dfir-orc
vast
| | dfir-orc | vast |
|---|---|---|
| Mentions | 1 | 2 |
| Stars | 356 | 334 |
| Growth | 2.2% | 3.3% |
| Activity | 8.9 | 9.9 |
| Last commit | 3 months ago | 6 days ago |
| Language | C++ | C++ |
| License | GNU Lesser General Public License v3.0 only | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month-over-month growth in stars.
Activity - a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is among the top 10% of the most actively developed projects that we are tracking.
dfir-orc
- Standard artifact gathering script
Looks great! Will dig into that. It looks like French ANSSI's DFIR-ORC. Maybe a good solution.
vast
- Print("lol") doubled the speed of my Go function
Most languages target C or LLVM, and C and LLVM have a fundamentally lossy compilation process.
To get around this, you'd need a hodgepodge of precompiler directives, or take a completely different approach.
I found a cool project that uses a "Tower of IRs" that can re-establish source-to-binary provenance, which seems to me to be on the right track:
https://github.com/trailofbits/vast
I'd definitely like to see the compilation processes be more transparent and easy to work with.
- Compilers and IRs: LLVM IR, SPIR-V, and MLIR
At Trail of Bits, we are creating a new compiler front/middle end for Clang called VAST [1]. It consumes Clang ASTs and creates a high-level, information-rich MLIR dialect. Then, we progressively lower it through various other dialects, eventually down to the LLVM dialect in MLIR, which can be translated directly to MLIR.
Our goals with this pipeline are to enable static analyses that can choose the right abstraction level(s) for their goals, and, using provenance, to cross abstraction levels to relate results back to source code.
Neither Clang ASTs nor LLVM IR alone meet our needs for static analysis. Clang ASTs are too verbose and lack explicit representations for implicit behaviours in C++. LLVM IR isn't really "one IR," it's two IRs (LLVM proper, and metadata), where LLVM proper is an unspecified family of dialects (-O0, -O1, -O2, -O3, then all the arch-specific stuff). LLVM IR also isn't easy to relate to source, even in the presence of maximal debug information. The Clang codegen process does ABI-specific lowering that takes high-level types/values and transforms them to be more amenable to storing in target-CPU locations (e.g. registers). This actively works against relating information across levels; something that we want to solve with intermediate MLIR dialects.
Beyond our static analysis goals, I think an MLIR-based setup will be a key enabler of library-aware compiler optimizations. Right now, library-aware optimizations are challenging because Clang ASTs are hard to mutate, and by the time things are in LLVM IR, the abstraction boundaries provided by libraries are broken down by optimizations (e.g. inlining, specialization, folding), forcing optimization passes to reckon with the mechanics of how libraries are implemented.
We're very excited about MLIR, and we're pushing full steam ahead with VAST. MLIR is a technology that we can use to fix a lot of issues in Clang/LLVM that hinder really good static analysis.
[1] https://github.com/trailofbits/vast
What are some alternatives?
TheHive - TheHive: a Scalable, Open Source and Free Security Incident Response Platform
clangir - A new (MLIR based) high-level IR for clang.
awesome-incident-response - A curated list of tools for incident response
psychec - A compiler frontend for the C programming language
tenzir - Open source security data pipelines.
GrayC - GrayC: Greybox Fuzzing of Compilers and Analysers for C
Cortex - Cortex: a Powerful Observable Analysis and Active Response Engine
thorin2 - The Higher ORder INtermediate representation - next gen
beagle - Beagle is an incident response and digital forensics tool which transforms security logs and data into graphs.
FFMpeg-Online - This repository catalogs a list of FFMpeg commands for different situations. By https://hotpot.ai.
exo - A process manager & log viewer for dev
webviz - web-based visualization libraries