Heure de naissance Feuille de chaleur
Trouvez des vulnérabilités pendant que vous dormez ! - Une implémentation open source du projet Naptime de Google pour la découverte automatisée de vulnérabilité à l'aide de modèles de grande langue.
Démarrer rapidement
Installation
# Clone the repository
git clone https://github.com/faizann24/baby-naptime.git
cd baby-naptime
# Install dependencies
pip install -r requirements.txt
# Install system dependencies (Ubuntu/Debian)
sudo apt-get install gdb g++ colorama
# Set up OpenAI API key
export OPENAI_API_KEY='your-openai-key-here'
Utilisation de base
# Analyze a C/C++ file
python run.py -c code/vulnerable.cpp
# Use specific LLM model
python run.py -c code/test.cpp -l gpt-4o
# Advanced analysis with custom settings
python run.py -c code/test.cpp -l o3-mini -k 15 -m 50
```_
## Options de ligne de commande
### Paramètres requis
```bash
# Specify source code file to analyze
python run.py -c <code_file>
python run.py --code_file <code_file>
```_
### Paramètres optionnels
```bash
# Set code directory for additional source files
python run.py -c main.cpp -d /path/to/source/
# Set maximum analysis iterations
python run.py -c main.cpp -m 100
# Choose LLM model
python run.py -c main.cpp -l gpt-4o
python run.py -c main.cpp -l gpt-4o-mini
python run.py -c main.cpp -l o3-mini
python run.py -c main.cpp -l o1-preview
# Set entry function for analysis
python run.py -c main.cpp -f main
# Control conversation history
python run.py -c main.cpp -k 14
Options du modèle LLM
Modèles disponibles
# GPT-3.5 Turbo (fastest, basic analysis)
python run.py -c code.cpp -l gpt-3.5-turbo
# GPT-4o (balanced performance and accuracy)
python run.py -c code.cpp -l gpt-4o
# GPT-4o Mini (cost-effective option)
python run.py -c code.cpp -l gpt-4o-mini
# O3 Mini (optimized for code analysis)
python run.py -c code.cpp -l o3-mini
# O1 Preview (advanced reasoning)
python run.py -c code.cpp -l o1-preview
Analyse des flux de travail
Processus étape par étape
# 1. Prepare your vulnerable code
echo '#include <stdio.h>
int main() \\\\{
char buffer[10];
gets(buffer); // Vulnerable function
printf("Input: %s\n", buffer);
return 0;
\\\\}' > vulnerable.c
# 2. Run baby-naptime analysis
python run.py -c vulnerable.c -l gpt-4o
# 3. Check results
ls results/
cat results/vulnerable_summary.md
Analyse avancée
# Analyze complex project with multiple files
python run.py -c main.cpp -d ./src/ -m 200 -k 20
# Focus on specific function
python run.py -c auth.cpp -f authenticate_user -l o3-mini
# Extended analysis with detailed history
python run.py -c network.cpp -k 30 -m 150
Aménagement de l'environnement
API Configuration de la clé
# Set OpenAI API key (required)
export OPENAI_API_KEY='sk-your-api-key-here'
# Verify API key is set
echo $OPENAI_API_KEY
# Alternative: Create .env file
echo "OPENAI_API_KEY=sk-your-api-key-here" > .env
Dépendances du système
# Ubuntu/Debian
sudo apt-get update
sudo apt-get install gdb g++ python3-pip
# CentOS/RHEL
sudo yum install gdb gcc-c++ python3-pip
# macOS (with Homebrew)
brew install gdb
xcode-select --install
Débogage et analyse
GDB Intégration
# Baby-naptime automatically uses GDB for:
# - Memory layout analysis
# - Crash reproduction
# - Exploit validation
# - Stack trace generation
# Manual GDB debugging (if needed)
gdb ./compiled_binary
(gdb) run
(gdb) bt
(gdb) info registers
Compilation binaire
# Baby-naptime compiles with security mitigations disabled:
# -fno-stack-protector (disable stack canaries)
# -z execstack (enable executable stack)
# -no-pie (disable position independent executable)
# Manual compilation for testing
gcc -fno-stack-protector -z execstack -no-pie vulnerable.c -o vulnerable
Résultats et rapports
Fichiers de résultats
# Check generated reports
ls results/
cat results/[filename]_summary.md
# View detailed analysis
less results/[filename]_summary.md
# Copy results to another location
cp results/*.md /path/to/reports/
Structure du rapport
# Each report contains:
# - Executive summary
# - Technical analysis
# - Exploitation methodology
# - Working payload
# - Proof of concept
Cas d'utilisation courante
Analyse du dépassement des tampons
# Analyze buffer overflow vulnerabilities
python run.py -c buffer_overflow.c -l gpt-4o
# Focus on memory corruption
python run.py -c heap_overflow.cpp -l o3-mini -k 20
Vulnérabilités des chaînes de format
# Analyze format string bugs
python run.py -c format_string.c -l gpt-4o-mini
# Extended analysis for complex cases
python run.py -c printf_vuln.c -m 100 -k 25
Utilisation après détection gratuite
# Analyze memory management issues
python run.py -c use_after_free.cpp -l o1-preview
# Focus on heap analysis
python run.py -c heap_vuln.c -l gpt-4o -k 30
Dépannage
Questions communes
# API key not set
export OPENAI_API_KEY='your-key-here'
# Missing dependencies
pip install -r requirements.txt
sudo apt-get install gdb g++
# Permission issues
chmod +x run.py
sudo chown $USER:$USER -R baby-naptime/
# Python version issues
python3 --version # Should be 3.7+
pip3 install -r requirements.txt
Mode de débogage
# Enable verbose output
python run.py -c code.cpp -l gpt-4o --verbose
# Check system compatibility
python -c "import sys; print(sys.version)"
gdb --version
gcc --version
Optimisation des performances
Analyse efficace
# Use faster models for initial screening
python run.py -c code.cpp -l gpt-3.5-turbo
# Optimize context history for speed
python run.py -c code.cpp -k 10 -m 50
# Use targeted analysis
python run.py -c code.cpp -f vulnerable_function
Gestion des ressources
# Limit iterations for large codebases
python run.py -c large_project.cpp -m 75
# Manage memory usage
python run.py -c code.cpp -k 8
# Batch processing multiple files
for file in *.cpp; do
python run.py -c "$file" -l gpt-4o-mini
done
Exemples d'intégration
CI/CD Pipeline
# Add to GitHub Actions
name: Security Analysis
run:|
export OPENAI_API_KEY=$\\\\{\\\\{ secrets.OPENAI_API_KEY \\\\}\\\\}
python run.py -c src/main.cpp -l gpt-4o-mini
# Jenkins integration
sh 'python run.py -c $\\\\{WORKSPACE\\\\}/src/main.cpp'
Analyse automatisée
# Scan all C/C++ files in project
find . -name "*.cpp" -o -name "*.c"|while read file; do
echo "Analyzing $file"
python run.py -c "$file" -l gpt-4o-mini
done
# Generate combined report
cat results/*_summary.md > combined_security_report.md
Meilleures pratiques
Utilisation efficace
# Start with faster models for initial assessment
python run.py -c code.cpp -l gpt-3.5-turbo
# Use advanced models for detailed analysis
python run.py -c critical_code.cpp -l o1-preview -k 25
# Maintain reasonable iteration limits
python run.py -c code.cpp -m 100 # Good balance
# Focus analysis on specific functions
python run.py -c auth.cpp -f login_handler
Considérations en matière de sécurité
# Always test in isolated environment
# Never run on production systems
# Obtain proper authorization before testing
# Review generated exploits carefully
# Use for educational/research purposes only
Dépositaire : [URL___] License: GPL-3.0 Langue: Python (94,7 %), C++ (4,6%), C (0,7%) Étoiles: 151 + Fourches: 19 +