2 May 2008
cygwin security tool
A handful of tools have been added to cygwin under a new category called "security":
bcrypt: Cross platform file encryption utility using blowfish
flawfinder: Examine source code and look for security weaknesses
integrit: File integrity checker, like Tripwire
outguess: Universal Steganographic tool for PNM and JPG files
pscan: Format string security checker for C files
pwget: Automatic Password generation
flawfinder and pscan are useful tools for auditing source code.
Below is the result of running flawfinder over ssldigger, a tool I wrote myself.
$flawfinder sslclient.c
Flawfinder version 1.27, (C) 2001-2004 David A. Wheeler.
Number of dangerous functions in C/C++ ruleset: 160
Examining sslclient.c
sslclient.c:34: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination. Make
sure destination can always hold the source data.
sslclient.c:39: [2] (buffer) sprintf:
Does not check for buffer overflows. Use snprintf or vsnprintf. Risk
is low because the source has a constant maximum length.
sslclient.c:62: [2] (buffer) char:
Statically-sized arrays can be overflowed. Perform bounds checking,
use functions that limit length, or ensure that the size is larger than
the maximum possible length.
sslclient.c:63: [2] (buffer) char:
Statically-sized arrays can be overflowed. Perform bounds checking,
use functions that limit length, or ensure that the size is larger than
the maximum possible length.
sslclient.c:65: [2] (buffer) char:
Statically-sized arrays can be overflowed. Perform bounds checking,
use functions that limit length, or ensure that the size is larger than
the maximum possible length.
sslclient.c:67: [2] (buffer) char:
Statically-sized arrays can be overflowed. Perform bounds checking,
use functions that limit length, or ensure that the size is larger than
the maximum possible length.
sslclient.c:101: [2] (buffer) bcopy:
Does not check for buffer overflows when copying to destination. Make
sure destination can always hold the source data.
sslclient.c:106: [2] (integer) atoi:
Unless checked, the resulting number can exceed the expected range.
If source untrusted, check both minimum and maximum, even if the input
had no minus sign (large numbers can roll over into negative number;
consider saving to an unsigned value if that is intended).
Hits = 8
Lines analyzed = 271 in 0.56 seconds (4839 lines/second)
Physical Source Lines of Code (SLOC) = 181
Hits@level = [0] 0 [1] 0 [2] 8 [3] 0 [4] 0 [5] 0
Hits@level+ = [0+] 8 [1+] 8 [2+] 8 [3+] 0 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 44.1989 [1+] 44.1989 [2+] 44.1989 [3+] 0 [4+] 0 [5+] 0
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
$
Below is the result of using pscan to check for format string attacks.
pscan.exe -v sslclient.c
Scanning sslclient.c ...
sslclient.c:39 FUNC sprintf Last argument is constant string: OK
sslclient.c:44 FUNC printf format string with 1 parameters: OK
sslclient.c:83 FUNC printf Last argument is variable or reference: BAD
sslclient.c:95 FUNC fprintf format string with 1 parameters: OK
sslclient.c:113 FUNC printf Last argument is variable or reference: BAD
sslclient.c:114 FUNC printf Last argument is variable or reference: BAD
sslclient.c:115 FUNC printf Last argument is variable or reference: BAD
sslclient.c:116 FUNC printf format string with 1 parameters: OK
sslclient.c:117 FUNC printf format string with 1 parameters: OK
sslclient.c:118 FUNC printf format string with 1 parameters: OK
sslclient.c:119 FUNC printf Last argument is variable or reference: BAD
sslclient.c:120 FUNC printf Last argument is variable or reference: BAD
sslclient.c:126 FUNC fprintf Last argument is constant string: OK
sslclient.c:131 FUNC fprintf Last argument is constant string: OK
sslclient.c:174 FUNC printf format string with 1 parameters: OK
sslclient.c:222 FUNC fprintf Last argument is constant string: OK
sslclient.c:227 FUNC fprintf Last argument is constant string: OK
sslclient.c:259 FUNC printf Last argument is variable or reference: BAD
sslclient.c:261 FUNC printf Last argument is variable or reference: BAD
sslclient.c:263 FUNC printf Last argument is variable or reference: BAD
sslclient.c:265 FUNC printf Last argument is variable or reference: BAD
Total problems identified: 10
$
Looks like I had better start on the fixes soon...
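As an added illustration (not code from ssldigger or from the original post), here are hardened counterparts to the three kinds of finding above: a constant format string in place of the printf/sprintf calls pscan marks BAD, a range-checked strtol in place of the atoi hit, and a length-checked copy in place of the bare memcpy/bcopy. The function names and the 1..65535 port range are my assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* pscan "Last argument is variable or reference: BAD" means printf(msg).
 * Hardened: the format is a constant and msg is only ever data, so a
 * message containing "%x" or "%n" is copied literally. Returns the
 * length the full message needs, like snprintf, so callers can detect
 * truncation. */
int render_message(char *dst, size_t dstlen, const char *msg)
{
    /* was: sprintf(dst, msg);  -- msg controlled the format string */
    return snprintf(dst, dstlen, "%s", msg);
}

/* flawfinder "atoi: Unless checked, the resulting number can exceed the
 * expected range". Hardened: strtol with full error handling plus an
 * explicit range check (assumed 1..65535, a TCP port).
 * Returns 0 on success, -1 otherwise. */
int parse_port(const char *s, int *port)
{
    char *end;
    long v;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0')
        return -1;                 /* not a clean decimal number */
    if (v < 1 || v > 65535)
        return -1;                 /* out of range, including negatives */
    *port = (int)v;
    return 0;
}

/* flawfinder "memcpy/bcopy: Does not check for buffer overflows".
 * Hardened: refuse the copy outright when the source would not fit,
 * rather than truncating silently. Returns bytes copied, or -1. */
long copy_bounded(unsigned char *dst, size_t dstlen,
                  const unsigned char *src, size_t srclen)
{
    if (srclen > dstlen)
        return -1;
    memcpy(dst, src, srclen);
    return (long)srclen;
}
```

Re-running pscan and flawfinder after such changes is the quickest way to confirm the BAD and [2] hits are gone rather than merely moved.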
# by | 2008/05/02 19:08 | Tools | Trackback