binsec 1.0.0

Swiss Army Knife for Binary (In)Security
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151

//! Implements the main interface struct necessary in order to consume, parse and detect binary
//! inputs. Should be used to detect format and security mitigations for a singular binary.
#![allow(clippy::match_bool)]

use crate::check::kernel::KernelChecker;
use crate::check::{Checker, FeatureCheck};
use crate::errors::{BinError, BinResult, ErrorKind};
use crate::format::BinFormat;
use crate::rule_engine::YaraExecutor;

use goblin::mach::Mach::{Binary, Fat};
use goblin::Object;

use serde::{Deserialize, Serialize};

use std::boxed::Box;
use std::ffi::OsStr;
use std::fs;
use std::path::PathBuf;

/// Defines the main interface `Detector` struct, which is instantiated to consume and handle
/// storing all internally parsed checks in a genericized manner, such that it is much easier
/// for serialization and output.
#[derive(Serialize, Deserialize)]
pub struct Detector {
    /// If set, returns any basic binary information that may be useful for the user
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub bin_info: Option<Box<dyn FeatureCheck>>,

    /// Runs the standard binary hardening checks against the input binary
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub harden_features: Option<Box<dyn FeatureCheck>>,

    /// Performs checks for the host kernel running the binary provided
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub kernel_features: Option<Box<dyn FeatureCheck>>,

    /// Executes a set of YARA-based "enhanced" rules to detect deeper features
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub rule_features: Option<Box<dyn FeatureCheck>>,
}

impl Detector {
    /// Run the detector given the instantiated configuration options, and stores results for later
    /// output and consumption.
    /// TODO: simplify parameters to builder-like pattern
    pub fn detect(
        path: PathBuf,
        basic_info: bool,
        harden: bool,
        kernel: bool,
        rules: bool,
    ) -> BinResult<Self> {
        // read from input path and instantiate checker based on binary format
        let buffer = fs::read(path.as_path())?;

        // is set when parsing each specific binary format type
        let mut bin_info: Option<Box<dyn FeatureCheck>> = None;

        // do format-specific hardening check if set
        let harden_features: Option<Box<dyn FeatureCheck>> = match harden {
            true => match Object::parse(&buffer)? {
                Object::Elf(elf) => {
                    bin_info = match basic_info {
                        true => Some(elf.bin_info()),
                        false => None,
                    };
                    Some(elf.harden_check())
                }
                Object::PE(pe) => {
                    bin_info = match basic_info {
                        true => Some(pe.bin_info()),
                        false => None,
                    };
                    Some(pe.harden_check())
                }
                Object::Mach(_mach) => match _mach {
                    Binary(mach) => {
                        bin_info = match basic_info {
                            true => Some(mach.bin_info()),
                            false => None,
                        };
                        Some(mach.harden_check())
                    }
                    Fat(_) => {
                        return Err(BinError {
                            kind: ErrorKind::BinaryError,
                            msg: "does not support multiarch FAT binary containers yet".to_string(),
                        });
                    }
                },
                _ => {
                    return Err(BinError {
                        kind: ErrorKind::BinaryError,
                        msg: "unsupported filetype for analysis".to_string(),
                    });
                }
            },
            false => None,
        };

        // detect kernel mitigations features if set for the current host's operating system
        let kernel_features: Option<Box<dyn FeatureCheck>> = match kernel {
            true => Some(KernelChecker::detect()?),
            false => None,
        };

        // run the enhanced set of rules against the binary if set
        let rule_features: Option<Box<dyn FeatureCheck>> = match rules {
            true => {
                // initialize YARA executor
                let mut rule_exec: YaraExecutor = YaraExecutor::new(path);

                // add rules from crate directory to executor
                let paths = fs::read_dir("rules")?;
                for _path in paths {
                    let path: PathBuf = _path?.path();

                    // only parse YARA files
                    let path_ext: Option<&str> = path.as_path().extension().and_then(OsStr::to_str);
                    if path_ext != Some("yara") {
                        continue;
                    }

                    // add rule to executor for parsing and bootstrapping a command
                    rule_exec.add_rule(path)?;
                }

                // execute them against the target, and store results
                rule_exec.execute()?;

                // return back the matches for display
                Some(Box::new(rule_exec.matches))
            }
            false => None,
        };

        Ok(Self {
            bin_info,
            kernel_features,
            rule_features,
            harden_features,
        })
    }

    /// interfaces the routines within the `BinFormat` given and emit a string that can be
    /// displayed back to the end user.
    pub fn output(self, format: &BinFormat) -> BinResult<String> {
        format.dump(self)
    }
}