1. Flawfinder Alex Mack
2. Table of Contents Intro
Flawfinder Options
Python
Python Features
Installation
How Does Flawfinder Work?
Hit Density
References
3. Intro Flawfinder was developed by a coder named David Wheeler.
Flawfinder is a program that examines C/C++ source code and reports possible security flaws sorted by risk level.
During the scanning process, flawfinder can tell a strcpy() from a constant-sized string apart from one from a variable-length string, and can separate likely vulnerabilities from false hits.
4. Intro Flawfinder understands the gettext libraries and their use in internationalization.
Flawfinder uses an internal database called the “ruleset”, which identifies functions that are common causes of security flaws.
5. Flawfinder Options --help - Show usage (help) information.
--version - Shows (just) the version number and exits.
--patch patchfile / -P patchfile - Only report hits that are changed by the given patch file.
--allowlink - Allow the use of symbolic links; normally symbolic links are skipped.
-I / --inputs - Show only functions that obtain data from outside the program; this also sets minlevel to 0.
6. Flawfinder Options (cont) -m X / --minlevel=X - Set minimum risk level to X for inclusion in hitlist. This can be from 0 ("no risk") to 5 ("maximum risk"); the default is 1.
-F / --falsepositive - Do not include hits that are likely to be false positives.
-n / --neverignore - Never ignore security issues, even if they have an "ignore" directive in a comment.
7. Flawfinder Options (cont) flawfinder /usr/src/linux-2.4.12
Examine all the C/C++ files in the directory /usr/src/linux-2.4.12 and all its subdirectories
(recursively), reporting on all hits found.
flawfinder --minlevel=4 .
Examine all the C/C++ files in the current directory and its subdirectories (recursively); only
report vulnerabilities level 4 and up (the two highest risk levels).
flawfinder --inputs mydir
Examine all the C/C++ files in mydir and its subdirectories (recursively), and report functions
that take inputs (so that you can ensure that they filter the inputs appropriately).
8. Flawfinder Options (cont) flawfinder --neverignore mydir
Examine all the C/C++ files in the directory mydir and its subdirectories, including even the
hits marked for ignoring in the code comments.
flawfinder -QD mydir
Examine mydir and report only the actual results (removing the header and footer of the output).
9. Python Python is a programming language that lets you work more quickly and integrate your systems more effectively.
Python is available for all major operating systems: Windows, Linux/Unix, OS/2, Mac, Amiga, among others.
Python can run on .NET, the Java Virtual Machine, and Nokia Series 60 cell phones.
10. Python Features very clear, readable syntax
strong introspection capabilities
intuitive object orientation
natural expression of procedural code
full modularity, supporting hierarchical packages
exception-based error handling
very high level dynamic data types
extensive standard libraries and third party modules for virtually every task
extensions and modules easily written in C, C++ (or Java for Jython, or .NET languages for IronPython)
embeddable within applications as a scripting interface
11. Installation Requires Python 1.5 or higher
Flawfinder works on Unix-like systems (GNU/Linux)
Port to Windows systems
Debian users download and install flawfinder: apt-get install flawfinder
RPM files, download and install: rpm -Uvh flawfinder-*.noarch.rpm
12. Installation (cont) NetBSD users: NetBSD's pkgsrc installs flawfinder
Mac OS X, has a Fink flawfinder package
Red Hat Linux system – make INSTALL_DIR=/usr INSTALL_DIR_MAN=/usr/share/man install
Cygwin systems (for Microsoft Windows) - make PYTHONEXT=.py install
13. How Does Flawfinder Work? Flawfinder works by using a built-in database of C/C++ functions with well-known problems, such as:
buffer overflow risks (strcpy(), strcat(), gets(), sprintf(), and the scanf() family)
format string problems ([v][f]printf(), [v]snprintf(), and syslog())
race conditions (access(), chown(), chgrp(), chmod(), tmpfile(), tmpnam(), tempnam(), and mktemp())
14. How Does Flawfinder Work? (cont) potential shell metacharacter dangers (most of the exec() family, system(), popen())
poor random number acquisition (such as random())
Flawfinder matches the source code text against those names, while ignoring text inside comments and strings
Flawfinder produces a list of "hits" (potential security flaws), sorted by risk
The riskiest hits are shown first.
15. How Does Flawfinder Work? (cont) The risk level depends on the function, and on the parameter values of the function
Constant strings are often less risky than fully variable strings in many contexts.
Flawfinder doesn't know about the data types of function parameters, and it doesn't do control flow or data flow analysis
16. Hit Density Flawfinder reports hit density, which is hits per thousand lines of source code.
Programs with a higher hit density are usually the ones with the worst security record.
Smaller programs might have a larger hit density yet still be secure
Smaller programs are much easier to evaluate directly, so direct review is more likely to counter vulnerabilities
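As an added illustration (not Flawfinder's own code), a heavily simplified Python scanner that reproduces the behaviour the two preceding slides describe: a small hypothetical ruleset, matching of function names outside comments and strings, a lower risk when the watched argument is a constant string, hits sorted riskiest first, and hit density per thousand lines. The ruleset, regexes and the sample C program are all constructed for this example.

```python
import re

# Hypothetical mini ruleset (not Flawfinder's real database): name -> (risk, constant-arg index)
RULESET = {
    "strcpy": (4, 1),     # buffer overflow; a constant source string is far less risky
    "sprintf": (4, 1),    # format string; a constant format is far less risky
    "gets": (5, None),    # buffer overflow with no safe use
    "random": (3, None),  # poor random number acquisition
}

COMMENT = re.compile(r'/\*.*?\*/|//[^\n]*', re.S)
STRING = re.compile(r'"(?:\\.|[^"\\\n])*"')
CALL = re.compile(r'\b([A-Za-z_]\w*)\s*\(')

def normalize(src):
    # Blank comments (keeping newlines) and empty string literals so names inside them never match
    src = COMMENT.sub(lambda m: re.sub(r'[^\n]', ' ', m.group(0)), src)
    return STRING.sub('""', src)

def scan(src):
    # Return (line, function, risk) hits, riskiest first; text matching only, no data-flow analysis
    clean = normalize(src)
    hits = []
    for m in CALL.finditer(clean):
        name = m.group(1)
        if name not in RULESET:
            continue
        risk, watched = RULESET[name]
        # Simplified argument split: text up to the first ')'; nested calls are not tracked
        args = [a.strip() for a in clean[m.end():].split(')', 1)[0].split(',')]
        if watched is not None and watched < len(args) and args[watched].startswith('"'):
            risk = 1
        hits.append((clean.count('\n', 0, m.start()) + 1, name, risk))
    return sorted(hits, key=lambda h: (-h[2], h[0]))

def hit_density(src):
    # Hits per thousand lines of source, the figure Flawfinder reports
    return len(scan(src)) * 1000.0 / len(src.splitlines())

SAMPLE = '''/* constructed sample C file, not taken from any real project */
int main(int argc, char **argv) {
    char buf[64];
    /* strcpy(buf, argv[1]); commented out, must not be reported */
    strcpy(buf, "hello");        // constant source: low risk
    sprintf(buf, argv[1]);       // variable format string: high risk
    printf("call gets() here");  // name inside a string: ignored
    gets(buf);
    return random();
}
'''
```

Running `scan(SAMPLE)` lists gets() first and the constant strcpy() last, and `hit_density(SAMPLE)` gives 400 hits per KLOC, which shows why density alone says little about a ten-line file.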
17. References http://www.dwheeler.com/flawfinder/
http://www.linuxjournal.com/article/5673
http://www.dwheeler.com/flawfinder/flawfinder.pdf
http://python.org/
http://python.org/about/