Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Huge number of false positives for module S14 weak function check (radare) #1319

Open
ghechenberger opened this issue Sep 23, 2024 · 2 comments
Open

Huge number of false positives for module S14 weak function check (radare) #1319

ghechenberger opened this issue Sep 23, 2024 · 2 comments
Labels
bug Something isn't working Core modules (Sxx) The core scanning modules (Sxx modules) EMBA

Comments

@ghechenberger
Copy link

Describe the bug
The Grep commands for identifying weak functions in module S14 are very permissive, leading to a huge number of false positives if identifiers in the binary contain specific keywords like "system". This skews the statistics and hides real weak functions. As an example, the boost_filesystem file from the Boost library is used below.

To Reproduce
Steps to reproduce the behavior:

  1. EMBA installation 4.1.0
  2. Use libboost_filesystem.so.1.84.0 from https://freebsd.pkgs.org/14/freebsd-aarch64/boost-libs-1.84.0.pkg.html
  3. Start EMBA with the following parameters: Any as long as module S14 is executed
  4. See results in HTML report at html-report/s14_weak_func_radare_check/vul_func_XXX_system-libboost_filesystem.so.1.84.0.html. Many matches will look as follows, which is definitely not a common weak "system" function:
add r1, pc
blx rsym._ZNK5boost10filesystem15directory_entry12refresh_implEPNS_6system10error_codeE
ldr r0, [r4, 0x14]

Expected behavior
Identifiers just containing the keywords out-of-context should not be flagged.
The Regex used for flagging these issues should be adapted.
This may be hard, as we still want to identify legit weak function wrappers and variations.

Screenshots
N/A

Desktop

  • OS: Kali Linux 2024.1
  • EMBA version: v4.1.0
  • Installation method: default with up to date docker image

Priority issue
Are you already a Sponsor? - N

Additional context
Add any other context about the problem here.
@github-actions GitHub Actions
Copy link

Thank you for contributing an issue!

Welcome to the EMBA firmware analysis community!

We are glad you are here and appreciate your contribution. Please keep in mind our contributing guidelines here and here.
Also, please check existing open issues and consider to open a discussion in the dedicated discussion area.
Additionally, we have collected a lot of details around EMBA, the installation and the usage of EMBA in our Wiki.

If you like EMBA you have the chance to support us by becoming a Sponsor or buying some beer here.

To show your love for EMBA with nice shirts or other merch you can check our Spreadshop.

This is an automatic message. Allow for time for the EMBA community to be able to read the issue and comment on it.

@m-1-k-3 m-1-k-3 added bug Something isn't working Core modules (Sxx) The core scanning modules (Sxx modules) EMBA labels Sep 23, 2024
@m-1-k-3
Copy link
Member

m-1-k-3 commented Sep 23, 2024

Indeed the regex defined in the module are quite generic - see here

emba/modules/S14_weak_func_radare_check.sh

Line 321 in c345740

r2 -e bin.cache=true -e io.cache=true -e scr.color=false -q -c 'pI $s' "${BINARY_}" | grep -A 2 -B 20 "bl.*${FUNCTION}" 2> /dev/null >> "${FUNC_LOG}" || true

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working Core modules (Sxx) The core scanning modules (Sxx modules) EMBA
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@m-1-k-3 @ghechenberger