-Z3Timeout <timeout>]                   Z3 timeout
[-timeout <timeout>]                     Analysis timeout
[-entry <address>]                       Entry address
[-externalMap <file>]                    External function model config
[-json]                                  Output results in JSON format
[-disableZ3]                             Disable Z3 solver
[-all]                                   Enable all checkers
[-debug]                                 Enable debugging log output
[-check "<cweNo1>[;<cweNo2>...]"]        Enable specific CWE checkers

2. Ghidra GUI Mode

  1. Open Ghidra and import the target binary into a project.

  2. Analyze the binary with default settings.

  3. Navigate to Window -> Script Manager, locate BinAbsInspector.java, and double-click it.

  4. Configure parameters in the dialog box and start the analysis.

  5. View CWE reports in the console window; double-clicking an address in the report will navigate to it in Ghidra.

3. Docker Mode

  1. Clone the repository:

git clone https://github.com/KeenSecurityLab/BinAbsInspector.git

  2. Build the Docker image:

docker build . -t bai

  3. Run BinAbsInspector with Docker:

docker run -v $(pwd):/data/workspace bai "@@<script parameters>" -import <file>

Implemented Checkers

BinAbsInspector supports detection of several Common Weakness Enumerations (CWEs), including:

  • CWE78: OS Command Injection

  • CWE119: Buffer Overflow (Generic)

  • CWE125: Out-of-Bounds Read

  • CWE134: Externally-Controlled Format String

  • CWE190: Integer Overflow or Wraparound

  • CWE367: Time-of-check Time-of-use (TOCTOU)

  • CWE415: Double Free

  • CWE416: Use After Free

  • CWE426: Untrusted Search Path

  • CWE467: Use of sizeof() on Pointer Type

  • CWE476: NULL Pointer Dereference

  • CWE676: Use of Potentially Dangerous Function

  • CWE787: Out-of-Bounds Write
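As an added illustration (constructed for this page, not taken from the BinAbsInspector repository or its test suite), here is the kind of bug the CWE467 checker targets, with the corrected version beside it; both functions report how many bytes they actually cleared so the difference is measurable:

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* BUGGY: sizeof(buf) is the size of the pointer itself (typically 8
 * bytes), not the size of the allocation it points to, so only the
 * first few bytes are cleared and the rest keep their old contents. */
size_t clear_buggy(char *buf, size_t len)
{
    (void)len;                      /* length is available but ignored */
    memset(buf, 0, sizeof(buf));    /* CWE467: sizeof on a pointer type */
    return sizeof(buf);
}

/* FIXED: the caller-supplied length is the real size of the buffer. */
size_t clear_fixed(char *buf, size_t len)
{
    memset(buf, 0, len);
    return len;
}

typedef size_t (*clear_fn)(char *, size_t);

/* Fill a 64-byte heap buffer with 0xFF, run one of the clearing
 * routines over it, and return how many bytes were left uncleared. */
size_t uncleared_after(clear_fn fn)
{
    enum { LEN = 64 };
    char *buf = malloc(LEN);
    if (buf == NULL)
        return LEN;                 /* treat allocation failure as "nothing cleared" */
    memset(buf, 0xFF, LEN);
    fn(buf, LEN);
    size_t leftover = 0;
    for (size_t i = 0; i < LEN; i++)
        if (buf[i] != 0)
            leftover++;
    free(buf);
    return leftover;
}

int main(void)
{
    printf("buggy  variant left %zu bytes uncleared\n", uncleared_after(clear_buggy));
    printf("fixed  variant left %zu bytes uncleared\n", uncleared_after(clear_fixed));
    return 0;
}
```

Compiling this sample and importing the binary into Ghidra gives a small target for checking that the CWE467 checker is wired up correctly after installation.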

Project Structure

The project is organized as follows:

├── main

│   ├── java/com/bai/

│   │   ├── checkers              # Checker implementations

│   │   ├── env/funcs             # Function modeling (external & standard)

│   │   ├── env/region            # Memory modeling

│   │   ├── solver                # Analysis core & graph module

│   │   └── util                  # Utilities

│   └── resources                 # Resources folder

└── test                          # Test cases for validation

To generate API documentation, run:

gradle javadoc

The documentation will be available in ./build/docs/javadoc.

Acknowledgements

BinAbsInspector is built on top of Ghidra and incorporates JImmutable Collections for enhanced performance. Special thanks to these projects for their contributions! You can learn more and download BinAbsInspector on GitHub.
