KRFAnalysis contains an LLVM pass and related scipts that test potential vulnerability to the tool KRF by checking whether the result of a syscall is checked for errors.
It runs through opt
on LLVM IR files (.bc
)
An LLVM Pass runs on the LLVM IR and can do analysis, transformations, and optimizations. In our case, we attempt to analyze when the results of syscalls are used.
LLVM Passes have several benefits:
- Works on any platform (since IR is platform agnostic)
- Works with Go, C, C++, and Rust
- Extremely rich capability for static analysis
But also some downsides:
- Need to have the IR bytecode, which effectively means you must have the source code
- Only works with Go, C, C++, and Rust
- LLVM has a somewhat steep learning curve
Docker is recommended, since it makes the setup and build process easier.
git clone https://github.com/trailofbits/KRFAnalysis && cd KRFAnalysis
docker build . -t krf
docker run -it krf
First, you needs to install the dependencies including cmake
, llvm
, llvm-dev
, and python3.7
Then, run the following commands to clone and build the repository, which will generate a libLLVMKRF.so
file.
git clone https://github.com/trailofbits/KRFAnalysis && cd KRFAnalysis
mkdir build && cd build
cmake ../
cmake --build .
The LLVM pass runs through opt
(which may be opt-6.0
or whatever version of llvm you have).
To analyze the file file.bc
and output human readable text into the file output.txt
, you would run:
opt -load path/to/libLLVMKRF.so -KRF -disable-output -krf-output output.txt file.bc
To analyze the file file.bc
and output JSON into the file pass_output.json
, you would run:
opt -load path/to/libLLVMKRF.so -KRF -disable-output -krf-output pass_output.json -krf-json file.bc
If -krf-output
is not specified, the output will default to krfpass.out
After creating JSON output, it can be further analyzed and triaged by the triage script:
python3 triage/triage.py pass_output.json # Outputs human readable triaged information
python3 triage/triage.py -json pass_output.json # Outputs JSON