Static Code Analysis using FlawFinder
Security in Software Application | Project 1
1. Introduction
This project involves using Flawfinder a static analysis tool, to scan a C code fragment for potential security vulnerabilities. The goal is to identify and address these flaws, demonstrating the tool’s effectiveness while highlighting the need for manual code review to catch any issues that may have been missed.
2. Tool Analysis
Strengths
- Quickly identifies common vulnerabilities like buffer overflows;
Weakness
- Frequently can’t find configuration issues, since they are not represented in the code;
- Limited analysis capabilities beyond pattern matching, prone to false positives;
3. Code Fragment Overview
The code provided contains several syntax errors and the use of statements not present in the C language such as try/catch and the omission of some libraries.
Click to see source code4. Flawfinder Output
Click to see the report in HTML
5. Analysis of Findings
- Line 7 [char Array]: Static arrays can overflow if they’re not correctly bounded. This warning may be a false positive if input length is restricted or validated.
- Line 7 [strlen]: strlen may cause over-read if strings are not null-terminated. This is a potential risk but may be low-impact if all inputs are verified.
- Line 8 [strncpy]: strncpy may not automatically null-terminate, risking memory issues. If null termination is manually enforced, this could be a false positive.
- Line 8 [strlen]: Similar to the previous warning, strlen risks over-read without null-terminated strings. Proper input validation may reduce this risk.
- Line 9 [strlen]: Repeats the over-read risk in non-terminated strings. This can be managed with reliable input controls.
- Line 16 [read]: Boundary checks in loops are important to avoid overflow with read operations. However, if loops are properly bounded, this could be low-risk.
- Line 21 [read]: Like the previous read warning, ensuring boundary checks here prevents buffer issues, with low risk in controlled cases.
- Line 27 [char Array]: Like the previous warning, static arrays require bounds checking. If input is tightly controlled, this could be a low-risk or false positive.
- Line 32 [char Array]: Another static array warning, indicating potential overflow risks if boundaries aren’t respected. Controlled input makes this lower-risk.
- Line 33 [strncpy]: strncpy may fail to null-terminate. Adding a manual null-terminator could turn this into a false positive if handled correctly.
- Line 34 [strcat]: The strcat function lacks inherent bounds checking, which could cause overflow; however, since the source here is a constant, this is likely low-risk.
- Line 41 [strcpy]: The use of strcpy can lead to buffer overflow if the source exceeds the destination size. While this is typically risky, if inputs are controlled, the risk may be minimal. Consider strncpy for a safer alternative.
- Line 55 [fprintf]: Format strings can be vulnerable if an attacker controls them. Using a constant format specification, instead of a variable, reduces this risk significantly.
6. Additional Vulnerabilities
These are additional vulnerabilities found through manual inspection:
- while Loop in main - Array Out-of-Bounds Access: The loop while (y >= 0) { a[y] = y; y--; } accesses a[10], which is out-of-bounds for a 10-element array, leading to memory corruption.
7. Code Correction
The corrected code fragment after removing all vulnerabilities:
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <ctype.h>
#include <unistd.h> // for read()
// Copying a String Safely
void func1(char *src) {
// length validation
size_t src_len = strlen(src);
if (src_len > 1023) {
fprintf(stderr, "Error: input too large\n");
return;
}
char dst[1024]; // fixed maximum buffer size to prevent overflow
strncpy(dst, src, src_len);
dst[src_len] = '\0'; // ensure null-termination
}
// Reading from a File Descriptor Safely
void func2(int fd) {
char *buf;
size_t len;
if (read(fd, &len, sizeof(len)) != sizeof(len)) {
fprintf(stderr, "Error reading length\n");
return;
}
if (len > 1024) {
fprintf(stderr, "Error: data length exceeds buffer limit\n");
return;
}
buf = (char *)malloc(len + 1); // allocate buffer with an extra byte for null-termination
if (buf == NULL) {
fprintf(stderr, "Error: memory allocation failed\n");
return;
}
if (read(fd, buf, len) != (ssize_t)len) {
fprintf(stderr, "Error reading data\n");
free(buf);
return;
}
buf[len] = '\0'; // ensure null-termination
free(buf); // free allocated memory to avoid memory leaks
}
// Reading User Input with Bounds Checking
void func3() {
char buffer[1024];
printf("Please enter your user ID: ");
if (fgets(buffer, sizeof(buffer), stdin) == NULL) {
fprintf(stderr, "Error reading input\n");
return;
}
if (!isalpha((unsigned char)buffer[0])) {
char errormsg[1044];
snprintf(errormsg, sizeof(errormsg), "%.1023s is not a valid ID", buffer);
fprintf(stderr, "%s\n", errormsg); // print error message securely
}
}
// Buffer Allocation and Safe Copying
void func4(char *foo) {
size_t foo_len = strlen(foo);
if (foo_len >= 10) {
fprintf(stderr, "Error: input too large for buffer\n");
return;
}
char *buffer = (char *)malloc(10 * sizeof(char));
if (buffer == NULL) {
fprintf(stderr, "Error: memory allocation failed\n");
return;
}
strncpy(buffer, foo, 9); // safely copy up to 9 characters
buffer[9] = '\0'; // null-terminate to ensure safety
free(buffer); // free allocated memory
}
int main() {
int y = 10;
int a[10];
func4("fooooooooooooooooooooooooooooooooooooooooooooooooooo");
// Simplified error handling for non-C++ code
func3();
FILE *aFile = fopen("output.txt", "w"); // declare and open a file securely
if (aFile == NULL) {
fprintf(stderr, "Error opening file\n");
return 1;
}
fprintf(aFile, "%s\n", "hello world"); // use safe file handling functions
fclose(aFile); // close file after writing to it
while (y > 0) {
if (y < 10) {
a[y] = y; // safely use within bounds
}
y--;
}
return 0;
}
8. Conclusion
This project demonstrates the utility of Flawfinder in catching basic vulnerabilities while also showing the importance of manual review for deeper analysis.