Open anzosasuke opened 1 year ago
I really need to know about this. Could you share any insights or answers? @ivg
The rule policy for check-hardcoded-values only checks for hardcoded socket addresses. There's currently no provision for passwords.
```lisp
;; Reports a socket address argument that lives in the binary's static data,
;; i.e. an address compiled into the program rather than computed at runtime.
(defun check-hardcoded-socket-address (sockaddr-ptr)
  (when (points-to-static-data sockaddr-ptr 16)
    (incident-report 'hardcoded-socket-address (incident-location))))

;; Socket calls that take the address as their second argument.
(defmethod call (name fd addr)
  (when (is-in name 'accept 'bind 'connect)
    (check-hardcoded-socket-address addr)))

;; sendto/recvfrom: the address is the fifth argument.
(defmethod call (name fd buf size flags addr len)
  (when (is-in name 'sendto 'recvfrom)
    (check-hardcoded-socket-address addr)))
```
I was using the BAP toolkit Primus checks on the Juliet test suite CWE259 (child of hard-coded credentials, CWE 798) to detect hardcoded passwords, but somehow it didn't detect any. Hard-coded credentials should've also accounted for hard-coded passwords; could you share some insights on why it was unsuccessful? Any thoughts would be greatly appreciated. Thanks
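As an added example that is not code from the BAP project or from this thread: one way to extend the policy toward CWE-259 is to mirror the socket-address check on the string-comparison calls that Juliet's password cases go through, reporting an incident when a compared operand points into static data. The callee names, the 1-byte length passed to `points-to-static-data` and the `hardcoded-string-compare` incident name are assumptions.

```lisp
;; Hypothetical extension of check-hardcoded-values (not the project's code):
;; a comparison operand that lives in static data is a candidate compiled-in
;; credential, the shape most Juliet CWE259 test cases take.
(defun check-hardcoded-string (ptr)
  ;; Assumption: a length of 1 is enough for points-to-static-data to decide
  ;; whether the pointer itself lies in the binary's static data.
  (when (points-to-static-data ptr 1)
    (incident-report 'hardcoded-string-compare (incident-location))))

;; strcmp(s1, s2): either operand may be the compiled-in secret.
(defmethod call (name s1 s2)
  (when (is-in name 'strcmp)
    (check-hardcoded-string s1)
    (check-hardcoded-string s2)))

;; strncmp(s1, s2, n) and memcmp(s1, s2, n): same idea, three arguments.
(defmethod call (name s1 s2 n)
  (when (is-in name 'strncmp 'memcmp)
    (check-hardcoded-string s1)
    (check-hardcoded-string s2)))
```

This heuristic fires on any comparison against a string literal, so expect noise outside a test suite; narrowing it to operands that flow into an authentication call, or to the variable names Juliet uses, reduces false positives.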