Lighthouse is a code coverage plugin for IDA Pro. Last week I promoted the github development branch to master and tagged the release as Lighthouse v0.6. This post details some of its noteworthy changes.

Highlights for this release include a Lighthouse compatible Intel pintool, cyclomatic complexity metrics, batch loading, and a number of important bugfixes.

Lighthouse is a plugin to explore and visualize externally collected code coverage in IDA Pro

CodeCoverage Pintool

One of the top requests for Lighthouse has been an Intel Pin based solution for collecting compatible code coverage. Since the initial release, Lighthouse has only offered DynamoRIO support.

Thanks to a community contribution from Agustin Gianni, Lighthouse v0.6 now ships with the CodeCoverage pintool that works with Windows, MacOS, and Linux!

Running the 64bit CodeCoverage pintool against the boombox.exe testcase

Pin tends to have a better track record instrumenting complex applications (eg, Browsers, Office) at the expense of runtime performance (pin is slower). Where one DBI fails, hopefully the other offering can pick up the slack.

I’ve tentatively labeled the pintool as experimental while it undergoes further vetting from the public.

Cyclomatic Complexity

As a feature request from the community (thanks @yrp604), the Coverage Overview now lists the computed cyclomatic complexity of functions.

The newly added cyclomatic complexity column as seen in the Coverage Overview

Cyclomatic complexity quantifies the number of unique paths through a function. Functions with high complexity scores can point to code that is going to be hard for developers to understand, test, and maintain.

Human intuition tells us that high complexity constructs are more likely to contain defects (bugs).

Batch Load

The last notable feature added with the Lighthouse v0.6 release is batch loading.

File → Load file → Code coverage batch...

Batch loading allows one to select and load any number of coverage files from disk, but collapses their data into a single coverage set (an aggregate) at load time. This is useful when analyzing coverage data for a large set of testcases that may be cumbersome for Lighthouse to load and manage as individual coverage sets.

I’ve used this feature to load a batch of coverage data for 400+ unique testcases against a target application.

Bugfixes

With every release of Lighthouse I generally find and fix a number of bugs. This section highlights some of the important bugfixes that will be shipping with this release.

Poor Color Selection

By sampling the colors in the Qt & disassembly views, Lighthouse attempts to make a conscious decision as to which color would better maintain disassembly readability when painting coverage data to the database.

Lighter IDA themes get a light green coverage paint versus a dark theme with dark paint

There were a few bugs surrounding my sampling and selection code that would cause Lighthouse to paint coverage data with the wrong color, yielding largely unreadable text.

This release fixes the sampling issues to provide a more consistent experience with coverage paint colors.

IDA Crashes

On rare occasions Lighthouse was triggering a UAF in the compiled IDAPython library and crashing IDA.

A hard crash of IDA some users reported experiencing

In Lighthouse v0.6, a workaround has been put in place that appears to mitigate the issue (for now). The proper fix will have to be made to IDAPython in a later release of IDA.

Minor Bugfixes

Fixed a parsing issue for drcov coverage logs created on MacOS or Linux

coverage logs created on MacOS or Linux Fixed a bug where IDA could hang (deadlock) on close if an asynchronous paint was still in progress

In the Wild

Finally, I’d like to recognize public works that I have seen make use of Lighthouse since the last release.

In September I was forwarded a blogpost written by @symeonp that documents his research and findings from fuzzing MSXML6 (one of Microsoft’s XML parsing libraries) with WinAFL + Lighthouse.

Right, finally I finished my first blog post: Fuzzing the MSXML6 library with WinAFL: https://t.co/pezyvJ2dAz ! Comments are welcome! — symeon (@symeonp) September 17, 2017

The beauty of this juxtaposition is that Lighthouse was created as a direct result of conversations I had with Axel (@0vercl0k) about his contributions to WinAFL.

Seeing this pairing of technology emerge naturally in the public domain is simply awesome.

Conclusion

Lighthouse continues to evolve and improve with every release. It is open source under the MIT License and is maintained as an independent project. Your feedback drives its development.

I welcome external contributions, issues, and feature requests.