Cwe Checker Versions Save

cwe_checker finds vulnerable patterns in binary executables

v0.8

2 months ago

The v0.8 release contains a major change in the inner workings of the Pointer Inference analysis: It can now track nested parameters, which allows tracking of a lot more memory objects around function boundaries for all checks depending on it. Additionally, it also solves a long-standing issue regarding state explosion, which previously lead to extremely high RAM usage and analysis times on some binaries.

Other highlights:

  • Better meta-information generation and less false positives for the CWE-416: Use After Free check
  • A new check for CWE-337: Predictable Seed in Pseudo-Random Number Generator

See the CHANGES.md for more details.

v0.7

10 months ago

Version 0.7 contains many small enhancements and bugfixes to improve precision and stability of the analysis. We also improved the internal code organization to make it easier to use the cwe_checker as a library instead of a standalone program.

Other highlights include:

  • A new check for CWE-789: Memory Allocation with Excessive Size Value
  • The checks for CWE-119: Buffer Overflow and CWE-416: Use After Free now include even more meta-information in the JSON output of their CWE warnings: Now functions and calls relevant to the CWE warning are emitted to help with subsequent manual or automatic verification.

See the CHANGES.md for more details.

v0.6

1 year ago

Version 0.6 contains improved abstract domains able to represent data more precise and more complete. Furthermore, the Pointer Inference analysis was reworked to be a bottom-up analysis and an additional function signature analysis step was added to the analysis pipeline. These improvements allow all analyses depending on the Pointer Inference to be both more precise and more complete.

Other highlights include:

  • A new command line flag for analyzing bare-metal binaries.
  • The check for CWE-78: Command line injections was completely rewritten using abstract domains for strings.
  • The check for CWE-119: Buffer Overflow was completely rewritten and now emits additional data flow information in the JSON output to help with root cause analysis.
  • The check for CWE-416: Use After Free was completely rewritten and now emits additional data flow information in the JSON output to help with root cause analysis.

See the CHANGES.md for more details.

v0.5

2 years ago

Version 0.5 contains the switch to Ghidra as the standard backend and the removal of the old BAP backend. Some internal improvements should lead to better analysis results for most checks. We also added several new CWE checks in this release:

  • CWE-78: OS Command Injection
  • CWE-119 and its variants CWE-125 and CWE-787: Buffer Overflow
  • CWE-134: Use of Externally-Controlled Format String

See the CHANGES.md for more details.

v0.4

3 years ago

Version 0.4 contains improvements for the CWE-476 (Null Pointer Dereference) check as well as the addition of a new, still experimental memory check searching for CWEs 415 (Double Free) and 416 (Use After Free). We also updated our backend to BAP 2.2.

Under the hood a completely new analysis framework was written in Rust, which is used by the new memory check. We also implemented support for Ghidra as an alternative backend to BAP.

See the CHANGES.md for more details.

v0.3

4 years ago

Version 0.3 mostly adds ease-of-use functionalities to the cwe_checker. This is the last release based on BAP 1.6 before we switch to BAP 2.0.

The changes in detail:

  • Added more documentation to checks (PR #26)
  • Added clang as another compiler for test cases, added tests for clang compiled test cases (PR #27)
  • Fixed check CWE367: use symbols defined in config.json (PR #28)
  • Refactoring of logging and JSON support via --json (PR #30)
  • Added file output support via --out (PR #30)
  • Surpress logging of info, error and warning to STDOUT via --no-logging (PR #32)
  • Added check-path feature via --check-path that searches paths between interesting input functions and cwe hits (PR #31)
  • Added online documentation (PR #36, #37)
  • Added convenience executable to enable shorter command line options (PR #40)
  • Added a plugin for integration into Ghidra (PR #42, #43)

v0.2

4 years ago

Changes:

  • Refactoring: Unification of cwe_checker function interface
  • Refactoring: Created utils module for JSON functionality
  • Added check for CWE 248: Uncaught Exception (PR #5)
  • Added automated test suite (run with make test) (PR #7)
  • Improved cross compiling for acceptance test cases by using dockcross (PR #8)
  • Added BAP recipe for standard cwe_checker run (PR #9)
  • Improved check for CWE-476 (NULL Pointer Dereference) using data flow analysis (PR #11)
  • Added cwe_checker_emulation plugin based on BAP's Primus to detect CWE-125, CWE-415, and CWE-416 (PR #15)
  • Switched C build system from make to scons (PR #16)
  • Added type inference pass (PR #14, #18)
  • Added unit tests to test suite (PR #14)
  • Added check for CWE-560 (Use of umask() with chmod-style Argument) (PR #21)

v0.1

5 years ago

This is the initial release of cwe_checker under LGPL 3.0.