A comprehensive security analysis platform for Solana eBPF programs in Ghidra, featuring full disassembly, decompilation, emulation, interactive debugging, and automated vulnerability detection.
This Ghidra extension provides complete tooling for analyzing Solana smart contracts compiled to eBPF bytecode. It extends Ghidra's reverse engineering capabilities with Solana-specific features including a full Solana Virtual Machine (SVM) emulator, interactive debugger, and comprehensive security analyzer that automatically detects common vulnerabilities and generates proof-of-concept exploits.
This project builds upon the foundational work of:
- Original source: giraffexiu/Solana-eBPF-for-Ghidra - Initial Solana eBPF disassembler for Ghidra
- Upstream: Toizi/eBPF-for-Ghidra - Rebase of Nalen98's eBPF extension
- Original eBPF: Nalen98/eBPF-for-Ghidra - Original eBPF processor module
The current version has been significantly extended with emulation, debugging, and security analysis capabilities.
- eBPF Solana instruction set support: Complete disassembly of Solana eBPF bytecode
- ELF loader: Proper loading of Solana program ELF files with correct memory layout
- Relocation handling: Automatic processing of Solana-specific relocations
- Stack frame analysis: Automatic stack frame creation for better decompilation
- String detection: Identification of string literals in Solana programs
- Full SVM emulator: Complete Solana Virtual Machine implementation
- Accurate memory layout (text @ 0x100000000, stack @ 0x200000000, heap @ 0x300000000, input @ 0x400000000)
- Compute unit tracking (configurable limits up to 1.4M CU)
- Syscall support for all major Solana syscalls:
- Logging:
sol_log_,sol_log_64_,sol_log_pubkey,sol_log_compute_units_ - Memory:
sol_memcpy_,sol_memmove_,sol_memcmp_,sol_memset_ - Cryptography:
sol_sha256,sol_keccak256 - PDA:
sol_create_program_address,sol_try_find_program_address - CPI:
sol_invoke_signed_c,sol_invoke_signed_rust - Sysvars: Clock, rent, and other sysvar access
- Logging:
- Transaction builder: Construct realistic transaction inputs with accounts and instruction data
- Call tree tracking: Visualize function call hierarchies during execution
- Account state management: Track changes to account data, lamports, and ownership
- Breakpoint support: Set breakpoints at any instruction address
- Step controls: Step into, step over, and step out of function calls
- Execution control: Pause, resume, and terminate execution
- State inspection:
- View all eBPF registers (R0-R10, R11/FP)
- Inspect memory regions (stack, heap, input)
- Monitor compute unit consumption
- Track execution log messages
- GUI integration: Full-featured debugging panel in Ghidra
- Transaction input builder
- Register viewer
- Execution log panel
- Call tree visualizer
- Account changes tracker
- Breakpoint manager
Comprehensive vulnerability detection with automatic proof-of-concept generation. Detects:
Authorization & Ownership Issues:
- Missing owner checks before account access
- Missing signer verification before mutations
- Overwritable account metadata in CPIs
Anchor Framework Issues:
- Missing account discriminator checks
- Instruction discriminator confusion
Cross-Program Invocation (CPI) Hazards:
- CPI calls before validation checks
- Unsigned CPI where signed is required
- Self-reentrancy vulnerabilities
- Unvalidated CPI program IDs
PDA/Seeds Issues:
- Unvalidated seeds in PDA derivation
- Impersonable PDA writes without verification
Memory Safety:
- Unchecked deserialization from instruction data
- Missing bounds checks in memory operations
Arithmetic Issues:
- Unchecked arithmetic on lamports and counters
Advanced Analysis Features:
- Execution path tracing: Maps all paths from entry points to vulnerabilities
- Data flow analysis: Taint tracking from untrusted inputs to sensitive operations
- Branch condition extraction: Identifies required conditions to trigger vulnerabilities
- Automatic PoC generation: Generates ready-to-use exploit code in Rust and TypeScript
- Security reports: Creates detailed Markdown reports with findings, PoCs, and remediation advice
- Vulnerability validation: Uses emulator to validate that vulnerabilities are exploitable
See SECURITY_ANALYZER.md for detailed documentation.
CALLX Boundary Detection & Auto-Fix:
- Automatically detects incorrect function boundaries that cause CALLX failures
- Identifies when register setup instructions are misplaced after indirect calls
- Automatic fixing of critical boundary issues with safety validation
- Configurable confidence thresholds and dry-run mode
See CALLX_BOUNDARY_DETECTOR.md for detailed documentation.
Additional Analysis Tools:
- Discriminator discovery: Automatically identifies instruction and account discriminators
- Input derivation: Analyzes programs to suggest valid transaction inputs
- Account layout extraction: Reverse-engineers account structures from memory access patterns
- Download the release version of the extension ZIP file
- In Ghidra, go to
File β Install Extensions... - Click the green "+" icon and select the downloaded ZIP file
- Restart Ghidra
-
Set the
GHIDRA_INSTALL_DIRenvironment variable:export GHIDRA_INSTALL_DIR=/path/to/ghidra -
Build the extension:
gradle
-
In Ghidra, go to
File β Install Extensions... -
Click the green "+" icon and select the ZIP from the
dist/directory -
Restart Ghidra
Supported Versions:
- Ghidra 11.0.3 and later
- Tested with Ghidra 11.0.3 and 11.1
- Open your Solana eBPF binary (
.sofile) in Ghidra's CodeBrowser - When prompted to analyze, ensure these analyzers are enabled:
- Solana Security Bug Detector
- CALLX Boundary Detector
- eBPF Solana Stack Frame Creator
- Click "Analyze"
- Open
Tools β Solana Emulatorfrom the menu - In the Transaction Input panel:
- Configure program ID
- Add accounts with proper flags (writable, signer)
- Set instruction data
- Click "Run" to execute the program
- View results in:
- Execution Log: See syscall outputs and program logs
- Call Tree: Visualize function call hierarchy
- Account Changes: Track modifications to account data
- Compute Units: Monitor CU consumption
- Launch the emulator (
Tools β Solana Emulator) - Right-click in the Listing view and select "Toggle Breakpoint" (or press F9)
- Configure transaction input
- Click "Debug" to start in debug mode
- Use step controls:
- Step Into: Execute one instruction
- Step Over: Execute function call without stepping into it
- Step Out: Run until current function returns
- Inspect state in the Registers and Memory panels
The security analyzer runs automatically during program analysis. To view results:
-
Open Bookmark Manager (
Window β Bookmarks)- Filter by "Security-Critical", "Security-High", etc.
- Click any bookmark to navigate to the vulnerability
-
Check Console Output
- Look for "Security Report Generated" messages
- Note the report file location
-
Read Generated Reports
- Navigate to the report directory (shown in console)
- Open the Markdown report in any Markdown viewer
- Review PoC code in the
pocs/subdirectory
Right-click any security bookmark and select "Validate Vulnerability" to:
- Automatically configure the emulator with inputs to reach the vulnerability
- Execute the program and verify the vulnerability is exploitable
- View detailed validation results with execution traces
Configure via Edit β Tool Options β Analyzers β Solana Security Bug Detector:
- Enable/disable specific vulnerability checks
- Set minimum confidence threshold (0-100)
- Toggle automatic PoC generation
- Configure report output directory
Configure via the Emulator GUI:
- Compute unit limit (default: 200,000)
- Max instructions (safety limit)
- Memory region sizes
- Syscall behavior
Configure via Edit β Tool Options β Analyzers β CALLX Boundary Detector:
- Enable automatic fixing of critical issues
- Set confidence threshold for auto-fix
- Toggle dry-run mode
- Require user confirmation before fixes
- Rebasing: Rebasing after a program has been imported might lead to messed up relocations. Everything should work as expected when specifying base address in import options.
- Function parameters: Functions with more than 5 parameters are not correctly decompiled. See
data/languages/eBPFSol.cspecfor details. - Complex control flow: Some complex control flow patterns in security analysis may produce false positives or miss certain vulnerabilities.
- SECURITY_ANALYZER.md: Comprehensive guide to the security analyzer, vulnerability types, and PoC generation
- CALLX_BOUNDARY_DETECTOR.md: Detailed documentation of CALLX boundary detection and automatic fixing
- Solana rbpf: Main source for how Solana eBPF works (disassembler, relocations, etc.)
- Solana Developer Docs: Official Solana development documentation
- Solana Security Best Practices: Security guidelines for Solana programs
- Creating a Ghidra Processor Module: General guide to implementing processor modules (uses V8 as example)
- Ghidra Emulator API: Official Ghidra emulation framework documentation
- giraffexiu/Solana-eBPF-for-Ghidra: Original Solana eBPF disassembler
- Toizi/eBPF-for-Ghidra: Upstream eBPF processor module
- Nalen98/eBPF-for-Ghidra: Original eBPF Ghidra extension
Contributions are welcome! When contributing:
- Follow existing code style and patterns
- Add tests for new features
- Update documentation for user-facing changes
- Ensure all analyzers run successfully on test programs
Licensed under the Apache License, Version 2.0. See LICENSE file for details.