1. FlawFinder
Chris Durham
CS297
June 30th, 2005

2. What is FlawFinder? Unix/Linux Static Analysis Tool
For C/C++ application code
Written in Python
Built-in 'dictionary' of vulnerabilities
Give it a directory of source code
produces a list of vulnerabilities by filename/line number/function, and summary report

3. Vulnerability Levels
Six vulnerability levels, but not exactly defined:
0: comment/miscellaneous
1: string length/null termination
2: fixed length array access, string copies, temp file creation
3: environment manipulation/access; commmand line parsing
4: printf() family vulnerabilities, some race conditions
5: other race conditions

4. Besides what you would expect...
The previous slide shows that flawfinder checks for a number of standard C vulnerabilities. But it also checks for a number of more esooteric but common Unix OS system call vulnerabilities, and it considers system call race conditions to be high risk (level 4 and 5).

5. My Test Sendmail Source: 8.13.1
Flawfinder found 1293 potential vulnerabilities, 4 level 5s
Spot check of levels 0-4: false positives
Level 5: reviewed each vulnerability, found that all but one was a false positive
Last one: probably also a false positive involving OS guarantee that filenames have trailing nulls

6. Summary
Flawfinder does not do context checking, thus checks against a static list of pre-definied potential issues
Hard to add new checks: have to edit the python source
Good as an initial check, but you must do our own analysis

7. Let's take a look!

8. References Flawfinder Home page: http://www.dwheeler.com/flawfinder
Linux Secure Programming HOWTO:
Checking for Race Conditions in File Accesses, Matt Bishop and Matt Dilger, UCSD
RATS page: