Flawfinder: A static analysis tool for C/C++

From Embedded Lab Vienna for IoT & Security

Summary

This documentation shows how to install and use Flawfinder, a static analysis tool for C/C++ source code. The tool reports possible security weaknesses ("flaws") sorted by risk level, so that at least some potential security problems can be removed before a program is released. It works on Unix-like systems and on Windows via Cygwin; this documentation uses Ubuntu as the reference platform.

The advantage of this kind of static analysis is that the code neither needs to be compiled nor runnable: an analysis can be started at any time during development to look for possible vulnerabilities in the program. The disadvantage is that not all errors and vulnerabilities can be found this way, so multiple tools should be used when analysing a program.

Requirements

This tool requires:

  • Python 2.7 or Python 3

The tool was tested on a self-implemented C program, which intentionally contains a buffer overflow, using Ubuntu on WSL2 on Windows 11.

Description

Installation and usage

To install pip for Python 3 run:

sudo apt update
sudo apt install python3-pip

Then, to install Flawfinder run:

sudo pip install flawfinder

After installing it, run:

flawfinder <directory_with_source_code>

Demo

Code Example in C

This is the code example that was implemented to test the tool against a buffer overflow vulnerability.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include "secret.h"   /* defines the expected `username` and `password` strings (not shown here) */

#define MIN(X, Y) (((X) < (Y)) ? (X) : (Y))

int auth(char *usedusername, char *usedpw)
{
    int result = 0;
    char pw_user[28];

    /* Intentional flaw: strcpy() copies usedpw into a 28-byte buffer without
     * any length check, so a longer argument overflows pw_user. This is the
     * hit Flawfinder reports at risk level 4. */
    strcpy(pw_user, usedpw);
    printf("\n\nUser: %s\n", usedusername);
    printf("Password: %s\n", usedpw);

    if (strlen(password) != strlen(usedpw)) {
        printf("Password Length is not correct\n");
    }

    /* Reject passwords that contain the same character twice. The loop is
     * bounded by strlen(usedpw) so it never indexes past the supplied string. */
    for (int i = 0; i < strlen(usedpw); i++) {
        if (strchr(usedpw, usedpw[i]) != strrchr(usedpw, usedpw[i])) {
            printf("No Double Char '%c' allowed\n", usedpw[i]);
            break;
        }
    }

    if (strcmp(usedusername, username) != 0) {
        printf("No such Username. Please contact Admin\n");
    } else {
        if (strcmp(password, usedpw) == 0) {
            result = 1;
        } else {
            printf("Password %s is incorrect: ", usedpw);
            for (int k = 0; k < MIN(strlen(password), strlen(usedpw)); k++) {
                if (usedpw[k] != password[k]) {
                    printf("Invalid Character '%c' in Password\n", usedpw[k]);
                    break;
                }
            }
        }
    }
    return result;
}

void printUsage(void)
{
    printf("Usage: <username> <password>\n");
    exit(-1);
}

int main(int argc, char *argv[])
{
    if (argc < 3)
        printUsage();

    if (auth(argv[1], argv[2]) != 0) {
        printf("\n\n#####################################################\n");
        printf("#                                                   #\n");
        printf("#                !ACCESS GRANTED!                   #\n");
        printf("#                                                   #\n");
        printf("#####################################################\n\n\n");
        printf("Welcome %s!\n", argv[1]);
    } else {
        printf("\n\n#####################################################\n");
        printf("#                                                   #\n");
        printf("#                 !ACCESS DENIED!                   #\n");
        printf("#                                                   #\n");
        printf("#####################################################\n\n\n");
    }

    return 0;
}

Usage of Flawfinder

From the same directory of the code run:

flawfinder .

Report of Flawfinder

After running the tool against the example code above, the generated report looks like this:


[Image: Report generated from Flawfinder]

Results

From the results, it can be seen at which line of code a potential vulnerability is present and how high the risk level is. In the example above, the first hit has risk level 4, which is almost the highest level. Each hit comes with a brief description of the vulnerability and the related CWE-ID. In addition, Flawfinder proposes alternative functions to use instead. The [MS-banned] tag means that the function in question, here "strcpy", was put by Microsoft on its official list of banned functions and should therefore no longer be used.

Flawfinder is CWE-compatible, which means, among other things, that every hit carries a related CWE-ID that can be used to look it up in the CWE database. This makes it easy to filter the hits and find further information.
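The following is an added example, not code from the original page or from the Flawfinder project, showing how the risk-level-4 hit (the unchecked strcpy() into pw_user[28]) can be fixed so that an over-long password is rejected instead of overflowing the buffer. The helper names copy_password_checked and auth_checked are assumptions made for this example, and the expected credentials are passed in as parameters because the page's secret.h is not available here.

```c
#include <stdio.h>
#include <string.h>

#define PW_BUF 28   /* same size as pw_user[28] in the demo program above */

/* Bounded replacement for the strcpy() in auth(). Returns 0 on success and
 * -1 if src (including its terminating NUL) does not fit into dst. On -1,
 * dst is left as an empty string so a caller cannot use a half-copied value. */
int copy_password_checked(char dst[PW_BUF], const char *src)
{
    /* memchr looks at most PW_BUF bytes, so we never scan past what we could
     * store; no NUL inside that window means the input is too long. */
    const char *nul = memchr(src, '\0', PW_BUF);
    if (nul == NULL) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);  /* +1 copies the NUL as well */
    return 0;
}

/* Hardened variant of the demo's auth(). The expected credentials are passed
 * in instead of coming from secret.h (assumption for this example). Returns
 *  1  credentials match
 *  0  credentials do not match
 * -1  the supplied password was rejected before any comparison because it
 *     would not fit into the fixed-size buffer (the input that overflows
 *     pw_user[28] in the original program). */
int auth_checked(const char *expected_user, const char *expected_pw,
                 const char *used_user, const char *used_pw)
{
    char pw_user[PW_BUF];

    if (copy_password_checked(pw_user, used_pw) != 0)
        return -1;

    if (strcmp(used_user, expected_user) != 0)
        return 0;
    return strcmp(pw_user, expected_pw) == 0 ? 1 : 0;
}

int main(int argc, char *argv[])
{
    /* Constructed demo credentials; a real program would not hard-code them. */
    const char *user = "alice", *pw = "correct-horse";

    if (argc < 3) {
        fprintf(stderr, "Usage: %s <username> <password>\n", argv[0]);
        return 2;
    }
    switch (auth_checked(user, pw, argv[1], argv[2])) {
    case 1:  printf("ACCESS GRANTED\n"); return 0;
    case 0:  printf("ACCESS DENIED\n");  return 1;
    default: printf("Password too long (max %d characters)\n", PW_BUF - 1); return 1;
    }
}
```

Running Flawfinder over this file no longer produces the strcpy hit; the remaining hits (for example the risk-level-1 entries for strlen-style functions) are informational and can be hidden with --minlevel. The length check is done explicitly rather than with strncpy, because strncpy silently truncates and may leave the buffer unterminated, which would change the meaning of the password instead of rejecting it.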
