Exploring an approach to inserting and tracking code fix markers in binaries.

sa-ne/FixSigTrack

Fix-Signature Tracking (FixSigTrack)

This is an exploration of using the yara tool (https://virustotal.github.io/yara/) as a mechanism to express "rules" that identify "signature" markers associated with code fixes. Product Security Advisories may be issued in response to documented CVE exposures. At Red Hat these are called Red Hat Security Advisories, or RHSAs. An RHSA may span multiple CVEs. The signature approach that yara enables can provide reporting and verification at the granularity of individual fixes on a produced binary.

This repository demonstrates successful signature identification on files built using the following build stacks:

* C
* C++
* Java
* Go (Golang)

While we will assume a Linux environment, the process can very easily be adapted to other environments. I installed most everything using dnf on Fedora 32.

To start, you will need the yara tool installed:

* yara-3.11.0-2.fc32.x86_64

To support the above languages I have the following installed:

* gcc-10.1.1-1.fc32.x86_64
* gcc-c++-10.1.1-1.fc32.x86_64
* java-1.8.0-openjdk-1:1.8.0.252.b09-1.fc32.x86_64
* golang-1.14.3-1.fc32.x86_64

After cloning this repository you can execute the build.sh script. This script creates a target folder tree and compiles each of the sample code files from the src tree. If you have the tree command installed, you can verify that the src tree is mirrored in the target tree.

At this point you can execute scan.sh or scan2.sh. The first script (scan.sh) runs a scan using a generic rule, which produces output like the following:

  Fix_ID_2017_2423_2019_17571 [RHSA_ID="RHSA-2017:2423",CVE_ID="CVE-2019-17571"] target/java/TestJava2.class
  Fix_ID_2017_2423_2019_17571 [RHSA_ID="RHSA-2017:2423",CVE_ID="CVE-2019-17571"] target/c/TestC2
  Fix_ID_2017_2423_2019_17571 [RHSA_ID="RHSA-2017:2423",CVE_ID="CVE-2019-17571"] target/c++/TestCPP2
  Fix_ID_2017_2423_2019_17571 [RHSA_ID="RHSA-2017:2423",CVE_ID="CVE-2019-17571"] target/go/TestGo2

The other script executes a rule containing a more specific signature resulting in fewer matches:

  Fix_ID_2017_2423_2019_17571 [RHSA_ID="RHSA-2017:2423",CVE_ID="CVE-2019-17571"] target/java/TestJava2.class
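The two scans above could be expressed as YARA rules along the following lines. This is an added illustration, not the repository's own rule files: the marker string, the `_JavaOnly` rule name (the repository's output shows the same rule name for both scans) and the use of the Java class-file magic number to narrow the match are all assumptions.

```yara
// Constructed example. The marker text is hypothetical, not the repository's.
// Scan with metadata printed, e.g.:  yara -m -r fixsig.yar target/

// Generic rule: fires on any file that carries the marker string,
// regardless of which build stack produced it.
rule Fix_ID_2017_2423_2019_17571
{
    meta:
        RHSA_ID = "RHSA-2017:2423"
        CVE_ID  = "CVE-2019-17571"
    strings:
        // ASCII marker that the fixed source embeds as a string constant
        $marker = "FIXSIG:RHSA-2017:2423:CVE-2019-17571" ascii
    condition:
        $marker
}

// More specific rule: same marker, but only inside a Java class file,
// identified by the 0xCAFEBABE magic number at offset 0.
rule Fix_ID_2017_2423_2019_17571_JavaOnly
{
    meta:
        RHSA_ID = "RHSA-2017:2423"
        CVE_ID  = "CVE-2019-17571"
    strings:
        $marker = "FIXSIG:RHSA-2017:2423:CVE-2019-17571" ascii
    condition:
        uint32be(0) == 0xCAFEBABE and $marker
}
```

A match shows only that the marker string is present in the file, so the marker has to be placed where the build cannot discard it: compilers and linkers drop string constants that nothing references.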
