Finding Security Bugs in C++ Programs

Finding Security Bugs in C++ Programs


Recently, I was reading some stuff on static code analysis. I thought about doing a post on some good static analysis tool/script and started finding some. After some struggle, I found a tool that works great. Since most of the large programs are written in C++, I thought I should go for C++ too. Below is a little experiment and usage of the tool to show how it can be used to find flaws in C++ programs.

This can be of great help for C++ programmers who don’t pay much heed to the security of their programs. I found this tool to be amazing because of how comprehensively it found security bugs in my programs.

Also, many organizations write a lot of C++ code but don’t test it well. This can be the first step in the testing process where you just give the script your codes and get back as many vulnerabilities as the tool can find.

Finding Security Bugs in C++ Programs

Static Code Analysis for C++ programs using FlawFinder

Installation:

First of all, download FlawFinder from its homepage.

Its a python tool and I really wanted to work with something related to python.

The steps for installation are given on the page. Just install it and run it. Lets see how it performs.

Usage and Results:

So, I wrote a little vulnerable C++ script to see what comes out of flaw finder. Here’s the script.

Since we are taking input into a string and then doing strcpy, the tool should mark it as a sensitive vulnerability. Lets look at the results after typing “flawfinder test.cpp”.

That’s great, right? Not only does it tell us about the flaws in our program, it also gives us a little description and info on how to mitigate the vulnerability. I tested it with some lengthy scripts and the results were pretty amazing.

That’s it folks.

PS: This tool is not mine and I had no part in developing it. I just found it to be quite good.

Let me know what do you think.

Categories

+ There are no comments

Add yours