This plugin recovers inferred type information and applies it to a Ghidra database. The plugin uses a type inference algorithm inspired by "Polymorphic Type Inference for Machine Code" to derive types that are conservative in the presence of subtyping and polymorphism. The Ghidra plugin itself is a frontend for the static analysis and type inference engine located in the binary_type_inference repository. Jump to DEMO.md to see an example workflow, or follow the install directions to get started.
Download the latest release from the releases page. The plugin can be installed by opening Ghidra and selecting "Install Extensions..." in the project window. Select the downloaded zip, and ensure the checkbox next to BTIGhidra is checked. After restarting Ghidra, the plugin will be installed and the analysis will be available. DEMO.md provides usage instructions.
Please be sure to grab the submodules:
git submodule update --init --recursive
The following must be installed:
- Java 11+
- gradle 7+
- Rust toolchain with Cargo build system
There is a Dockerfile that provides an environment able to build the plugin and run the tests. Run the following from the root directory of this repo:
$ docker build -t bti .
# Drop into the built container with this repo mapped in
# You can run the rest of the commands in the README within the Docker container
$ docker run --rm -t -i -v "$(pwd):/home/tob/workspace" -w /home/tob/workspace bti /bin/bash
Make sure you have an environment variable set to the Ghidra installation directory (this is already set up in the Docker image/container):
export GHIDRA_INSTALL_DIR=<path_to>/ghidra_11.0.1_PUBLIC
Build with the just tool (or see the justfile for the underlying workflow commands):
just build
After building, the zipped plugin is in the plugin/dist directory.
If you are not using the Docker container, the following command builds the zip and installs it into the Ghidra directory specified by GHIDRA_INSTALL_DIR:
just install
If you built using Docker, then you can only use the resulting built plugin on a Linux distribution newer than Ubuntu 20.04.
To install the plugin built by the Docker container, open Ghidra 11.0.1 on your host machine:
- Navigate to File -> Install Extensions...
- Click the + icon in the upper right corner of the window
- Navigate to this repo's plugin/dist directory, select the latest built ghidra_11.0.1_PUBLIC_<date>_BTIGhidra.zip file, and hit OK to finish the selection
- Hit OK again if you do not see the message to "restart Ghidra"
- Restart Ghidra
The plugin is now installed!
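The build and install steps above are easy to get subtly wrong: picking a stale zip out of plugin/dist, or pointing GHIDRA_INSTALL_DIR at a Ghidra whose version differs from the one the zip was built against (Ghidra rejects an extension whose recorded version does not match the running install). The POSIX shell helpers below are an added example, not the project's own code or part of its justfile. They pick the newest BTIGhidra zip, check the install directory against the version encoded in the zip name, and stage the zip in the install's Extensions/Ghidra directory, which is the directory the "Install Extensions..." dialog lists. They assume the zip naming pattern shown in this README and the standard Ghidra layout (a ghidraRun launcher and a Ghidra/application.properties file under GHIDRA_INSTALL_DIR); both are assumptions, not something this README guarantees.

```shell
#!/bin/sh
# Added example, not part of BTIGhidra or its justfile. Assumes the zip is
# named ghidra_<version>_<release>_<date>_BTIGhidra.zip (as in this README)
# and that GHIDRA_INSTALL_DIR holds a stock Ghidra layout with a ghidraRun
# launcher and Ghidra/application.properties.

# Print the newest BTIGhidra zip in a dist directory (default plugin/dist).
latest_bti_zip() {
    dist_dir="${1:-plugin/dist}"
    newest=""
    # Pathname expansion is sorted; within one Ghidra version the date
    # stamp makes that order chronological, so the last match is the newest.
    for f in "$dist_dir"/ghidra_*_*_*_BTIGhidra.zip; do
        if [ -e "$f" ]; then newest="$f"; fi
    done
    if [ -z "$newest" ]; then
        echo "no BTIGhidra zip in $dist_dir; run 'just build' first" >&2
        return 1
    fi
    printf '%s\n' "$newest"
}

# ghidra_<version>_<release> as encoded in the zip file name.
zip_version_tag() {
    basename "$1" | sed -n 's/^\(ghidra_[^_]*_[^_]*\)_.*_BTIGhidra\.zip$/\1/p'
}

# ghidra_<version>_<release> of the install that GHIDRA_INSTALL_DIR names,
# read from Ghidra's application.properties.
installed_version_tag() {
    props="${GHIDRA_INSTALL_DIR:-}/Ghidra/application.properties"
    if [ ! -r "$props" ]; then
        echo "GHIDRA_INSTALL_DIR does not look like a Ghidra install (no $props)" >&2
        return 1
    fi
    ver=$(sed -n 's/^application\.version=//p' "$props")
    rel=$(sed -n 's/^application\.release\.name=//p' "$props")
    printf 'ghidra_%s_%s\n' "$ver" "$rel"
}

# Fail unless GHIDRA_INSTALL_DIR is a usable install whose version matches
# the one the zip was built for; print the matched version tag on success.
check_ghidra_dir() {
    zip_path="$1"
    if [ ! -x "${GHIDRA_INSTALL_DIR:-}/ghidraRun" ]; then
        echo "GHIDRA_INSTALL_DIR is unset or has no ghidraRun launcher" >&2
        return 1
    fi
    want=$(installed_version_tag) || return 1
    have=$(zip_version_tag "$zip_path")
    if [ "$want" != "$have" ]; then
        echo "$zip_path was built for $have but GHIDRA_INSTALL_DIR is $want" >&2
        return 1
    fi
    printf '%s\n' "$want"
}

# Copy the zip into <install>/Extensions/Ghidra, the directory the
# "Install Extensions..." dialog scans, and print the staged path.
stage_extension() {
    zip_path="$1"
    check_ghidra_dir "$zip_path" >/dev/null || return 1
    dest="$GHIDRA_INSTALL_DIR/Extensions/Ghidra"
    mkdir -p "$dest" && cp "$zip_path" "$dest/" || return 1
    printf '%s\n' "$dest/$(basename "$zip_path")"
}

# Typical use after `just build`:
#   zip=$(latest_bti_zip) && stage_extension "$zip"
```

After staging, the zip still has to be enabled through File -> Install Extensions... and Ghidra restarted, as in the steps above; the helpers only remove the guesswork about which zip to pick and whether it will be accepted.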
DEMO.md walks through how to use the installed plugin to infer types on the mooosl ctf challenge.
To run the test suite:
just test
BTIGhidra currently relies on Ghidra's notion of function parameters to bind physical locations (registers and stack slots) to parameters. If the decompiler's function signatures are correct, you can run the Decompiler Parameter ID analysis to write the decompiler-derived signatures into the Ghidra database before running the type inference.
The underlying type inference algorithm used in this work was primarily inspired by and derives significant direction from the following paper:
M. Noonan, A. Loginov, and D. Cok, "Polymorphic Type Inference for Machine Code," arXiv:1603.05495 [cs], Mar. 2016, Accessed: Nov. 08, 2021. [Online]. Available: http://arxiv.org/abs/1603.05495
The methods described in the paper are patented under process patent US10423397B2 held by GrammaTech, Inc. This work was developed with permission from GrammaTech pursuant to the GPLv3 terms of their own implementation: https://github.com/GrammaTech/retypd.
Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of GrammaTech, Inc.
We would also like to thank the team at FKIE-CAD behind CWE Checker. Their static analysis platform over Ghidra PCode provided an excellent base set of capabilities in our analysis.