Skip to content

trailofbits/BTIGhidra

Repository files navigation

Binary Type Inference Ghidra Plugin

This plugin recovers and applies inferred type information to a Ghidra database. The plugin uses a type inference algorithm inspired by "Polymorphic Type Inference for Machine Code", to derive types that are conservative in the presence of subtyping and polymorphism. The Ghidra plugin itself is a frontend for a static analysis and type inference located in the binary_type_inference repository. Jump to the DEMO.md to see an example workflow, or follow the install directions to get started.

Installing

Download the latest release from the releases page. The plugin can be installed by opening Ghidra and selecting "Install Extensions..." in the project window. Select the downloaded zip, and ensure the checkbox next to BTIGhidra is checked. After restarting Ghidra, the plugin will be installed and the analysis will be available. DEMO.md provides usage instructions.

Building from Source

Please be sure to grab the submodules:

git submodule update --init --recursive

Build Requirements

The following must be installed:

  • Java 11+
  • gradle 7+
  • Rust toolchain with Cargo build system

There is a Dockerfile that provides an environment that is able to build and run the tests. Run the following from the root directory of this repo

$ docker build -t bti .
# Drop into the built container with this repo mapped in
# You can run the rest of the commands in the README within the Docker container
$ docker run --rm -t -i -v "$(pwd):/home/tob/workspace" -w /home/tob/workspace bti /bin/bash

Building

Make sure you have an environment variable set to the Ghidra installation directory (this is already set up in the Docker image/container):

export GHIDRA_INSTALL_DIR=<path_to>/ghidra_11.0.1_PUBLIC

Using the just tool (or view the justfile for common workflow commands):

just build

After building, you can find the zipped plugin in plugin/dist directory

Installing

If you are not using the Docker container, this command will build the zip and install it into the Ghidra directory specified by GHIDRA_INSTALL_DIR

just install

If you built using Docker, then you can only use the resulting built plugin on a Linux distribution newer than Ubuntu 20.04.

To install the plugin built by the Docker container, open Ghidra 11.0.1 on your host machine:

  1. Navigate and click on File -> Install Extensions...
  2. Click on the + icon in the upper right corner of the window
  3. Navigate to the path of this repo under plugin/dist and select the latest built ghidra_11.0.1_PUBLIC_<date>_BTIGhidra.zip file and hit OK to finish the selection
  4. Hit OK again if you do not see the message to "restart Ghidra"
  5. Restart Ghidra

The plugin is now installed!

Usage

DEMO.md walks through how to use the installed plugin to infer types on the mooosl ctf challenge.

Testing

just test

Usage Notes:

BTIGhidra currently relies on Ghidra's notions of parameters to bind physical locations to function parameters. If the decompiler has function signatures that are correct, you can run the Decompiler Parameter ID analysis to apply the decompile signatures to the ghidra database.

Acknowledgments

The underlying type inference algorithm used in this work was primarily inspired by and derives significant direction from the following paper:

M. Noonan, A. Loginov, and D. Cok, "Polymorphic Type Inference for Machine Code," arXiv:1603.05495 [cs], Mar. 2016, Accessed: Nov. 08, 2021. [Online]. Available: http://arxiv.org/abs/1603.05495

The methods described in the paper are patented under process patent US10423397B2 held by GrammaTech, Inc. This work was developed with permission from GrammaTech pursuant to the GPLv3 terms of their own implementation: https://github.com/GrammaTech/retypd.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of GrammaTech, Inc.

We would also like to thank the team at FKIE-CAD behind CWE Checker. Their static analysis platform over Ghidra PCode provided an excellent base set of capabilities in our analysis.