When performing Reverse Engineering or binary analysis, one of the most common questions is: "Can user-controlled data reach a potentially dangerous function?" Let's try...
Today we'll start here: In many CTF challenges and real-world binaries, vulnerabilities often follow a simple pattern:
Manually tracking these relationships is manageable in small programs, but quickly becomes time-consuming when dealing with larger applications.
Project Goal
Ghidra Sink Finder is a lightweight Ghidra script designed to automatically identify data flows between user-controlled input sources and security-relevant sink functions.
The script:
- Decompiles functions automatically.
- Searches for calls to selected sink functions.
- Identifies common user-controlled input sources.
- Tracks parameter propagation between functions.
- Reports paths where external data reaches potentially dangerous APIs.
The objective is not to replace a full static analysis framework, but to provide a fast and practical triage tool during Reverse Engineering and CTF/bug bounty analysis.
Input Sources
The script can identify data originating from common sources such as: argv[], getenv(), scanf(), fgets(), read(), recv().
Examples:
foo(argv[1]);
char *path = getenv("HOME");
These values are considered potentially user-controlled and are tracked through the application.
Sink Functions
The sink list is configurable and can be adapted to specific research goals.
Example sink functions include:
strcpy(), sprintf(), strncpy(), memcpy(), strcat(), system().
These functions are often associated with: buffer overflows, command injection, memory corruption, unsafe string handling and/or general security-sensitive operations.
Example Detection
Source code:
The script detects the following flow:
argv[1] -> parameter input -> strcpy()
Result:
Function: foo
Sink: strcpy
Reason:
Parameter "input" receives user-controlled data from caller main (argv[1])
How It Works
The current implementation performs:
- Function decompilation using the Ghidra Decompiler API.
- Identification of sink function calls.
- Extraction of sink arguments.
- Detection of user-controlled sources.
- One-level interprocedural parameter tracking (caller → callee).
- Reporting of discovered source-to-sink relationships.
This approach provides a good balance between simplicity, speed, and usefulness for practical analysis.
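To make the steps above concrete, here is an added plain-Python reimplementation of the heuristic (example code, not the project's script): it runs over constructed decompiled-C text that stands in for what the Ghidra Decompiler API returns, finds sink calls and their arguments, checks each argument against the source list, and does the one-level caller → callee parameter tracking before reporting in the same format as the result shown earlier.

```python
import re

# Heuristic source and sink lists mirroring the post; both are meant to be edited per target.
SOURCES = ("argv", "getenv(", "scanf(", "fgets(", "read(", "recv(")
SINKS = {"strcpy", "sprintf", "strncpy", "memcpy", "strcat", "system"}

# Constructed decompiled-C text standing in for Ghidra decompiler output (assumption).
DECOMPILED = {
    "foo": "void foo(char *input)\n{\n  char buf[64];\n  strcpy(buf, input);\n  return;\n}\n",
    "main": "int main(int argc, char **argv)\n{\n  foo(argv[1]);\n  return 0;\n}\n",
}

# A call statement: name(args);  args may not contain ';' or braces, so a function
# signature (followed by '{') is never mistaken for a call.
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(([^;{}]*)\)\s*;")

def params_of(code):
    """Parameter names from the decompiled signature, e.g. 'char *input' -> 'input'."""
    sig = code.split("{", 1)[0]
    inner = sig[sig.index("(") + 1 : sig.rindex(")")]
    return [p.split()[-1].lstrip("*") for p in inner.split(",") if p.strip() not in ("", "void")]

def split_args(text):
    return [a.strip() for a in text.split(",")] if text.strip() else []

def is_source(expr):
    return any(s in expr for s in SOURCES)

def find_flows(funcs):
    """Return (function, sink, reason) tuples for every source-to-sink path found."""
    findings = []
    for fname, code in funcs.items():
        params = params_of(code)
        for callee, arg_text in CALL_RE.findall(code):      # sink calls and their arguments
            if callee not in SINKS:
                continue
            for arg in split_args(arg_text):
                if is_source(arg):                           # source used directly in the sink
                    findings.append((fname, callee, f'Argument "{arg}" is user-controlled'))
                elif arg in params:                          # one-level caller -> callee tracking
                    idx = params.index(arg)
                    for caller, ccode in funcs.items():
                        for c2, cargs in CALL_RE.findall(ccode):
                            cl = split_args(cargs)
                            if c2 == fname and idx < len(cl) and is_source(cl[idx]):
                                findings.append((fname, callee, f'Parameter "{arg}" receives '
                                                 f"user-controlled data from caller {caller} ({cl[idx]})"))
    return findings

def report(findings):
    return "\n".join(f"Function: {f}\nSink: {s}\nReason: {r}" for f, s, r in findings)

if __name__ == "__main__":
    print(report(find_flows(DECOMPILED)))
```

Because the matching is textual, a source assigned to a local variable before reaching a sink is missed, which is the kind of false negative the limitations section describes.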
Use Cases
Demo: testing a vulnerable binary and generating a report as a Word file:
Current Limitations
The current version relies primarily on decompiled C code and heuristic analysis.
It is not a full:
- Data Flow Analysis engine
- Taint Analysis framework
- Symbolic Execution system
As a result, some false positives and false negatives are expected.
However, the lightweight design makes it particularly useful for rapid analysis during Reverse Engineering and CTF solving.
Future Enhancements
Possible future improvements include:
- Multi-level interprocedural tracking
- P-Code-based taint analysis
- Pointer and alias tracking
- Automatic function annotation inside Ghidra
- Source-to-sink visualization
- Interactive navigation from findings to decompiled code
Conclusion
Ghidra Simple Sink Finder is best viewed as a lightweight Reverse Engineering assistant rather than a vulnerability scanner.
Its primary purpose is to help analysts quickly answer a critical question:
"Can externally controlled data reach a potentially dangerous function?"
By automating this repetitive task, analysts can focus their time on understanding exploitability rather than manually tracing data flow through the application.
Full code is available here.
Thank you for all the support!
Have a nice day!