1 / 8

FlawFinder

Chris Durham CS297 June 30th, 2005. FlawFinder. What is FlawFinder?. Unix/Linux Static Analysis Tool For C/C++ application code Written in Python Built-in 'dictionary' of vulnerabilities Give it a directory of source code

boerner
Download Presentation

FlawFinder

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Chris Durham CS297 June 30th, 2005 FlawFinder

  2. What is FlawFinder? • Unix/Linux Static Analysis Tool • For C/C++ application code • Written in Python • Built-in 'dictionary' of vulnerabilities • Give it a directory of source code • produces a list of vulnerabilities by filename/line number/function, and summary report

  3. Vulnerability Levels Six vulnerability levels, but not exactly defined: 0: comment/miscellaneous 1: string length/null termination 2: fixed length array access, string copies, temp file creation 3: environment manipulation/access; commmand line parsing 4: printf() family vulnerabilities, some race conditions 5: other race conditions

  4. Besides what you would expect... The previous slide shows that flawfinder checks for a number of standard C vulnerabilities. But it also checks for a number of more esooteric but common Unix OS system call vulnerabilities, and it considers system call race conditions to be high risk (level 4 and 5).

  5. My Test • Sendmail Source: 8.13.1 • Flawfinder found 1293 potential vulnerabilities, 4 level 5s • Spot check of levels 0-4: false positives • Level 5: reviewed each vulnerability, found that all but one was a false positive • Last one: probably also a false positive involving OS guarantee that filenames have trailing nulls

  6. Summary • Flawfinder does not do context checking, thus checks against a static list of pre-definied potential issues • Hard to add new checks: have to edit the python source • Good as an initial check, but you must do our own analysis

  7. Let's take a look! http://www.cbdurham.org/flawfinder

  8. References Flawfinder Home page: http://www.dwheeler.com/flawfinder Linux Secure Programming HOWTO: http://www.dwheeler.com/secure-programs Checking for Race Conditions in File Accesses, Matt Bishop and Matt Dilger, UCSD http://www.cs.ucsb.edu/~vigna/courses/CS595/bishop96-race_conditions.pdf RATS page: http://www.securesoftware.com/resources/tools.html

More Related