安全漏洞--C/C++代码安全漏洞审计技术学习分享
来源:互联网 发布:g92多头螺纹编程实例 编辑:程序博客网 时间:2024/06/05 09:11
0x01 简介
代码审计,大家估计见到最多的一般是web程序的代码审计。然而c/c++这种语言的代码审计估计就很少了。
今天我们要来学习一下,工欲善其事必先利其器,今天介绍一款审计的利器Flawfinder(当然同类的还有很多工具,比如
RATS,RIPS,VCG,Fortify SCA,GOLD,YASCA等等)。该工具我搭建运行在ubuntu16.0.4LTS系统之上。
Flawfinder是一个C/C++代码的开源安全审查工具,采用内建语法缺陷数据库,能够标记类似缓冲溢出、格式字符串、竞争条件、随
机数获取方面的问题。Flawfinder是一个非常简单的工具,采用的算法也不复杂,可以看做是一个基于词典的源代码静态分析器。
Flawfinder的开发者David Wheeler表示:很多软件开发者都在不断重复犯相同的错误,开发人员应当在软件部署前就
用Flawfinder审查代码。 官方地址http://www.dwheeler.com/flawfinder/
0x02 flawfinder
root@ubuntu:~/Desktop# flawfinder --h*** getopt error: option --h not a unique prefixflawfinder [--help | -h] [--version] [--listrules] [--allowlink] [--followdotdir] [--nolink] [--patch filename | -P filename] [--inputs | -I] [--minlevel X | -m X] [--falsepositive | -F] [--neverignore | -n] [--context | -c] [--columns | -C] [--dataonly | -D] [--html | -H] [--immediate | -i] [--singleline | -S] [--omittime] [--quiet | -Q] [--loadhitlist F] [--savehitlist F] [--diffhitlist F] [--] [source code file or source root directory]+ The options cover various aspects of flawfinder as follows. Documentation: --help | -h Show this usage help. --version Show version number. --listrules List the rules in the ruleset (rule database). Selecting Input Data: --allowlink Allow symbolic links. --followdotdir Follow directories whose names begin with ".". Normally they are ignored. --nolink Skip symbolic links (ignored). --patch F | -P F Display information related to the patch F (patch must be already applied). Selecting Hits to Display: --inputs | -I Show only functions that obtain data from outside the program; this also sets minlevel to 0. -m X | --minlevel=X Set minimum risk level to X for inclusion in hitlist. This can be from 0 (``no risk'') to 5 (``maximum risk''); the default is 1. --falsepositive | -F Do not include hits that are likely to be false positives. Currently, this means that function names are ignored if they're not followed by "(", and that declarations of char- acter arrays aren't noted. Thus, if you have use a vari- able named "access" everywhere, this will eliminate refer- ences to this ordinary variable. This isn't the default, because this also increases the likelihood of missing important hits; in particular, function names in #define clauses and calls through function pointers will be missed. --neverignore | -n Never ignore security issues, even if they have an ``ignore'' directive in a comment. --regex PATTERN | -e PATTERN Only report hits that match the regular expression PATTERN. Selecting Output Format: --columns | -C Show the column number (as well as the file name and line number) of each hit; this is shown after the line number by adding a colon and the column number in the line (the first character in a line is column number 1). --context | -c Show context (the line having the "hit"/potential flaw) --dataonly | -D Don't display the headers and footers of the analysis; use this along with --quiet to get just the results. --html | -H Display as HTML output. --immediate | -i Immediately display hits (don't just wait until the end). --singleline | -S Single-line output. --omittime Omit time to run. --quiet | -Q Don't display status information (i.e., which files are being examined) while the analysis is going on. Hitlist Management: --savehitlist=F Save all hits (the "hitlist") to F. --loadhitlist=F Load hits from F instead of analyzing source programs. --diffhitlist=F Show only hits (loaded or analyzed) not in F. For more information, please consult the manpage or available documentation.
0x03 示例
代码
命令
flawfinder --columns --context main.c --html
也可以保存成文档
flawfinder --columns --context main.c --html > result.html
0x04 结果分析
Flawfinder version 1.31, (C) 2001-2014 David A. Wheeler.Number of rules (primarily dangerous function names) in C/C++ ruleset: 169Examining main.cWarning: Skipping non-existent file --htmlFINAL RESULTS:main.c:7:2: [5] (buffer) gets: Does not check for buffer overflows (CWE-120, CWE-20). Use fgets() instead.gets(ch,stdin);main.c:6:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.char ch[50];ANALYSIS SUMMARY:Hits = 2Lines analyzed = 9 in approximately 0.01 seconds (1170 lines/second)Physical Source Lines of Code (SLOC) = 9Hits@level = [0] 0 [1] 0 [2] 1 [3] 0 [4] 0 [5] 1Hits@level+ = [0+] 2 [1+] 2 [2+] 2 [3+] 1 [4+] 1 [5+] 1Hits/KSLOC@level+ = [0+] 222.222 [1+] 222.222 [2+] 222.222 [3+] 111.111 [4+] 111.111 [5+] 111.111Minimum risk level = 1Not every hit is necessarily a security vulnerability.There may be other security vulnerabilities; review your code!See 'Secure Programming for Linux and Unix HOWTO'(http://www.dwheeler.com/secure-programs) for more information.
main.c:7:2: [5] (buffer) gets: //第七行 没有检查buffer缓存会溢出。
Does not check for buffer overflows (CWE-120, CWE-20). Use fgets() instead.
gets(ch,stdin);
main.c:6:2: [2] (buffer) char: //第六行 静态分配的数组大小会被溢出。
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
char ch[50];
ANALYSIS SUMMARY: //分析总结
Hits = 2 //两个可疑点
Lines analyzed = 9 in approximately 0.01 seconds (1170 lines/second) //总共9行代码用时0.01s
Physical Source Lines of Code (SLOC) = 9
Hits@level = [0] 0 [1] 0 [2] 1 [3] 0 [4] 0 [5] 1
Hits@level+ = [0+] 2 [1+] 2 [2+] 2 [3+] 1 [4+] 1 [5+] 1
Hits/KSLOC@level+ = [0+] 222.222 [1+] 222.222 [2+] 222.222 [3+] 111.111 [4+] 111.111 [5+] 111.111
Minimum risk level = 1
Not every hit is necessarily a security vulnerability. //注意此处,不是所有的可疑点都是安全漏洞
There may be other security vulnerabilities; review your code!
See 'Secure Programming for Linux and Unix HOWTO'
(http://www.dwheeler.com/secure-programs) for more information.
0x05 总结
自动化的静态代码审计工具虽然可以在某种程度节省代码审计的人力成本,时间成本。
是提高代码审计效率的重要手段。然而需要注意的是,自动化工具并非是完全智能准确的,
跟所有的检测扫描工具一样,误报率的存在仍然是必须面对的现实问题。因此,检测结果
中显示的漏洞还是需要审计人员,手动验证或者手工进一步确认是否真的存在。
- 安全漏洞--C/C++代码安全漏洞审计技术学习分享
- 安全漏洞
- 安全漏洞
- 安全漏洞
- 安全漏洞
- Linux安全漏洞审计工具Lynis
- APP安全漏洞学习笔记
- C语言代码漏洞审计技巧笔记分享
- bash代码注入的安全漏洞
- bash代码注入的安全漏洞
- bash代码注入的安全漏洞
- Bash代码注入安全漏洞{Cool}
- bash代码注入的安全漏洞
- bash代码注入的安全漏洞
- bash代码注入的安全漏洞
- bash代码注入的安全漏洞
- bash代码注入的安全漏洞
- bash代码注入的安全漏洞
- Android状态栏显示蓝牙耳机电量
- cocoapods:常见错误总结
- JS调用微信API实现微信支付
- android ipc
- Junit测试
- 安全漏洞--C/C++代码安全漏洞审计技术学习分享
- 如何在vs2010中修改栈的大小
- win 7 64 bit IntelliJ IDEA 中 详细图解 如何使用GitHub(git)来实现项目的版本控制和管理
- 我的CSDN博客
- eclipse中maven插件新建web项目
- test
- zookeeper的安装和配置
- Think in java笔记: Annotation
- 一个数组除了一个元素只出现一次,其他元素全都出现了三次,输出出现一次的元素