FlawFinder

1. Chris Durham CS297 June 30th, 2005 FlawFinder

2. What is FlawFinder? • Unix/Linux Static Analysis Tool • For C/C++ application code • Written in Python • Built-in 'dictionary' of vulnerabilities • Give it a directory of source code • produces a list of vulnerabilities by filename/line number/function, and summary report

3. Vulnerability Levels Six vulnerability levels, but not exactly defined: 0: comment/miscellaneous 1: string length/null termination 2: fixed length array access, string copies, temp file creation 3: environment manipulation/access; commmand line parsing 4: printf() family vulnerabilities, some race conditions 5: other race conditions

4. Besides what you would expect... The previous slide shows that flawfinder checks for a number of standard C vulnerabilities. But it also checks for a number of more esooteric but common Unix OS system call vulnerabilities, and it considers system call race conditions to be high risk (level 4 and 5).

5. My Test • Sendmail Source: 8.13.1 • Flawfinder found 1293 potential vulnerabilities, 4 level 5s • Spot check of levels 0-4: false positives • Level 5: reviewed each vulnerability, found that all but one was a false positive • Last one: probably also a false positive involving OS guarantee that filenames have trailing nulls

6. Summary • Flawfinder does not do context checking, thus checks against a static list of pre-definied potential issues • Hard to add new checks: have to edit the python source • Good as an initial check, but you must do our own analysis

7. Let's take a look! http://www.cbdurham.org/flawfinder

8. References Flawfinder Home page: http://www.dwheeler.com/flawfinder Linux Secure Programming HOWTO: http://www.dwheeler.com/secure-programs Checking for Race Conditions in File Accesses, Matt Bishop and Matt Dilger, UCSD http://www.cs.ucsb.edu/~vigna/courses/CS595/bishop96-race_conditions.pdf RATS page: http://www.securesoftware.com/resources/tools.html