Automated Audit Example: flawfinder
flawfinder is a general-purpose scanner that finds and reports potential flaws in C and C++ source code.
Running flawfinder is as simple as invoking the command with the names of the directories or files to examine. If given a directory name, it will process every valid source file it can find inside that directory.
In addition to giving the program a list of files or directories, there are several command-line options that control the tool's behaviour.
Each option is explained in the manpage, but the following are particularly useful and will be used in our example:
- --minlevel=X: Set the minimum risk level to X for inclusion in the output. Ranges from 1 to 5, with 1 being "low risk" and 5 being "high risk".
- --html: Format the output as HTML instead of simple text.
- --context: Show context, i.e., the line containing the potential flaw.
To output an HTML file containing the results for our program, caring only about "high risk" functions, we'd run something like this:
flawfinder --html --context --minlevel=4 test.c > output.html
Running flawfinder against our sample code produces the following output:
- test.c:18:  (buffer) strcpy:
Does not check for buffer overflows when copying to destination.
Consider using strncpy or strlcpy (warning, strncpy is easily misused).
strcpy( dir, argv[ 1 ] );
- test.c:24:  (buffer) sprintf:
Does not check for buffer overflows. Use snprintf or vsnprintf.
sprintf( dir, "%s", getenv( "HOME" ) );
- test.c:33:  (shell) popen:
This causes a new program to execute and is difficult to use safely.
try using a library call that implements the same functionality if
fp = popen( cmd, "r" );
- test.c:42:  (format) printf:
If format strings can be influenced by an attacker, they can be
exploited. Use a constant for the format specification.
printf( buff );
Number of hits = 4
Number of Lines Analyzed = 48 in 0.53 seconds (1392 lines/second)
Understanding The Output
Much like the output of RATS, this report is very simple to read. It clearly shows the functions that have been detected as potentially dangerous, along with a description of each problem.
Including context information is very useful too, as it can immediately draw attention to areas of concern, or rule out other reports as invalid.
The analysis of our sample code is fairly intelligent, in the sense that it did not warn about every use of the troublesome strcpy function, only those it thought were potentially dangerous.
In this way it has highlighted all of our code's flaws while producing no false positives.
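The bounded replacements that the strcpy, sprintf and printf messages above point to, written here as an added example rather than code from the original test.c: copy_arg, copy_home and format_user_text are hypothetical helper names, and the popen hit is left out because its library-call replacement depends on what cmd did. Each helper returns 0 on success and -1 when the input is missing or would not fit in the destination.

```c
#include <stdio.h>
#include <string.h>

/* Added example: bounded replacements for three calls flagged above. Helper names are hypothetical, not from test.c. */

/* test.c:18 strcpy(dir, argv[1]): refuse a source that does not fit (0 = ok, -1 = error). */
int copy_arg(char *dst, size_t dstsize, const char *src)
{
    if (dst == NULL || dstsize == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL || strlen(src) >= dstsize)  /* must leave room for '\0' */
        return -1;
    memcpy(dst, src, strlen(src) + 1);
    return 0;
}

/* test.c:24 sprintf(dir, "%s", getenv("HOME")): snprintf bounds the write; unset (NULL) or truncated is an error. */
int copy_home(char *dst, size_t dstsize, const char *home)
{
    if (dst == NULL || dstsize == 0)
        return -1;
    dst[0] = '\0';
    if (home == NULL)  /* getenv() returns NULL when HOME is unset */
        return -1;
    int w = snprintf(dst, dstsize, "%s", home);
    return (w < 0 || (size_t)w >= dstsize) ? -1 : 0;
}

/* test.c:42 printf(buff): constant format, buff passed as data, so %-directives in buff are copied literally. */
int format_user_text(char *dst, size_t dstsize, const char *buff)
{
    if (dst == NULL || dstsize == 0 || buff == NULL)
        return -1;
    int w = snprintf(dst, dstsize, "%s", buff);
    return (w < 0 || (size_t)w >= dstsize) ? -1 : 0;
}

int main(int argc, char **argv)
{
    char dir[64];
    if (argc > 1 && copy_arg(dir, sizeof dir, argv[1]) == 0)
        printf("arg: %s\n", dir);
    if (format_user_text(dir, sizeof dir, "%x%x") == 0)
        printf("%s\n", dir);  /* prints the literal text %x%x */
    return 0;
}
```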