Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Networking Security and Assurance Lab National Chung Cheng University Flawfinder.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Information Networking Security and Assurance Lab National Chung Cheng University Flawfinder."— Presentation transcript:

1 Information Networking Security and Assurance Lab National Chung Cheng University Flawfinder

2 Information Networking Security and Assurance Lab National Chung Cheng University 2 INSA@CCU Contents Overview Environment Install Flawfinder Usage of Flawfinder Example How does Flawfinder Work?

3 Information Networking Security and Assurance Lab National Chung Cheng University 3 INSA@CCU Overview Flawfinder search through C/C++ source code looking for potential security flaw. Flawfinder can integrate well with text editors and integrated development environments.

4 Information Networking Security and Assurance Lab National Chung Cheng University 4 INSA@CCU Install Flawfinder Download Flawfinder http://www.dwheeler.com/flawfinder/

5 Information Networking Security and Assurance Lab National Chung Cheng University 5 INSA@CCU Install Flawfinder (cont.) Unpacking the Package

6 Information Networking Security and Assurance Lab National Chung Cheng University 6 INSA@CCU Usage of Flawfinder Synopsis

7 Information Networking Security and Assurance Lab National Chung Cheng University 7 INSA@CCU Example: wu-ftpd 2.6.0

8 Information Networking Security and Assurance Lab National Chung Cheng University 8 INSA@CCU Example: wu-ftpd 2.6.0 (cont.)

9 Information Networking Security and Assurance Lab National Chung Cheng University 9 INSA@CCU Example: wu-ftpd 2.6.0 (cont.)

10 Information Networking Security and Assurance Lab National Chung Cheng University 10 INSA@CCU Example: wu-ftpd 2.6.0 (cont.)

11 Information Networking Security and Assurance Lab National Chung Cheng University 11 INSA@CCU How does Flawfinder Work? Flawfinder works by using a built-in database of C/C++ functions with well-known problems.  Buffer Overflow Risks strcpy(), strcat(), gets(), sprintf(), and the scanf() family  Format String Problems [v][f]printf(), [v]snprintf(), and syslog()

12 Information Networking Security and Assurance Lab National Chung Cheng University 12 INSA@CCU How does Flawfinder Work? (cont.)  Race Conditions access(), chown(), chgrp(), chmod(), tmpfile(), tmpnam(), tempnam(), and mktemp()  Potential Shell Meta-character Dangers Most of the exec() family, system(), popen()  Poor Random Number Acquisition Such as random()

13 Information Networking Security and Assurance Lab National Chung Cheng University 13 INSA@CCU Risk in the Hitlist

Download ppt "Information Networking Security and Assurance Lab National Chung Cheng University Flawfinder."

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Introduction to C Programming

Introduction to C Programming
Character String Manipulation. Overview Character string functions sscanf() function sprintf() function.

Character String Manipulation. Overview Character string functions sscanf() function sprintf() function.
Communications of the ACM (CACM), Vol. 32, No. 6, June 1989

Communications of the ACM (CACM), Vol. 32, No. 6, June 1989
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
PPT Slides by Dr. Craig Tyran & Kraig Pencil The editor in charge of business books for Prentice Hall, 1957. I have traveled the length and breadth of.

PPT Slides by Dr. Craig Tyran & Kraig Pencil The editor in charge of business books for Prentice Hall, I have traveled the length and breadth of.
Software Fault Injection for Survivability Jeffrey M. Voas & Anup K. Ghosh Presented by Alison Teoh.

Software Fault Injection for Survivability Jeffrey M. Voas & Anup K. Ghosh Presented by Alison Teoh.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Static code check – Klocwork

Static code check – Klocwork
Static Analysis of the VoteHere VHTi Reference Implementation Using Flawfinder and RATS Markus Dale December 2005.

Static Analysis of the VoteHere VHTi Reference Implementation Using Flawfinder and RATS Markus Dale December 2005.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.

Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Using Cabal and the Hackage Package Database. Hackage Hackage is a database of Haskell packages (or modules) written by others and available for public.

Using Cabal and the Hackage Package Database. Hackage Hackage is a database of Haskell packages (or modules) written by others and available for public.
Vulnerability Analysis Borrowed from the CLICS group.

Vulnerability Analysis Borrowed from the CLICS group.
Buffer Overflow Exploits CS-480b Dick Steflik. What is a buffer overflow? Memory global static heap malloc( ), new Stack non-static local variabled value.

Buffer Overflow Exploits CS-480b Dick Steflik. What is a buffer overflow? Memory global static heap malloc( ), new Stack non-static local variabled value.
Preventing Buffer Overflow Attacks. Some unsafe C lib functions strcpy (char *dest, const char *src) strcat (char *dest, const char *src) gets (char *s)

Preventing Buffer Overflow Attacks. Some unsafe C lib functions strcpy (char *dest, const char *src) strcat (char *dest, const char *src) gets (char *s)
Blog A Blog is a website where entries are written in chronological order and commonly displayed in reverse chronological order.

Blog A Blog is a website where entries are written in chronological order and commonly displayed in reverse chronological order.
IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.

IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
2004, Jei Nessus A Vulnerability Assessment tool A Security Scanner Information Networking Security and Assurance Lab National Chung Cheng University

2004, Jei Nessus A Vulnerability Assessment tool A Security Scanner Information Networking Security and Assurance Lab National Chung Cheng University
Information Networking Security and Assurance Lab National Chung Cheng University Guidelines on Electronic Mail Security

Information Networking Security and Assurance Lab National Chung Cheng University Guidelines on Electronic Mail Security

Similar presentations

Ads by Google