Security Auditing Tools

There are several packages available within the Debian archive which are designed to aid source code audits. These include:

Also, notice there are other tools specific to a given set of security vulnerabilities which might not have been packaged for Debian yet but might be useful for an auditor. These include:

None of the tools are perfect and can only be used as guidelines for further study, but given how simple they are to use it is worth taking the time to try them out.

Each of the tools has different strengths and weaknesses so using more than one is advisable.

Flawfinder

flawfinder is a Python tool which is designed to analyze C and C++ source code looking for potential security flaws.

When run against a directory containing source code it outputs a report of the potential problems it has detected, sorted by risk (where risk is an integer 1–5). To tune out minor risks it is possible to tell the program not to report flaws below a particular level of risk. By default the output is plain text, but an HTML report is also available.

The program works by scanning the code for calls to functions contained in its database of commonly misused functions.

To aid the reading of the report, the output can be made to include the source line containing the function call; this can be useful to confirm a problem immediately, or likewise to rule it out.

You can see an example of how flawfinder is used, and its output, in the auditing examples section.

ITS4

ITS4 is a tool contained in the non-free section of the Debian archive; it is only available for the woody distribution.

ITS4 may be used to scan both C and C++ code for potential security holes, much like flawfinder.

The output it produces tries to be intelligent, ruling out some of the cases where the calls to dangerous functions have been made carefully.

RATS

RATS is a similar tool to those listed above, with the exception that it comes with support for a much wider range of languages. Currently it has support for C, C++, Perl, PHP and Python.

The tool reads its vulnerability definitions from a simple XML file, which makes it one of the easiest of the available tools to modify. New functions can be added easily for each of the supported languages.

You can see an example of how RATS is used, and its output, in the auditing examples section.

pscan

pscan differs from the previous tools which have been described because it is not a general purpose scanner at all. Instead it is a program specifically aimed at detecting format string bugs.

The tool will attempt to find potential issues with the use of variadic functions within C and C++ source code, such as printf, fprintf and syslog.

Format string bugs are fairly simple to detect and fix; although they are the most recent new class of software attack, the majority of them have probably been found and repaired already.

You can see an example of how pscan is used, and its output, in the auditing examples section.
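As an added illustration of the kind of check pscan performs (example code written for this page, not pscan itself or any Debian package): a small Python scanner that flags calls to format-taking variadic functions whose format argument is not a string literal. The function table and the sample C lines are constructed for the example.

```python
import re

# Format-taking variadic functions and the index of their format argument
# (constructed table for illustration; pscan's own list is larger).
FORMAT_ARG_INDEX = {"printf": 0, "fprintf": 1, "sprintf": 1,
                    "snprintf": 2, "syslog": 1}
CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_ARG_INDEX) + r")\s*\(")

def extract_args(text):
    """Split a call's arguments, given the text just after its '('.
    Commas split only at nesting depth 0 and outside "..." literals;
    parsing stops at the matching ')'."""
    args, cur, depth, in_str, i = [], "", 0, False, 0
    while i < len(text):
        ch = text[i]
        if in_str:
            if ch == "\\":                  # keep escaped char verbatim
                cur += text[i:i + 2]; i += 2; continue
            in_str = ch != '"'
        elif ch == '"':
            in_str = True
        elif ch in "([{":
            depth += 1
        elif ch in ")]}":
            if depth == 0:
                break                       # end of this call's arguments
            depth -= 1
        elif ch == "," and depth == 0:
            args.append(cur.strip()); cur = ""; i += 1; continue
        cur += ch
        i += 1
    if cur.strip():
        args.append(cur.strip())
    return args

def scan_source(src):
    """Return (line_no, function, format_arg) for each call whose format
    argument is not a string literal: the pattern a pscan-style check flags."""
    findings = []
    for no, line in enumerate(src.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            args = extract_args(line[m.end():])
            idx = FORMAT_ARG_INDEX[m.group(1)]
            if idx < len(args) and not args[idx].startswith('"'):
                findings.append((no, m.group(1), args[idx]))
    return findings

# Constructed sample input: lines 2 and 4 pass a variable as the format.
SAMPLE = """syslog(LOG_INFO, "user %s logged in", name);
printf(msg);
fprintf(stderr, "%s", msg);
snprintf(buf, sizeof buf, fmt, x);
"""
```

A finding such as `printf(msg)` is closed by supplying a literal format, `printf("%s", msg)`. The scanner cannot tell whether a variable format is actually reachable by untrusted input, which is why such tools are guidelines for further study rather than verdicts.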

Understanding Scanner Output

Each of the general scanning tools will include output describing the flaw detected, and possibly giving advice on how the code can be fixed.

For example the following is taken from the output of RATS describing the dangers of getenv:

"Environment variables are highly untrustable input. They may be of any length, and contain any data. Do not make any assumptions regarding content or length. If at all possible avoid using them, and if it is necessary, sanitize them and truncate them to a reasonable length."

If you need any further advice on how to correct a hole which has been reported you should study a book on programming securely, such as the Secure Programming for Linux and Unix HOWTO by David A. Wheeler.

(Remember that when reporting security issues, a patch closing the hole is greatly appreciated.)

Discussion related to closing a particularly problematic piece of code can also be held on the debian-security mailing list. As this is a public mailing list with public archives, be careful not to make it obvious which program contains the flaw.