Galois' Open Source GREASE Delivers Automated Vulnerability Discovery for Precompiled Binaries
Designed primarily for use when the underlying source code isn't available, GREASE can detect a range of security flaws.
Digital security specialist Galois has released an open source tool that, it claims, can find otherwise-hidden vulnerabilities in compiled binary files, without needing any access to the underlying source code: GREASE.
"Proactively and defensively ensuring the absence of vulnerabilities in binary code is crucial for deploying high-assurance systems," Langston Barrett, Ryan Scott, Ben Davis, and Matt Bauer write by way of introduction to their company's software. "GREASE is an open-source tool leveraging under-constrained symbolic execution to help software reverse engineers analyze binaries and uncover hard-to-spot bugs, ultimately enhancing system security. This kind of binary analysis is especially important for systems that include COTS [Commercial Off-The-Shelf] software that is only provided in binary form."
Finding vulnerabilities in anything but the simplest of programs is a never-ending job, and it can be a challenge even with full access to a program's source code, as anyone who has found themselves installing urgent security patches for open source packages will attest. When all you have is a precompiled binary, though, it's even harder, which is where GREASE aims to help.
To prove the tool's functionality, Barrett and colleagues turned to a known, years-old vulnerability in the libpng Portable Network Graphics library: an incorrect calculation that can cause an integer overflow and a resultant divide-by-zero, crashing the software. "Even at the source level," the team claims, "the bug is hard to spot. GREASE can automatically find this hard-to-spot bug."
In the tool's example output, a binary compiled from a cut-down version of the faulty code is analyzed with GREASE at the terminal, and the tool immediately returns a warning of a division-by-zero error. "[The] output says that png_check_chunk_length will divide by zero when the register rdi holds a pointer to an allocation containing the bytes 54 41 44," Barrett and colleagues explain.
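The libpng flaw described above, as an added C example that is not from the article, from libpng or from GREASE: a cut-down reconstruction of the `png_check_chunk_length` row-factor arithmetic (my reading of the libpng code, not quoted from the page) beside the widened form that cannot wrap. The header field values are constructed so that the 32-bit product lands exactly on zero, which is the precondition a symbolic-execution tool has to discover.

```c
#include <stdint.h>
#include <stdio.h>

/* Limits as libpng names them: chunk lengths are capped at 2^31-1. */
#define PNG_UINT_31_MAX 0x7fffffffU
#define PNG_UINT_32_MAX 0xffffffffU

/* Cut-down IHDR state (constructed for this example). */
typedef struct {
    uint32_t width, height;
    uint32_t channels;    /* 1 (gray) .. 4 (RGBA) */
    uint32_t bit_depth;   /* 1, 2, 4, 8 or 16 */
    uint32_t interlaced;  /* 0 or 1 */
} ihdr_t;

/* Faulty shape: row_factor is computed in 32-bit arithmetic, so a large
 * width can wrap it to exactly zero and the division below then faults.
 * Returns the IDAT byte limit, or -1 where the real code would crash. */
int64_t idat_limit_unsafe(const ihdr_t *h)
{
    uint32_t row_factor = h->width * h->channels * (h->bit_depth > 8 ? 2 : 1)
                        + 1 + (h->interlaced ? 6 : 0);
    if (row_factor == 0)
        return -1;                  /* divide-by-zero would happen here */
    if (h->height > PNG_UINT_32_MAX / row_factor)
        return PNG_UINT_31_MAX;
    return (int64_t)h->height * row_factor;
}

/* Hardened shape: widen before multiplying. A 64-bit product of two 32-bit
 * values plus a small constant cannot wrap, so row_factor is never zero. */
int64_t idat_limit_fixed(const ihdr_t *h)
{
    uint64_t row_factor = (uint64_t)h->width * h->channels * (h->bit_depth > 8 ? 2 : 1)
                        + 1 + (h->interlaced ? 6 : 0);
    if (h->height > PNG_UINT_32_MAX / row_factor)
        return PNG_UINT_31_MAX;
    return (int64_t)((uint64_t)h->height * row_factor);
}

int main(void)
{
    /* Constructed: 0x55555555 * 3 == 0xffffffff, so the +1 wraps to 0 in 32 bits. */
    ihdr_t crafted = { 0x55555555u, 1, 3, 8, 0 };
    ihdr_t normal  = { 1024, 768, 3, 8, 0 };
    printf("crafted: unsafe=%lld fixed=%lld\n", (long long)idat_limit_unsafe(&crafted),
           (long long)idat_limit_fixed(&crafted));
    printf("normal:  unsafe=%lld fixed=%lld\n", (long long)idat_limit_unsafe(&normal),
           (long long)idat_limit_fixed(&normal));
    return 0;
}
```

On the normal header both versions agree; on the crafted one only the widened version survives, which is the difference a binary-level check is looking for.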
The tool works by running each program function on a set of symbolic registers and monitoring for errors. When an error is detected, GREASE uses a set of heuristics to refine the error's preconditions and determine whether it's something to warn about or not. "GREASE relies on heuristics to determine whether a fallible memory access should be reported as a bug or not," the team admits. "These heuristics may cause false positives (reporting a normal program behavior as suspicious) or false negatives (missing real bugs)."
Galois has released GREASE under the permissive three-clause BSD license, with full source code and documentation available on GitHub; the tool can be used stand-alone or as a plugin for Ghidra, the reverse-engineering tool from the US National Security Agency (NSA).