Lighthouse is an open source code coverage explorer designed for security professionals. This post documents the landmark release of Lighthouse v0.8, most notably introducing support for Binary Ninja, a more consistent cross-platform user experience, and countless other features, tweaks, and bugfixes.
To give some perspective, over 35 files (of ~40) that make up the core plugin were modified. The journey from Lighthouse v0.7 to v0.8.1 consists of a long and twisted ~96 commits, making up a third of the entire project’s commit history. Under the hood, multiple components of the project underwent substantial changes.
Binary Ninja Support (Experimental)
Over the past year, one of the most requested ‘features’ for Lighthouse has been to add support for Binary Ninja. As one of the most popular public plugins for IDA Pro, the Lighthouse codebase also weighs in among the largest and most complex integrations to date. Architecting a sustainable port for a plugin of this magnitude is non-trivial.
While Binary Ninja does not yet ship with official Python/Qt plugin bindings, a critical component for interactive plugins, I wanted to explore what kind of scaffolding was necessary to engineer disassembler-agnostic integrations. This idea lends from the aspirations of a robust and interoperable security tooling ecosystem for the future.
The result of this research is that Lighthouse now offers experimental support for Binary Ninja, demonstrating that intricate cross-platform & cross-disassembler plugins are perhaps not wholly out of reach.
The Binary Ninja port is self-contained and fully featured, meaning the plugin exists as one codebase that claims feature parity across both disassemblers. The biggest caveat is that one must manually install PyQt5 bindings for Binary Ninja until official support is provided.
As with any experimental work, there are a few issues and limitations at this time:
- Binary Ninja sometimes deadlocks when loading coverage
- Renaming a function to an existing symbol (name) does not reset the old function name
- Rapidly switching between coverage can cause a hard crash of Binary Ninja (maybe a BN bug?)
- Opening more than one Binary/BNDB at a time while using Lighthouse is not supported
- Lighthouse does not yet support Python 3.x interpreters in Binary Ninja
I imagine some of these issues will be resolved in the coming months as Lighthouse and Binary Ninja mature with respect to each other. If you encounter any other rough edges, please feel free to file an issue on github.
As the plugin has continued to evolve, there has been a growing need for a menu to hold the list of miscellaneous settings and actions. Lighthouse v0.8 adds a simple quick settings menu, accessed by clicking the paint brush in the bottom right-hand corner of the coverage overview window:
The following sub-sections detail a few of the new options included with this menu, such as the ability to generate HTML reports, clear database highlights, or disable the painting engine altogether.
HTML Coverage Report
Interactive disassemblers are specialized software that only a small subset of developers (or even security researchers) have access to. This artificially limits the possible Lighthouse userbase, for a tool which has the potential for much broader utility (e.g., code coverage exploration, differential debugging) outside narrow subjects in security.
To help expand these horizons, you can now export a rudimentary HTML coverage report (example) from Lighthouse:
Clear Database Paint
Since the initial release, there has been no easy way to clear Lighthouse paint that gets stuck to an open database as the result of a file save. This is not ideal, and I am sure a number of users have written little ‘cleaner’ scripts by now.
In response, there is a new menu item in the quick settings to clear any paint/highlights applied to the database:
Optionally, one can completely disable Lighthouse’s active painting engine using the ‘Pause Painting’ toggle. This is more for internal development/debugging, but some may find it useful for performance & stability.
Lighthouse has traditionally been a little ‘fast and loose’ with its loading and mapping of coverage. This would manifest as virtually silent error messages printed to the disassembler console when loading coverage from disk, or, even worse, a user could sometimes end up with coverage data loaded from a different binary than the one open in the disassembler.
The plugin has been made more verbose through a handful of new, unique warning messages:
These warnings will indicate complete failure to parse a selected coverage file, failure to identify relevant coverage in a valid coverage file, or coverage data that appears to map badly to the database. This should make it clear when something has gone wrong or when Lighthouse believes that you might have loaded mismatched coverage files.
A number of users had reported to me that the UI for Lighthouse looked really bad on macOS. While still functional, it was a horrible user experience. I care a lot about the usability and presentation of my work. This was something that had been overlooked since I develop and test Lighthouse almost exclusively on Windows.
With the help of a few native Mac users, I’ve done my best to remedy the situation with the v0.8 release. The difference should be night and day:
This work extends further than just macOS, making Lighthouse’s appearance more consistent both cross-disassembler & cross-platform. If you hit any issues (e.g., weird DPI, scaling, etc.) with this release, please let me know.
There have been many tweaks made throughout this release. The following is a selection of the minor changes that you might find interesting or valuable going forward.
By default, Lighthouse will center-align the column text in the coverage overview table. This can be annoying, especially when working with symbols or long C++ names.
Now, one can toggle a column’s text alignment by right clicking the column title.
Shell Hint Tweaks
When using the composing shell to craft new coverage compositions, there is a ‘hint’ popup that lists loaded coverage and their shorthand symbol. While useful, this hint was also often ‘too aggressive’, popping up and getting in the way while clicking around Lighthouse, or switching coverage.
With the release of Lighthouse v0.8, this hint has been dialed back a bit and should appear less often.
Additionally, the hint’s style has been tweaked a bit such that it has a ‘dark’ background. This is related to future work for supporting custom / user themes.
Although minor, the coverage combobox has also experienced a number of style tweaks. Specifically, it has better spacing between entries, larger ‘X’ buttons, and has had its style normalized across platform/disassemblers.
A tooltip has also been added to the combobox, showing the filepath of coverage entries loaded from disk. Lastly, this dropdown has also been given a ‘dark’ background as part of the upcoming theming refactor.
As part of the larger styling work, the coverage table was not spared from a number of subtle tweaks to its font, spacing, and style in v0.8. This release also enables table navigation via the arrow keys, which I extended to include basic Vim navigation (h, j, k, l).
I would also like to mention the community contribution by paulsapps which extends the coverage table’s copy operations to multiple rows. This was technically added in v0.7.1, sometime after the previous post.
There are a number of other changes & bugfixes in this release:
- varseand’s first ever pull request on GitHub contributed support for ASCII DRCOV logs to Lighthouse (!!!)
- drcov.py has been updated to support the latest DynamoRIO/DRCOV format
- The CodeCoverage pintool has been compiled for the latest Intel Pin releases (3.6, 3.7)
- yrp contributed some updates to his Frida coverage script, improving log saving via CTRL+C
- Lighthouse should no longer ignore some graph nodes in IDA
- Improved the cyclomatic complexity scoring computation from the previous workaround
- Fixed some issues that could cause the database metadata cache to be wrong
- Further improved painting stability for IDA 6.8 -> 7.0 (related)
- Shorthand symbol order will now reset (A, B, C …) if there is no more open coverage
- Coverage files loaded with the same name but from different directories will no longer overwrite each other
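The ASCII and binary DRCOV log support listed above, together with the coverage warnings described earlier (unparseable file, no coverage for the open binary, coverage that maps badly to the database), as one added example. This is not Lighthouse’s own drcov.py: it is a stand-alone parser for both encodings of the DynamoRIO drcov basic-block table, followed by a mapping check that classifies a log into those three warning classes. The module table, block list, function boundaries and the 80% “good mapping” threshold are constructed here for illustration and are not values from Lighthouse.

```python
"""Parse DynamoRIO drcov logs (binary or ASCII BB table) and sanity-check them
against the modules/functions of an open database.  Added example, not
Lighthouse's drcov.py; all sample data below is constructed."""
import re
import struct
from collections import namedtuple

BasicBlock = namedtuple("BasicBlock", "start size mod_id")   # start is a module offset
Module = namedtuple("Module", "mod_id base end path")

BB_ENTRY = struct.Struct("<IHH")   # binary bb entry: start uint32, size uint16, mod_id uint16
ASCII_BB = re.compile(rb"module\[\s*(\d+)\]:\s*0x([0-9A-Fa-f]+),\s*(\d+)")  # -dump_text lines


class DrcovError(ValueError):
    """The input cannot be parsed as a drcov log at all (first warning class)."""


def parse_drcov(data):
    """Return (modules, blocks) from the raw bytes of a drcov log."""
    if not data.startswith(b"DRCOV VERSION:"):
        raise DrcovError("missing 'DRCOV VERSION' header")
    marker = data.find(b"BB Table:")
    line_end = data.find(b"\n", marker)
    if marker == -1 or line_end == -1:
        raise DrcovError("missing 'BB Table' header")
    bb_count = int(data[marker:line_end].split()[2])      # "BB Table: N bbs"
    body = data[line_end + 1:]

    # Module table: the 'Columns:' line names the fields, the path is always last.
    modules, columns = [], None
    for line in data[:marker].decode("utf-8", "replace").splitlines():
        if line.startswith("Columns:"):
            columns = [c.strip() for c in line[len("Columns:"):].split(",")]
        elif columns and line.strip() and line.lstrip()[0].isdigit():
            fields = [f.strip() for f in line.split(",", len(columns) - 1)]
            row = dict(zip(columns, fields))
            modules.append(Module(int(row["id"]), int(row["base"], 16),
                                  int(row["end"], 16), row["path"]))
    if columns is None:
        raise DrcovError("missing module table 'Columns' line")

    blocks = []
    if body.lstrip().startswith(b"module["):              # ASCII table (drcov -dump_text)
        for m in ASCII_BB.finditer(body):
            blocks.append(BasicBlock(int(m.group(2), 16), int(m.group(3)), int(m.group(1))))
    else:                                                  # packed 8-byte binary entries
        needed = bb_count * BB_ENTRY.size
        if len(body) < needed:
            raise DrcovError("truncated BB table: need %d bytes, have %d" % (needed, len(body)))
        for start, size, mod_id in BB_ENTRY.iter_unpack(body[:needed]):
            blocks.append(BasicBlock(start, size, mod_id))
    if len(blocks) != bb_count:
        raise DrcovError("BB count mismatch: header says %d, parsed %d" % (bb_count, len(blocks)))
    return modules, blocks


def check_coverage(modules, blocks, db_name, functions, min_percent=80):
    """Classify a parsed log for the database named db_name.

    functions: {name: (start_offset, end_offset)} relative to the image base, as the
    disassembler would report them.  min_percent (an assumed threshold) is the share
    of blocks that must land inside a known function for the mapping to count as OK.
    Returns (status, hits) with hits = {function name: set of covered block offsets}.
    """
    ids = {m.mod_id for m in modules
           if m.path.replace("\\", "/").rsplit("/", 1)[-1].lower() == db_name.lower()}
    relevant = [b for b in blocks if b.mod_id in ids]
    if not relevant:
        return "NO_COVERAGE_FOR_DATABASE", {}      # second warning class
    hits, unmapped = {}, 0
    for bb in relevant:
        for name, (lo, hi) in functions.items():
            if lo <= bb.start < hi:
                hits.setdefault(name, set()).add(bb.start)
                break
        else:
            unmapped += 1                          # block lands outside every known function
    mapped = len(relevant) - unmapped
    status = "OK" if mapped * 100 >= min_percent * len(relevant) else "SUSPICIOUS_MAPPING"
    return status, hits                            # third warning class when SUSPICIOUS


# ---- constructed sample data (not real coverage) --------------------------------
SAMPLE_MODULES = [Module(0, 0x400000, 0x410000, r"C:\target\demo.exe"),
                  Module(1, 0x7ff000000000, 0x7ff000100000, r"C:\Windows\System32\kernel32.dll")]
SAMPLE_BLOCKS = [BasicBlock(0x1000, 5, 0), BasicBlock(0x1005, 12, 0), BasicBlock(0x1011, 9, 0),
                 BasicBlock(0x2000, 3, 0), BasicBlock(0x9000, 4, 0), BasicBlock(0x100, 7, 1)]
DEMO_FUNCTIONS = {"main": (0x1000, 0x1100), "helper": (0x2000, 0x2040)}   # demo.exe, assumed


def _header(modules):
    lines = ["DRCOV VERSION: 2", "DRCOV FLAVOR: drcov",
             "Module Table: version 2, count %d" % len(modules),
             "Columns: id, base, end, entry, checksum, timestamp, path"]
    for m in modules:
        lines.append("%3d, 0x%016x, 0x%016x, 0x%016x, 0x00000000, 0x00000000, %s"
                     % (m.mod_id, m.base, m.end, m.base + 0x1000, m.path))
    return "\n".join(lines) + "\nBB Table: %d bbs\n"


def build_binary_log(modules=SAMPLE_MODULES, blocks=SAMPLE_BLOCKS):
    body = b"".join(BB_ENTRY.pack(b.start, b.size, b.mod_id) for b in blocks)
    return (_header(modules) % len(blocks)).encode() + body


def build_ascii_log(modules=SAMPLE_MODULES, blocks=SAMPLE_BLOCKS):
    text = _header(modules) % len(blocks)
    text += "".join("module[%3d]: 0x%016x, %3d\n" % (b.mod_id, b.start, b.size) for b in blocks)
    return text.encode()


if __name__ == "__main__":
    for label, log in (("binary", build_binary_log()), ("ascii", build_ascii_log())):
        mods, bbs = parse_drcov(log)
        status, hits = check_coverage(mods, bbs, "demo.exe", DEMO_FUNCTIONS)
        print(label, len(mods), "modules,", len(bbs), "blocks ->", status,
              {name: len(offs) for name, offs in hits.items()})
```

Both encodings of the same log parse to identical module and block lists; the mapping check then reports OK for the demo database, NO_COVERAGE_FOR_DATABASE when the open binary is not in the module table, and SUSPICIOUS_MAPPING when the function boundaries belong to a different binary, which is exactly the mismatched-coverage situation the warnings are meant to surface.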
In the Wild
It has been almost ten months since the last major release of Lighthouse. As an otherwise reticent maintainer, it is humbling to observe the broader industry continue to discover new and creative ways to consume your creations.
Failing to keep a log of the public & private commentary, I tried to dig out at least a few of the tweets I saw float by in recent months. Your enthusiasm and support has been instrumental to the success and evolution of this project, laying the foundation to new and future works.
6/ Even with a locally installed copy of an AV for conducting research, determining when emulation is actually being invoked can be challenging. I've found @gaasedelen's Lighthouse (https://t.co/4LBz3nQsk6) tool to be incredibly helpful in analyzing AVs, collecting coverage - pic.twitter.com/MtE972yVBo— Alexei Bulazel (@0xAlexei) July 2, 2018
... WinAPI / Linux debugger to allow setting & removal of tens of thousands of breakpoints; it was hard to support with heterogeneous systems. I still miss "click-click" coverage in my RE tools (even though Lighthouse does some of it).— halvarflake (@halvarflake) September 7, 2018
Got lost digging in my taint traces until the wee hours tonight. Working on a new IDA plugin to complement Lighthouse's code coverage views with tainted data overlays by my talk at the end of the month at @HITBSecConf in Beijing!— Lich in Seattle (@richinseattle) October 3, 2018
Just added to S2E: drcov-style code coverage output. This allows you to use @gaasedelen’s excellent Lighthouse tool to explore code coverage across execution states!— Adrian Herrera (@0xadr1an) February 18, 2018
My differential analysis to find out the root cause of Word UAF vulnerability CVE-2018-0797. #AlleyCat and #Lighthouse plugins users might want to check this out as there are some improvements for these tools https://t.co/tYqvsLzJeD— wLcY (@x9090) April 2, 2018
Breaking new ground, Lighthouse is the first and only open source disassembler plugin of its size to support both IDA Pro & Binary Ninja on Windows, Linux, and macOS. It teases a world of ubiquitous security tooling using only the resources we have available today, opening the door to further discussion of such ambitions.
Our experience developing for these technologies is second to none. Ret2 is happy to consult in these spaces, providing plugin development services, the addition of custom features to existing works, or other unique opportunities with regard to security tooling. If your organization has a need for this expertise, please feel free to reach out.