Create a tool and manual for hunting vulnerabilities in C-Family software.
- Semgrep - for static analysis when the target cannot be compiled.
- CodeQL - for taint analysis when the target can be compiled.
- angr - for symbolic execution when the target can be run.
I am trying to develop three sets of rules for the same vulnerability in parallel:

- semgrep_rules - rules for Semgrep - target cannot be compiled
- codeql_rules - rules for CodeQL - target can be compiled
- angr_rules - rules for angr - target can be run
Rules in the "not_my_rules" directory are from:

- 0xdea - I forked them here.
```bash
# Run a Semgrep rule against a source-only sample (no build required)
semgrep -c rules/semgrep_rules/sprintf-buffer-overflow.yaml samples/CVE-2021-20294/readelf.c
```
```bash
# Go to target build directory
cd samples/TARGET_BUILD_DIR
# Create codeql database
codeql database create /Users/karmaz/r/scripts/FUZZER/STATIC_HUNTER/tmp/MY_PROJECT-db --language=cpp --command="bash -c \"./configure && make\""
# Go back to root directory
cd ../../../
# Run query
codeql query run rules/codeql_rules/sprintf-overflow.ql --database=tmp/MY_PROJECT-db
```
```bash
# Symbolically execute the target with the given command line
python3 rules/angr_rules/angr_sprintf-overflow.py "./vulnerable_binary -arg1 test -arg2 123"
```
These rules can be imported into a larger tool and used to find vulnerabilities in binaries.

```python
# The rule module lives in rules/angr_rules/; it must be on sys.path under an
# importable (hyphen-free) module name for this import to work.
from angr_sprintf_overflow import find_sprintf_overflow

find_sprintf_overflow("readelf")
```
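As an added, source-level illustration of the bug class these rules target, the following Python script scans a constructed C sample for `sprintf` calls that format an unbounded `%s` into a fixed-size `char` array. It is not one of the repository's rules and uses no Semgrep, CodeQL or angr; the sample, the regexes and the helper names `fixed_char_buffers`, `find_unbounded_sprintf` and `report` are all assumptions made for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed C sample (not a file from the samples/ directory): one
# overflow-prone sprintf, one bounded snprintf, and one sprintf whose
# output length is fixed by the conversion.
SAMPLE_C = """
#include <stdio.h>

void print_name(const char *name)
{
    char buf[64];
    sprintf(buf, "name=%s", name);   /* overflows if strlen(name) > 58 */
    puts(buf);
}

void safe_name(const char *name)
{
    char out[64];
    snprintf(out, sizeof(out), "name=%s", name);
    puts(out);
}

void numeric_only(int n)
{
    char tmp[16];
    sprintf(tmp, "%d", n);           /* an int formats to at most 11 chars */
}
"""

# `char <name>[<N>];` : a fixed-size character array
DECL_RE = re.compile(r'\bchar\s+(\w+)\s*\[\s*(\d+)\s*\]\s*;')
# `sprintf(<dest>, "<format>"` : \b excludes snprintf/vsprintf; the format is
# the first string literal after the destination argument
CALL_RE = re.compile(r'\bsprintf\s*\(\s*(\w+)\s*,\s*"((?:[^"\\]|\\.)*)"')
# a %s conversion with no precision (%.20s is bounded, %s and %-10s are not)
UNBOUNDED_S = re.compile(r'%[-+ #0]*\d*s')


def fixed_char_buffers(source: str) -> Dict[str, int]:
    """Map each fixed-size char array name to its declared size."""
    return {name: int(size) for name, size in DECL_RE.findall(source)}


def find_unbounded_sprintf(source: str) -> List[Tuple[int, str, int, str]]:
    """Return (line, buffer, size, format) for each sprintf that writes an
    unbounded %s into a fixed-size char array declared in the same source.
    Hypothetical helper: a source-level approximation of the kind of check a
    Semgrep rule performs, not the repository's rule."""
    buffers = fixed_char_buffers(source)
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        call = CALL_RE.search(line)
        if call is None:
            continue
        dest, fmt = call.group(1), call.group(2)
        if dest in buffers and UNBOUNDED_S.search(fmt):
            findings.append((lineno, dest, buffers[dest], fmt))
    return findings


def report(source: str) -> List[str]:
    """grep-style lines, one per finding."""
    return [f'{line}: sprintf into {buf}[{size}] with "{fmt}"'
            for line, buf, size, fmt in find_unbounded_sprintf(source)]


if __name__ == "__main__":
    for entry in report(SAMPLE_C):
        print(entry)
```

The matcher is deliberately shallow: it resolves the destination buffer by name within the whole file and never reasons about where the `%s` argument comes from, which is exactly the gap the compiled stages fill (CodeQL tracing taint to the argument, angr proving a concrete input that exceeds the buffer).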
I started building this tool while learning Vulnerabilities 1001: C-Family Software Implementation Vulnerabilities from the OpenSecurityTraining2 course. The first CVEs in the samples directory come from the course. They are categorized by CVE number, and pseudo.c is most of the time copy-pasted from the course.