Source code auditing with RATS
Software vulnerabilities are the basis of computer security. There are many tools available for source code review, and one of them is RATS.
RATS (Rough Auditing Tool for Security) was developed by Secure Software, Inc. It is a tool for scanning C, Perl, PHP, and Python source code and flagging common security-related programming errors such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions. As its name implies, the tool performs only a rough analysis of source code. It will not find every error and will also flag things that are not errors. Manual inspection of your code is still necessary, but it is greatly aided by this tool.
A run of RATS on a C-based exploit shows some useful results.
neewt@foursome:~/misc/$ rats HOD-ms05039-pnp-expl.c
Entries in perl database: 33
Entries in python database: 62
Entries in c database: 336
Entries in php database: 55
Analyzing HOD-ms05039-pnp-expl.c
HOD-ms05039-pnp-expl.c:270: High: fixed size local buffer
HOD-ms05039-pnp-expl.c:271: High: fixed size local buffer
HOD-ms05039-pnp-expl.c:273: High: fixed size local buffer
Extra care should be taken to ensure that character arrays that are allocated
on the stack are used safely. They are prime targets for buffer overflow
attacks.
HOD-ms05039-pnp-expl.c:290: High: gethostbyname
DNS results can easily be forged by an attacker (or arbitrarily set to large values, etc), and should not be trusted.
HOD-ms05039-pnp-expl.c:352: High: sprintf
Check to be sure that the format string passed as argument 2 to this function
call does not come from an untrusted source that could have added formatting
characters that the code is not prepared to handle. Additionally, the format
string could contain `%s' without precision that could result in a buffer
overflow.
Total lines analyzed: 437
Total time 0.001988 seconds
219818 lines per second
neewt@foursome:~/misc$
RATS reported two vulnerabilities in this 436-character-long source code, both classified HIGH. The second instance reports the use of the known dangerous function sprintf, which is often susceptible to buffer overflow. sprintf is one of the "known vulnerable" functions of C.
More interesting is the first report, about opening a socket and the use of gethostbyname. This is not actually a vulnerability in the code itself, but in the way that host names are resolved to IP addresses: the resolver's answer can be forged and should not be trusted. It is nevertheless very useful, as a software developer may be less familiar with network-level weaknesses than with software vulnerabilities such as buffer overflows.
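As an added illustration (not code from the original post or from the RATS project), the two findings discussed above in their hardened form: a bounded snprintf in place of sprintf into a fixed-size stack buffer, and a size check on a gethostbyname answer before it is copied. The request format, the host name, the 192.0.2.1 address and all function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <netdb.h>

/* Hardened form of what RATS flags as "High: fixed size local buffer" and
 * "High: sprintf": snprintf gets the buffer size and its return value is
 * checked, so an oversized host name yields -1 instead of an overflow. */
int build_request(char *out, size_t outlen, const char *host, int port)
{
    int n = snprintf(out, outlen, "CONNECT %s:%d HTTP/1.0\r\n\r\n", host, port);
    if (n < 0 || (size_t)n >= outlen) {   /* n >= outlen: output did not fit */
        if (outlen > 0) out[0] = '\0';
        return -1;
    }
    return n;                             /* request length on success */
}

/* Builds the request for a constructed host name into a caller-sized slot of
 * a 64-byte stack buffer, so the bound check can be exercised directly. */
int check_request(size_t outlen)
{
    char buf[64];
    if (outlen > sizeof buf) outlen = sizeof buf;
    return build_request(buf, outlen, "example.test", 445);
}

/* The gethostbyname warning: treat the resolver's answer as untrusted input.
 * Check that the address list is non-empty and that h_length fits the
 * destination before copying, instead of assuming a 4-byte IPv4 address. */
int copy_first_addr(const struct hostent *he, unsigned char *dst, size_t dstlen)
{
    if (he == NULL || he->h_addr_list == NULL || he->h_addr_list[0] == NULL)
        return -1;
    if (he->h_length <= 0 || (size_t)he->h_length > dstlen)
        return -1;                        /* unexpected address size */
    memcpy(dst, he->h_addr_list[0], (size_t)he->h_length);
    return he->h_length;                  /* bytes copied */
}

/* Constructed resolver answer (no network): a hostent for 192.0.2.1 claiming
 * the given h_length, checked against a 4-byte IPv4 destination. */
int check_constructed_answer(int claimed_length)
{
    unsigned char addr[16] = {192, 0, 2, 1};
    char *list[2] = {(char *)addr, NULL};
    struct hostent he = { .h_length = claimed_length, .h_addr_list = list };
    unsigned char dst[4];
    return copy_first_addr(&he, dst, sizeof dst);
}
```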
