
Dredge

AI-powered binary vulnerability discovery for drones, servers, satellites, and IoT.

Point Dredge at a compiled binary or firmware image - it decompiles with Ghidra, triages with fast heuristics, and sends the most interesting functions to Claude for deep vulnerability analysis. Domain-specific profiles tune the analysis for your target.

  • Automated 6-stage pipeline from raw binary to actionable vulnerability report
  • 4 analysis profiles with domain-specific triage heuristics, vuln classes, and Claude prompts
  • Parallel Ghidra decompilation and concurrent async Claude API calls
  • Smart triage scores functions 0-100 using heuristics before expensive LLM calls
  • Attack chain detection - correlated findings boost severity (e.g., hardcoded creds + auth bypass)
  • Graceful interruption - Ctrl+C saves progress, resume with dredge rescan
  • Rich terminal UI with live dashboard, progress bars, and severity-colored finding cards

Profiles

| Profile   | Targets                                  | Example Vulnerability Classes                                                          |
|-----------|------------------------------------------|----------------------------------------------------------------------------------------|
| drone     | ArduPilot, PX4, Betaflight, UUVs, rovers | Command spoofing, failsafe bypass, GPS spoofing, geofence escape, unauthorized arming   |
| server    | nginx, Redis, Postgres, custom daemons   | SQL injection, SSRF, deserialization, container escape, privilege escalation           |
| satellite | NASA cFS, CubeSats, ground stations      | Telecommand spoofing, safe mode bypass, replay attacks, time corruption                |
| iot       | Routers, IP cameras, IoT gateways        | Command injection, hardcoded credentials, firmware backdoors, insecure updates         |

dredge scan firmware.bin --profile drone
dredge scan redis-server --profile server
dredge scan cfe_es.elf --profile satellite
dredge scan router.bin --profile iot
dredge scan unknown.bin                     # auto-detects profile

Installation

git clone https://github.com/HueCodes/Dredge.git
cd Dredge
python -m venv .venv && source .venv/bin/activate
pip install -e .
dredge init  # checks tools, creates config

Requirements

  • Python 3.11+
  • Ghidra 10.x+ (for decompilation)
  • binwalk 2.x+ (only needed for firmware images - not required when scanning raw ELF binaries)
  • ANTHROPIC_API_KEY environment variable

Quick Start

# Try it instantly - no Ghidra or binwalk needed
dredge demo

# Demo a specific profile
dredge demo --profile satellite

# Scan a single ELF binary (no binwalk needed)
dredge scan ./redis-server --profile server

# Scan a drone autopilot binary
dredge scan arducopter --profile drone

# Only show critical and high findings
dredge scan firmware.bin --min-severity high

# Scan a directory of server binaries
dredge scan-dir ./binaries/ --profile server

# Compare two firmware versions
dredge compare 1 2

# Export findings as JSON
dredge export 1 --format json

Commands

| Command  | Description                                              |
|----------|----------------------------------------------------------|
| demo     | Run on bundled samples - no Ghidra/binwalk needed        |
| scan     | Run full analysis pipeline on a binary or firmware image |
| scan-dir | Scan all binaries in a directory                         |
| list     | List all scans with finding counts                       |
| findings | Show findings for a specific scan                        |
| rescan   | Re-run pipeline from a specific stage                    |
| export   | Export findings to Markdown or JSON                      |
| compare  | Diff findings between two scans                          |
| info     | Detailed metadata for a scan                             |
| stats    | Aggregate statistics across all scans                    |
| init     | Setup wizard - checks tools, creates config              |
| clean    | Remove artifacts and temp files                          |

How It Works

binary / firmware
    │
    ▼
┌───────────┐     ┌───────────┐     ┌────────────┐     ┌─────────┐
│ Extract   │────▶│ Discover  │────▶│ Decompile  │────▶│ Triage  │
│ (binwalk) │     │ (profile- │     │ (Ghidra    │     │ (heur-  │
│           │     │  aware)   │     │  parallel) │     │  istics)│
└───────────┘     └───────────┘     └────────────┘     └────┬────┘
                                                            │
                  ┌───────────┐     ┌────────────┐     ┌────▼────┐
                  │ Report    │◀────│ Correlate  │◀────│ Analyze │
                  │ (terminal/│     │ (dedup +   │     │ (Claude │
                  │  md/json) │     │  chains)   │     │  async) │
                  └───────────┘     └────────────┘     └─────────┘

  1. Extract - Unpack firmware with binwalk, locate filesystem root
  2. Discover - Find binaries, prioritize using profile-specific heuristics
  3. Decompile - Ghidra headless produces pseudo-C, call graphs, strings (parallel)
  4. Triage - Score functions 0-100 with universal + domain-specific patterns
  5. Analyze - Send above-threshold functions to Claude with profile-tuned prompts (concurrent, retry)
  6. Correlate - Deduplicate, boost severity for attack chains
  7. Report - Rich terminal panels, Markdown, or JSON
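The two stages that do the most to keep LLM spend down and reports readable are Triage (step 4) and Correlate (step 6). The following is an added example, not Dredge's own code: the regexes, weights, per-profile keyword lists, severity ladder and chain rules are all assumptions chosen to show the mechanics of scoring decompiled functions 0-100 against universal plus profile-specific patterns, cutting at a threshold, then deduplicating findings and boosting severity when two classes form an attack chain (the hardcoded credentials + auth bypass case mentioned above). The pseudo-C snippets and findings are constructed inputs, not output from a real binary.

```python
"""Illustrative triage-then-correlate pass over decompiled pseudo-C.

Added example, not Dredge's own code: the regexes, weights, per-profile
keyword lists, severity ladder and chain rules are assumptions chosen to
show the idea behind steps 4 and 6 (score functions 0-100 before spending
LLM calls, then boost severity when findings form an attack chain).
"""
import re

# Universal heuristics: unbounded copies, shell/exec sinks, raw input reads,
# and string literals that look like embedded secrets. Weights are assumed.
UNIVERSAL_PATTERNS = {
    r"\b(strcpy|strcat|sprintf|gets)\s*\(": 25,
    r"\b(system|popen|exec\w*)\s*\(": 30,
    r"\b(memcpy|read|recv)\s*\(": 10,
    r'"[A-Za-z0-9_]*(passw|secret|token)[A-Za-z0-9_]*"': 15,
}

# Profile-specific heuristics (assumed keyword lists, not Dredge's).
PROFILE_PATTERNS = {
    "drone": {r"\b(arm|disarm|failsafe|geofence|mavlink)\w*": 20},
    "server": {r"\b(auth|login|session|sql|query)\w*": 15},
    "satellite": {r"\b(telecommand|cmd_ingest|safe_mode)\w*": 20},
    "iot": {r"\b(telnet|upgrade|firmware_update|cgi)\w*": 20},
}

SEVERITY_RANK = ["low", "medium", "high", "critical"]

# Pairs of vuln classes that together form a chain, and the severity each
# member is raised to when both appear in the same scan (assumed rules).
CHAIN_RULES = [
    ({"hardcoded_credentials", "auth_bypass"}, "critical"),
    ({"command_injection", "privilege_escalation"}, "critical"),
    ({"buffer_overflow", "missing_bounds_check"}, "high"),
]


def triage_score(pseudo_c: str, profile: str) -> int:
    """Score one decompiled function 0-100; each matched heuristic adds its weight."""
    patterns = dict(UNIVERSAL_PATTERNS)
    patterns.update(PROFILE_PATTERNS.get(profile, {}))
    score = sum(w for pat, w in patterns.items() if re.search(pat, pseudo_c, re.IGNORECASE))
    return min(score, 100)


def select_for_analysis(functions: dict[str, str], profile: str, threshold: int = 30):
    """Return (name, score) pairs at or above the threshold, highest score first."""
    scored = [(name, triage_score(body, profile)) for name, body in functions.items()]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])


def rank(severity: str) -> int:
    return SEVERITY_RANK.index(severity)


def correlate(findings: list[dict]) -> list[dict]:
    """Deduplicate by (function, vuln_class), keeping the highest severity,
    then label and raise findings that participate in a known chain."""
    best: dict[tuple, dict] = {}
    for f in findings:
        key = (f["function"], f["vuln_class"])
        if key not in best or rank(f["severity"]) > rank(best[key]["severity"]):
            best[key] = dict(f)
    present = {f["vuln_class"] for f in best.values()}
    for classes, target in CHAIN_RULES:
        if classes <= present:
            for f in best.values():
                if f["vuln_class"] in classes:
                    f["chain"] = sorted(classes)
                    if rank(f["severity"]) < rank(target):
                        f["severity"] = target
    return sorted(best.values(), key=lambda f: -rank(f["severity"]))


# Constructed decompiler output and analyzer findings (not from a real binary).
SAMPLE_FUNCTIONS = {
    "handle_arm_cmd": "void handle_arm_cmd(char *pkt) {\n  char buf[32];\n  strcpy(buf, pkt);\n  arm_motors();\n}",
    "check_login": 'int check_login(char *pw) {\n  return strcmp(pw, "admin_password") == 0;\n}',
    "blink_led": "void blink_led(void) {\n  gpio_toggle(13);\n}",
}
SAMPLE_FINDINGS = [
    {"function": "check_login", "vuln_class": "hardcoded_credentials", "severity": "medium"},
    {"function": "check_login", "vuln_class": "hardcoded_credentials", "severity": "low"},
    {"function": "handle_arm_cmd", "vuln_class": "auth_bypass", "severity": "high"},
    {"function": "handle_arm_cmd", "vuln_class": "buffer_overflow", "severity": "high"},
]

if __name__ == "__main__":
    print("sent to analysis:", select_for_analysis(SAMPLE_FUNCTIONS, "drone"))
    for f in correlate(SAMPLE_FINDINGS):
        print(f["severity"].upper(), f["function"], f["vuln_class"], f.get("chain", ""))
```

With the drone profile and the default threshold of 30, only handle_arm_cmd (strcpy plus an arming keyword) is forwarded for deep analysis; check_login scores 15 on its embedded password literal alone and is skipped, which is exactly the trade-off a threshold makes, so lowering it widens the net at the cost of more LLM calls. In correlation, the duplicate hardcoded-credentials finding collapses to its higher severity, and because an auth-bypass finding is present in the same scan both are raised to critical and tagged with the chain.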

Configuration

Dredge looks for config.toml in the current directory or ~/.dredge/config.toml. See config.toml.example.

[general]
work_dir = "~/.dredge"
max_parallel_ghidra = 2

[analysis]
triage_threshold = 30

[claude]
model = "claude-sonnet-4-20250514"
max_concurrent_requests = 5

[targets]
high_priority = ["httpd", "arducopter", "nginx"]

Development

pip install -e ".[dev]"
pytest -v              # 126 tests, <0.5s
mypy dredge/

License

MIT
