On Sun, Jan 15, 2023 at 06:08:19PM +0000, Laurent Philippart (Nokia) wrote: > Hi, > > I'm looking for guidance on what would be the easiest/best choice for > implementing malware detection rules on BPF source code (also looking > at what can be done on ELF and bytecode but that's a separate question). > > The majority of these rules will be looking at combinations of: > - Hook points used > - File names/paths > - Kernel structs like linux_dirent64 > - Helper function calls like bpf_probe_write_user(), bpf_send_signal() > > Both smatch and coccinelle seem to require a bit of learning curve > (although the latter seem to have a more documentation/examples than > the former) so your opinion would be highly appreciated. > > This is for a personal research project, nothing related to the > company I am working for. > Malware detection is too vague to say what you're actually looking for. Generally Coccinelle is easier to use and faster. But Smatch has better flow analysis and it does cross function analysis. So if you're looking at tainting user input then that can really only done with Smatch. Or if you're looking at out of bounds accesses then Smatch is the right tool. But if you just want to print the hook points then probably Coccinelle is more straight forward. (Also I was wondering why Julia hadn't responded to your email but she's not on the CC list). regards, dan carpenter
