
check if basic block child of correct type

Open mike-hunhoff opened this issue 3 years ago • 3 comments

we should add a check to the following code that verifies the single child statement is of the expected type:

https://github.com/fireeye/capa/blob/14e65c46011aca908863a770ec925cc222dc7f93/capa/rules.py#L347-L354

mike-hunhoff avatar Mar 22 '21 23:03 mike-hunhoff

from my understanding a single subscope child statement must be one of and, or, optional, not, N or more?

however, it looks like we have a rule (maybe more, I haven't verified) that has gotten away with a single subscope child statement of any type, e.g.

https://github.com/fireeye/capa-rules/blob/1ff994f7916d66e39b4b5b8dbb310d0e0b051f7f/compiler/rust/compiled-with-rust.yml#L1-L14

do we need to restrict the type of the single subscope child statement? I feel like this is the intention, but capa doesn't enforce this. IMO we should enforce the type to avoid confusion, e.g. if I can nest one mnemonic under basic block, why can't I nest two?


thoughts @Ana06 , @mr-tz , @williballenthin ?

mike-hunhoff avatar Mar 26 '21 15:03 mike-hunhoff

yes, the subscope should have a single child item, one of and/or/X or more.

a subscope block is translated (behind the scenes) into a separate capa rule and all capa rules should have a single root element. therefore, we should enforce the same at each subscope.

williballenthin avatar Mar 26 '21 15:03 williballenthin
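The check discussed above, written out as an added example (this is not capa's own code and does not reproduce `capa/rules.py`): a small validator that walks a parsed rule and requires every subscope to carry exactly one child whose key is one of `and`, `or`, `optional`, `not` or `N or more`. The subscope names (`function`, `basic block`), the rule layout (a `rule` / `features` mapping as PyYAML would load it) and the sample rules are assumptions constructed for the example.

```python
import re
from typing import Any

# Constructed for this example; not capa's own definitions.
STATEMENTS = {"and", "or", "optional", "not"}
N_OR_MORE = re.compile(r"^\d+ or more$")      # e.g. "2 or more"
SUBSCOPES = {"function", "basic block"}        # assumed subscope names


class RuleError(ValueError):
    """Raised when a subscope does not have a single statement child."""


def is_statement(key: str) -> bool:
    """True if the key names a logic statement allowed as a subscope's only child."""
    return key in STATEMENTS or bool(N_OR_MORE.match(key))


def check_subscope(name: str, children: Any) -> None:
    """A subscope becomes its own rule, so it needs exactly one root statement."""
    if not isinstance(children, list) or len(children) != 1:
        raise RuleError(f"subscope '{name}' must have exactly one child, got {children!r}")
    child = children[0]
    if not isinstance(child, dict) or len(child) != 1:
        raise RuleError(f"subscope '{name}' child must be a single-key mapping, got {child!r}")
    (key,) = child
    if not is_statement(key):
        raise RuleError(
            f"subscope '{name}' child must be and/or/optional/not/N or more, got '{key}'"
        )


def walk(node: Any) -> None:
    """Recursively validate every subscope found under a rule's feature tree."""
    if isinstance(node, list):
        for item in node:
            walk(item)
    elif isinstance(node, dict):
        for key, value in node.items():
            if key in SUBSCOPES:
                check_subscope(key, value)
            # Descend through statements and subscopes; bare features are leaves.
            if key in SUBSCOPES or is_statement(key):
                walk(value)


def validate_rule(rule: dict) -> bool:
    """Return True when every subscope is well-formed, else raise RuleError."""
    walk(rule["rule"]["features"])
    return True


def rule_is_valid(rule: dict) -> bool:
    """Boolean wrapper around validate_rule for linting-style use."""
    try:
        return validate_rule(rule)
    except RuleError:
        return False


# Constructed sample rules, shaped like PyYAML's output for a capa rule file.
GOOD_RULE = {"rule": {"meta": {"name": "constructed: statement under subscope"}, "features": [
    {"and": [
        {"basic block": [{"and": [{"mnemonic": "xor"}, {"mnemonic": "rol"}]}]},
        {"function": [{"2 or more": [{"api": "CreateFileA"}, {"api": "WriteFile"}]}]},
    ]},
]}}

BARE_FEATURE_RULE = {"rule": {"meta": {"name": "constructed: bare feature"}, "features": [
    {"and": [
        {"basic block": [{"mnemonic": "xor"}]},   # single child, but not a statement
    ]},
]}}

TWO_CHILDREN_RULE = {"rule": {"meta": {"name": "constructed: two children"}, "features": [
    {"or": [
        {"basic block": [{"mnemonic": "xor"}, {"mnemonic": "rol"}]},  # no single root
    ]},
]}}


if __name__ == "__main__":
    for rule in (GOOD_RULE, BARE_FEATURE_RULE, TWO_CHILDREN_RULE):
        name = rule["rule"]["meta"]["name"]
        try:
            validate_rule(rule)
            print(f"OK    {name}")
        except RuleError as exc:
            print(f"ERROR {name}: {exc}")
```

Because the rule is walked as plain data, the same function can serve both the deserialization-time check and a separate lint pass that reports every offending subscope instead of stopping at the first.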

looks like this is only enforced during deserialization, though we should probably have a lint for it, too

https://github.com/fireeye/capa/blob/master/capa/rules.py#L565-L568

williballenthin avatar Mar 26 '21 15:03 williballenthin