add upper limit for basic block count #661
Conversation
| # should not be too simple | ||
| - count(basic blocks): 4 or more | ||
| # should not be too simple or too complex | ||
| - count(basic blocks): (4, 50) |
There was a problem hiding this comment.
how did we pick 50? i agree we should use an upper limit, but im leaning towards keeping it as low as possible, to keep the rule tight. thoughts?
There was a problem hiding this comment.
It's a pretty random value. One concern is around inlined PRGA code, which likely won't trigger as reliably with this or lower basic block count upper limits.
There was a problem hiding this comment.
yeah thats a good point. i recall that our RC4 rules sometimes FP, so i wonder about the tradeoff of catching the inlined routines versus matching too broadly. do you have a sense for this?
anyways, not a blocker here, but a discussion point.
There was a problem hiding this comment.
Not really, the only rough data I have is that out of 5000 random samples encrypt data using RC4 PRGA hit on 834 files (14%) which seems a lot. Manually inspecting 3 samples shows 1 valid hit and 2 library function hits (in IDA) that can be filtered out using the upper BB limit.
data-manipulation/encryption/rc4/encrypt-data-using-rc4-prga.yml
Outdated
Show resolved
Hide resolved
Co-authored-by: Willi Ballenthin <[email protected]>
closes #435
Library ID fails and RC4 PRGA matches on
___strgtold12_l. An upped BB count prevents this.Are there concerns on the upper limit value here?