2. About
Examines source code and reports possible security weaknesses (“flaws”)
Written in Python
Can be accessed via a command-line interface, no GUI
Categorizes issues by risk level
Similar to RATS, PScan and ITS4
Software Security, FCS Iasi, 2013
3. How does it work
Based on a built-in database (ruleset) of C/C++ functions with well-known problems:
Buffer overflow risks (strcpy, strcat, gets, sprintf, scanf)
Format string problems (printf, snprintf, syslog)
Race conditions (access, chown, chgrp, chmod, etc.)
Potential shell metacharacter dangers (exec, system, popen)
Poor random number acquisition (random)
5. 1. Buffer Overflow
strcpy (a, b);
Risk level 4: Does not check for buffer overflows when copying to destination. Consider using strncpy or strlcpy (warning, strncpy is easily misused)
strncpy (a, b, sizeof(b));
Risk level 1: Easily used incorrectly; doesn’t always \0-terminate or check for invalid pointers.
6. 2. Uncontrolled format string
printf(a);
Risk level 4: If format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification.
printf("%s", a);
No level / Level 0: If format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. Constant format string, so not considered very risky (there’s some residual risk, especially in a loop).
7. 3. Shell metacharacter dangers
CreateProcess(NULL, "C:\\Program Files\\GoodGuy\\GoodGuy.exe -x", "");
Risk level 3: This causes a new process to execute and is difficult to use safely. Specify the application path in the first argument, NOT as part of the second, or embedded spaces could allow an attacker to force a different program to run.
8. 4. Race conditions
FILE* f = fopen("/etc/passwd", "r");
Risk level 2: Check when opening files - can an attacker redirect it (via symlinks), force the opening of a special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
9. Comparison: RATS
Supports C, C++, Perl, PHP, Python
Written in C, uses flex & Expat
Detects Buffer Overflows, Format String Problems, Shell Executions, Insecure Tmpfiles, Race Conditions, Access Violations, Weak Random, User Input
As output, RATS prints problems sorted by severity, by function name, file and line number, followed by an explanation of the problem
10. Comparison: PScan
Supports only C
Written in C, uses flex
Detects format string problems in printf-style C functions
The output consists only of the filename and line number of the potential issue
11. Comparison: ITS4
Supports C and C++
Written in C, uses just a C compiler
Detects Buffer Overflows, Format String Problems, Shell Executions, TOCTOU, Usage of weak random number generation, User Input
The output prints the filename, line number and the name of the found function, and also a short description of the issue and other suggestions.
12. FlawFinder: Advantages
Lightweight
Can ignore comments and understands FlawFinder directives (like “FlawFinder: ignore”)
Can use diffs as input and can manage hitlists
Written in Python, does not require additional tools or dependencies
Open source software
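As an added illustration (not flawfinder's own code), a miniature Python scanner in the spirit of the approach described under “How does it work” and of the ignore directive listed above: a constructed ruleset of risky C functions with risk levels, comment stripping, the constant-format-string downgrade to level 0, and “Flawfinder: ignore” handling, run over a constructed C sample. Function names, levels and messages are assumptions except where the slides quote them.

```python
import re

# Constructed mini-ruleset (levels for strcpy/strncpy/printf/fopen follow the slides).
RULES = {
    "gets": (5, "buffer overflow: input length cannot be bounded"),
    "strcpy": (4, "buffer overflow: no bounds check on destination"),
    "strncpy": (1, "easily misused; may not \\0-terminate"),
    "printf": (4, "format string may be attacker-influenced"),
    "syslog": (4, "format string may be attacker-influenced"),
    "fopen": (2, "race condition: symlink / special file / contents"),
}
FORMAT_ARG = {"printf": 0, "syslog": 1}  # index of the format-string argument
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
TOP_COMMA = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')  # commas outside strings

def scan(source, min_level=1):
    """Return (line, function, level, message) hits, highest risk first."""
    # Blank out block comments (keeping line numbers) and line comments first.
    code = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"), source, flags=re.S)
    code = re.sub(r"//.*", "", code)
    hits = []
    for no, (raw, line) in enumerate(zip(source.splitlines(), code.splitlines()), 1):
        if "Flawfinder: ignore" in raw:  # directive in a comment suppresses the line
            continue
        for m in CALL_RE.finditer(line):
            fn = m.group(1)
            if fn not in RULES:
                continue
            level, msg = RULES[fn]
            idx = FORMAT_ARG.get(fn)
            if idx is not None:  # constant format string -> level 0, as on the slides
                args = TOP_COMMA.split(line[m.end():])
                if idx < len(args) and args[idx].strip().startswith('"'):
                    level, msg = 0, "constant format string; residual risk only"
            if level >= min_level:
                hits.append((no, fn, level, msg))
    return sorted(hits, key=lambda h: (-h[2], h[0]))

# Constructed C sample reproducing the calls shown on the slides.
SAMPLE = '''/* a strcpy() mentioned in a comment
   must not be reported */
void f(char *a, char *b) {
    strcpy(a, b);
    strncpy(a, b, sizeof(b));
    printf(a);
    printf("%s", a);
    gets(a); /* Flawfinder: ignore */
    FILE *fp = fopen("/etc/passwd", "r");
    syslog(LOG_INFO, "%s", a);
}'''
```

Calling `scan(SAMPLE)` reports strcpy and printf(a) at level 4, fopen at 2 and strncpy at 1; the constant-format calls only appear with `min_level=0`, and the gets line is suppressed by the directive.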
13. Bibliography
FlawFinder homepage - http://www.dwheeler.com/flawfinder/
Martin Johns, A Practical Guide to Vulnerability Checkers, Secologic Project - http://www.secologic.org/downloads/testing/060313_secologic_a_prcatical_guide_to_vulnerability_checkers.pdf