Download Presentation

yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Document related concepts

One-pass compiler wikipedia, lookup

Pwn2Own wikipedia, lookup

Chris Durham
June 30th, 2005
What is FlawFinder?
Unix/Linux Static Analysis Tool
For C/C++ application code
Written in Python
Built-in 'dictionary' of vulnerabilities
Give it a directory of source code
produces a list of vulnerabilities by filename/line
number/function, and summary report
Vulnerability Levels
Six vulnerability levels, but not exactly defined:
0: comment/miscellaneous
1: string length/null termination
2: fixed length array access, string copies, temp file creation
3: environment manipulation/access; commmand line parsing
4: printf() family vulnerabilities, some race conditions
5: other race conditions
Besides what you would expect...
The previous slide shows that flawfinder checks for a
number of standard C vulnerabilities. But it also
checks for a number of more esooteric but common
Unix OS system call vulnerabilities, and it considers
system call race conditions to be high risk (level 4 and
My Test
Sendmail Source: 8.13.1
Flawfinder found 1293 potential vulnerabilities, 4
level 5s
Spot check of levels 0-4: false positives
Level 5: reviewed each vulnerability, found that
all but one was a false positive
Last one: probably also a false positive involving
OS guarantee that filenames have trailing nulls
Flawfinder does not do context checking, thus
checks against a static list of pre-definied
potential issues
Hard to add new checks: have to edit the python
Good as an initial check, but you must do our
own analysis
Let's take a look!
Flawfinder Home page:
Linux Secure Programming HOWTO:
Checking for Race Conditions in File Accesses, Matt Bishop and Matt Dilger, UCSD
RATS page: