Examples
We have provided a number of example binaries and corresponding output files within the `examples` folder, so that basic functionality of argXtract can be tested and verified. The name of the output file will be the same as that of the binary file, but with a `.json` extension. When you execute argXtract, however, the output will be in the `output` folder and the name will be the SHA256 hash of the tested binary.
Note that all example binaries are generated by us and may not reflect the results mentioned in our paper exactly. We have avoided making real-world binaries public, as we do not have developer consent.
Nordic uses supervisor calls to perform configuration operations on the BLE stack. To execute argXtract against the example Nordic BLE binary, use the following command from the project root folder:

```
python start.py -f examples/nordic_ble/nordic_ble.bin -M s -v nordic_ble
```
Only four Nordic BLE API calls are "enabled" by default: `sd_ble_gap_device_name_set`, `sd_ble_uuid_vs_add`, `sd_ble_gatts_service_add`, `sd_ble_gatts_characteristic_add`. The example binary `nordic_ble.bin` contains these four calls. The names reflect the functionality pretty well without the need for explanation :)
The `argxtract/resources/vendor/nordic_ble/args/` folder contains many other API calls that you can test for. To "enable" testing against them, simply rename the files from `.jsonx` to `.json`. Similarly, to "disable" the checking of any API call, rename the associated argument definition file to anything other than `*.json`.
We have provided additional example binaries to test for:
- Fixed passkeys (test binary: `nordic_ble_passkey.bin`; enable only `sd_ble_opt_set.json`). The output file will indicate a passkey of "313233343536", which is hex for "123456".
- Fixed advertising addresses (test binary: `nordic_ble_address.bin`; enable only `sd_ble_gap_address_set.json`). The output file will indicate `addr_type` = 1 (which, according to the Nordic SDK, is a random static address). The output file shows that the fixed address is "010101010101".
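To check an argXtract run against the shipped reference output, the following added helper (not part of the argXtract project) locates the fresh output by the binary's SHA256 hash, diffs it against the `.json` file next to the binary, and decodes hex byte strings such as the "313233343536" passkey. The `output` directory name is taken from the text above; the JSON layout of the output file is not assumed, so the diff is generic.

```python
import hashlib
import json
from pathlib import Path

def sha256_hex(data):
    """Hex SHA256 of raw bytes; argXtract names its output file by this digest."""
    return hashlib.sha256(data).hexdigest()

def sha256_of_file(path):
    return sha256_hex(Path(path).read_bytes())

def expected_output_path(binary):
    """Reference output shipped next to the binary: same name, .json extension."""
    return Path(binary).with_suffix(".json")

def actual_output_path(binary, output_dir="output"):
    """File argXtract writes: <output_dir>/<sha256 of binary>.json."""
    return Path(output_dir) / (sha256_of_file(binary) + ".json")

def decode_hex_ascii(value):
    """'313233343536' -> '123456'; None if not hex or not printable ASCII."""
    try:
        raw = bytes.fromhex(value)
    except (ValueError, TypeError):
        return None
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None

def diff_json(expected, actual, path=""):
    """Recursively list the JSON paths at which two outputs differ."""
    if isinstance(expected, dict) and isinstance(actual, dict):
        diffs = []
        for key in sorted(set(expected) | set(actual)):
            if key not in expected or key not in actual:
                diffs.append(f"{path}/{key}: present in only one output")
            else:
                diffs.extend(diff_json(expected[key], actual[key], f"{path}/{key}"))
        return diffs
    if isinstance(expected, list) and isinstance(actual, list):
        if len(expected) != len(actual):
            return [f"{path}: list length {len(expected)} != {len(actual)}"]
        return [d for i, (e, a) in enumerate(zip(expected, actual)) for d in diff_json(e, a, f"{path}[{i}]")]
    return [] if expected == actual else [f"{path}: {expected!r} != {actual!r}"]

def verify_example(binary, output_dir="output"):
    """Compare the shipped reference output with a fresh argXtract run on the same binary."""
    expected = json.loads(expected_output_path(binary).read_text())
    actual = json.loads(actual_output_path(binary, output_dir).read_text())
    return diff_json(expected, actual)
```

`verify_example("examples/nordic_ble/nordic_ble_passkey.bin")` returns an empty list when the fresh output matches the reference; the address value "010101010101" is not printable ASCII, so `decode_hex_ascii` returns `None` for it rather than a bogus string.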
Supervisor calls are also used by Nordic for its ANT stack. To execute argXtract against the example Nordic ANT binary, use the following command from the project root folder:

```
python start.py -f examples/nordic_ant/nordic_ant.bin -M s -v nordic_ant
```
Note that in the given example binary (which was generated by us), all of the defined channels have encryption enabled, i.e., `ucNumberOfEncryptedChannels` = `ucTotalNumberOfChannels` = 15. This is in contrast with the real-world binaries described in our paper, where none had encryption enabled.
ST uses normal functions for its configuration operations. To execute argXtract against the example ST BLE binary, use the following command from the project root folder:

```
python start.py -f examples/st_ble/st_ble.bin -M f -v stm -m 0
```
Note the different mode (`-M f`) used in this command.
Because this test requires function pattern matching, i.e., identifying one function out of several hundred, it will take a lot longer (several hours) than for the Nordic tests.
The API call that is enabled by default is `aci_gap_init`, which is used to set the privacy option (among other things). Additional function patterns have been provided for `aci_hal_write_config_data`, which is used to set a device's public address (among other things), and `aci_gap_set_io_capability`, which is used to set the device's I/O capability (and which is the first step for specifying BLE security). To test for these API calls, rename the relevant files within `argxtract/resources/vendor/stm/args/` and `argxtract/resources/vendor/stm/fpfs/` from `.jsonx` to `.json`. Be aware that this will significantly increase analysis time.