Powered by Linux
Re: Smatch or Coccinelle for BPF static code analysis — Semantic Matching Tool

Re: Smatch or Coccinelle for BPF static code analysis

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On Sun, Jan 15, 2023 at 06:08:19PM +0000, Laurent Philippart (Nokia) wrote:
> Hi,
> I'm looking for guidance on what would be the easiest/best choice for
> implementing malware detection rules on BPF source code (also looking
> at what can be done on ELF and bytecode but that's a separate question).
> The majority of these rules will be looking at combinations of:
> - Hook points used
> - File names/paths
> - Kernel structs like linux_dirent64
> - Helper function calls like bpf_probe_write_user(), bpf_send_signal()
> Both smatch and coccinelle seem to require a bit of learning curve
> (although the latter seem to have a more documentation/examples than
> the former) so your opinion would be highly appreciated.
> This is for a personal research project, nothing related to the
> company I am working for.

Malware detection is too vague to say what you're actually looking for.

Generally Coccinelle is easier to use and faster.  But Smatch has better
flow analysis and it does cross function analysis.  So if you're looking
at tainting user input then that can really only done with Smatch.  Or
if you're looking at out of bounds accesses then Smatch is the right

But if you just want to print the hook points then probably Coccinelle
is more straight forward.

(Also I was wondering why Julia hadn't responded to your email but she's
not on the CC list).

dan carpenter

[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Big List of Linux Books]

  Powered by Linux