Dynamic and Static Analysis of SOUPs

Performs raw search of the given function name from the static and dynamic function trace database.

Automates the function name extraction from the list of CVEs of a given SOUP and perform search operation against the static and dynamic function trace database.

Installation

Sync the repo and run

python run.py

Usage

How does this tool works?

There are 3 mode of operation RAW mode, CMD mode and Linux CVE analysis mode

RAW mode

This is a simple search feature that takes an input (search string or function name) from the user and check if that string is present in the static and dynamic function trace database.

> python .\run.py
Enter the mode of operation
1. RAW
2. CMD
3. Linux-OS
0. EXIT
>> 1


Enter the search string:test123
Trim Database
[-] Not Found


Static Database
[-] Not Found


Dynamic Database
[-] Not Found

CMD mode

In this mode of operation, the programs accept soup, vendor, and version as an input from the user and using the NVD APIs fetches all the CVEs for the given SOUP.

The program checks if the CVE is applicable to the given SOUP, or it was reported for the application running on the given SOUP. It discards such CVEs.

From the description of the remaining CVEs the program extracts the function name and uses that data to compare against the static and dynamic database function trace database.

The program also generates a summary of its finding.

> python .\run.py
Enter the mode of operation
1. RAW
2. CMD
3. Linux-OS
0. EXIT
>> 2


Enter the Vendor Name:apache
Enter the SOUP Name:struts
Enter the Version:1.1

[+] No Of CVEs 9
[+] Retrieving CVEs From The NVD Database
[+] Finished Retrieving


CVE-2016-1182 : Search String:['ActionServlet.java']
CVE-2016-1181 : Search String:['ActionServlet.java']
CVE-2006-1546 : Search String:["'org.apache.struts.taglib.html.Constants.CANCEL'"]



[+] Running On CVEs                     1
[+] Remaining CVEs                      8
    5 CVEs With No Function Name
    3 CVEs With Function Name
      0 Function Found In Logs
--------------------------------------------------
[+] Total CVEs                          9

Linux CVE analysis mode

This mode of operation has two functions

• CMD generation function

Generates the trace-cmd command for the user which can be directly used in the trace environment to generate the call graph.

> python .\run.py
Enter the mode of operation
1. RAW
2. CMD
3. Linux-OS
0. EXIT
>> 3


Report Analysis (Y/N):n
Vendor: linux
SOUP: linux_kernel
Enter the version: 4.4.0

[+] No Of CVEs 1780
[+] Retrieving CVEs From The NVD Database
[+] Finished Retrieving


[+] To trace vulnerable functions run:
trace-cmd record -p function -l scsi_ioctl -l sock_getsockopt -l vgacon_scrolldelta -l ext4_write_inline_data_end -l add_partition -l device_add -l block_invalidatepage -l cgroup_release_agent_write -l fget -l packet_set_ring -l fuse_do_getattr -l make_bad_inode -l get_user_pages -l vt_ioctl -l bpf_map_update_elem -l relay_open -l k_ascii -l kmem_cache_alloc_bulk -l debugfs_remove -l ptrace_may_access -l ptrace_may_access  -l fsnotify_put_mark


[+] To generate the report run:
trace-cmd report

• Call graph to CVE mapping mode

In this mode of operation, the programs accept the linux version as an input from the user and using the NVD APIs it fetches all the CVEs for the given SOUP. The program checks if the CVE is applicable to the given SOUP, or it was reported for the application running on the given SOUP. It discards such CVEs. From the description of the remaining CVEs the program extracts the function name and uses that data to compare against ftrace logs.The program also generates a summary of its finding.

> python .\run.py
Enter the mode of operation
1. RAW
2. CMD
3. Linux-OS
0. EXIT
>> 3


Report Analysis (Y/N):y
Is trace-cmd report in /logs-ftrace (Y/N):y
Vendor: linux
SOUP: linux_kernel
Enter the version: 4.4.0



[+] No Of CVEs 1780
[+] Retrieving CVEs From The NVD Database
[+] Finished Retrieving


[+] CVEs With Function  155
[+] isTriggerd Functions 6
[+] isNotTriggered Functions 149
╒══════════════════╤════════════════════════════════╤═══════════════╕
│ CVE              │ Vulnerable Function            │ isTriggered   │
╞══════════════════╪════════════════════════════════╪═══════════════╡
│ CVE-2022-0494    │ scsi_ioctl                     │ No            │
├──────────────────┼────────────────────────────────┼───────────────┤
│ CVE-2021-4203    │ sock_getsockopt                │ No            │
├──────────────────┼────────────────────────────────┼───────────────┤
│ CVE-2020-28097   │ vgacon_scrolldelta             │ No            │
├──────────────────┼────────────────────────────────┼───────────────┤
│ CVE-2021-40490   │ ext4_write_inline_data_end     │ No            │
├──────────────────┼────────────────────────────────┼───────────────┤
│ CVE-2021-4150    │ add_partition                  │ No            │
├──────────────────┼────────────────────────────────┼───────────────┤
│ CVE-2021-4150    │ device_add                     │ No            │
├──────────────────┼────────────────────────────────┼───────────────┤
│ CVE-2021-4148    │ block_invalidatepage           │ No            │
├──────────────────┼────────────────────────────────┼───────────────┤
│ CVE-2022-0492    │ cgroup_release_agent_write     │ No            │
├──────────────────┼────────────────────────────────┼───────────────┤
│ CVE-2021-4083    │ fget                           │ Yes           │
├──────────────────┼────────────────────────────────┼───────────────┤


[+] Running On CVEs             820
[+] Remaining CVEs              960
    811 CVEs Require Analysis
    149 CVEs Not Triggered
--------------------------------------------------
[+] Total CVEs                  1780

Contributing

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.

Please make sure to update tests as appropriate.