[SYSTEM HACKING] FlawFinder를 이용한 C/C++ Source Code 취약점 분석(Vulnerability Analysis)

Application 에 대한 취약점 분석은 굉장히 재미있고 흥미롭습니다. 물론 이 과정에는 조금 지루한 면이 많아 대부분 툴의 도움을 참고하여 진행하게 됩니다.

오늘은 BlackBox Test가 아닌 WhiteBox Test 툴인 FlawFinder에 대한 내용으로 이야기를 써갈까 합니다. 소스코드를 직접 분석하는 WhiteBox Test Tool은 BlackBox Test Tool(ex: Vega, Acunetix 등 여러 WVS)에 비해 개체수도 적어보이고 쓸만한걸 찾기도 어렵습니다.

주로 Web Application에서는 RIPS를 사용하곤 했는데, 찾다보니 flawfinder라는 무난한 툴을 찾았지요. (사실 rats 와 같이 테스트를 하였으나, 개인적인 느낌이 flawfinder가 좋아보여서요..)

FlawFinder 설치하기(Install Flawfinder)

데비안 계열 OS를 사용하신 다면 apt 패키지 관리자로 쉽게 설치가 가능합니다.

apt-get install flawfinder rats

다른 OS를 사용한다면, 웹페이지 or SourceForge에서 다운로드가 가능합니다.

Vendor Site: http://www.dwheeler.com/flawfinder/ SourceForge: http://sourceforge.net/projects/flawfinder/

설치 후 정상적으로 실행됨을 확인하였습니다.


Flawfinder version 1.31, (C) 2001-2014 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 169 *** No input files

FlawFinder를 이용한 WhiteBox Test(Using FlawFinder for Source code Analysis)

일단 FlawFinder의 메뉴얼을 잠깐 보고갈까 합니다.

flawfinder -h

flawfinder [–help | -h] [–version] [–listrules] [–allowlink] [–followdotdir] [–nolink] [–patch filename | -P filename] [–inputs | -I] [–minlevel X | -m X] [–falsepositive | -F] [–neverignore | -n] [–context | -c] [–columns | -C] [–dataonly | -D] [–html | -H] [–immediate | -i] [–singleline | -S] [–omittime] [–quiet | -Q] [–loadhitlist F] [–savehitlist F] [–diffhitlist F] [–] [source code file or source root directory]+

The options cover various aspects of flawfinder as follows.

Documentation: –help | -h Show this usage help. –version Show version number. –listrules List the rules in the ruleset (rule database).

Selecting Input Data: –allowlink Allow symbolic links. –followdotdir Follow directories whose names begin with “.”. Normally they are ignored. –nolink Skip symbolic links (ignored). –patch F | -P F Display information related to the patch F (patch must be already applied).

Selecting Hits to Display: –inputs | -I Show only functions that obtain data from outside the program; this also sets minlevel to 0. -m X | –minlevel=X Set minimum risk level to X for inclusion in hitlist. This can be from 0 (no risk'') to 5 (maximum risk''); the default is 1. –falsepositive | -F Do not include hits that are likely to be false positives. Currently, this means that function names are ignored if they’re not followed by “(”, and that declarations of char- acter arrays aren’t noted. Thus, if you have use a vari- able named “access” everywhere, this will eliminate refer- ences to this ordinary variable. This isn’t the default, because this also increases the likelihood of missing important hits; in particular, function names in #define clauses and calls through function pointers will be missed. –neverignore | -n Never ignore security issues, even if they have an ``ignore'' directive in a comment. –regex PATTERN | -e PATTERN Only report hits that match the regular expression PATTERN.

Selecting Output Format: –columns | -C Show the column number (as well as the file name and line number) of each hit; this is shown after the line number by adding a colon and the column number in the line (the first character in a line is column number 1). –context | -c Show context (the line having the “hit”/potential flaw) –dataonly | -D Don’t display the headers and footers of the analysis; use this along with –quiet to get just the results. –html | -H Display as HTML output. –immediate | -i Immediately display hits (don’t just wait until the end). –singleline | -S Single-line output. –omittime Omit time to run. –quiet | -Q Don’t display status information (i.e., which files are being examined) while the analysis is going on.

Hitlist Management: –savehitlist=F Save all hits (the “hitlist”) to F. –loadhitlist=F Load hits from F instead of analyzing source programs. –diffhitlist=F Show only hits (loaded or analyzed) not in F.

For more information, please consult the manpage or available documentation.

일단 Usage를 보면 별도의 옵션 없이 Argument만 넘겨 바로 사용이 가능합니다. 옵션을 주면 더 디테일한 분석이 가능하겠지요.

FlawFinder가 어떤 파일에서 찾을 수 있는지 간단한 UAF 소스코드를 첨부합니다.


#include <stdio.h>
#include <unistd.h>

// code by owasp / reference site
// https://www.owasp.org/index.php/Using_freed_memory

#define BUFSIZER1   512
#define BUFSIZER2   ((BUFSIZER1/2) - 8)

int main(int argc, char **argv) {   
    char *buf1R1;
    char *buf2R1;
    char *buf2R2;
    char *buf3R2;

    buf1R1 = (char *) malloc(BUFSIZER1);
    buf2R1 = (char *) malloc(BUFSIZER1);


    buf2R2 = (char *) malloc(BUFSIZER2);
    buf3R2 = (char *) malloc(BUFSIZER2);

    strncpy(buf2R1, argv[1], BUFSIZER1-1);


OWASP에서 샘플코드로 제공하는 이 코드를 Flawfinder로 분석을 하면 아래와 같이 결과가 나타납니다.

flawfinder uaf.c

Flawfinder version 1.31, (C) 2001-2014 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 169 Examining uaf.c


uaf.c:21: [1] (buffer) strncpy: Easily used incorrectly; doesn’t always \0-terminate or check for invalid pointers (CWE-120).


Hits = 1 Lines analyzed = 27 in approximately 0.01 seconds (2470 lines/second) Physical Source Lines of Code (SLOC) = 19 Hits@level = [0] 0 [1] 1 [2] 0 [3] 0 [4] 0 [5] 0 Hits@level+ = [0+] 1 [1+] 1 [2+] 0 [3+] 0 [4+] 0 [5+] 0 Hits/KSLOC@level+ = [0+] 52.6316 [1+] 52.6316 [2+] 0 [3+] 0 [4+] 0 [5+] 0 Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See ‘Secure Programming for Linux and Unix HOWTO’ (http://www.dwheeler.com/secure-programs) for more information.

진행 과정 중 취약 부분에서 대해서 Output이 발생하고 마지막에 전체적인 평가(?)가 기재됩니다.

uaf.c:21: [1] (buffer) strncpy: Easily used incorrectly; doesn’t always \0-terminate or check for invalid pointers (CWE-120).

21번 줄 strncpy 함수 부분이 취약할 수 있다고 경고합니다. 또한 –regex or -e 옵션을 활용하여 정규식을 적용할 수 있고 –regex PATTERN | -e PATTERN

Ouput 에 대한 설정 또한 가능합니다. -H or –html 옵션으로 웹 페이지 형식으로 바꿔서 표현할 수도 있습니다.

–html | -H

flawfinder –html ftp_scan.c » output.html

fierfox output.html

BlackBox Test는 사람이 직접하는게 좋다고 생각되는데, WhiteBox Test는 코드량이 많아 질수록 툴의 필요성이 많이 늘어나는 것 같습니다. FlawFinder와 같이 코드에 대해 분석을 해주는 툴과 함께라면 좀 더 쉽게 WhiteBox Test를 진행할 수 있겠지요. : )

Licensed under CC BY-NC-SA 4.0
Last updated on Jul 10, 2021 01:05 +0900