How to Use FlawFinder-python Tool to Find Vulnerabilities in C/C++ Code?
Last Updated :
07 Mar, 2022
FlawFinder is a Python-based static analysis tool that scans C/C++ source code for function calls and constructs known to be risky (unbounded string copies, fixed-size buffers, format-string misuse and similar) and reports each one as a "hit", sorted by risk level. It works by lexical pattern matching against a built-in database of risky functions: the code is neither compiled nor executed, so the output is a list of possible flaws that still has to be reviewed by hand.
Installation
There is a pre-packaged version of this tool for Unix-like systems such as Debian, Fedora and Ubuntu. On Ubuntu or Debian it can be installed with
sudo apt-get install flawfinder
On any operating system with Python 3, including Windows, the tool can be installed from PyPI with pip:
pip install flawfinder
The rest of this article uses the Anaconda Prompt on Windows; any Python 3 environment in which pip is available works the same way.
Anaconda Installation:
For installing Anaconda refer to the following steps-
Step 1: Download Anaconda from https://www.anaconda.com/products/individual#windows
Step 2: Once the download is complete, launch the installer.
Step 3: Click Next.
Step 4: Read the licensing terms and click “I Agree”.
Step 5: Select an install for “Just Me” and click Next.
Step 6: Select a destination folder for Anaconda and click Next.
Step 7: Under Advanced Installation Options, select the Register option and click Install.
Step 8: The installer offers to install PyCharm; this is optional but recommended.
Step 9: After the installation is completed, click the Finish button.
Implementation: Write a basic C program that copies a string into another buffer and save it in a text file.
// C program to demonstrate
// Flawfinder
#include <stdio.h>
#include <string.h>

// Driver code
int main()
{
    char temp[100];
    char str[] = "hello";

    // Unbounded copy: this is the call Flawfinder flags
    strcpy(temp, str);
    printf("%s", temp);
    return 0;
}
Running the tool:
Step 1: Save the code with a .c extension. Any directory works; Flawfinder is run from the command line and the file does not need to sit in the tool's own install folder.
Step 2: Open Anaconda Prompt from the Start menu.
Step 3: Once the window opens, change to the directory where the code file is saved. Here the path is flawfinder\Test.
Step 4: Run this command (a directory name can be given instead of a file, in which case Flawfinder scans every C/C++ source file under it recursively):
flawfinder your_program_name.c
The tool reports two hits, i.e. potential risks. Each hit shows the file and line it occurs on, a risk level from 0 (lowest) to 5 (highest), the CWE identifier the construct maps to and a short explanation.
- The first is the strcpy call, which does not check for buffer overflows when copying to the destination. In this program the source is the fixed string "hello", which fits comfortably in temp, so this particular call cannot overflow; the tool flags the construct, not the instance. Flawfinder suggests alternatives such as snprintf, strcpy_s or strlcpy, and warns that strncpy is easily misused because it does not guarantee NUL termination.
- The second is the declaration of the char array temp. Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues. This is a lower-level hit and not a vulnerability on its own: it is a reminder to bounds-check every write into the array, to use functions that limit the copied length, or to make the array larger than the maximum possible input length.
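As an added example (not code from the original article or from the Flawfinder project), here is the strcpy pattern above placed beside a bounded replacement built on snprintf, one of the alternatives the tool suggests. The function names, the TEMP_SIZE constant and the 150-byte input are this example's own, constructed for the demonstration:

```c
/* Added example, not part of the original article: the unbounded strcpy
 * pattern Flawfinder flags, next to a bounded copy built on snprintf.
 * Names (copy_unbounded, copy_bounded, TEMP_SIZE) are this example's own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TEMP_SIZE 100

/* Pattern from the article: the destination size is never consulted, so a
 * source longer than TEMP_SIZE - 1 bytes writes past 'temp'. Kept only for
 * comparison; never call it on attacker-controlled input. */
static size_t copy_unbounded(char temp[TEMP_SIZE], const char *src)
{
    strcpy(temp, src);            /* the call Flawfinder reports */
    return strlen(temp);
}

/* Hardened form: snprintf writes at most dest_size - 1 bytes and always
 * NUL-terminates. Its return value is the length the full copy would have
 * had, so a result >= dest_size means the input was truncated. Returns true
 * only for a complete copy; callers treat false as an error instead of
 * silently using a clipped value. */
static bool copy_bounded(char *dest, size_t dest_size, const char *src)
{
    if (dest == NULL || src == NULL || dest_size == 0)
        return false;
    int written = snprintf(dest, dest_size, "%s", src);
    if (written < 0) {            /* output/encoding error */
        dest[0] = '\0';
        return false;
    }
    return (size_t)written < dest_size;
}

/* Demonstration: a short input fits; a constructed 149-byte input (longer
 * than TEMP_SIZE) is truncated and reported. The unbounded copy is not
 * called on the long input because it would overflow 'temp'. */
int main(void)
{
    char temp[TEMP_SIZE];
    char longinput[150];
    memset(longinput, 'A', sizeof(longinput) - 1);
    longinput[sizeof(longinput) - 1] = '\0';

    printf("short input, unbounded copy: %zu bytes\n",
           copy_unbounded(temp, "hello"));
    printf("short input, bounded copy: %s\n",
           copy_bounded(temp, sizeof temp, "hello") ? "ok" : "truncated");
    printf("long input, bounded copy: %s (kept %zu bytes, still terminated)\n",
           copy_bounded(temp, sizeof temp, longinput) ? "ok" : "truncated",
           strlen(temp));
    return 0;
}
```

Compile and run it, then scan the file with Flawfinder again: the strcpy hit stays on copy_unbounded and copy_bounded produces none. Expect lower-level hits to remain on other calls in the file and on the char arrays themselves, because the tool matches on function names and declarations, not on whether a size is actually checked; each one has to be reviewed by hand, and a hit that has been reviewed and judged safe can be suppressed with a /* Flawfinder: ignore */ comment on that line.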
Pros of Flawfinder Tool:
- Determines level of risk: Flawfinder lists potential security vulnerabilities sorted by risk level (0 to 5). The function called and the parameters passed to it determine the level; for example, a call whose arguments are constant strings is rated lower than one whose arguments are variables, and in some cases Flawfinder can determine that the construct is not risky at all, which reduces false positives.
- Provides an analysis summary: the output ends with a summary giving the number of hits, the lines of code analysed and the number of hits at each risk level.
- Code is not compiled: the source is never compiled, so the hit list is produced almost immediately, even for code that does not build or whose headers and dependencies are missing.
Cons of FlawFinder Tool-
- Does not find all vulnerabilities: not every hit is a real vulnerability, and not every vulnerability produces a hit. For instance, in a simple program that divides a number by zero one would expect the tool to report a hit, but none is produced, because Flawfinder matches on the names of known-risky functions and constructs and cannot follow the logic or data flow of the program.
- Cannot detect malicious code: Flawfinder looks for specific patterns known to be common mistakes in application code. It is therefore far less effective against code written to be deliberately harmful, which need not use any of the patterns it knows.