Flaw Finder

201 views

Published in: Education, Technology

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
201
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
3
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. FlawFinder, alexandra.lacatus@info.uaic.ro, FCS Iasi, Software Engineering
  • 2. About
      • Examines source code and reports possible security weaknesses ("flaws")
      • Written in Python
      • Accessed via a command-line interface, no GUI
      • Categorizes issues by risk level
      • Similar to RATS, PScan and ITS4
    Software Security, FCS Iasi, 2013
  • 3. How does it work
    Based on a built-in database (ruleset) of C/C++ functions with well-known problems:
      • Buffer overflow risks (strcpy, strcat, gets, sprintf, scanf)
      • Format string problems (printf, snprintf, syslog)
      • Race conditions (access, chown, chgrp, chmod, etc.)
      • Potential shell metacharacter dangers (exec, system, popen)
      • Poor random number acquisition (random)
  • 4. Usage
    flawfinder [--help] [--context] [--columns] [--html] [--dataonly] [--minlevel] [--immediate] [--inputs] [--diffhitlist=F] [--neverignore] [--listrules] [--patch=F] [--quiet] [--singleline] [--loadhitlist=F] [--savehitlist=F] [ source code file or source root directory ]+
  • 5. 1. Buffer Overflow
      • strcpy(a, b); Risk level 4: Does not check for buffer overflows when copying to destination. Consider using strncpy or strlcpy (warning, strncpy is easily misused).
      • strncpy(a, b, sizeof(b)); Risk level 1: Easily used incorrectly; doesn't always 0-terminate or check for invalid pointers.
  • 6. 2. Uncontrolled format string
      • printf(a); Risk level 4: If format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification.
      • printf("%s", a); No level / Level 0: If format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. Constant format string, so not considered very risky (there's some residual risk, especially in a loop).
  • 7. 3. Shell metacharacter dangers
      • CreateProcess(NULL, "C:\\Program Files\\GoodGuy\\GoodGuy.exe -x", ""); Risk level 3: This causes a new process to execute and is difficult to use safely. Specify the application path in the first argument, NOT as part of the second, or embedded spaces could allow an attacker to force a different program to run.
  • 8. 4. Race conditions
      • FILE* f = fopen("/etc/passwd", "r"); Risk level 2: Check when opening files - can an attacker redirect it (via symlinks), force the opening of a special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
  • 9. Comparison: RATS
      • Supports C, C++, Perl, PHP, Python
      • Written in C, uses flex & Expat
      • Detects Buffer Overflows, Format String Problems, Shell Executions, Insecure Tmpfiles, Race Conditions, Access Violations, Weak Random, User Input
      • As output, RATS prints problems sorted by severity, by function name, file and line number, followed by an explanation of the problem
  • 10. Comparison: PScan
      • Supports only C
      • Written in C, uses flex
      • Detects format string problems in printf-style C functions
      • The output consists only of the filename and line number of the potential issue
  • 11. Comparison: ITS4
      • Supports C and C++
      • Written in C, needs only a C compiler
      • Detects Buffer Overflows, Format String Problems, Shell Executions, TOCTOU, Usage of weak random number generation, User Input
      • The output prints the filename, line number and the name of the found function, together with a short description of the issue and further suggestions
  • 12. FlawFinder: Advantages
      • Lightweight
      • Can ignore comments and understands FlawFinder directives (like "FlawFinder: ignore")
      • Can use diffs as input and can manage hitlists
      • Written in Python, does not require additional tools or dependencies
      • Open source software
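    To make the ruleset-driven approach of slides 3 and 12 and the hits of slides 5 to 8 concrete, the following Python scanner is an added example written for this transcript; it is not FlawFinder's own code. Its rule table, message texts and the sample C source are constructed from what the slides show, and it reproduces three behaviours the slides mention: a lexical lookup of known-dangerous function names, demotion of printf to level 0 when the format argument is a string literal, and suppression of hits on lines carrying a "Flawfinder: ignore" comment. It strips C/C++ comments but does not parse string literals, so a function name quoted inside a string would still be matched.

```python
import re
from typing import List, NamedTuple


class Rule(NamedTuple):
    level: int      # default risk level, 0 (lowest) to 5 (highest)
    category: str
    advice: str


# Constructed toy ruleset modelled on the hits shown in the slides.
# It is an illustration only, not FlawFinder's built-in database.
RULES = {
    "strcpy": Rule(4, "buffer", "Does not check for buffer overflows when copying to "
                   "destination. Consider using strncpy or strlcpy (warning, strncpy is easily misused)."),
    "strncpy": Rule(1, "buffer", "Easily used incorrectly; doesn't always 0-terminate "
                    "or check for invalid pointers."),
    "printf": Rule(4, "format", "If format strings can be influenced by an attacker, "
                   "they can be exploited. Use a constant for the format specification."),
    "CreateProcess": Rule(3, "shell", "This causes a new process to execute and is difficult "
                          "to use safely. Specify the application path in the first argument, "
                          "NOT as part of the second."),
    "fopen": Rule(2, "race", "Check when opening files - can an attacker redirect it (via "
                  "symlinks), force the opening of a special file type, move things around to "
                  "create a race condition, control its ancestors, or change its contents?"),
}


class Hit(NamedTuple):
    line: int
    func: str
    level: int
    category: str
    message: str


# Match a ruleset function name at a word boundary, followed by "(" and its first
# argument.  \b keeps my_strcpy( and strcpy_s( from being reported as strcpy.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, RULES)) + r")\s*\(\s*([^,)]*)")
IGNORE_RE = re.compile(r"flawfinder:\s*ignore", re.I)


def strip_comments(src: str) -> str:
    """Blank out C/C++ comments while keeping line numbers stable."""
    def blank(m):
        return "\n" * m.group(0).count("\n")
    src = re.sub(r"/\*.*?\*/", blank, src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def scan(src: str, minlevel: int = 1) -> List[Hit]:
    """Return hits at or above minlevel, most severe first (as FlawFinder reports them)."""
    # The ignore directive lives inside a comment, so note it before comments go.
    ignored = {n for n, text in enumerate(src.splitlines(), 1) if IGNORE_RE.search(text)}
    hits = []
    for lineno, text in enumerate(strip_comments(src).splitlines(), 1):
        if lineno in ignored:
            continue
        for m in CALL_RE.finditer(text):
            func, first_arg = m.group(1), m.group(2).strip()
            rule = RULES[func]
            level, msg = rule.level, rule.advice
            # A format function whose first argument is a string literal has a
            # constant format string: demote to level 0, as slide 6 shows.
            if rule.category == "format" and first_arg.startswith('"'):
                level = 0
                msg += (" Constant format string, so not considered very risky "
                        "(there's some residual risk, especially in a loop).")
            if level >= minlevel:
                hits.append(Hit(lineno, func, level, rule.category, msg))
    return sorted(hits, key=lambda h: (-h.level, h.line))


def report(filename: str, src: str, minlevel: int = 1) -> str:
    """Render hits one per line in a FlawFinder-like 'file:line: [level] (category) func:' form."""
    return "\n".join(f"{filename}:{h.line}:  [{h.level}] ({h.category}) {h.func}: {h.message}"
                     for h in scan(src, minlevel))


# Constructed sample C source; the line-number comments are for the reader only.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>
/* strcpy(dst, src); -- inside a comment, must not be reported */
void handle(char *dst, const char *src, const char *fmt) {
    char buf[64];
    strcpy(dst, src);                 // line 7: level 4
    strncpy(buf, src, sizeof(buf));   // line 8: level 1
    printf(fmt);                      // line 9: level 4, attacker-influenced format
    printf("%s", fmt);                // line 10: level 0, constant format
    FILE *fp = fopen("/etc/passwd", "r"); /* Flawfinder: ignore */
    my_strcpy(dst, src);              // not a ruleset function
}
'''

if __name__ == "__main__":
    print(report("sample.c", SAMPLE_C, minlevel=0))
```

    With the default minimum level of 1 the constant-format printf on line 10 is hidden, exactly the effect the --minlevel option in slide 4 is for; passing minlevel=0 shows it as a level 0 hit. The fopen on line 11 is never reported because of the ignore directive, and the commented-out strcpy and my_strcpy produce nothing.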
  • 13. Bibliography
      • FlawFinder homepage - http://www.dwheeler.com/flawfinder/
      • Martin Johns, A Practical Guide to Vulnerability Checkers, Secologic Project, http://www.secologic.org/downloads/testing/060313_secologic_a_prcatical_guide_to_vulnerability_checkers.pdf