Automated Audit Example: RATS
RATS is a general purpose scanner for detecting potential security problems in a number of programming languages.
Running RATS is as simple as invoking the command with a directory to process; each recognised source file it finds will be examined. RATS understands several programming languages (C, Perl, PHP, and Python) and treats each as valid source to examine.
There are several options which may be given in addition to the directory name to scan; these are described in the manpage.
The most useful of the options are those concerning the output, such as:
- --warning <level> (Set the level of flaws to be reported upon)
  - 1 includes only default and high severity.
  - 2 includes medium severity (default).
  - 3 includes low severity vulnerabilities.
- --xml (Output in XML)
- --html (Output in HTML)
Assuming that we have the test file located in the current directory, with no other source files present, we can invoke the scanner with the following command:
rats --warning 1 --html . >output.html
This will produce an HTML file containing the results of the scan, which can be loaded by a browser.
Running RATS against our sample code produces the following output:
Issue: fixed size global buffer
Extra care should be taken to ensure that character arrays that are allocated on the stack are used safely. They are prime targets for buffer overflow attacks.
Lines: 10 11 12
Check to be sure that argument 2 passed to this function call will not copy more data than can be handled, resulting in a buffer overflow.
Environment variables are highly untrustable input. They may be of any length, and contain any data. Do not make any assumptions regarding content or length. If at all possible avoid using them, and if it is necessary, sanitize them and truncate them to a reasonable length.
Lines: 22 24
Check to be sure that the format string passed as argument 2 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle. Additionally, the format string could contain `%s' without precision that could result in a buffer overflow.
Argument 1 to this function call should be checked to ensure that it does not come from an untrusted source without first verifying that it contains nothing dangerous.
Check to be sure that the non-constant format string passed as argument 1 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle.
Total lines analyzed: 49
Total time 0.000288 seconds
170138 lines per second
This output is quite voluminous despite the code itself being very short, which illustrates one of the downsides of automated scanning: the sheer volume of output.
Understanding The Output
The output that has been produced is basically a description of the functions which it encountered, the line number at which the flaw was detected, and a description of the problem. (As we used the "--warning" level to restrict the output to only "high" severity functions, we've reduced the output somewhat.)
Each of the issues that have been discovered should be manually examined to see if there is something really wrong, or if it was a false positive (i.e. a function that may be misused being used correctly).
In this case we can see that all of the vulnerabilities in our code have been spotted, but it's not exactly clear which is which without going through the code in an editor and matching up the line numbers.
One big omission is that the output doesn't include the source lines being reported upon, something that flawfinder does allow you to include.
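The matching-up described in the last two paragraphs can be scripted. The Python below is an added example, not part of RATS or of this page: it parses a report in the "Issue:" / "Lines:" form shown above and prints each finding together with the source lines it refers to, which is the information the plain report leaves out. The report text is the page's own output, abridged; the C source is a constructed stand-in, because the page does not reproduce its test program. It handles only this text form, not the --xml or --html output, and the "File:" row that a multi-file scan would need is not attempted.

```python
import re
import sys

# Constructed sample: the page's RATS report text, abridged, not live output.
SAMPLE_REPORT = """\
Issue: fixed size global buffer
Extra care should be taken to ensure that character arrays that are allocated on the stack are used safely. They are prime targets for buffer overflow attacks.
Lines: 10 11 12
Check to be sure that argument 2 passed to this function call will not copy more data than can be handled, resulting in a buffer overflow.
Environment variables are highly untrustable input. They may be of any length, and contain any data. Do not make any assumptions regarding content or length. If at all possible avoid using them, and if it is necessary, sanitize them and truncate them to a reasonable length.
Lines: 22 24
Check to be sure that the non-constant format string passed as argument 1 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle.
Total lines analyzed: 49
Total time 0.000288 seconds
170138 lines per second
"""

# Constructed stand-in for the scanned file (the page does not show its test
# program); invented only so lines 10-12, 22 and 24 hold plausible statements.
SAMPLE_SOURCE = """\
/* constructed test program, not the page's sample */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 32
#define HOME_LEN 64
#define MSG_LEN 128

char name[NAME_LEN];
char home[HOME_LEN];
char message[MSG_LEN];

int main(int argc, char **argv)
{
    const char *env_home = getenv("HOME");

    if (argc < 2 || env_home == NULL)
        return 1;

    /* neither argv[1] nor HOME is length-checked before the copy */
    strcpy(name, argv[1]);
    snprintf(message, sizeof message, "hello %s", name);
    strcpy(home, env_home);
    return 0;
}
""".splitlines()

ISSUE_RE = re.compile(r"^Issue:\s*(.+?)\s*$")
LINES_RE = re.compile(r"^Lines:\s*((?:\d+\s*)+)$")
SUMMARY_RE = re.compile(r"^(Total lines analyzed:|Total time |\d+ lines per second)")


def parse_rats_report(text):
    """Split the report into findings: optional 'Issue:' title, description
    text, and the numbers from the closing 'Lines:' row. Description text
    with no 'Lines:' row (as in the page's output) still becomes a finding."""
    findings = []
    current = {"issue": None, "description": [], "lines": []}

    def flush():
        nonlocal current
        if current["issue"] or current["description"] or current["lines"]:
            current["description"] = " ".join(current["description"])
            findings.append(current)
        current = {"issue": None, "description": [], "lines": []}

    for raw in text.splitlines():
        line = raw.strip()
        if not line or SUMMARY_RE.match(line):
            continue  # blanks and the timing summary carry no finding
        if (m := ISSUE_RE.match(line)):
            flush()  # a new title starts a new finding
            current["issue"] = m.group(1)
        elif (m := LINES_RE.match(line)):
            current["lines"] = [int(n) for n in m.group(1).split()]
            flush()  # the line list closes the finding
        else:
            current["description"].append(line)
    flush()
    return findings


def annotate(finding, source):
    """Return 'NN: <source text>' per reported line; out-of-range numbers are
    reported instead of raising, so a stale report does not crash the join."""
    out = []
    for n in finding["lines"]:
        text = source[n - 1] if 1 <= n <= len(source) else "<line not in source>"
        out.append(f"{n:4d}: {text}")
    return out


if __name__ == "__main__":
    # Usage: rats_lines.py <report.txt> <source.c>; without arguments the samples run.
    if len(sys.argv) == 3:
        report_text = open(sys.argv[1]).read()
        src = open(sys.argv[2]).read().splitlines()
    else:
        report_text, src = SAMPLE_REPORT, SAMPLE_SOURCE
    for i, f in enumerate(parse_rats_report(report_text), 1):
        print(f"[{i}] {f['issue'] or '(no Issue: header)'}: {f['description']}")
        print("\n".join(annotate(f, src) or ["      (no line numbers reported)"]))
```

Run with no arguments to see the constructed samples joined, or give it a saved plain-text RATS report and the scanned file. Findings whose description never gets a "Lines:" row, as happens at the end of the page's output, are still listed, flagged as having no line numbers, so nothing the scanner said is silently dropped during review.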