Presentation
Download
Report
Transcript Presentation
FlawFinder
Chris Durham
CS297
June 30th, 2005
What is FlawFinder?
●
Unix/Linux Static Analysis Tool
●
For C/C++ application code
●
Written in Python
●
Built-in 'dictionary' of vulnerabilities
–
Give it a directory of source code
–
produces a list of vulnerabilities by filename/line
number/function, and summary report
Vulnerability Levels
Six vulnerability levels, but not exactly defined:
0: comment/miscellaneous
1: string length/null termination
2: fixed length array access, string copies, temp file creation
3: environment manipulation/access; commmand line parsing
4: printf() family vulnerabilities, some race conditions
5: other race conditions
Besides what you would expect...
The previous slide shows that flawfinder checks for a
number of standard C vulnerabilities. But it also
checks for a number of more esooteric but common
Unix OS system call vulnerabilities, and it considers
system call race conditions to be high risk (level 4 and
5).
My Test
●
●
●
●
●
Sendmail Source: 8.13.1
Flawfinder found 1293 potential vulnerabilities, 4
level 5s
Spot check of levels 0-4: false positives
Level 5: reviewed each vulnerability, found that
all but one was a false positive
Last one: probably also a false positive involving
OS guarantee that filenames have trailing nulls
Summary
●
●
●
Flawfinder does not do context checking, thus
checks against a static list of pre-definied
potential issues
Hard to add new checks: have to edit the python
source
Good as an initial check, but you must do our
own analysis
Let's take a look!
http://www.cbdurham.org/flawfinder
References
Flawfinder Home page:
http://www.dwheeler.com/flawfinder
Linux Secure Programming HOWTO:
http://www.dwheeler.com/secure-programs
Checking for Race Conditions in File Accesses, Matt Bishop and Matt Dilger, UCSD
http://www.cs.ucsb.edu/~vigna/courses/CS595/bishop96-race_conditions.pdf
RATS page:
http://www.securesoftware.com/resources/tools.html