blint


- Name: blint
- Version: 2.1.3
- home_page: https://github.com/OWASP-dep-scan/blint
- Summary: Linter and SBOM generator for binary files.
- upload_time: 2024-04-21 15:42:09
- maintainer: None
- docs_url: None
- author: Prabhu Subramanian
- requires_python: <3.13,>=3.10
- license: MIT
- keywords: linter, binary, security, sast
# BLint

<img src="./blint.png" width="400" />

BLint is a Binary Linter that checks the security properties and capabilities of your executables. It is powered by [lief](https://github.com/lief-project/LIEF). Since version 2, blint can also generate Software Bill-of-Materials (SBOM) for supported binaries.

[![BLint Demo](https://asciinema.org/a/438138.png)](https://asciinema.org/a/438138)

Supported binary formats:

- Android (apk, aab)
- ELF (GNU, musl)
- PE (exe, dll)
- Mach-O (x64, arm64)

You can run blint on Linux, Windows, and Mac against any of these binary formats.

## Motivation

Vendors now commonly distribute statically linked binaries produced by Golang, Rust, or Dotnet tooling. Users are used to running antivirus and anti-malware scans while using these binaries on their local devices. Blint augments these scans by listing the technical capabilities of a binary, for example whether the binary could use network connections or perform file system operations.

The binary is first parsed using the lief framework to identify its various properties, such as functions and the presence of symtab and dynamic symbols. This information is then matched against capabilities using YAML-based annotation data and presented visually in a rich table.

NOTE: The presence of a capability doesn't imply that the binary always performs the operation. Use the output of this tool to get an idea about a binary. Also, this tool is not suitable for reviewing malware and other heavily obfuscated binaries for obvious reasons.
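
The matching step described above, sketched as an added example (this is not blint's own code). The rule groups and patterns stand in for the YAML annotation data and are assumptions, and the symbol list is a constructed sample; an empty symbol table is reported as inconclusive rather than clean, in line with the NOTE.

```python
import re
from collections import defaultdict

# Constructed stand-in for YAML annotation data: capability -> symbol patterns.
# Group names and patterns are illustrative assumptions, not blint's shipped rules.
RULES = {
    "network": [r"^(socket|connect|bind|listen|accept|getaddrinfo)$", r"^net/http\."],
    "filesystem": [r"^(open|openat|unlink|rename|chmod)$", r"^os\.(Remove|Rename|OpenFile)$"],
    "process-exec": [r"^(execve?|posix_spawn|system|fork)$", r"^os/exec\."],
    "crypto": [r"^EVP_", r"^crypto/(aes|tls)\."],
}

# Constructed sample: dynamic symbols of a C binary plus Go-style function names.
SAMPLE_SYMBOLS = [
    "socket@GLIBC_2.2.5", "connect@GLIBC_2.2.5", "getaddrinfo@GLIBC_2.2.5",
    "openat@GLIBC_2.7", "execve@GLIBC_2.2.5", "printf@GLIBC_2.2.5",
    "net/http.(*Client).Do", "os/exec.Command",
]


def review_capabilities(symbols, rules=RULES):
    """Map symbol names to capability groups, keeping matched symbols as evidence."""
    compiled = {cap: [re.compile(p) for p in pats] for cap, pats in rules.items()}
    evidence = defaultdict(set)
    for sym in symbols:
        name = sym.split("@", 1)[0]  # drop ELF symbol-version suffix (@GLIBC_x.y)
        for cap, pats in compiled.items():
            if any(p.search(name) for p in pats):
                evidence[cap].add(name)
    return {cap: sorted(names) for cap, names in evidence.items()}


def verdict(symbols):
    """Summarise a review; no symbols at all means 'unknown', not 'harmless'."""
    if not symbols:
        return "inconclusive: no symbols (stripped, packed or obfuscated binary)"
    caps = review_capabilities(symbols)
    if not caps:
        return "no annotated capability matched"
    return "capabilities present: " + ", ".join(sorted(caps))


if __name__ == "__main__":
    for cap, names in review_capabilities(SAMPLE_SYMBOLS).items():
        print(f"{cap:13} {', '.join(names)}")
    print(verdict([]))
```

A match only shows that the symbol is referenced by the binary; the evidence list is what a reviewer would follow up on.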

## Use cases

- Quickly identify malicious binaries by looking at their capabilities (ability to manipulate networks, drivers, kernels, etc.)
- Add blint to CI/CD to inspect the final binaries and ensure that code signing or Authenticode is applied correctly
- Identify interesting functions and symbols for fuzzing

## Installation

- Install Python 3.10, 3.11, or 3.12

```bash
pip install blint
```

### Single binary releases

You can download single binary builds from the [blint-bin releases](https://github.com/OWASP-dep-scan/blint/releases). These executables should work without requiring Python to be installed. The macOS .pkg file is signed with a valid developer account.

## Usage

```shell
usage: blint [-h] [-i SRC_DIR_IMAGE [SRC_DIR_IMAGE ...]] [-o REPORTS_DIR] [--no-error] [--no-banner]
             [--no-reviews] [--suggest-fuzzable]
             {sbom} ...

Binary linter and SBOM generator.

options:
  -h, --help            show this help message and exit
  -i SRC_DIR_IMAGE [SRC_DIR_IMAGE ...], --src SRC_DIR_IMAGE [SRC_DIR_IMAGE ...]
                        Source directories, container images or binary files. Defaults to current directory.
  -o REPORTS_DIR, --reports REPORTS_DIR
                        Reports directory. Defaults to reports.
  --no-error            Continue on error to prevent build from breaking.
  --no-banner           Do not display banner.
  --no-reviews          Do not perform method reviews.
  --suggest-fuzzable    Suggest functions and symbols for fuzzing based on a dictionary.

sub-commands:
  Additional sub-commands

  {sbom}
    sbom                Command to generate SBOM for supported binaries.
```

### SBOM sub-command

```shell
usage: blint sbom [-h] [-i SRC_DIR_IMAGE [SRC_DIR_IMAGE ...]] [-o SBOM_OUTPUT] [--deep]

options:
  -h, --help            show this help message and exit
  -i SRC_DIR_IMAGE [SRC_DIR_IMAGE ...], --src SRC_DIR_IMAGE [SRC_DIR_IMAGE ...]
                        Source directories, container images or binary files. Defaults to current directory.
  -o SBOM_OUTPUT, --output-file SBOM_OUTPUT
                        SBOM output file. Defaults to bom.json in current directory.
  --deep                Enable deep mode to collect more used symbols and modules aggressively. Slow
                        operation.
  --stdout              Print the SBOM to stdout instead of a file.
```

To test any binary, including default commands:

```bash
blint -i /bin/netstat -o /tmp/blint
```

Use `-i` to check any other binary. For example, to check ngrok:

```bash
blint -i ~/ngrok -o /tmp/blint
```

Pass `--suggest-fuzzable` to get suggestions for fuzzing. A dictionary containing "common verbs" is used to identify these functions.

```bash
blint -i ~/ngrok -o /tmp/blint --suggest-fuzzable
```

To generate SBOM in [CycloneDX format](https://cyclonedx.org/) for supported binaries, use the sbom sub-command.

```shell
blint sbom -i /path/to/apk -o bom.json
```

```shell
blint sbom -i /directory/with/apk/aab -o bom.json
```

To parse all files, including `.dex` files, pass the `--deep` argument.

```shell
blint sbom -i /path/to/apk -o bom.json --deep
```

The following binaries are supported:

- Android (apk/aab)
- Dotnet executable binaries
- Go binaries

```shell
blint sbom -i /path/to/go-binaries -o bom.json --deep
```

For all other binaries, the symbols will be collected and represented as properties with `internal` prefixes for the parent component. Child components and dependencies would be missing.

PowerShell example

![PowerShell](./docs/blint-powershell.jpg)

## Reports

Blint produces the following JSON artifacts, along with an HTML copy of the console output, in the reports directory:

- blint-output.html - HTML output from the console logs
- exename-metadata.json - Raw metadata about the parsed binary. Includes symbols, functions, and signature information
- findings.json - Contains information from the security properties audit. Useful for CI/CD integrations
- reviews.json - Contains information from the capability reviews. Useful for further analysis
- fuzzables.json - Contains a suggested list of methods for fuzzing

The `sbom` sub-command generates CycloneDX JSON.

## References

- [lief examples](https://github.com/lief-project/LIEF/tree/master/examples/python)
- [checksec](https://github.com/Wenzel/checksec.py)

## Discord support

The developers can be reached via the [Discord](https://discord.gg/DCNxzaeUpd) channel.

## Sponsorship wishlist

If you love blint, you should consider [donating](https://owasp.org/donate?reponame=www-project-dep-scan&title=OWASP+dep-scan) to our project. In addition, consider donating to the below projects, which make blint possible.

- [LIEF](https://github.com/sponsors/lief-project/)


            
