Binary SCA fingerprint extraction black Technology: go language Reverse Technology

Abstract ：SCA（Software Composition Analysis） Software component analysis , It refers to the software source code 、 Static analysis of binary software packages , Tap its existing open source compliance 、 Known vulnerabilities and other security compliance risks , It is a common security testing method in the industry

Hua Wei Yun DevCloud The software development platform is in 2022 Huawei partners and Developers Conference launched 4 Daxin capability , Among them, binary component analysis has the ability of safety detection , It can realize the comprehensive investigation of open source software vulnerabilities 、 Fast and accurate positioning of problems 、 And quickly respond to repair ; This article will discuss what is binary SCA The detection service and the advantages of this service .

What is binary SCA Testing services

SCA（Software Composition Analysis） Software component analysis , Refers to through pair Software source code 、 Binary packages Etc , Tap its existing open source compliance 、 Known vulnerabilities and other security compliance risks , It is a common security testing method in the industry （ At present, Huawei cloud provides binary SCA Testing services , Source code SCA The test service will be officially released later ）.

Binary system SCA Testing services , The detection object is binary software package / The firmware , Extract constant strings directly from binary files 、 Partial class name 、 Function name and other characteristic information , Then use the matching algorithm to calculate the similarity , The name and version number of the referenced open source software are detected according to the similarity threshold .

Binary system SCA Check and compare the source code SCA Advantages of detection

No need to rely on source code , It is easy to operate

Users only need to upload binary packages / The firmware , The service will use static detection technology , No need to build the running environment , You can quickly analyze binary packages without running a program / Security risks in firmware , And output a professional analysis report

chart ： Binary component analysis - Detection processing flow

Binary system SCA Fingerprint extraction black Technology ：Go The of language reverse technology --- Restore function name algorithm

Doing a security audit of the program 、 When detecting vulnerabilities , It is usually necessary to reverse analyze the program , We have no symbol table , An algorithm for recovering function names is proposed , Convenience is right Go Reverse analysis of language binaries , Improve analysis efficiency .

Go Language is a very popular language in recent years , It has and C/C++ The same advantages of fast running speed , At the same time, it has high development efficiency , Support package management mechanism and high-level language features . Its compiled binary file format and C/C++ It's also running on Linux Under the platform is elf Format , Running on the windows Under the platform is pe Format , But at the same time, in the internal details of the binary file Go Language has its own unique properties , Binary reverse personnel can take advantage of Go Language these unique attributes to achieve a more accurate reverse analysis of binary files .

characteristic 1： utilize Go The unique section information in the language to judge elf/pe The source language type of the file , yes Go Language or C、C++ Language

By judging whether there is... In the binary file “.noptrdata”、“.Gopclntab”、“.data.rel.ro.Gopclntab” Determine the source code , If the above section name exists , Then the source code is Go Language .

characteristic 2： How to recover the function name without a symbol table

We know that C/C++ In the compiled binary file , If there is no symbol table information, you can't see the function name , stay IDA Only address information can be seen in the tool .

Go How does the language recover function names , You can do this by .data.rel.ro Section to recover the function name , The specific search and location algorithm is as follows ：

Method 1：

Parsing header information can be obtained magic, quantum, ptr_size, func_tab_count data , When magic by ’\xfb\xff\xff\xff’ when ,entry_size = 2 * ptr_size by entry Structure size ,func_tab_count by entry Number of structures ; analysis entry Structure gets name information structure data position offset ( We need to pay attention to 64 Bit and 32 position Go Program func_info_offset Opposite position ), Read name information structure data , Then get the name string position offset (name_offset), Navigate to the start of the function name string based on this offset , Resolve from this location to get the function name .

Method 2：

1.16 edition Go There are some new changes in language structure ,magic Turn into ’\xfa\xff\xff\xff’, Parsing header information acquisition func_tab_cnt, file_cnt, func_name_off, cu_off, filetab_off, pctab_off, func_tab_off data , among func_tab_off by entry Data start position , analysis entry Structure acquisition code_off, func_info_offset data , The subsequent parsing process is the same as magic=’\xfb\xff\xff\xff’ Agreement .

The real name of the function can be restored through the above two methods , So that it is convenient to Go Reverse analysis of language binary files , Improve analysis efficiency .

DevCloud The software development platform is based on binary component analysis technology , The following capabilities can be provided for developers ：

• Support multiple types of installation packages ： Support windows、linux、IoT Firmware package 、 Security detection of common software packages such as Android deployment packages .
• The test is comprehensive ： Support for licenses for open source software 、 Loophole 、 Information disclosure 、 Security configuration, etc 3 Major item 、25 Security problem detection of subclasses .
• Open source software covers all aspects ： Cover 100+ Vulnerability source 、 Millions of open source component versions , Open source issues are fully covered .
• Guarantee rapid ： Hour scale Vulnerability update , Improve the speed of vulnerability discovery , Reduce security risks .

author ： Zheng Zhiqiang | Huawei cloud binary security testing tool expert

Click to follow , The first time to learn about Huawei's new cloud technology ~