Re: running pscan, rats. flawfinder and splint on classpath

2006-04-03 Thread Archie Cobbs

Dalibor Topic wrote:

functions. Some of those are a little odd, for example it is not clear
to me what to do if JNI function call ThrowNew fails. rats and


Good question.. I think the only reasonable answer is "proceed with
the knowledge that an exception was posted, but perhaps not the one
you asked for (e.g., OutOfMemoryError or somesuch)".

-Archie

__
Archie Cobbs  *CTO, Awarix*  http://www.awarix.com



Re: running pscan, rats. flawfinder and splint on classpath

2006-04-03 Thread Dalibor Topic
On Mon, 2006-04-03 at 15:14 -0500, Archie Cobbs wrote:
> Dalibor Topic wrote:
> > functions. Some of those are a little odd, for example it is not clear
> > to me what to do if JNI function call ThrowNew fails. rats and
> 
> Good question.. I think the only reasonable answer is "proceed with
> the knowledge that an exception was posted, but perhaps not the one
> you asked for (e.g., OutOfMemoryError or somesuch)".

Yeah. 

I was just wondering if "if throw fails, check if an exception was
thrown, and dump the exception to stderr before continuing/exiting" was
maybe the intent of the API author, but found nothing like that in the
literature. I have some trouble figuring out why one would make throw*
not return void otherwise.

cheers,
dalibor topic




running pscan, rats. flawfinder and splint on classpath

2006-04-03 Thread Dalibor Topic
Hi all,

I've played around a bit with C vulnerability checkers today, and ran a
few on them on the classpath code base, so I figured I'd tell you how to
it, too.

The first one I tried was pscan [1], which checks for format string
vulnerabilities. I've fixed all the pscan warnings today.

Running pscan is easy:

In the classpath directory, run

find . -name "*.[ch]" | xargs pscan

there should be no output now. ;)

The next one I looked at was flawfinder [2], which checks for general
potential security issues. It quantifies them in classes, according to
potential for mischief. 5 is the highest category, 0 the lowest.

In the classpath source directory, running

flawfinder .

results in a lot of output about potential security problems.

Next I fired up rats[3], which checks for similar problems that
flawfinder covers as well. It returned similar results, too, though
ordered by potentially vulnerable C function, which would make it easier
to fix all the issues at once.

To run rats, in the classpath source directory run

rats .

Finally, I ran splint[4]. Split is a static C checker. It produces
massive loads of output, and has some trouble parsing gcc-specific code,
which is why it breaks trying to analyze headers included from gtk,
java-net, etc. It also has trouble with C++ code, so I left the qt peers
out. I've ended up invoking it like this:

find native/jni/classpath/ native/jni/java-io/ native/jni/java-nio/
native/jni/java-util/ native/jni/xmlj/ -name "*.[ch]" | xargs splint
+posixlib -fileextensions -badflag  -I include/
-I ../build-classpath/include/ -I native/jni/classpath/ -I
native/fdlibm/ -I /usr/include/gtk-2.0/ -I /usr/include/pango-1.0/
-I /usr/include/glib-2.0/ -I /usr/include/cairo/ -I native/jni/gtk-peer/
-I /usr/include/freetype2/ -I native/target/Linux/ -I
native/target/generic/ -D__i386__ -I /usr/include/libxml2/
-I /usr/include/ -weak

I'd say that pscan is fun to use to find format issues, flawfinder &
rats are both nice for finding places to audit, and splint is gcc
-WAnalyzeDeeply.

All the tools are pretty fast, and can analyze the code in less than a
minute. A quick scan of the results shows that splint detects some type
mismatch issues, and cases where we ignore the return values of
functions. Some of those are a little odd, for example it is not clear
to me what to do if JNI function call ThrowNew fails. rats and
flawfinder mostly ruffle their noses over the use *printf class of
functions without approriate protection, string manipulation functions,
and similar potential issues.

I'll be back at fixing the normal gcc warnings on Kaffe's code base, but
if someone wants to go ahead from here with a full scale security audit
of the C code, I hope this e-mail helps them get started.

cheers,
dalibor topic

[1] http://www.striker.ottawa.on.ca/~aland/pscan/
[2] http://www.dwheeler.com/flawfinder/
[3] http://www.securesw.com/rats
[4] http://splint.org