Raxol.Core.Runtime.Plugins.Security.BeamAnalyzer (Raxol Core v2.4.0)

Copy Markdown View Source

BEAM bytecode analyzer for detecting security-sensitive operations.

This module analyzes the abstract syntax tree (AST) of compiled BEAM modules to detect potentially dangerous operations such as:

  • File system access
  • Network access
  • Code injection / dynamic evaluation
  • System command execution
  • Process spawning with external commands

Usage

{:ok, capabilities} = BeamAnalyzer.analyze_module(MyPlugin)
# => {:ok, %{file_access: true, network_access: false, code_injection: false}}

Summary

Types

analysis_error()
analysis_result()
beam_lib_error()
capabilities()
capability()

Functions

analyze_module(module)

Analyzes a module's BEAM bytecode to detect security-sensitive operations.

has_code_injection_risk?(module)

Checks if a module has code injection capabilities.

has_file_access?(module)

Checks if a module has file system access capabilities.

has_network_access?(module)

Checks if a module has network access capabilities.

has_system_command_access?(module)

Checks if a module has system command execution capabilities.

Types

analysis_error()

@type analysis_error() :: :no_abstract_code | :unknown_beam_format | beam_lib_error()

analysis_result()

@type analysis_result() :: {:ok, capabilities()} | {:error, analysis_error()}

beam_lib_error()

@type beam_lib_error() ::
  {:beam_lib_error,
   {:not_a_beam_file, list()}
   | {:file_error
      | :invalid_beam_file
      | :invalid_chunk
      | :key_missing_or_invalid
      | :missing_backend
      | :missing_chunk
      | :unknown_chunk, list(), atom() | list() | non_neg_integer()}
   | {:chunk_too_big, list(), list(), non_neg_integer(), non_neg_integer()}}

capabilities()

@type capabilities() :: %{
  file_access: boolean(),
  network_access: boolean(),
  code_injection: boolean(),
  system_commands: boolean()
}

capability()

@type capability() ::
  :file_access | :network_access | :code_injection | :system_commands

Functions

analyze_module(module)

@spec analyze_module(module()) ::
  {:ok,
   %{
     file_access: boolean(),
     network_access: boolean(),
     code_injection: boolean(),
     system_commands: boolean()
   }}
  | {:error,
     :no_abstract_code
     | :unknown_beam_format
     | {:beam_lib_error,
        {:not_a_beam_file, [any()]}
        | {:file_error
           | :invalid_beam_file
           | :invalid_chunk
           | :key_missing_or_invalid
           | :missing_backend
           | :missing_chunk
           | :unknown_chunk, [any()], atom() | [...] | non_neg_integer()}
        | {:chunk_too_big, [any()], [...], non_neg_integer(), non_neg_integer()}}}

Analyzes a module's BEAM bytecode to detect security-sensitive operations.

Returns a map of capability flags indicating what the module can do.

has_code_injection_risk?(module)

@spec has_code_injection_risk?(module()) :: boolean()

Checks if a module has code injection capabilities.

has_file_access?(module)

@spec has_file_access?(module()) :: boolean()

Checks if a module has file system access capabilities.

has_network_access?(module)

@spec has_network_access?(module()) :: boolean()

Checks if a module has network access capabilities.

has_system_command_access?(module)

@spec has_system_command_access?(module()) :: boolean()

Checks if a module has system command execution capabilities.