If i want to isolate to search for just one CWE which is NULL POINTER DEREFRENCE CWE-476?

[anzosasuke]

I have binaries which are object files and executables. It seems that executables are only supported. In the case of object files with .o extension, the loadable segment are needed. Is it possible to perform that analysis on the object files with only one case? It seems taint analysis is being used to find the null pointer dereference? Can that be applied on object files too? Thanks in advance !

[Enkelmann]

Right now I think it is not possible to analyze object files. It will probably be possible at some point in the future, because we also want to analyze Linux kernel objects (.ko files) in the future. But normally, if you have access to object files, then you also have access to the source code. In such a case it would be smarter to use analysis tools that make use of the additional semantic information that can be derived from the source code instead of the cwe_checker, which cannot use source code to aid the analysis. At least in theory. This is the reason why supporting .o files is currently not a goal for the cwe_checker project (but it might get implemented anyway when we work on support for .ko files in the future).

And yes, the CWE476 check uses taint analysis to find Null dereferences. The memory check also finds some Null dereferences, but it uses value set analysis and not taint analysis for that. And right now the types of Null dereferences both checks detect do not overlap.