binsec
Swiss Army Knife for Binary (In)security
Introduction
binsec is a portable and cross-platform utility for detecting security mitigations across ELF, PE and mach-O executable formats. While it is able to detect the usual binary hardening features across executables, it can also check for more advanced security enhacenements, from kernel configurations to its own subset of YARA-based "enhanced" checks.
Features
- Robust checks for a wide variety of security mitigations across ELF/PE/Mach-O binaries.
- Contains YARA-based enhanced checks for deeper binary insight (ie. compiled language, anti-analysis, etc)
- Supports host-based kernel security checks for system insight (WIP: macOS and Windows)
- Backends libgoblin for efficient and cross-platform binary parsing.
- Can generate serializable outputs for JSON and TOML formats for storage/logging consumption.
Use Cases
- Application Assessments - use as part of your security tooling when conducting black-box static analysis!
- Security infrastructure - incorporate as part of your runtime analysis pipeline!
- Malware Machine Learning - extract features for machine learning models for malware detection!
- CTFs and Wargames - help find security holes in crackmes for to exploit!
How to Use
Installation
The only necessary external dependency for binsec is yara installed through your package manager. binsec is not using Rust bindings to YARA, since it is currently supporting a much older version. This should only be temporary!
Once done, binsec can be installed simply through the cargo package manager:
$ cargo install binsec
You can now use binsec as a CLI application, and even interface the crate as a library in your own applications!
Usage
When running binsec by default, the standard binary harden check will be deployed automatically after checking the
binary format being used:
$ binsec ./out.elf
[*] Name: ./out.elf
Binary Hardening Checks
Executable Stack (NX Bit) true
FORTIFY_SOURCE false
Position-Independent Executable true
Read-Only Relocatables (RELRO) "Full RELRO"
Stack Canary false
You can specify more than one binaries, and a detector will be used on each one:
$ binsec ./another.mach ./out.elf
[*] Name: ./another.mach
...
[*] Name: ./out.elf
...
You can also include --info, if you would like some basic verbose details to be included alongside the analysis:
$ binsec --info ./file
Basic Information
Architecture "X86_64"
Binary Type "DYN"
Entry Point Address 721600
File Class "ELF64"
You can also export this information through serialization, either as a JSON or TOML file. Keep in mind that any checks that are excluded from the terminal-based display will show up serialized:
$ binsec --format=json ./file
[*] file
{
"harden_features": {
"type": "ElfChecker",
"exec_stack": true,
"stack_canary": false,
"fortify_source": false,
"pie": true,
"relro": "FullRelro",
"runpath": [],
"asan": false,
"ubsan": false,
}
}
Contributing
This is something that is continually being developed! You can contribute by catching issues and bugs and submitting them through the issue tracker or making a pull request!