detect command (attack_surface_approximation) fails on stripped binaries and non-standard Ghidra syntax #9

Description

@krpandrei05

The detect command is unable to analyze stripped binaries or complex executables due to a combination of missing symbols and non-standard decompilation output.

Currently, the tool encounters two main obstacles:

  1. Missing Symbols: The Ghidra script crashes when the main function is not found, resulting in a Python traceback. pycparser then attempts to parse this traceback as C code, leading to a ParseError (e.g., "before: recent").
  2. Decompilation Artifacts: The decompiled code often contains Ghidra-specific keywords and formatting (such as processEntry, PTR_FUN_, or &stack0x...) that are not valid C89 syntax, causing further parsing failures.

The static analysis should be robust enough to fall back to the entry point and clean the code of any non-standard artifacts before passing it to the C parser.

Steps to reproduce:

  1. Use a stripped ELF binary (e.g., a system utility like uname).
  2. Run:
poetry run attack_surface_approximation detect --elf examples/uname_32

The result is:

$ poetry run attack_surface_approximation detect --elf examples/uname_32
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/home/krpandrei/andreiOpenCRS/attack_surface_approximation/attack_surface_approximation/cli.py", line 198, in main
    cli(prog_name="attack_surface_approximation")
  File "/home/krpandrei/andreiOpenCRS/attack_surface_approximation/.venv/lib/python3.12/site-packages/click/core.py", line 1514, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/krpandrei/andreiOpenCRS/attack_surface_approximation/.venv/lib/python3.12/site-packages/click/core.py", line 1435, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/home/krpandrei/andreiOpenCRS/attack_surface_approximation/.venv/lib/python3.12/site-packages/click/core.py", line 1902, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/krpandrei/andreiOpenCRS/attack_surface_approximation/.venv/lib/python3.12/site-packages/click/core.py", line 1298, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/krpandrei/andreiOpenCRS/attack_surface_approximation/.venv/lib/python3.12/site-packages/click/core.py", line 853, in invoke
    return callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/krpandrei/andreiOpenCRS/attack_surface_approximation/.venv/lib/python3.12/site-packages/click/decorators.py", line 34, in new_func
    return f(get_current_context(), *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/krpandrei/andreiOpenCRS/attack_surface_approximation/attack_surface_approximation/cli.py", line 192, in analyze
    ctx.invoke(detect, elf=elf)
  File "/home/krpandrei/andreiOpenCRS/attack_surface_approximation/.venv/lib/python3.12/site-packages/click/core.py", line 853, in invoke
    return callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/krpandrei/andreiOpenCRS/attack_surface_approximation/attack_surface_approximation/cli.py", line 81, in detect
    streams = detector.detect_all()
              ^^^^^^^^^^^^^^^^^^^^^
  File "/home/krpandrei/andreiOpenCRS/attack_surface_approximation/attack_surface_approximation/static_input_streams_detection/detector.py", line 148, in detect_all
    return list(self.__detect_all())
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/krpandrei/andreiOpenCRS/attack_surface_approximation/attack_surface_approximation/static_input_streams_detection/detector.py", line 135, in __detect_all
    if self.uses_arguments():
       ^^^^^^^^^^^^^^^^^^^^^
  File "/home/krpandrei/andreiOpenCRS/attack_surface_approximation/attack_surface_approximation/static_input_streams_detection/detector.py", line 124, in uses_arguments
    ast = parser.parse(self.__main_decompilation)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/krpandrei/andreiOpenCRS/attack_surface_approximation/.venv/lib/python3.12/site-packages/pycparser/c_parser.py", line 147, in parse
    return self.cparser.parse(
           ^^^^^^^^^^^^^^^^^^^
  File "/home/krpandrei/andreiOpenCRS/attack_surface_approximation/.venv/lib/python3.12/site-packages/pycparser/ply/yacc.py", line 331, in parse
    return self.parseopt_notrack(input, lexer, debug, tracking, tokenfunc)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/krpandrei/andreiOpenCRS/attack_surface_approximation/.venv/lib/python3.12/site-packages/pycparser/ply/yacc.py", line 1199, in parseopt_notrack
    tok = call_errorfunc(self.errorfunc, errtoken, self)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/krpandrei/andreiOpenCRS/attack_surface_approximation/.venv/lib/python3.12/site-packages/pycparser/ply/yacc.py", line 193, in call_errorfunc
    r = errorfunc(token)
        ^^^^^^^^^^^^^^^^
  File "/home/krpandrei/andreiOpenCRS/attack_surface_approximation/.venv/lib/python3.12/site-packages/pycparser/c_parser.py", line 1968, in p_error
    self._parse_error(
  File "/home/krpandrei/andreiOpenCRS/attack_surface_approximation/.venv/lib/python3.12/site-packages/pycparser/plyparser.py", line 67, in _parse_error
    raise ParseError("%s: %s" % (coord, msg))
pycparser.plyparser.ParseError: :1:19: before: entr
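
An added example, not part of the issue or the project's code: a pre-parse guard that rejects a Python traceback before it reaches the C parser, drops the `processEntry` keyword, and reports where the other artifacts named above occur. The names `prepare_for_parser` and `DecompilationError` are hypothetical, and both sample inputs are constructed.

```python
import re


class DecompilationError(Exception):
    """The decompiler step produced something that is not C source."""


TRACEBACK = re.compile(r"^Traceback \(most recent call last\):", re.MULTILINE)
# Ghidra places this calling-convention keyword before the function name.
PROCESS_ENTRY = re.compile(r"\bprocessEntry\s+")
# Artifacts named in the issue that are reported here rather than rewritten.
REPORTED = {
    "PTR_FUN_": re.compile(r"\bPTR_FUN_\w+"),
    "&stack0x": re.compile(r"&stack0x[0-9a-fA-F]+"),
}


def prepare_for_parser(output):
    """Return (c_source, findings) or raise DecompilationError."""
    if not output.strip():
        raise DecompilationError("decompiler returned no output")
    if TRACEBACK.search(output):
        # Surface the script's own error instead of a confusing ParseError.
        reason = output.strip().splitlines()[-1]
        raise DecompilationError("Ghidra script failed: " + reason)
    source = PROCESS_ENTRY.sub("", output)
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for label, pattern in REPORTED.items():
            for match in pattern.finditer(line):
                findings.append((lineno, label, match.group(0)))
    return source, findings


# Constructed sample of decompiler output for an entry-point function.
SAMPLE_C = (
    "void processEntry entry(int param_1)\n"
    "{\n"
    "  (*(code *)PTR_FUN_0804c000)(param_1, &stack0x00000004);\n"
    "}\n"
)
# Constructed sample of a script failure printed in place of C code.
SAMPLE_TRACEBACK = (
    "Traceback (most recent call last):\n"
    '  File "script.py", line 1, in <module>\n'
    "IndexError: index out of range\n"
)
```

The findings list gives line numbers for each remaining artifact, so the caller can decide whether to rewrite those constructs or skip the function before invoking pycparser.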
