Information Networking Security and Assurance Lab National Chung Cheng University Flawfinder.

Presentation transcript:

Flawfinder

2 Contents: Overview; Environment; Install Flawfinder; Usage of Flawfinder; Example; How does Flawfinder Work?

3 Overview: Flawfinder searches through C/C++ source code looking for potential security flaws. Flawfinder can integrate well with text editors and integrated development environments.

4 Install Flawfinder: Download Flawfinder

5 Install Flawfinder (cont.): Unpacking the Package

6 Usage of Flawfinder: Synopsis

7 Example: wu-ftpd 2.6.0

8 Example: wu-ftpd (cont.)

9 Example: wu-ftpd (cont.)

10 Example: wu-ftpd (cont.)

11 How does Flawfinder Work? Flawfinder works by using a built-in database of C/C++ functions with well-known problems. Buffer overflow risks: strcpy(), strcat(), gets(), sprintf(), and the scanf() family. Format string problems: [v][f]printf(), [v]snprintf(), and syslog().

12 How does Flawfinder Work? (cont.) Race conditions: access(), chown(), chgrp(), chmod(), tmpfile(), tmpnam(), tempnam(), and mktemp(). Potential shell meta-character dangers: most of the exec() family, system(), popen(). Poor random number acquisition: such as random().
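Slides 11 and 12 describe the mechanism (a built-in database of risky functions matched against the source) but show no code. The following is an added example, not Flawfinder's own source: a toy hitlist scanner in Python that applies the same idea, including the distinction Flawfinder draws for the printf family between a constant format string and a format taken from data. The function database, its risk levels and notes, and the C sample it is run on are all constructed for this demo; Flawfinder's real database is larger and its level assignments are assumed to differ.

```python
"""Toy Flawfinder-style hitlist scanner (added example, not Flawfinder's code).

Mimics the approach on the slides: a built-in database of risky C/C++
functions, a scan for calls to them, and a report with a risk level per hit.
The database, its risk levels and the C sample are constructed for this demo.
"""
import re
from collections import namedtuple

# name -> (risk 0-5, category, index of the format argument or None, note).
# Format-string functions are reported only when the format argument is not a
# string literal, the same distinction Flawfinder draws for that family.
HITLIST = {
    "gets":     (5, "buffer", None, "no bounds check; use fgets() with a size"),
    "strcpy":   (4, "buffer", None, "no destination size; use strlcpy()/snprintf()"),
    "sprintf":  (4, "buffer", None, "unbounded output; use snprintf()"),
    "scanf":    (4, "buffer", None, "%s without a field width is unbounded"),
    "printf":   (4, "format", 0, "non-constant format string"),
    "snprintf": (4, "format", 2, "non-constant format string"),
    "syslog":   (4, "format", 1, "non-constant format string"),
    "access":   (4, "race", None, "check-then-use (TOCTOU) race; open, then fstat()"),
    "mktemp":   (4, "race", None, "predictable temp name; use mkstemp()"),
    "system":   (4, "shell", None, "shell metacharacters in the argument"),
    "random":   (3, "random", None, "not cryptographically strong"),
}
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")   # identifier followed by '('
Hit = namedtuple("Hit", "line func level category note")


def strip_comments(src):
    """Blank out comments but keep every newline so line numbers stay right."""
    src = re.sub(r"/\*.*?\*/", lambda m: re.sub(r"[^\n]", " ", m.group(0)), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)   # naive: also eats '//' inside a string


def call_args(src, open_paren):
    """Top-level argument texts of the call whose '(' is at src[open_paren].
    String literals are copied whole so commas/parens inside them do not split."""
    depth, args, cur, i = 0, [], [], open_paren
    while i < len(src):
        ch = src[i]
        if ch == '"':                           # copy a string literal verbatim
            j = i + 1
            while j < len(src) and src[j] != '"':
                j += 2 if src[j] == "\\" else 1
            cur.append(src[i:j + 1]); i = j + 1
            continue
        if ch == "(" and depth == 0:            # the call's own '('
            depth = 1
        elif ch == "(":
            depth += 1; cur.append(ch)
        elif ch == ")" and depth == 1:          # the call's own ')'
            return args + ["".join(cur).strip()]
        elif ch == ")":
            depth -= 1; cur.append(ch)
        elif ch == "," and depth == 1:
            args.append("".join(cur).strip()); cur = []
        else:
            cur.append(ch)
        i += 1
    return args                                 # unterminated call: best effort


def scan(src):
    """Return hits for calls to hitlist functions, highest risk first."""
    clean = strip_comments(src)
    hits = []
    for m in CALL_RE.finditer(clean):
        name = m.group(1)
        if name not in HITLIST:
            continue
        level, category, fmt_pos, note = HITLIST[name]
        if fmt_pos is not None:
            args = call_args(clean, m.end() - 1)
            if fmt_pos < len(args) and args[fmt_pos].startswith('"'):
                continue                        # constant format: no format-string bug
        hits.append(Hit(clean.count("\n", 0, m.start()) + 1, name, level, category, note))
    return sorted(hits, key=lambda h: (-h.level, h.line))


# Constructed C sample; nothing here comes from wu-ftpd or the slides.
SAMPLE_C = r'''#include <stdio.h>
#include <string.h>
/* gets() is named only in this comment and must not be reported */
int greet(const char *name) {
    char buf[64];
    strcpy(buf, name);                 /* unbounded copy */
    printf("Hello, %s\n", buf);        /* constant format: not reported */
    printf(buf);                       /* caller data used as the format */
    return 0;
}
int main(void) {
    char cmd[128];
    if (access("/tmp/flag", R_OK) == 0) {                 /* TOCTOU race */
        snprintf(cmd, sizeof cmd, "cat %s", "/tmp/flag");  /* constant format */
        system(cmd);                                        /* shell metacharacters */
    }
    return (int) (random() % 6);                            /* weak RNG */
}
'''

if __name__ == "__main__":
    for h in scan(SAMPLE_C):
        print(f"sample.c:{h.line}:  [{h.level}] ({h.category}) {h.func}: {h.note}")
```

Running the script reports five hits on the sample (strcpy, the non-constant printf, access, system and random) and stays silent on the printf and snprintf calls whose format is a literal, as well as on the gets() mentioned only in a comment. Like Flawfinder, this is a lexical scan with no data-flow analysis: it cannot tell whether the data reaching strcpy() is attacker-controlled, so every hit is a candidate for manual review rather than a confirmed flaw.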

13 Risk in the Hitlist