A platform-agnostic rule-based system resource usage deduction library for retroactively generating "permissions" used by executable programs from their compiled binaries.

In other words: a library to figure out what system resources (specific files, network call targets, IO, etc.) any executable (.exe, ELF, etc.) may attempt to use when run. Define rules for the resources you would like to monitor and retroperm will return potential violations of those rules.
Technical Writeup: https://colab.research.google.com/drive/1vNTgV7hJ9M12SzLpSiDcskSP_rMPsPrd
```shell
pip install retroperm
```
```python
from retroperm.project import RetropermProject
from retroperm.rules.filesystem_rule import FilesystemRule
from retroperm.rules.ban_library_function_rule import BanLibraryFunctionRule
# BanCategoryRule is used below but its module is not shown in this README;
# the module path here follows the naming pattern of the other rule modules and is an assumption.
from retroperm.rules.ban_category_rule import BanCategoryRule

# Open the binary to analyse
retroperm_proj = RetropermProject("path/to/binary")

# Define a rule that blacklists filesystem access to /etc/passwd
blacklist_etc_passwd_rule = FilesystemRule("/etc/passwd", 'filename', is_whitelist=False, is_dir=False)
# Define a rule that blacklists all network access
blacklist_all_network_calls_rule = BanCategoryRule('network')

# Load rules into project
rule_list = [blacklist_etc_passwd_rule, blacklist_all_network_calls_rule]
retroperm_proj.load_rules(rule_list)

# Recover the resource-touching library calls, then check them against the rules
retroperm_proj.resolve_abusable_functions()
results = retroperm_proj.validate_rules()
print(results)
```
See tests/test_project.py for more examples.
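The rule semantics described above, as an added stand-alone example that is not retroperm's own code: it models how a blacklist `FilesystemRule`, a whitelist directory rule and a category ban would be evaluated over a list of resolved library calls (the kind of information `resolve_abusable_functions()` recovers). The `ResolvedCall` type, the `describe()`/`violations()` methods and the rule constructor signatures are assumptions made for this illustration, and the calls themselves are constructed sample data; retroperm's real classes are not imported.

```python
import posixpath
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ResolvedCall:
    """One library call recovered from a binary (hypothetical shape, not retroperm's).

    `argument` is the constant the analysis resolved for the call's resource
    parameter (a path for filesystem calls, an endpoint for network calls).
    """
    function: str
    category: str
    argument: str


@dataclass(frozen=True)
class FilesystemRule:
    """Allow (whitelist) or deny (blacklist) one file or one directory subtree."""
    path: str
    is_whitelist: bool = False
    is_dir: bool = False

    def matches(self, target: str) -> bool:
        # Normalise so that "/tmp/../etc/passwd" is judged as "/etc/passwd".
        norm = posixpath.normpath(target)
        base = posixpath.normpath(self.path)
        if self.is_dir:
            return norm == base or norm.startswith(base.rstrip("/") + "/")
        return norm == base

    def violations(self, calls: List[ResolvedCall]) -> List[ResolvedCall]:
        fs_calls = [c for c in calls if c.category == "filesystem"]
        if self.is_whitelist:
            # Whitelist: anything outside the allowed path is a violation.
            return [c for c in fs_calls if not self.matches(c.argument)]
        # Blacklist: anything touching the denied path is a violation.
        return [c for c in fs_calls if self.matches(c.argument)]

    def describe(self) -> str:
        mode = "allow only" if self.is_whitelist else "deny"
        kind = "dir" if self.is_dir else "file"
        return f"{mode} {kind} {self.path}"


@dataclass(frozen=True)
class BanCategoryRule:
    """Flag every resolved call in a whole resource category, e.g. 'network'."""
    category: str

    def violations(self, calls: List[ResolvedCall]) -> List[ResolvedCall]:
        return [c for c in calls if c.category == self.category]

    def describe(self) -> str:
        return f"ban category {self.category}"


def validate_rules(rules, calls: List[ResolvedCall]) -> Dict[str, List[ResolvedCall]]:
    """Map each rule description to the calls that violate it; rules without hits are omitted."""
    report: Dict[str, List[ResolvedCall]] = {}
    for rule in rules:
        hits = rule.violations(calls)
        if hits:
            report[rule.describe()] = hits
    return report


# Constructed sample: what a call-resolution pass might recover from a small binary.
SAMPLE_CALLS = [
    ResolvedCall("fopen", "filesystem", "/etc/passwd"),
    ResolvedCall("open", "filesystem", "/tmp/../etc/passwd"),        # traversal to the same file
    ResolvedCall("open", "filesystem", "/var/log/../../etc/shadow"),  # escapes the allowed dir
    ResolvedCall("fopen", "filesystem", "/var/log/app.log"),
    ResolvedCall("connect", "network", "198.51.100.7:443"),           # documentation-range address
    ResolvedCall("strlen", "string", ""),                             # no resource: never flagged
]

SAMPLE_RULES = [
    FilesystemRule("/etc/passwd", is_whitelist=False, is_dir=False),
    FilesystemRule("/var/log", is_whitelist=True, is_dir=True),
    BanCategoryRule("network"),
]

if __name__ == "__main__":
    for rule_desc, hits in validate_rules(SAMPLE_RULES, SAMPLE_CALLS).items():
        print(rule_desc)
        for call in hits:
            print(f"  {call.function}({call.argument!r})")
```

The path normalisation is the point worth copying: a rule that compares raw strings would miss `/tmp/../etc/passwd`, whereas comparing normalised paths catches both spellings of the same file, and a whitelist on a directory has to be a prefix check on the normalised path rather than on the literal argument.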
```shell
git clone git@github.com:SpiritSeal/retroperm.git
cd retroperm
pip3 install -e .
```
This version of Retroperm is built as a proof-of-concept and is limited to the rules and syscall definitions it currently includes. In addition, large binaries take an excessive amount of time to process because of the unoptimized way this project leverages angr's Calling Convention Analysis.