threatflux-binary-analysis 0.2.0

Comprehensive binary analysis library with multi-format support, disassembly, and security analysis
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325

# ThreatFlux Binary Analysis - Testing Documentation

## Overview

This document describes the comprehensive test suite for the ThreatFlux Binary Analysis library, designed to achieve 90%+ test coverage across all Phase 1 features and ensure production-ready quality.

## Test Suite Architecture

### Comprehensive Coverage Strategy

Our testing approach follows a multi-layered strategy:

```
┌─────────────────────────────────────────────────────────┐
│                    Test Architecture                    │
├─────────────────────────────────────────────────────────┤
│  Property-Based Tests (Fuzzing & Invariants)           │
├─────────────────────────────────────────────────────────┤
│  Integration Tests (Performance & Real Binaries)       │
├─────────────────────────────────────────────────────────┤
│  Unit Tests (Individual Components)                    │
├─────────────────────────────────────────────────────────┤
│  Test Fixtures & Common Infrastructure                 │
└─────────────────────────────────────────────────────────┘
```

### Test Categories

#### 1. Unit Tests (90%+ Coverage Target)

**Binary Format Parsers:**
- `unit_elf_test.rs` - ELF parser comprehensive testing
- `unit_pe_test.rs` - PE parser comprehensive testing  
- `unit_macho_test.rs` - Mach-O parser comprehensive testing
- `unit_java_test.rs` - Java format comprehensive testing

**Advanced Features:**
- `unit_compiler_detection_test.rs` - Compiler/toolchain detection
- `unit_debug_info_test.rs` - Debug information extraction (DWARF, PDB, CodeView)
- `unit_enhanced_binary_info_test.rs` - Enhanced structures and serialization

**Robustness Testing:**
- `unit_property_based_test.rs` - Property-based fuzzing with proptest

#### 2. Integration Tests

**Performance & Scalability:**
- `integration_performance_test.rs` - Performance benchmarks and real-world testing

#### 3. Common Infrastructure

**Shared Utilities:**
- `common/fixtures.rs` - Test binary data creation
- `common/helpers.rs` - Test utility functions
- `common/mod.rs` - Module organization

## Test Coverage Goals

| Component | Current Target | Key Areas |
|-----------|---------------|-----------|
| **ELF Parser** | 90%+ | Header parsing, sections, symbols, security features |
| **PE Parser** | 90%+ | DOS/PE headers, imports/exports, debug directories |
| **Mach-O Parser** | 90%+ | Load commands, segments, code signing |
| **Java Parser** | 90%+ | Class files, JAR/WAR/EAR/APK archives |
| **Compiler Detection** | 90%+ | GCC, Clang, MSVC, Rust, Go toolchains |
| **Debug Information** | 90%+ | DWARF v2-v5, PDB, CodeView, stripped detection |
| **Enhanced Structures** | 90%+ | Metadata, serialization, security features |
| **Overall Library** | 90%+ | Format detection, analysis pipeline, error handling |

## Test Features

### 1. Comprehensive Format Support

**ELF Testing:**
- All architectures (x86, x86_64, ARM, AARCH64, RISC-V, etc.)
- Endianness variants (little/big endian)
- File types (executable, shared object, core)
- Section parsing (.text, .data, .bss, .debug_*, etc.)
- Symbol table analysis (local, global, weak symbols)
- Program header validation
- Security feature detection (NX, ASLR, PIE, RELRO)

**PE Testing:**
- Machine types (x86, x64, ARM, ARM64)
- DOS header validation
- COFF header parsing
- Optional header analysis (PE32/PE32+)
- Section characteristics and permissions
- Import/export table parsing
- Rich header detection (compiler identification)
- Debug directory analysis (PDB, CodeView)
- Digital signature validation

**Mach-O Testing:**
- Magic number variants (32/64-bit, endianness)
- CPU types (x86, x64, ARM, ARM64, PowerPC)
- Load command parsing (LC_SEGMENT, LC_SYMTAB, etc.)
- Platform detection (macOS, iOS, tvOS, watchOS)
- Code signing detection
- Universal binary support
- Swift metadata analysis

**Java Testing:**
- Class file versions (Java 1.1 through Java 21)
- Constant pool parsing
- Method and field extraction
- Archive formats (JAR, WAR, EAR)
- Android APK analysis
- Manifest parsing
- JNI library detection

### 2. Advanced Compiler Detection

**Comprehensive Toolchain Support:**
- **GCC**: Versions 9-13, comment section analysis
- **Clang/LLVM**: Versions 12-16, metadata detection
- **MSVC**: Visual Studio 2013-2022, Rich header analysis
- **Rust**: Cargo metadata, symbol mangling patterns
- **Go**: Build info, runtime sections
- **Swift**: Metadata sections, Swift runtime
- **Intel Compiler**: Specific signatures and patterns

**Detection Confidence Scoring:**
- Strong indicators: Specific version strings, unique signatures
- Medium indicators: Import patterns, section layouts
- Weak indicators: Heuristic patterns, statistical analysis

### 3. Debug Information Analysis

**DWARF Support (v2-v5):**
- Standard sections (.debug_info, .debug_line, .debug_abbrev)
- Extended sections (.debug_str, .debug_ranges, .debug_loc)
- Compressed debug sections (.zdebug_*)
- Language detection (C, C++, Rust, Go, Fortran)
- Compilation unit analysis
- Line number information

**Windows Debug Formats:**
- PDB references and signatures
- CodeView format detection
- Debug directory parsing
- Symbol server information

**Debug Quality Assessment:**
- Stripped vs. unstripped detection
- Debug information completeness
- Source file availability
- Optimization level indicators

### 4. Property-Based Testing

**Robustness Validation:**
- Random binary data generation
- Format detection invariants
- Parser consistency checks
- Memory usage bounds
- Error handling quality

**Fuzzing Strategies:**
- Magic number variations
- Header field randomization
- Section boundary testing
- Symbol table corruption
- Import/export manipulation

### 5. Performance Testing

**Scalability Validation:**
- Small files (4KB) - sub-millisecond parsing
- Medium files (256KB) - under 50ms parsing
- Large files (10MB) - under 5s parsing
- Very large files (100MB) - under 30s parsing

**Concurrency Testing:**
- Multi-threaded parsing validation
- Thread safety verification
- Resource contention analysis
- Memory leak detection

**Real-World Integration:**
- System binary analysis (/bin/ls, /usr/bin/file)
- Production binary compatibility
- Cross-platform validation

### 6. Error Handling & Edge Cases

**Malformed Data Handling:**
- Truncated files
- Corrupted headers
- Invalid section references
- Circular dependencies
- Buffer overflows/underflows

**Adversarial Input Protection:**
- Zip bomb detection
- Deep recursion prevention
- Memory exhaustion protection
- Timeout mechanisms
- Resource limit enforcement

## Running Tests

### Quick Test Run
```bash
# Run all tests with default configuration
./run_tests.sh

# Run with specific features
./run_tests.sh --features "elf,pe,disasm-capstone"
```

### Comprehensive Test Suite
```bash
# Full test suite with coverage
./run_tests.sh --verbose

# Performance-focused testing
./run_tests.sh --no-coverage --no-integration

# Feature-specific testing
cargo test unit_elf_test --features "elf"
```

### Coverage Analysis
```bash
# Generate detailed coverage report
cargo llvm-cov --html --output-dir coverage-report

# Check specific file coverage
cargo llvm-cov --show-missing-lines src/formats/elf.rs
```

### Continuous Integration

**GitHub Actions Configuration:**
```yaml
name: Comprehensive Test Suite
on: [push, pull_request]
jobs:
  test:
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
        rust: [stable, beta, nightly]
        features: [default, "elf,pe", "all-features"]
    steps:
      - uses: actions/checkout@v3
      - uses: actions-rs/toolchain@v1
        with:
          toolchain: ${{ matrix.rust }}
      - run: ./run_tests.sh --features ${{ matrix.features }}
```

## Quality Assurance

### Coverage Monitoring
- **Line Coverage**: 90%+ target across all modules
- **Branch Coverage**: 85%+ target for complex logic
- **Function Coverage**: 95%+ target for public APIs

### Performance Benchmarks
- **Parsing Speed**: Tracked across file sizes
- **Memory Usage**: Maximum 5x file size for processing
- **Concurrency**: Linear scaling up to CPU core count

### Regression Prevention
- **Performance Regression**: ±10% tolerance
- **API Compatibility**: Semver compliance
- **Feature Parity**: No functionality loss

## Contributing to Tests

### Adding New Tests

1. **Follow naming conventions**: `test_<feature>_<specific_case>`
2. **Include documentation**: Describe test purpose and coverage
3. **Add edge cases**: Test error conditions and boundaries
4. **Update fixtures**: Add new test data as needed
5. **Maintain coverage**: Keep 90%+ coverage target

### Test Categories
- **Smoke tests**: Basic functionality validation
- **Unit tests**: Individual component isolation
- **Integration tests**: Cross-component interaction
- **Property tests**: Invariant validation
- **Performance tests**: Speed/memory validation
- **Regression tests**: Previous bug prevention

### Code Review Checklist
- [ ] Test coverage maintained above 90%
- [ ] All edge cases covered
- [ ] Performance tests included
- [ ] Error conditions tested
- [ ] Documentation updated
- [ ] CI passes on all platforms

## Test Data Management

### Synthetic Test Binaries
- **Realistic structures**: Valid headers and sections
- **Multiple architectures**: x86, x64, ARM variants
- **Security features**: Modern protection mechanisms
- **Compiler signatures**: Authentic toolchain markers

### Real Binary Integration
- **System binaries**: Common utilities and libraries
- **Cross-platform**: Linux, macOS, Windows executables
- **Various sizes**: From small tools to large applications
- **Multiple formats**: ELF, PE, Mach-O, Java archives

## Maintenance & Updates

### Regular Maintenance Tasks
- **Compiler version updates**: New GCC, Clang, MSVC releases
- **Format specification updates**: New binary format features
- **Performance threshold tuning**: Hardware capability evolution
- **Security feature evolution**: New protection mechanisms

### Future Enhancements
- **Additional formats**: .NET assemblies, WebAssembly modules
- **Enhanced analysis**: Control flow graphs, data flow analysis
- **Machine learning**: Pattern recognition, anomaly detection
- **Cloud integration**: Distributed analysis, result caching

This comprehensive test suite ensures the ThreatFlux Binary Analysis library maintains the highest standards of quality, performance, and reliability across all supported binary formats and use cases.