Пример #1
0
        public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
        {
            PE portableExecutable        = target.PE;
            AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget;

            reasonForNotAnalyzing = MetadataConditions.ImageIsNot32BitBinary;
            if (portableExecutable.Machine != Machine.I386)
            {
                return(result);
            }

            reasonForNotAnalyzing = MetadataConditions.ImageIsXBoxBinary;
            if (portableExecutable.IsXBox)
            {
                return(result);
            }

            reasonForNotAnalyzing = MetadataConditions.ImageIsResourceOnlyBinary;
            if (portableExecutable.IsResourceOnly)
            {
                return(result);
            }

            reasonForNotAnalyzing = null;
            return(AnalysisApplicability.ApplicableToSpecifiedTarget);
        }
Пример #2
0
        public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
        {
            PE portableExecutable        = target.PE;
            AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget;

            reasonForNotAnalyzing = MetadataConditions.ImageIsNot64BitBinary;
            if (portableExecutable.PEHeaders.PEHeader.Magic != PEMagic.PE32Plus)
            {
                return(result);
            }

            reasonForNotAnalyzing = MetadataConditions.ImageIsILOnlyAssembly;
            if (portableExecutable.IsILOnly)
            {
                return(result);
            }

            reasonForNotAnalyzing = MetadataConditions.ImageIsKernelModeBinary;
            if (portableExecutable.IsKernelMode)
            {
                return(result);
            }

            reasonForNotAnalyzing = MetadataConditions.ImageIsResourceOnlyBinary;
            if (portableExecutable.IsResourceOnly)
            {
                return(result);
            }

            reasonForNotAnalyzing = null;
            return(AnalysisApplicability.ApplicableToSpecifiedTarget);
        }
Пример #3
0
        public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
        {
            PE portableExecutable        = target.PE;
            AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget;

            reasonForNotAnalyzing = MetadataConditions.ImageIsKernelModeBinary;
            if (portableExecutable.IsKernelMode)
            {
                return(result);
            }

            reasonForNotAnalyzing = MetadataConditions.ImageLikelyLoads32BitProcess;
            if (portableExecutable.PEHeaders.PEHeader.Magic != PEMagic.PE32Plus)
            {
                // If the image's magic bytes are 'PE32', it is either a 32 bit binary (rule does not apply), or it is a managed binary compiled as AnyCpu.
                // If it's an AnyCPU managed binary, we need to do a bit more checking--if it has 'Prefers32Bit'/'Requires32Bit' flagged, it will probably
                // load as a 32 bit process.  If it doesn't, we're likely to load in a 64 bit process space on a 64 bit arch & want to ensure HighEntropyVA is enabled.
                if (!portableExecutable.IsManaged ||
                    portableExecutable.IsManaged && portableExecutable.PEHeaders.CorHeader.Flags.HasFlag(CorFlags.Requires32Bit))
                {
                    return(result);
                }
            }

            reasonForNotAnalyzing = MetadataConditions.ImageIsNotExe;
            if (!portableExecutable.PEHeaders.IsExe)
            {
                return(result);
            }

            reasonForNotAnalyzing = null;
            return(AnalysisApplicability.ApplicableToSpecifiedTarget);
        }
Пример #4
0
        public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
        {
            PE portableExecutable        = target.PE;
            AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget;

            reasonForNotAnalyzing = MetadataConditions.ImageIsResourceOnlyBinary;
            if (portableExecutable.IsResourceOnly)
            {
                return(result);
            }

            reasonForNotAnalyzing = MetadataConditions.ImageIsILOnlyAssembly;
            if (portableExecutable.IsILOnly)
            {
                return(result);
            }

            reasonForNotAnalyzing = MetadataConditions.ImageIsMixedModeBinary;
            if (portableExecutable.IsMixedMode)
            {
                return(result);
            }

            reasonForNotAnalyzing = MetadataConditions.ImageIsKernelModeAndNot64Bit;
            if (portableExecutable.IsKernelMode && !portableExecutable.Is64Bit)
            {
                return(result);
            }

            reasonForNotAnalyzing = MetadataConditions.ImageIsBootBinary;
            if (portableExecutable.IsBoot)
            {
                return(result);
            }

            Version minimumRequiredLinkerVersion = policy.GetProperty(MinimumRequiredLinkerVersion);

            if (portableExecutable.LinkerVersion < minimumRequiredLinkerVersion)
            {
                reasonForNotAnalyzing = string.Format(
                    MetadataConditions.ImageCompiledWithOutdatedTools,
                    portableExecutable.LinkerVersion,
                    minimumRequiredLinkerVersion);

                return(result);
            }

            reasonForNotAnalyzing = MetadataConditions.ImageIsWixBinary;
            if (portableExecutable.IsWixBinary)
            {
                return(result);
            }

            reasonForNotAnalyzing = null;
            return(AnalysisApplicability.ApplicableToSpecifiedTarget);
        }
Пример #5
0
        public override AnalysisApplicability CanAnalyzeElf(ELFBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
        {
            IELF elf = target.ELF;

            if (elf.Type == FileType.Core || elf.Type == FileType.None || elf.Type == FileType.Relocatable)
            {
                reasonForNotAnalyzing = reasonForNotAnalyzing = MetadataConditions.ElfIsCoreNoneOrObject;
                return(AnalysisApplicability.NotApplicableToSpecifiedTarget);
            }

            reasonForNotAnalyzing = null;
            return(AnalysisApplicability.ApplicableToSpecifiedTarget);
        }
Пример #6
0
        public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
        {
            PE portableExecutable        = target.PE;
            AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget;

            reasonForNotAnalyzing = MetadataConditions.ImageIsKernelModeBinary;
            if (portableExecutable.IsKernelMode)
            {
                return(result);
            }

            reasonForNotAnalyzing = null;
            return(AnalysisApplicability.ApplicableToSpecifiedTarget);
        }
Пример #7
0
        public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
        {
            PE portableExecutable        = target.PE;
            AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget;

            reasonForNotAnalyzing = MetadataConditions.ImageIs64BitBinary;
            if (target.PE.PEHeaders.PEHeader.Magic == PEMagic.PE32Plus)
            {
                return(result);
            }

            reasonForNotAnalyzing = MetadataConditions.ImageIsKernelModeBinary;
            if (portableExecutable.IsKernelMode)
            {
                return(result);
            }

            reasonForNotAnalyzing = MetadataConditions.ImageIsXBoxBinary;
            if (portableExecutable.IsXBox)
            {
                return(result);
            }

            reasonForNotAnalyzing = MetadataConditions.ImageIsResourceOnlyBinary;
            if (portableExecutable.IsResourceOnly)
            {
                return(result);
            }

            reasonForNotAnalyzing = MetadataConditions.ImageIsPreVersion7WindowsCEBinary;
            if (OSVersions.IsWindowsCEPriorToV7(portableExecutable))
            {
                return(result);
            }

            reasonForNotAnalyzing = MetadataConditions.ImageIsBootBinary;
            if (portableExecutable.IsBoot)
            {
                return(result);
            }

            reasonForNotAnalyzing = null;
            return(AnalysisApplicability.ApplicableToSpecifiedTarget);
        }
Пример #8
0
        public override AnalysisApplicability CanAnalyzeElf(ELFBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
        {
            IELF elf = target.ELF;

            if (elf.Type == FileType.Core || elf.Type == FileType.None || elf.Type == FileType.Relocatable)
            {
                reasonForNotAnalyzing = MetadataConditions.ElfIsCoreNoneOrObject;
                return(AnalysisApplicability.NotApplicableToSpecifiedTarget);
            }

            // We check for "any usage of non-gcc" as a default/standard compilation with clang leads to [GCC, Clang]
            // either because it links with a gcc-compiled object (cstdlib) or the linker also reading as GCC.
            // This has a potential for a False Negative if teams are using GCC and other tools.
            if (target.Compilers.Any(c => c.Compiler != ELFCompilerType.GCC))
            {
                reasonForNotAnalyzing = MetadataConditions.ElfNotBuiltWithGcc;
                return(AnalysisApplicability.NotApplicableToSpecifiedTarget);
            }

            reasonForNotAnalyzing = null;
            return(AnalysisApplicability.ApplicableToSpecifiedTarget);
        }
Пример #9
0
        public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
        {
            PE portableExecutable        = target.PE;
            AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget;

            // Review the range of metadata conditions and return NotApplicableToSpecifiedTarget
            // from this method for all cases where a binary is detected that is not valid to scan.
            //
            reasonForNotAnalyzing = MetadataConditions.ImageIsResourceOnlyBinary;
            if (portableExecutable.IsResourceOnly)
            {
                return(result);
            }

            // Here's an example of parameterizing a rule from input XML. In this example,
            // we enforce that the linker is of a minimal version, otherwise the scan will
            // not occur (because the toolset producing the binary is not sufficiently
            // current to enable the security mitigation).
            //
            Version minimumRequiredLinkerVersion = policy.GetProperty(MinimumRequiredLinkerVersion);

            if (portableExecutable.LinkerVersion < minimumRequiredLinkerVersion)
            {
                reasonForNotAnalyzing = string.Format(
                    MetadataConditions.ImageCompiledWithOutdatedTools,
                    portableExecutable.LinkerVersion,
                    minimumRequiredLinkerVersion);

                return(result);
            }

            // If we get to this location, we've determined the binary is valid to analyze.
            // We clear the 'reasonForNotAnalyzing' output variable and return
            // ApplicableToSpecifiedTarget.
            //
            reasonForNotAnalyzing = null;
            return(AnalysisApplicability.ApplicableToSpecifiedTarget);
        }
Пример #10
0
 public abstract AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing);
Пример #11
0
 public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
 {
     return(StackProtectionUtilities.CommonCanAnalyze(target, out reasonForNotAnalyzing));
 }
Пример #12
0
 public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
 {
     reasonForNotAnalyzing = "";
     return(AnalysisApplicability.ApplicableToSpecifiedTarget);
 }