Skip to main content
This example showcases more advanced capabilities of VulHunt. Suppose we want to find a vulnerability where the first argument of read_argument is passed to strcpy:
program.c
This rule uses VulHunt’s dataflow capabilities to check for this condition:
rule.vh
Here, scope:calls searches for calls to strcpy within the function read_argument and associates the annotation input with the first argument of read_argument. When the call site to strcpy within read_argument is found, the check function is executed with a context representing this call site. The check function then verifies whether the annotation of the second argument passed to strcpy is input, confirming the presence of the vulnerability. We then use the result:high method to build a Result object out of a table and return it. The table the following required fields:
  • name usually contains a vulnerability identifier
  • description
  • evidence, which is another table.
The evidence table contains a single field called functions, which is a map (technically it’s also a table in Lua) containing addresses of functions to annotate. To annotate within the read_argument function, we use context.caller.address as a key and a single annotation at context.caller.call_address, meaning at the call to strcpy.

Detecting the patch

Now, let’s assume this vulnerability was patched and we want to verify if the patch was correctly applied:
program.c
We can check for the patch by adding a condition to the scope definition to filter out functions that call strlen:
rule.vh
Alternatively, we can use scope:functions to find the read_argument function and check whether it calls strlen:
rule2.vh

Increasing patch detection accuracy

The rule above is useful to understand the capabilities of the dataflow engine, but to more accurate, we have to make sure the value returned from strlen is actually being checked by the if statement and that the call to strcpy is within this if block. We can achieve this by using the decompiler extension with the following rule:
rule3.vh