KRFAnalysis contains an LLVM pass and related scripts that test potential vulnerability to the tool KRF by checking whether the result of a syscall is checked for errors. It runs through `opt` on LLVM IR files.
An LLVM Pass runs on the LLVM IR and can do analysis, transformations, and optimizations. In our case, we attempt to analyze when the results of syscalls are used.
LLVM Passes have several benefits:
- Works on any platform (since IR is platform agnostic)
- Works with Go, C, C++, and Rust
- Extremely rich capability for static analysis
But also some downsides:
- Need to have the IR bytecode, which effectively means you must have the source code
- Only works with Go, C, C++, and Rust
- LLVM has a somewhat steep learning curve
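The following is an added example, not code from KRFAnalysis, showing the defect class the pass reports: a syscall whose return value is never inspected. `copy_unchecked` drops the results of `read()` and `write()`, so a failed syscall is silently treated as success; `copy_checked` tests every result, retries on `EINTR`, and completes short writes. The `demo` harness and its pipe-based input are constructed here for an offline run; passing `-1` as the source descriptor stands in for a failed `open()`.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Unchecked form: the return values of read() and write() are discarded, so an
 * error (EBADF, EINTR, ...) or a short read is treated as if `len` bytes were
 * copied. This is the pattern the KRF pass flags. */
size_t copy_unchecked(int in_fd, int out_fd, char *buf, size_t len) {
    read(in_fd, buf, len);          /* result ignored */
    write(out_fd, buf, len);        /* writes `len` bytes even if read failed */
    return len;                     /* claims success unconditionally */
}

/* Checked form: every syscall result is inspected. EINTR is retried, a short
 * write is continued, and any other failure is propagated as -1. Returns the
 * number of bytes actually copied. */
ssize_t copy_checked(int in_fd, int out_fd, char *buf, size_t len) {
    ssize_t n;
    do {
        n = read(in_fd, buf, len);
    } while (n < 0 && errno == EINTR);
    if (n < 0)
        return -1;                  /* read failed: report it */
    size_t off = 0;
    while (off < (size_t)n) {
        ssize_t w = write(out_fd, buf + off, (size_t)n - off);
        if (w < 0) {
            if (errno == EINTR)
                continue;           /* interrupted: retry the write */
            return -1;              /* write failed: report it */
        }
        off += (size_t)w;           /* handle short writes */
    }
    return n;
}

/* Constructed harness: push a 5-byte message through a pipe with either
 * copier. When break_input is set, the source descriptor is -1, which makes
 * read() fail with EBADF. Returns what the copier reported. */
ssize_t demo(int use_checked, int break_input) {
    int in[2], out[2];
    if (pipe(in) < 0 || pipe(out) < 0)
        return -1;
    const char msg[] = "hello";     /* constructed sample input */
    if (write(in[1], msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1))
        return -1;
    close(in[1]);
    int src = break_input ? -1 : in[0];
    char buf[64];
    memset(buf, 0, sizeof buf);
    ssize_t r = use_checked
        ? copy_checked(src, out[1], buf, sizeof buf)
        : (ssize_t)copy_unchecked(src, out[1], buf, sizeof buf);
    close(out[1]);
    close(in[0]);
    close(out[0]);
    return r;
}

int main(void) {
    printf("checked, good input:   %ld\n", (long)demo(1, 0));   /* 5 */
    printf("checked, broken input: %ld\n", (long)demo(1, 1));   /* -1 */
    printf("unchecked, broken fd:  %ld\n", (long)demo(0, 1));   /* 64 */
    return 0;
}
```

Compiled to bitcode, the unchecked function is what the pass should report; the checked one is what a fix looks like. Note that the unchecked version not only hides the failure but also forwards 64 bytes of uninitialised-looking buffer to the output, which is exactly the kind of behaviour a fault-injecting tool like KRF surfaces.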
Docker is recommended, since it makes the setup and build process easier.
```
git clone https://github.com/trailofbits/KRFAnalysis && cd KRFAnalysis
docker build . -t krf
docker run -it krf
```
First, you need to install the dependencies, including
Then, run the following commands to clone and build the repository, which will generate a
```
git clone https://github.com/trailofbits/KRFAnalysis && cd KRFAnalysis
mkdir build && cd build
cmake ../
cmake --build .
```
The LLVM pass runs through `opt` (which may be `opt-6.0` or whatever version of LLVM you have).
To analyze the file `file.bc` and output human readable text into the file `output.txt`, you would run:

```
opt -load path/to/libLLVMKRF.so -KRF -disable-output -krf-output output.txt file.bc
```
To analyze the file `file.bc` and output JSON into the file `pass_output.json`, you would run:

```
opt -load path/to/libLLVMKRF.so -KRF -disable-output -krf-output pass_output.json -krf-json file.bc
```
If `-krf-output` is not specified, the output will default to
After creating JSON output, it can be further analyzed and triaged by the triage script:
```
python3 triage/triage.py pass_output.json        # Outputs human readable triaged information
python3 triage/triage.py -json pass_output.json  # Outputs JSON
```
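As an added example, not a script shipped with KRFAnalysis, the steps above (compile to bitcode, run the pass under `opt`, triage the JSON) can be chained in one driver. The environment variables `KRF_LIB`, `OPT`, `CLANG` and `TRIAGE` and their defaults are assumptions made here, as are the `clang` flags `-O0 -g -emit-llvm -c`; the `opt` and `triage.py` invocations are the ones documented above.

```shell
#!/bin/sh
# Added example (not part of KRFAnalysis): source file -> bitcode -> KRF pass
# JSON -> triage report. Paths below are assumptions; override via environment.
set -eu

KRF_LIB="${KRF_LIB:-build/libLLVMKRF.so}"   # assumed location of the pass library
OPT="${OPT:-opt}"                            # may be opt-6.0 etc. on your system
CLANG="${CLANG:-clang}"
TRIAGE="${TRIAGE:-triage/triage.py}"

# Bitcode path for a source file: src/main.c -> src/main.bc
bitcode_for() {
    printf '%s\n' "${1%.*}.bc"
}

# Pass-output path for a bitcode file: src/main.bc -> src/main.krf.json
pass_output_for() {
    printf '%s\n' "${1%.bc}.krf.json"
}

# Extra opt flag for the requested output mode: "json" adds -krf-json,
# "text" adds nothing (the pass then writes human readable text).
mode_flag() {
    if [ "$1" = json ]; then
        printf '%s\n' -krf-json
    else
        printf '\n'
    fi
}

# Compile C to bitcode. -O0 keeps syscall call sites as written and -g gives
# the pass source locations to report (flag choice is an assumption here).
to_bitcode() {
    "$CLANG" -O0 -g -emit-llvm -c "$1" -o "$(bitcode_for "$1")"
}

# Run the KRF pass: $1 = input .bc, $2 = output file, $3 = json|text.
run_pass() {
    # shellcheck disable=SC2046  (mode_flag yields zero or one word on purpose)
    "$OPT" -load "$KRF_LIB" -KRF -disable-output -krf-output "$2" $(mode_flag "$3") "$1"
}

# Full pipeline for one C file, ending in the human readable triage report.
run_krf() {
    src="$1"
    bc="$(bitcode_for "$src")"
    json="$(pass_output_for "$bc")"
    to_bitcode "$src"
    run_pass "$bc" "$json" json
    python3 "$TRIAGE" "$json"
}

# Usage: sh run_krf.sh file.c   (does nothing when invoked without arguments)
if [ "$#" -ge 1 ]; then
    run_krf "$1"
fi
```

Keep the JSON from `run_pass` rather than only the triage text: the pass output is the artefact you re-triage later with `-json` once you have decided which findings are real.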