Thursday, April 8, 2010

Flawfinder - Source code examiner tool

Flawfinder, nice source code examiner tool for security issues and vulnerability. It is a source code static analysis tool written by David Wheeler and it managed to detect several RealNetwork application flaw in year 2005. Even this happened quite a while ago, I believe that the tool has the real value and applicable for certain extent.

How it works?


As stated from the site http://www.dwheeler.com/flawfinder/, Flawfinder works by using a built-in database of C/C++ functions with well-known problems, such as buffer overflow risks (e.g., strcpy(), strcat(), gets(), sprintf(), and the scanf() family), format string problems ([v][f]printf(), [v]snprintf(), and syslog()), race conditions (such as access(), chown(), chgrp(), chmod(), tmpfile(), tmpnam(), tempnam(), and mktemp()), potential shell metacharacter dangers (most of the exec() family, system(), popen()), and poor random number acquisition (such as random()). The good thing is that you don't have to create this database - it comes with the tool.

Flawfinder then takes the source code text, and matches the source code text against those names, while ignoring text inside comments and strings (except for flawfinder directives).

Installation

Simple as normal.

gento@localhost~:$sudo apt-get install flawfinder

How to use?

gento@localhost~:$flawfinder directory-contain-sourcecode

The testing can be done with the offcial test.c

I have create a simple C program, to read input from stdio and output it to a temp.txt The code as below :

#include
#include

int main()
{
char *string_input;
int bytes_read;
int nbytes = 50;

FILE *fp;
char outputFilename[] = "temp.txt";
puts ("Coded by gento_");
puts ("Please enter the text. Your input will be stored in temp.txt : ");

string_input = (char *) malloc (nbytes + 1);
bytes_read = getline (&string_input, &nbytes, stdin);

fp = fopen(outputFilename, "w");

if (!fp)
{
puts ("ERROR : Cannot write to tmp.txt. Please check the folder and file permission ");
}

if (bytes_read == -1)
{
puts ("ERROR!");
}
else
{
puts ("The input that you typed:");
puts (string_input);
fputs(string_input,fp);
}

free(string_input);
fclose(fp);
return 0;
}

The test result of flawfinder as below :

3 comments: