Flawfinder - PowerPoint PPT Presentation
1 / 13
Title:
Flawfinder
Description:
Flawfinder search through C/C source code looking for potential security flaw. ... Unpacking the Package. INSA_at_CCU. Information Networking Security and Assurance Lab ... – PowerPoint PPT presentation
Number of Views:53
Avg rating:3.0/5.0
Title: Flawfinder
1
Flawfinder
2
Contents
- Overview
- Environment
- Install Flawfinder
- Usage of Flawfinder
- Example
- How does Flawfinder Work?
3
Overview
- Flawfinder search through C/C source code
looking for potential security flaw. - Flawfinder can integrate well with text editors
and integrated development environments.
4
Install Flawfinder
- Download Flawfinder
- http//www.dwheeler.com/flawfinder/
5
Install Flawfinder (cont.)
- Unpacking the Package
6
Usage of Flawfinder
- Synopsis
7
Example wu-ftpd 2.6.0
8
Example wu-ftpd 2.6.0 (cont.)
9
Example wu-ftpd 2.6.0 (cont.)
10
Example wu-ftpd 2.6.0 (cont.)
11
How does Flawfinder Work?
- Flawfinder works by using a built-in database of
C/C functions with well-known problems. - Buffer Overflow Risks
- strcpy(), strcat(), gets(), sprintf(), and the
scanf() family - Format String Problems
- vfprintf(), vsnprintf(), and syslog()
12
How does Flawfinder Work? (cont.)
- Race Conditions
- access(), chown(), chgrp(), chmod(), tmpfile(),
tmpnam(), tempnam(), and mktemp() - Potential Shell Meta-character Dangers
- Most of the exec() family, system(), popen()
- Poor Random Number Acquisition
- Such as random()
13
Risk in the Hitlist
