Flawfinder is a program that examines source code and reports possible security weaknesses (flaws) sorted by risk level. It’s very useful for quickly finding and removing at least some potential security problems before a program is widely released to the public. It’s a static analysis source code auditing tool.

Flawfinder is specifically designed to be easy to install and use. After installing it, at a command line just type:

flawfinder directory_with_source_code

Flawfinder works on Unix-like systems today (it’s been tested on GNU/Linux), and it should be easy to port to Windows systems. It requires Python 1.5 or greater to run (Python 1.3 or earlier won’t work).

Speed

Flawfinder is written in Python, to simplify the task of writing and extending it. Python code is not as fast as C code, but for the task I believe it’s just fine. Flawfinder version 0.12 on a 400Mhz Pentium II system analyzed 51055 lines in 39.7 seconds, resulting in an average of 1285 analyzed lines/second. Flawfinder 1.20 and later will report their speed (in analyzed lines/second) if you’re curious.

How it works

Flawfinder works by using a built-in database of C/C++ functions with well-known problems, such as buffer overflow risks (e.g., strcpy(), strcat(), gets(), sprintf(), and the scanf() family), format string problems ([v][f]printf(), [v]snprintf(), and syslog()), race conditions (such as access(), chown(), chgrp(), chmod(), tmpfile(), tmpnam(), tempnam(), and mktemp()), potential shell metacharacter dangers (most of the exec() family, system(), popen()), and poor random number acquisition (such as random()). The good thing is that you don’t have to create this database – it comes with the tool.

Flawfinder then takes the source code text, and matches the source code text against those names, while ignoring text inside comments and strings (except for flawfinder directives). Flawfinder also knows about gettext (a common library for internationalized programs), and will treat constant strings passed through gettext as though they were constant strings; this reduces the number of false hits in internationalized programs.

You can download Flawfinder here:

flawfinder-1.27.tar.gz

Or read more here.

The Source Code Analysis Risk Evaluation project is a study to create a security complexity metric that will analyze source code and provide a realistic and factual representation of the potential of that source code to create a problematic binary. This metric will not say that the binary will be exploited nor does it do a static analysis for known limitations like vulnerabilities. However it will flag code for a particular interaction type or control and allow the developer to understand which Operational Security (OpSec) holes are not protected even if it can’t say the effectiveness of that protection at this time.

This computation will provide a final SCARE value, like the RAV, where 100% is the proper balance between controls to OpSec holes and no Limitations. Conversely, less than that shows an imbalance where too few Controls protect OpSec holes or Limitations in OpSec and Controls degrade the security.

The SCARE analysis tool is run against source code. Currently only C code is supported. The output file will contain all operational interactions possible which need controls (the current version does not yet say if and what controls are already there). At the bottom of the list are three numbers: Visibilities, Access, and Trusts. These 3 numbers can be plugged into the RAV Calculation spreadsheet available at http://www.isecom.org/ravs. The Delta value is then subtracted from 100 to give the SCARE percentage which indicates the complexity for securing this particular application. The lower the value, the worse the SCARE.

At this stage, the tool cannot yet tell which interactions have controls already or if those controls are applicable however once that is available it will change the RAV but not the SCARE. The SCARE will also not yet tell you where the bugs are in the code however if you are bug hunting, it will extract all the places where user inputs and trusts with user-accessible resources can be found in the code.

Currently, SCARE is designed to work for any programming language. While this methodology shows the C language, they need input and feedback from developers of other languages to expand this further.

If you are interested in helping with this project please contact ISECOM.

You can download SCARE here:

scare_analyst.zip

Or you can read more here.

Skavenger? Yes, because scavenger is already used?!?

What is skavenger? Skavenger is a source code auditing tool, firstly though for php, but also used for any kind of source code file; as long as you know what to look for…

Yes I thought is as a replacement tool for egrep/sed under Windows! because not everybody installs cygwin (for example) under there windows boxes to perform source code auditing. I’ve seen people who most of the time used notepad to audit source code!

And more…
Skavenger is more than a replacement for egrep/sed because it has the ability to parse conforming to a regular expression or a series of regular expressions more than one file; even a directory; and prints out line number… isn’t that sup4 l33t?

Anyway… for download and more info check out http://code.google.com/p/skavenger/, because you can have a lot of fun with it; did I mention it was a console application?

P.S. You need php in order to use this script. Default values in regex.def check for primordial sql injection and XSS….
P.P.S. For more things to search for under php, check my article at http://insanesecurity.wordpress.com/2007/10/30/source-code-audit-php/

Happy auditing!

LAPSE stands for a Lightweight Analysis for Program Security in Eclipse. LAPSE is designed to help with the task of auditing Java J2EE applications for common types of security vulnerabilities found in Web applications. LAPSE was developed by Benjamin Livshits as part of the Griffin Software Security Project.

LAPSE targets the following Web application vulnerabilities:

• Parameter manipulation
• SQL injections
• Header manipulation
• Cross-site scripting
• Cookie poisoning
• HTTP splitting
• Command-line parameters
• Path traversal

What should you do to avoid these vulnerabilities in your code? How do we protect Web applications from exploits? The proper way to deal with these types of attacks is by sanitizing the tainted input. Please refer to the OWASP guide to find out more about Web application security.

If you are interested in auditing a Java Web application, LAPSE helps you in the following ways:

• Identify taint sources
• Identify taint sinks
• Find paths between sources and sinks

LAPSE is inspired by existing lightweight security auditing tools such as RATS, pscan, and FlawFinder. Unlike those tools, however, LAPSE addresses vulnerabilities in Web applications. LAPSE is not intended as a comprehensive solution for Web application security, but rather as an aid in the code review process. Those looking for more comprehensive tools are encouraged to look at some of the tools produced by Fortify or Secure Software.

Read more about LAPSE HERE.

You can download LAPSE here:

LAPSE: Web Application Security Scanner for Java

Spike is an Open Source tool based on the popular RATS C based auditing tool implemented for PHP.

The tool Spike basically does static analysis of php code for security exploits, PHP5 and call-time pass-by-reference are currently required, but a PHP4 version is coming out this week.

This tool is especially welcomed by Darknet as there aren’t many static analysis tools out there that are free, and there are very few tools for auditing PHP code..which as we all known tends to be coded quite insecurely at times (just look at phpBB and PhpNUKE).

You can find the latest version here:

Spike PHP Audit Tool