FlawFinder Chris Durham CS297 June 30th, 2005

Page 1: FlawFinder

FlawFinder

Chris Durham, CS297

June 30th, 2005

Page 2: FlawFinder

What is FlawFinder?

● Unix/Linux static analysis tool

● For C/C++ application code

● Written in Python

● Built-in 'dictionary' of vulnerabilities

– Give it a directory of source code

– Produces a list of vulnerabilities by filename/line number/function, and a summary report

Page 3: FlawFinder

Vulnerability Levels

Six vulnerability levels (0-5), but not exactly defined:

0: comment/miscellaneous

1: string length/null termination

2: fixed length array access, string copies, temp file creation

3: environment manipulation/access; command line parsing

4: printf() family vulnerabilities, some race conditions

5: other race conditions
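To make the two previous slides concrete, here is an added illustrative scanner in Python. It is not flawfinder's own code: it uses a constructed risk dictionary (the levels and notes follow the slide's rough categories and are not flawfinder's real table), a constructed C sample, and a purely lexical match on function-call names, so it reports results by filename/line/function with a per-level summary but does no context checking. That last property is visible in the sample: a printf() call with a constant format string is reported at the same level as one whose format comes from argv.

```python
import re
from collections import Counter

# Constructed, illustrative risk dictionary: function name -> (level, note).
# Levels loosely follow the slide's categories; they are NOT flawfinder's table.
RISK_DB = {
    "strlen":  (1, "string length / null termination"),
    "strcpy":  (2, "string copy into fixed-length buffer"),
    "strcat":  (2, "string copy into fixed-length buffer"),
    "sprintf": (2, "string copy into fixed-length buffer"),
    "mktemp":  (2, "temp file creation"),
    "getenv":  (3, "environment access"),
    "system":  (3, "command execution through the shell"),
    "printf":  (4, "printf() family: format string"),
    "access":  (4, "race condition: check, then use"),
    "chmod":   (5, "race condition: filename-based operation"),
    "chown":   (5, "race condition: filename-based operation"),
}

# Matches an identifier immediately followed by '(' i.e. a call (or definition).
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")


def scan_source(filename, text):
    """Return hits as (filename, line_no, function, level, note), highest level first."""
    # Blank out block comments but keep their newlines so line numbers stay right.
    text = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), text, flags=re.S)
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        code = line.split("//", 1)[0]   # naive: a '//' inside a string literal would also cut
        for m in CALL_RE.finditer(code):
            name = m.group(1)
            if name in RISK_DB:
                level, note = RISK_DB[name]
                hits.append((filename, line_no, name, level, note))
    # Sort like a triage list: most severe first, then by file and line.
    return sorted(hits, key=lambda h: (-h[3], h[0], h[1]))


def summarize(hits, min_level=0):
    """Count hits per level at or above min_level (the tail summary of a report)."""
    return Counter(h[3] for h in hits if h[3] >= min_level)


def report_lines(hits, min_level=0):
    """Human-readable lines in filename:line: [level] (function) note form."""
    return [f"{fn}:{ln}: [{level}] ({name}) {note}"
            for fn, ln, name, level, note in hits if level >= min_level]


# Constructed sample input (not from any real project). Raw string keeps "\n" literal.
SAMPLE_C = r"""#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* a comment that only mentions strcpy(a, b) must not be reported */
int main(int argc, char **argv) {
    char buf[64];
    const char *home = getenv("HOME");
    strcpy(buf, argv[1]);                 // unbounded copy into a fixed buffer
    printf(argv[1]);                      // format string taken from the user
    if (access("/tmp/x", W_OK) == 0) {    // check ...
        chmod("/tmp/x", 0600);            // ... then use: window for a race
    }
    printf("%s\n", buf);                  // constant format: flagged anyway
    return 0;
}
"""

if __name__ == "__main__":
    found = scan_source("sample.c", SAMPLE_C)
    print("\n".join(report_lines(found)))
    for level, count in sorted(summarize(found).items(), reverse=True):
        print(f"level {level}: {count} hit(s)")
```

Running it lists six hits, with the chmod() call at level 5 first; the printf() at line 14 is reported at level 4 even though its format string is a literal, which is exactly the kind of result the later slides describe as needing your own analysis. Adding a check means editing the dictionary in the source, mirroring the slide's point about extending flawfinder.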

Page 4: FlawFinder

Besides what you would expect...

The previous slide shows that flawfinder checks for a number of standard C vulnerabilities. But it also checks for a number of more esoteric but common Unix OS system call vulnerabilities, and it considers system call race conditions to be high risk (levels 4 and 5).

Page 5: FlawFinder

My Test

● Sendmail source: 8.13.1

● Flawfinder found 1293 potential vulnerabilities, 4 level 5s

● Spot check of levels 0-4: false positives

● Level 5: reviewed each vulnerability, found that all but one were false positives

● Last one: probably also a false positive, involving the OS guarantee that filenames have trailing nulls

Page 6: FlawFinder

Summary

● Flawfinder does not do context checking; it only checks against a static list of pre-defined potential issues

● Hard to add new checks: you have to edit the Python source

● Good as an initial check, but you must do your own analysis

Page 7: FlawFinder

Let's take a look!

http://www.cbdurham.org/flawfinder

Page 8: FlawFinder

References

Flawfinder Home page:

http://www.dwheeler.com/flawfinder

Linux Secure Programming HOWTO:

http://www.dwheeler.com/secure-programs

Checking for Race Conditions in File Accesses, Matt Bishop and Matt Dilger, UCSD

http://www.cs.ucsb.edu/~vigna/courses/CS595/bishop96-race_conditions.pdf

RATS page:

http://www.securesoftware.com/resources/tools.html