Describe the bug
The Grep commands for identifying weak functions in module S14 are very permissive, leading to a huge number of false positives if identifiers in the binary contain specific keywords like "system". This skews the statistics and hides real weak functions. As an example, the boost_filesystem file from the Boost library is used below.
Start EMBA with the following parameters: Any as long as module S14 is executed
See results in HTML report at html-report/s14_weak_func_radare_check/vul_func_XXX_system-libboost_filesystem.so.1.84.0.html. Many matches will look as follows, which is definitely not a common weak "system" function:
add r1, pc
blx rsym._ZNK5boost10filesystem15directory_entry12refresh_implEPNS_6system10error_codeE
ldr r0, [r4, 0x14]
Expected behavior
Identifiers just containing the keywords out-of-context should not be flagged.
The Regex used for flagging these issues should be adapted.
This may be hard, as we still want to identify legit weak function wrappers and variations.
Screenshots
N/A
Desktop
OS: Kali Linux 2024.1
EMBA version: v4.1.0
Installation method: default with up to date docker image
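The false positive described in this report, as an added example that is not EMBA's code and not part of the original issue: a substring grep next to one anchored on the call target. The `sym.imp.` prefix, the allowance for leading underscores, and every sample line except the Boost one quoted above are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed disassembly lines. Only the second line comes from the issue;
# the rest are made up to show one real call, one wrapper-style name and
# one unrelated identifier that merely contains the keyword.
sample_disasm() {
cat <<'EOF'
blx sym.imp.system
blx rsym._ZNK5boost10filesystem15directory_entry12refresh_implEPNS_6system10error_codeE
bl sym.imp.__system
bl rsym.file_system_init
ldr r0, [r4, 0x14]
EOF
}

# Substring match: counts every stdin line containing the keyword anywhere,
# so mangled C++ names such as boost::system::error_code are counted too.
count_substring() {
  grep -c -- "$1"
}

# Anchored match: the keyword must be the whole call target, after an
# optional "sym."/"rsym." and "imp." prefix and optional leading underscores.
# Mangled names and identifiers like file_system_init no longer match.
count_anchored() {
  grep -c -E -- "[[:space:]](r?sym\.)?(imp\.)?_*$1([[:space:]]|\$)"
}

# Print both counts side by side for one function name.
compare_counts() {
  printf '%s substring=%s anchored=%s\n' "$1" \
    "$(sample_disasm | count_substring "$1")" \
    "$(sample_disasm | count_anchored "$1")"
}

compare_counts system
```

Wrappers whose names add a suffix or an unrelated prefix would need their own explicit alternatives in the pattern; the anchored form trades that recall for fewer false matches.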
We are glad you are here and appreciate your contribution. Please keep in mind our contributing guidelines here and here.
Also, please check existing open issues and consider opening a discussion in the dedicated discussion area.
Additionally, we have collected a lot of details around EMBA, the installation and the usage of EMBA in our Wiki.
If you like EMBA you have the chance to support us by becoming a Sponsor or buying some beer here.
To show your love for EMBA with nice shirts or other merch you can check our Spreadshop.
This is an automatic message. Allow for time for the EMBA community to be able to read the issue and comment on it.
Priority issue
Are you already a Sponsor? - N