FlawFinder
Chris Durham, CS297
June 30th, 2005
What is FlawFinder?
● Unix/Linux static analysis tool
● For C/C++ application code
● Written in Python
● Built-in 'dictionary' of vulnerabilities
  – Give it a directory of source code
  – Produces a list of vulnerabilities by filename/line number/function, plus a summary report
Vulnerability Levels
Six risk levels (0 to 5); the boundaries are not sharply defined, but roughly:
0: comment/miscellaneous
1: string length/null termination
2: fixed-length array access, string copies, temporary file creation
3: environment manipulation/access; command line parsing
4: printf() family (format string) vulnerabilities, some race conditions
5: other race conditions
Besides what you would expect...
The previous slide shows that flawfinder checks for a number of standard C vulnerabilities. But it also checks for a number of more esoteric but common Unix system call vulnerabilities, and it considers system call race conditions (for example a check on a path name followed by a separate use of that same path, where the file can be swapped in between) to be high risk (levels 4 and 5).
My Test
● Sendmail source: 8.13.1
● Flawfinder found 1293 potential vulnerabilities, 4 level 5s
● Spot check of levels 0-4: false positives
● Level 5: reviewed each vulnerability, found that all but one were false positives
● Last one: probably also a false positive, involving the OS guarantee that filenames have trailing nulls
Summary
● Flawfinder does no context checking: it matches the code against a static list of pre-defined potential issues (a call is reported because of its name, not because of how its arguments are used)
● Hard to add new checks: you have to edit the Python source
● Good as an initial check, but you must do your own analysis
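The following is an added example, not flawfinder's own code, that reproduces the mechanism described on the "What is FlawFinder?", "Vulnerability Levels" and "Summary" slides in miniature: a dictionary of dangerous function names, each with a risk level, matched lexically against C source to produce a filename/line/function list and a per-level summary. The ruleset, its levels and notes, and the sample C file are all assumptions constructed for this example (the levels follow the slide's categories, not flawfinder's real database). Running it shows both limitations from the summary slide: `strcpy(buf, "Hello, ")` is reported even though a literal source cannot overflow, while the real overflow on the next line (`strcat`) is missed simply because `strcat` is not in the dictionary. It also shows the one piece of "context" such a scanner can cheaply use: a `printf` whose format argument is a string literal is downgraded. The difference from the real tool is that here adding a check is one dictionary entry, whereas flawfinder's ruleset lives in its Python source.

```python
"""Miniature flawfinder-style lexical scanner (added example, not flawfinder's code)."""
from __future__ import annotations

import re
from collections import Counter
from typing import NamedTuple

# Hypothetical ruleset: called function -> (risk level, note). The levels
# follow the categories on the "Vulnerability Levels" slide, not flawfinder's
# real database; treat every entry as an assumption made for this example.
RULESET = {
    "strlen": (1, "string length depends on NUL termination"),
    "strcpy": (2, "unbounded copy into a fixed-size buffer"),
    "mktemp": (2, "predictable temporary file name"),
    "getenv": (3, "environment variable is attacker-influenced"),
    "system": (3, "command line built from untrusted data"),
    "printf": (4, "non-literal format string"),
    "access": (4, "TOCTOU race between access() and a later open()"),
    "chmod":  (5, "race on a path name; prefer fchmod() on an open fd"),
}
# Index of the format argument for rules that are harmless with a literal format.
FORMAT_ARG = {"printf": 0}


class Hit(NamedTuple):
    filename: str
    line: int
    func: str
    level: int
    note: str


# Comments are blanked entirely; string literal *contents* are blanked but the
# quotes are kept, so "strcpy(" inside a string cannot trigger a rule while a
# literal format argument is still recognisable by its leading quote.
_TOKEN_RE = re.compile(r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"', re.DOTALL)
_CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")


def _blank(m: re.Match) -> str:
    text = m.group(0)
    if text.startswith('"'):
        return '"' + " " * (len(text) - 2) + '"'
    return re.sub(r"[^\n]", " ", text)  # keep newlines so line numbers stay right


def _split_args(text: str) -> list[str]:
    """Split the argument list starting at text[0] == '(' on top-level commas."""
    depth, start, args = 0, 1, []
    for i, ch in enumerate(text):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                args.append(text[start:i].strip())
                return args
        elif ch == "," and depth == 1:
            args.append(text[start:i].strip())
            start = i + 1
    return args  # unbalanced on this line: give up on argument inspection


def scan_source(filename: str, source: str, minlevel: int = 1) -> list[Hit]:
    """Report every call to a ruleset function, flawfinder-style: no data-flow
    or control-flow context, just the name of what was called."""
    hits = []
    for lineno, line in enumerate(_TOKEN_RE.sub(_blank, source).splitlines(), 1):
        for m in _CALL_RE.finditer(line):
            name = m.group(1)
            if name not in RULESET:
                continue
            level, note = RULESET[name]
            if name in FORMAT_ARG:
                args = _split_args(line[m.end() - 1:])
                idx = FORMAT_ARG[name]
                if idx < len(args) and args[idx].startswith('"'):
                    level, note = 0, "format string is a literal"
            if level >= minlevel:
                hits.append(Hit(filename, lineno, name, level, note))
    return sorted(hits, key=lambda h: (-h.level, h.line))


def summarize(hits: list[Hit]) -> dict[int, int]:
    """Count hits per level, like the closing summary report."""
    return dict(sorted(Counter(h.level for h in hits).items()))


# Constructed sample input (not real project code) exercising each category.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* strcpy( in a comment must not be reported */
void greet(const char *name) {
    char buf[64];
    strcpy(buf, "Hello, ");      /* literal source: a false positive at level 2 */
    strcat(buf, name);           /* the real overflow, but strcat is not in RULESET */
    printf(buf);                 /* level 4: caller-controlled format string */
    printf("name=%s\n", name);   /* literal format: downgraded to level 0 */
}

int save(const char *path) {
    const char *home = getenv("HOME");   /* level 3 */
    if (access(path, W_OK) != 0)         /* level 4: racy check before the open */
        return -1;
    int fd = open(path, O_WRONLY);       /* open() is not in RULESET */
    chmod(path, 0600);                   /* level 5: race on the path name */
    return fd;
}
'''

if __name__ == "__main__":
    for h in scan_source("sample.c", SAMPLE_C):
        print(f"{h.filename}:{h.line}: [{h.level}] {h.func}: {h.note}")
    print("summary:", summarize(scan_source("sample.c", SAMPLE_C)))
```

The `minlevel` parameter mirrors the way a practitioner triages such output: raise it to see only the level 4 and 5 hits first (the real flawfinder has a `--minlevel` option for the same purpose), then work down, remembering that a hit list like this says nothing about the arguments, so every entry still needs the manual review the summary slide calls for.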
References
Flawfinder home page:
http://www.dwheeler.com/flawfinder
Secure Programming for Linux and Unix HOWTO (David A. Wheeler):
http://www.dwheeler.com/secure-programs
Matt Bishop and Michael Dilger, "Checking for Race Conditions in File Accesses", Computing Systems, 1996:
http://www.cs.ucsb.edu/~vigna/courses/CS595/bishop96-race_conditions.pdf
RATS (Rough Auditing Tool for Security) page:
http://www.securesoftware.com/resources/tools.html