Overview
Finding classes are the detailed categorization of findings discovered during binary analysis. Each class has a unique identifier, description, and associated notes that indicate its behavior and purpose. For an overview of how classes are grouped into types for filtering, see Finding Types & Classes.
Property Notes
The following notes indicate special behaviors for finding classes:
| Note | Description |
|---|---|
artefact | Property represents or references an artefact discovered during analysis |
auto-advisory | Property can generate an advisory via the Binarly copilot service |
deprecated | Property is no longer generated by current analysis tools |
experimental | Property is in development; schema may change prior to release |
informative | Property is a finding without meaningful severity |
internal | Property is internal to analysis tools/platform |
namespace | Namespace of a group of properties emitted based on rules |
aggregate | Provides an aggregate summary of related findings |
Vulnerability Classes
Known Vulnerabilities
| Class | Description |
|---|---|
vulnerability/known-vulnerability | Known vulnerability previously documented and catalogued |
vulnerability/uefi/pkfail | Untrusted or non-production Platform Key (PK) enabling Secure Boot reconfiguration |
vulnerability/uefi/secure-boot-bypass | Signature databases permit execution of known applications with code execution primitives |
UEFI Zero-Day Vulnerabilities
| Class | Description |
|---|---|
vulnerability/uefi/dxe/arbitrary-write-via-pointer-via-nvram-variable | DXE/SMM memory corruption via NVRAM variable pointer |
vulnerability/uefi/pei/arbitrary-write-via-pointer-via-nvram-variable | PEI memory corruption via NVRAM variable pointer |
vulnerability/uefi/smram-write-via-pointer-via-nvram-variable | SMRAM corruption via unchecked NVRAM variable pointer |
vulnerability/uefi/smram-write-via-commbuffer | SMRAM corruption via unchecked CommBuffer pointer |
vulnerability/uefi/smram-write-via-global-buffer | SMRAM corruption via global buffer outside SMRAM |
vulnerability/uefi/smram-write-via-protocol | SMRAM corruption via protocol interface outside SMRAM |
vulnerability/uefi/smram-write-via-save-state | SMRAM corruption via save state pointer |
vulnerability/uefi/dxe/code-execution-via-pointer-via-nvram-variable | DXE code execution via NVRAM variable function pointer |
vulnerability/uefi/pei/code-execution-via-pointer-via-nvram-variable | PEI code execution via NVRAM variable function pointer |
vulnerability/uefi/smm-callout-via-pointer-via-nvram-variable | SMM callout via NVRAM variable function pointer |
vulnerability/uefi/smm-callout-via-boot-services | SMM callout via UEFI Boot Services |
vulnerability/uefi/smm-callout-via-commbuffer | SMM callout via unchecked CommBuffer pointer |
vulnerability/uefi/smm-callout-via-global-buffer | SMM callout via global buffer outside SMRAM |
vulnerability/uefi/smm-callout-via-protocol | SMM callout via protocol interface outside SMRAM |
vulnerability/uefi/smm-callout-via-runtime-services | SMM callout via UEFI Runtime Services |
vulnerability/uefi/smm-callout-via-save-state | SMM callout via save state pointer |
vulnerability/uefi/double-get-variable | Buffer overflow via shared DataSize between GetVariable calls |
vulnerability/uefi/pei-double-get-variable | Buffer overflow via shared DataSize in PEI phase |
vulnerability/uefi/smm-double-get-variable | Buffer overflow via shared DataSize in SMM |
vulnerability/uefi/get-set-variable | Information disclosure via shared DataSize between Get/SetVariable |
vulnerability/uefi/smm-get-set-variable | SMRAM information disclosure via shared DataSize |
vulnerability/uefi/unverified-boot-guard | Intel Boot Guard verification could not be confirmed |
vulnerability/uefi/leaked-boot-guard-km-key | Leaked Intel Boot Guard Key Manifest private key |
vulnerability/uefi/leaked-boot-guard-bpm-key | Leaked Intel Boot Guard Boot Policy Manifest private key |
Cryptographic Classes
Encryption Algorithms
| Class | Algorithm |
|---|---|
crypto/algorithm/encryption/aes | AES |
crypto/algorithm/encryption/3des | Triple DES |
crypto/algorithm/encryption/des | DES |
crypto/algorithm/encryption/blowfish | Blowfish |
crypto/algorithm/encryption/twofish | Twofish |
crypto/algorithm/encryption/camellia | Camellia |
crypto/algorithm/encryption/cast5 | CAST5 |
crypto/algorithm/encryption/curve25519 | Curve25519 |
crypto/algorithm/encryption/idea | IDEA |
crypto/algorithm/encryption/rc2 | RC2 |
crypto/algorithm/encryption/rc4 | RC4 |
crypto/algorithm/encryption/rc5 | RC5 |
crypto/algorithm/encryption/rc6 | RC6 |
crypto/algorithm/encryption/rsa | RSA (encryption) |
crypto/algorithm/encryption/salsa20 | Salsa20 |
crypto/algorithm/encryption/hc-128 | HC-128 |
crypto/algorithm/encryption/sosemanuk | Sosemanuk |
crypto/algorithm/encryption/skipjack | Skipjack |
crypto/algorithm/encryption/tea | TEA |
crypto/algorithm/encryption/xtea | XTEA |
crypto/algorithm/encryption/xxtea | XXTEA |
crypto/algorithm/encryption/vest | VEST |
Hashing Algorithms
| Class | Algorithm |
|---|---|
crypto/algorithm/hashing/md2 | MD2 |
crypto/algorithm/hashing/md4 | MD4 |
crypto/algorithm/hashing/md5 | MD5 |
crypto/algorithm/hashing/sha1 | SHA-1 |
crypto/algorithm/hashing/sha224 | SHA-224 |
crypto/algorithm/hashing/sha256 | SHA-256 |
crypto/algorithm/hashing/sha384 | SHA-384 |
crypto/algorithm/hashing/sha512 | SHA-512 |
crypto/algorithm/hashing/sha512-224 | SHA-512/224 |
crypto/algorithm/hashing/sha512-256 | SHA-512/256 |
crypto/algorithm/hashing/sha3-224 | SHA3-224 |
crypto/algorithm/hashing/sha3-256 | SHA3-256 |
crypto/algorithm/hashing/sha3-384 | SHA3-384 |
crypto/algorithm/hashing/sha3-512 | SHA3-512 |
crypto/algorithm/hashing/shake128 | SHAKE128 |
crypto/algorithm/hashing/shake256 | SHAKE256 |
crypto/algorithm/hashing/blake2b | BLAKE2b |
crypto/algorithm/hashing/blake2s | BLAKE2s |
crypto/algorithm/hashing/ripemd160 | RIPEMD-160 |
crypto/algorithm/hashing/sm3 | SM3 |
crypto/algorithm/hashing/tiger | Tiger |
crypto/algorithm/hashing/djb2 | DJB2 |
crypto/algorithm/hashing/fnv | FNV |
crypto/algorithm/hashing/murmur3 | MurmurHash3 |
Signing Algorithms
| Class | Algorithm |
|---|---|
crypto/algorithm/signing/rsa | RSA |
crypto/algorithm/signing/rsa-sha256 | RSA-SHA256 |
crypto/algorithm/signing/rsa-sha512 | RSA-SHA512 |
crypto/algorithm/signing/dsa | DSA |
crypto/algorithm/signing/ecdsa-sha256 | ECDSA-SHA256 |
crypto/algorithm/signing/ecdsa-sha384 | ECDSA-SHA384 |
crypto/algorithm/signing/ecdsa-sha512 | ECDSA-SHA512 |
crypto/algorithm/signing/ed25519 | Ed25519 |
crypto/algorithm/signing/ed448 | Ed448 |
crypto/algorithm/signing/sm2 | SM2 |
Post-Quantum Signing Algorithms
| Class | Algorithm |
|---|---|
crypto/algorithm/signing/ml-dsa-44 | ML-DSA-44 |
crypto/algorithm/signing/ml-dsa-65 | ML-DSA-65 |
crypto/algorithm/signing/ml-dsa-87 | ML-DSA-87 |
crypto/algorithm/signing/slh-dsa-sha2-128s | SLH-DSA-SHA2-128s |
crypto/algorithm/signing/slh-dsa-sha2-128f | SLH-DSA-SHA2-128f |
crypto/algorithm/signing/slh-dsa-sha2-192s | SLH-DSA-SHA2-192s |
crypto/algorithm/signing/slh-dsa-sha2-192f | SLH-DSA-SHA2-192f |
crypto/algorithm/signing/slh-dsa-sha2-256s | SLH-DSA-SHA2-256s |
crypto/algorithm/signing/slh-dsa-sha2-256f | SLH-DSA-SHA2-256f |
crypto/algorithm/signing/slh-dsa-shake-* | SLH-DSA-SHAKE variants |
MAC Algorithms
| Class | Algorithm |
|---|---|
crypto/algorithm/mac/hmac-sha256 | HMAC-SHA256 |
crypto/algorithm/mac/hmac-sha512 | HMAC-SHA512 |
crypto/algorithm/mac/poly1305 | Poly1305 |
Protocols
| Class | Description |
|---|---|
crypto/protocol/ssl/v2-0 | SSL v2.0 (insecure) |
crypto/protocol/ssl/v3-0 | SSL v3.0 (insecure) |
crypto/protocol/tls/v1-0 | TLS v1.0 (deprecated) |
crypto/protocol/tls/v1-1 | TLS v1.1 (deprecated) |
crypto/protocol/tls/v1-2 | TLS v1.2 |
crypto/protocol/tls/v1-3 | TLS v1.3 |
Certificate Issues
| Class | Description |
|---|---|
crypto/certificate/expired | Certificate has expired |
crypto/certificate/invalid | Certificate has invalid parameters or structure |
crypto/certificate/self-signed | Self-signed certificate found |
crypto/certificate/untrusted | Certificate not signed by recognised CA |
crypto/rsa/weak-key-parameters | Weak RSA key parameters detected |
Mitigation Classes
General Mitigations
| Class | Description |
|---|---|
mitigation/known-mitigation-failure | Known security mitigation failure |
mitigation/missing-control-flow-integrity | Missing CFI (BTI/IBT) protections |
mitigation/missing-stack-canaries | Missing stack canary protection |
UEFI Mitigations
| Class | Description |
|---|---|
mitigation/uefi/memory-protection-misconfiguration | Memory protection policy misconfiguration |
mitigation/uefi/missing-rsb-stuffing | Incomplete Return Stack Buffer stuffing |
mitigation/uefi/outdated-dbx | Outdated forbidden signature database |
mitigation/uefi/outdated-amd-microcode-version | Outdated AMD microcode |
mitigation/uefi/outdated-intel-microcode-version | Outdated Intel microcode |
mitigation/uefi/vulnerable-amd-microcode-version | Vulnerable AMD microcode |
mitigation/uefi/vulnerable-intel-microcode-version | Vulnerable Intel microcode |
mitigation/uefi/pei/stack-guard-misconfiguration | PEI StackGuard misconfiguration |
mitigation/uefi/dxe/stack-guard-misconfiguration | DXE StackGuard misconfiguration |
mitigation/uefi/uefiplat-weak-configuration | Weak UEFI platform configuration |
mitigation/uefi/untrusted-ami-test-key | Non-production AMI test key |
mitigation/uefi/untrusted-insyde-test-key | Non-production Insyde test key |
mitigation/uefi/untrusted-phoenix-test-key | Non-production Phoenix test key |
mitigation/uefi/leaked-ami-test-key | Leaked AMI test key (PKfail) |
POSIX Mitigations
| Class | Description |
|---|---|
mitigation/posix/fortify-source-disabled | Fortify Source protection disabled |
mitigation/posix/nx-disabled | No eXecute (NX/DEP) disabled |
mitigation/posix/relro-disabled | RELRO disabled |
mitigation/posix/relro-partially-enabled | RELRO only partially enabled |
mitigation/posix/pie-disabled | Position Independent Executable disabled |
Weakness Classes
| Class | Description |
|---|---|
weakness/posix/not-stripped | Binary contains symbol information |
weakness/posix/rpath-set | RPATH may allow arbitrary code execution |
weakness/posix/runpath-set | RUNPATH may allow arbitrary code execution |
weakness/posix/unsafe-functions/summary | Aggregate of unsafe function calls |
weakness/linux/kernel-configuration | Linux kernel hardening configuration findings |
Secret Classes
| Class | Description |
|---|---|
secret/credentials | Potential credentials for accessing restricted resources |
secret/api-credentials | Potential API credentials for unauthorised API calls |
secret/oauth-credentials | Potential OAuth credentials for application impersonation |
secret/encryption-key | Potential encryption key for decrypting protected data |
secret/jwt-token | Potential JWT token for accessing restricted resources |
secret/webhook-url | Potential Webhook URL for compromising workflows |
secret/private-key | Potential private key (experimental) |
secret/generic | Potentially sensitive data |
Malware & Suspicious Classes
Malware
| Class | Description |
|---|---|
malware/known-threat | Known malware threat |
malware/malicious-behaviour | Detection of potentially malicious behaviour |
malware/uefi/implant-hook-install | UEFI hook installations consistent with bootkits |
Suspicious (UEFI)
| Class | Description |
|---|---|
suspicious/uefi/resolve-imports | PE parsing for resolving imports |
suspicious/uefi/resolve-relocations | PE parsing for resolving relocations |
Suspicious (POSIX)
| Class | Description |
|---|---|
suspicious/posix/executable-data | DATA segments with execute permissions |
suspicious/posix/no-stdlib | Binary doesn't use standard library |
suspicious/posix/packed-elf | Encrypted or compressed ELF binary |
suspicious/posix/reverse-text | Reverse Text Segment infection technique |
suspicious/posix/ctors-dtors | Suspicious constructor/destructor entries |
suspicious/posix/dt-needed | Modified DT_DEBUG with suspicious DT_NEEDED |
suspicious/posix/entrypoint | Suspicious entry point location |
suspicious/posix/ifuncs | Suspicious IFUNC resolvers |
suspicious/posix/init-fini | Suspicious DT_INIT/DT_FINI entries |
suspicious/posix/plt-got | Suspicious PLT stub entries |
suspicious/posix/pt-note-conversion | PT_NOTE conversion infection |
suspicious/posix/relocations | Suspicious relocation table entries |
suspicious/posix/text-padding | Suspicious TEXT segment padding |
Supply Chain Classes
| Class | Description |
|---|---|
supply-chain/known-supply-chain-issue | Known supply chain security issue |
Artefact Classes
| Class | Description |
|---|---|
artefact/uefi/boot-policy-manifest | Intel Boot Guard Boot Policy Manifest |
artefact/uefi/key-manifest | Intel Boot Guard Key Manifest |
artefact/crypto-certificate-material | X.509 certificates found in component |
artefact/crypto-key-material | Cryptographic keys found in component |
artefact/embedded-executable | Embedded executable files |
artefact/related-component | Related components discovered during analysis |
Metadata Classes
Metadata classes provide informational context about the analysed component:
- metadata/relation/* - Component relationships (contains, duplicates, linkage)
- metadata/analysis/* - Analysis metadata (size limits, provenance)
- metadata/entropy/* - Entropy analysis data
- metadata/symbols/* - Symbol table information (DWARF, ELF, PDB)
- metadata/hardening/* - Security hardening summaries
- metadata/signature/* - File signature information
- metadata/environment/* - Runtime environment information
Related
- Finding Types & Classes - How classes are grouped into types for filtering
- Findings Scope - Configure which finding types are visible per product