FlawFinder
alexandra.lacatus@info.uaic.ro
FCS Iasi, Software Engineering
About
 Examines C/C++ source code and reports possible security weaknesses ("flaws")
 Written in Python
 Accessed via a command-line interface; there is no GUI
 Categorizes issues by risk level (0 = negligible, 5 = highest)
 Similar to RATS, PScan and ITS4
Software Security, FCS Iasi, 2013

How does it work
 Based on a built-in database (ruleset) of C/C++ functions with well-known problems:
 Buffer overflow risks (strcpy, strcat, gets, sprintf, scanf)
 Format string problems (printf, snprintf, syslog)
 Race conditions (access, chown, chgrp, chmod, etc.)
 Potential shell metacharacter dangers (exec, system, popen)
 Poor random number acquisition (random)
 The matching is lexical: the source is tokenised and every use of a listed function name is reported, with the risk level adjusted only by simple argument checks (for example, a constant format string). There is no parsing, type or data-flow analysis, so a hit is a candidate to review, not a confirmed bug; expect false positives and prune them with --minlevel and ignore directives.

Usage
flawfinder [--help] [--listrules] [--patch=F] [--inputs] [--minlevel=X] [--neverignore] [--context] [--columns] [--dataonly] [--html] [--immediate] [--singleline] [--quiet] [--loadhitlist=F] [--savehitlist=F] [--diffhitlist=F] [source code file or source root directory]+
 With no options, flawfinder scans the given files or directories recursively and reports hits of risk level 1 and above (the default --minlevel), highest risk first.
1. Buffer Overflow
strcpy(a, b);
Risk level 4: Does not check for buffer overflows when copying to destination. Consider using strncpy or strlcpy (warning: strncpy is easily misused).
strncpy(a, b, sizeof(b));
Risk level 1: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers.
Note that this second call is itself an example of the misuse: the bound is sizeof(b), the size of the source (or of a pointer, if b is one), not the size of the destination a. The lower risk level only says that the function name is less dangerous; it does not say the call is correct.

2. Uncontrolled format string
printf(a);
Risk level 4: If format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification.
printf("%s", a);
No level / Level 0: Constant format string, so not considered very risky (there is some residual risk, especially in a loop).

3. Shell metacharacter dangers
CreateProcess(NULL, "C:\\Program Files\\GoodGuy\\GoodGuy.exe -x", "");
Risk level 3: This causes a new process to execute and is difficult to use safely. Specify the application path in the first argument, NOT as part of the second, or embedded spaces could allow an attacker to force a different program to run.
With the application name left NULL, Windows takes the program from the unquoted command line and tries the candidates in order, so C:\Program.exe is tried before C:\Program Files\GoodGuy\GoodGuy.exe; an attacker who can create that file wins.

4. Race conditions
FILE* f = fopen("/etc/passwd", "r");
Risk level 2: Check when opening files - can an attacker redirect it (via symlinks), force the opening of a special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
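To make the mechanism behind the four examples concrete, here is a toy scanner in Python. It is an added example, not FlawFinder's own code (whose ruleset and tokenizer are far larger): a lexical pass that blanks comments and string bodies, matches identifiers followed by "(" against a small ruleset carrying the risk levels quoted on the slides, drops printf to level 0 when its format argument is a string literal, honours a "Flawfinder: ignore" comment directive, filters by a minimum level and sorts highest risk first. The RULESET, the Hit layout, the output format, the directive rule (same line, or the next line when the directive stands alone) and the C sample are all assumptions constructed for this example.

```python
"""Toy FlawFinder-style scanner (added example; not FlawFinder's implementation)."""
import re
from dataclasses import dataclass

# Assumed ruleset: name -> (risk level, advice). Levels follow the slides above.
RULESET = {
    "strcpy": (4, "Does not check for buffer overflows when copying to destination"),
    "strncpy": (1, "Easily used incorrectly; doesn't always \\0-terminate"),
    "printf": (4, "If format strings can be influenced by an attacker, they can be exploited"),
    "CreateProcess": (3, "Specify the application path in the first argument, NOT as part of the second"),
    "fopen": (2, "Check when opening files - can an attacker redirect it (via symlinks)?"),
}

@dataclass(frozen=True)
class Hit:
    line: int
    name: str
    level: int
    message: str
    text: str

_STR = r'"(?:\\.|[^"\\\n])*"'
_TOKEN_RE = re.compile(_STR + r'|/\*.*?\*/|//[^\n]*', re.S)   # string literal or comment
_IGNORE_RE = re.compile(r'Flawfinder:\s*ignore')
_CALL_RE = re.compile(r'\b([A-Za-z_]\w*)\s*\(')

def _blank(text):
    """Replace everything except newlines with spaces so line numbers survive."""
    return re.sub(r'[^\n]', ' ', text)

def preprocess(src):
    """Return (code lines, ignored line numbers): comments blanked, string bodies
    blanked (so a name inside a string is not a call), directives collected."""
    directive_lines = []
    def repl(m):
        tok = m.group(0)
        if tok.startswith('"'):
            return '"' + _blank(tok[1:-1]) + '"'
        d = _IGNORE_RE.search(tok)
        if d:
            directive_lines.append(src.count('\n', 0, m.start() + d.start()) + 1)
        return _blank(tok)
    lines = _TOKEN_RE.sub(repl, src).split('\n')
    ignored = set()
    for n in directive_lines:
        # Assumed rule: directive on a code line covers that line; on a line of
        # its own it covers the following line.
        ignored.add(n + 1 if lines[n - 1].strip() == '' else n)
    return lines, ignored

def _split_args(line, open_idx):
    """Split the argument list whose '(' is at line[open_idx] on top-level commas.
    Returns None when the call continues on a later line (not handled by this toy)."""
    depth, args, cur = 0, [], []
    for ch in line[open_idx:]:
        if ch == '(':
            depth += 1
            if depth == 1:
                continue
        elif ch == ')':
            depth -= 1
            if depth == 0:
                args.append(''.join(cur).strip())
                return args
        elif ch == ',' and depth == 1:
            args.append(''.join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    return None

def _risk(name, args):
    level, msg = RULESET[name]
    if name == "printf" and args and args[0].startswith('"'):
        return 0, "Constant format string, so not considered very risky"
    return level, msg

def scan(src, minlevel=1):
    """Report ruleset hits at or above minlevel, highest risk first, then by line."""
    code_lines, ignored = preprocess(src)
    orig_lines = src.split('\n')
    hits = []
    for n, line in enumerate(code_lines, 1):
        if n in ignored:
            continue
        for m in _CALL_RE.finditer(line):
            name = m.group(1)
            if name not in RULESET:
                continue
            level, msg = _risk(name, _split_args(line, m.end() - 1) or [])
            if level >= minlevel:
                hits.append(Hit(n, name, level, msg, orig_lines[n - 1].strip()))
    hits.sort(key=lambda h: (-h.level, h.line))
    return hits

def format_hits(hits, filename="sample.c"):
    """Render hits in a 'file:line: [level] name: message' layout (an approximation of the tool's output)."""
    return [f"{filename}:{h.line}:  [{h.level}] {h.name}: {h.message}" for h in hits]

# Constructed C sample reusing the slide examples plus cases the scanner must not report.
SAMPLE = r'''#include <stdio.h>
#include <string.h>
/* constructed sample: strcpy inside this comment is not a call */
void copy(char *a, const char *b) {
    strcpy(a, b);
    strncpy(a, b, sizeof(b));
    printf(a);
    printf("%s", a);
    puts("strcpy inside a string is not a call");
    FILE *f = fopen("/etc/passwd", "r");
    strcpy(a, "fixed"); /* Flawfinder: ignore */
}
'''

if __name__ == "__main__":
    print("\n".join(format_hits(scan(SAMPLE))))
```

Running it reports strcpy (line 5, level 4), printf(a) (line 7, level 4), fopen (line 10, level 2) and strncpy (line 6, level 1); the constant-format printf only appears with minlevel=0, and the commented, quoted and ignore-marked occurrences of strcpy are never reported.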
Comparison: RATS
 Supports C, C++, Perl, PHP, Python
 Written in C, uses flex & Expat
 Detects Buffer Overflows, Format String Problems, Shell Executions, Insecure Temp Files, Race Conditions, Access Violations, Weak Random, User Input
 As output, RATS prints problems sorted by severity, by function name, file and line number, followed by an explanation of the problem

Comparison: PScan
 Supports only C
 Written in C, uses flex
 Detects format string problems in printf-style C functions
 The output consists only of the filename and line number of the potential issue

Comparison: ITS4
 Supports C and C++
 Written in C, needs only a C compiler to build
 Detects Buffer Overflows, Format String Problems, Shell Executions, TOCTOU, Usage of weak random number generation, User Input
 The output prints the filename, line number and the name of the found function, together with a short description of the issue and other suggestions
FlawFinder: Advantages
 Lightweight
 Ignores comments and understands FlawFinder directives (a comment such as /* Flawfinder: ignore */ suppresses the hit on that line)
 Can use diffs as input (--patch) and can manage hitlists (--savehitlist, --loadhitlist, --diffhitlist), so only the hits introduced by a change need to be reviewed
 Written in Python, does not require additional tools or dependencies
 Open source software
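The hitlist management mentioned above is what makes the tool usable on a code base that already has hundreds of level-1 hits: save a baseline, then report only what a change adds. The following added example (not FlawFinder's code, and not its hitlist file format) shows the design choice that matters when diffing: hits must be keyed on file, function, level and source text rather than on line number, or every insertion above an old hit would re-report it. The tuple layout, JSON serialisation and the two constructed scan results are assumptions for this example; matching on everything except the line number is a policy chosen here, not a description of the tool's internals.

```python
"""Baseline/diff handling for scanner hits (added example; not FlawFinder's hitlist format)."""
import json
from collections import Counter

# A hit as a plain tuple: (file, line, risk level, function, source text).
# Constructed baseline: what an earlier scan of sample.c reported.
BASELINE = [
    ("sample.c", 5, 4, "strcpy", "strcpy(a, b);"),
    ("sample.c", 10, 2, "fopen", 'FILE *f = fopen("/etc/passwd", "r");'),
]
# Constructed current scan: one line was inserted near the top (every old hit
# moved down by one) and a printf(a) call was added.
CURRENT = [
    ("sample.c", 6, 4, "strcpy", "strcpy(a, b);"),
    ("sample.c", 8, 4, "printf", "printf(a);"),
    ("sample.c", 11, 2, "fopen", 'FILE *f = fopen("/etc/passwd", "r");'),
]

def save_hitlist(hits):
    """Serialise hits as JSON text (stand-in for --savehitlist)."""
    return json.dumps([list(h) for h in hits])

def load_hitlist(text):
    """Inverse of save_hitlist (stand-in for --loadhitlist)."""
    return [tuple(h) for h in json.loads(text)]

def hit_key(hit):
    """Identity of a hit for diffing: everything except the line number."""
    file, _line, level, name, text = hit
    return (file, level, name, text.strip())

def diff_hitlist(current, baseline):
    """Return the hits in current that are not in baseline (stand-in for --diffhitlist).
    A multiset is used so that a second, identical call on a new line is still reported."""
    seen = Counter(hit_key(h) for h in baseline)
    new = []
    for h in sorted(current, key=lambda h: (-h[2], h[1])):   # highest risk first
        k = hit_key(h)
        if seen[k] > 0:
            seen[k] -= 1
        else:
            new.append(h)
    return new

def naive_diff(current, baseline):
    """What a line-number-based diff would report: shown only to contrast with diff_hitlist."""
    old = set(baseline)
    return [h for h in current if h not in old]

if __name__ == "__main__":
    baseline = load_hitlist(save_hitlist(BASELINE))
    print("new hits:", diff_hitlist(CURRENT, baseline))
    print("naive   :", naive_diff(CURRENT, baseline))
```

On the constructed data diff_hitlist reports only the new printf(a), while the line-number-based comparison reports all three current hits because the old ones moved.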
Bibliography
 FlawFinder homepage: http://www.dwheeler.com/flawfinder/
 Martin Johns, A Practical Guide to Vulnerability Checkers, Secologic Project: http://www.secologic.org/downloads/testing/060313_secologic_a_prcatical_guide_to_vulnerability_checkers.pdf
