SoftwareSecurity2014/Group 10/Code Scanning Reflection
Fortify Source Code Analyzer
Capabilities
Fortify is a very thorough code analyzer. After a code check, it returns a great deal of potential errors, several of which are relevant to our security requirements. In combination with the Audit Workbench the Fortify SCA truly excels. The Audit Workbench enables the user to view each error grouped by importance (Critical, High, Medium, Low), and it enables sorting by multiple groupings, such as category, file, source, or even the OWASP top 10. The GUI enables you to quickly jump to the file and location of the error, and even track such errors through multiple files, making it easier to find the location of the error even in large projects. In addition, the sorting makes it easier to focus on solving errors of the same type.
Available analyzers
HP Fortify SCA has 6 analyzers: data flow, control flow, semantic, structural, configuration, and buffer. Each analyzer finds different types of vulnerabilities.
Data flow
This type of analyzer detects potential vulnerabilities that involve tainted data (user-controlled input) put to potentially dangerous use. The data flow analyzer uses global, inter-procedural taint propagation analysis to detect the flow of data between a source (site of user input) and a sink (dangerous function call or operation).
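To make the source-to-sink idea concrete, here is an added toy taint analysis (example code written for this page, not Fortify's implementation and not code from our project). It works on a constructed program in a tiny statement language modelled on a PHP script: user input enters at a "source", propagates through assignments, string concatenation and calls into helper functions (with per-function summaries, so the analysis is inter-procedural), is removed by a "sanitize" step, and is reported when it reaches a "sink". All statement kinds, function names and variables are assumptions made up for the example.

```python
"""Toy inter-procedural taint analysis: follows user-controlled input from a
source to a dangerous sink through assignments, concatenation and calls."""
from typing import Dict, List, Optional, Tuple

Stmt = Tuple                                        # (kind, ...) see below
Program = Dict[str, Tuple[List[str], List[Stmt]]]   # fn -> (params, body)
Origin = Tuple[str, str]                            # ("input", "fn:i") or ("param", name)

# Constructed program (not real project code). Statement kinds:
#   ("source", v)            v = user input, e.g. $_GET['name']
#   ("assign", d, s)         d = s
#   ("concat", d, a, b)      d = a . b
#   ("sanitize", d, s)       d = escape(s), so d is clean
#   ("call", d, fn, [args])  d = fn(args)
#   ("return", v)
#   ("sink", name, v)        dangerous use of v, e.g. mysql_query(v)
# Operands starting with a quote are string literals and are never tainted.
PROGRAM: Program = {
    "main": ([], [
        ("source", "name"),                          # main:0  $name = $_GET['name']
        ("call", "greeting", "wrap", ["name"]),      # main:1
        ("sink", "echo", "greeting"),                # main:2  XSS sink, tainted
        ("sanitize", "safe_name", "name"),           # main:3  htmlspecialchars()
        ("sink", "echo", "safe_name"),               # main:4  clean
        ("call", "sql", "build_query", ["name"]),    # main:5
        ("sink", "mysql_query", "sql"),              # main:6  SQL injection sink, tainted
        ("assign", "const", "'SELECT 1'"),           # main:7
        ("sink", "mysql_query", "const"),            # main:8  literal only, clean
    ]),
    "wrap": (["s"], [("concat", "out", "'<b>'", "s"), ("return", "out")]),
    "build_query": (["id"], [
        ("concat", "q", "'SELECT * FROM t WHERE id='", "id"), ("return", "q")]),
}


def _origin_of(taint: Dict[str, Origin], operands) -> Optional[Origin]:
    """Taint origin of the first tainted operand, or None if all are clean."""
    for op in operands:
        if op in taint:
            return taint[op]
    return None


def _resolve(origin: Origin, taint: Dict[str, Origin], arg_of: Dict[str, str]) -> Origin:
    """Map a callee's 'parameter p is tainted' origin back to the caller's argument."""
    return taint[arg_of[origin[1]]] if origin[0] == "param" else origin


def analyze(program: Program, fn: str = "main",
            tainted_params=frozenset(), _memo=None):
    """Return (findings, return_origin) for `fn` given which of its parameters
    carry taint. findings are (origin, sink_name, location) tuples; the result
    is memoised per (function, tainted parameter set) as a call summary."""
    if _memo is None:
        _memo = {}
    key = (fn, tainted_params)
    if key in _memo:
        return _memo[key]
    params, body = program[fn]
    taint: Dict[str, Origin] = {p: ("param", p) for p in params if p in tainted_params}
    findings: List[Tuple[Origin, str, str]] = []
    ret_origin: Optional[Origin] = None
    for i, st in enumerate(body):
        kind = st[0]
        if kind == "source":
            taint[st[1]] = ("input", f"{fn}:{i}")
        elif kind in ("assign", "concat"):
            origin = _origin_of(taint, st[2:])
            if origin is None:
                taint.pop(st[1], None)               # overwritten with clean data
            else:
                taint[st[1]] = origin
        elif kind == "sanitize":
            taint.pop(st[1], None)
        elif kind == "call":
            dst, callee, args = st[1], st[2], st[3]
            arg_of = dict(zip(program[callee][0], args))
            t_params = frozenset(p for p, a in arg_of.items() if a in taint)
            sub_findings, sub_ret = analyze(program, callee, t_params, _memo)
            findings.extend((_resolve(o, taint, arg_of), s, loc)
                            for o, s, loc in sub_findings)
            if sub_ret is None:
                taint.pop(dst, None)
            else:
                taint[dst] = _resolve(sub_ret, taint, arg_of)
        elif kind == "return":
            ret_origin = taint.get(st[1])
        elif kind == "sink" and st[2] in taint:
            findings.append((taint[st[2]], st[1], f"{fn}:{i}"))
    _memo[key] = (findings, ret_origin)
    return _memo[key]


def report(program: Program) -> List[str]:
    """Human-readable lines, one per tainted sink."""
    findings, _ = analyze(program)
    return [f"{sink} at {loc} receives user input entered at {origin[1]}"
            for origin, sink, loc in findings]


if __name__ == "__main__":
    for line in report(PROGRAM):
        print(line)
```

Running it reports two flows, both starting at main:0: one into the `echo` sink at main:2 (via the `wrap` helper) and one into the `mysql_query` sink at main:6 (via `build_query`); the sanitized copy and the literal query are not reported. This is the same source/sink pairing the Audit Workbench shows as a trace through multiple files, here reduced to its essentials.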
Control flow
This analyzer detects potentially dangerous sequences of operations. By analyzing the control flow paths in a program, the control flow analyzer determines whether a set of operations is executed in a specific order. For example, the control flow analyzer detects time of check/time of use issues and uninitialized variables, and checks whether utilities, such as XML readers, are configured properly before being used.
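The following added example (written for this page; it is not Fortify's analyzer and not code from our project) shows the kind of ordering check a control flow analyzer performs. It walks every acyclic path through a small constructed control flow graph and flags two of the patterns mentioned above: an object used on some path without having been configured first, and a check on a resource followed by a use of the same resource (the time of check/time of use window). The block names, actions and resource names are assumptions made up for the example.

```python
"""Toy control-flow analysis: enumerates all paths through a small CFG and
flags 'used before configured' and 'check-then-use (TOCTOU)' sequences."""
from typing import Dict, List, Set, Tuple

Stmt = Tuple[str, str]                              # (action, resource)
CFG = Dict[str, Tuple[List[Stmt], List[str]]]       # block -> (statements, successors)

# Constructed CFG modelled on a PHP upload handler (not real project code):
#   entry: create an XML reader and check a file path
#   then:  configure the reader (e.g. disable external entities)
#   else:  nothing
#   join:  parse with the reader, then open the checked path
CFG_EXAMPLE: CFG = {
    "entry": ([("new", "reader"), ("check", "upload_path")], ["then", "else"]),
    "then":  ([("configure", "reader")], ["join"]),
    "else":  ([], ["join"]),
    "join":  ([("use", "reader"), ("open", "upload_path")], []),
}


def paths(cfg: CFG, block: str = "entry", seen: Tuple[str, ...] = ()) -> List[Tuple[str, ...]]:
    """All acyclic paths from `block` to a block with no successors."""
    seen = seen + (block,)
    if not cfg[block][1]:
        return [seen]
    out: List[Tuple[str, ...]] = []
    for succ in cfg[block][1]:
        if succ not in seen:                         # skip back edges
            out.extend(paths(cfg, succ, seen))
    return out


def find_issues(cfg: CFG) -> List[Tuple[str, str, str]]:
    """Return sorted (rule, resource, block) issues found on any path.
    'used-before-configured' fires when a 'use' is not preceded by a
    'configure' of the same resource on that path; 'check-then-use (TOCTOU)'
    fires when an 'open' is preceded by a 'check' of the same resource."""
    issues: Set[Tuple[str, str, str]] = set()
    for path in paths(cfg):
        configured: Set[str] = set()
        checked: Set[str] = set()
        for block in path:
            for action, res in cfg[block][0]:
                if action == "configure":
                    configured.add(res)
                elif action == "check":
                    checked.add(res)
                elif action == "use" and res not in configured:
                    issues.add(("used-before-configured", res, block))
                elif action == "open" and res in checked:
                    issues.add(("check-then-use (TOCTOU)", res, block))
    return sorted(issues)


if __name__ == "__main__":
    for rule, res, block in find_issues(CFG_EXAMPLE):
        print(f"{rule}: {res} in block {block}")
```

On the constructed graph the path through `else` reaches `join` with the reader unconfigured, so the reader use is flagged, and both paths carry the check on `upload_path` forward to the open, so that is flagged as a TOCTOU sequence. The per-path bookkeeping is what distinguishes this from a data flow check: the problem is not what the values contain but the order in which operations happen.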
Buffer
This analyzer detects buffer overflow vulnerabilities that involve writing or reading more data than a buffer can hold. This is, however, not much of an issue in a memory-safe language such as PHP.
Limitations
Firstly, Fortify takes a while to analyze code, making it costly to check projects on the go. Secondly, there are still multiple false positives to be found, which may be annoying to solve. Undoubtedly, there will be false negatives as well. Lastly, Fortify requires a lot of memory in order to go over each file and find each error. Thus, it might not be suitable for machines with low specs.
Verdict
Fortify is a strong tool capable of finding many potential errors, and the GUI makes it easier to effectively track down these errors. Therefore, it provides a good user experience and is useful in finding gaps in security.
RATS
Capabilities
RATS is very versatile due to the number of languages that it is able to scan for vulnerabilities. (Erik: This might have its drawbacks, because it's not clear to me that RATS is really good at many of these languages; it seems to have a bit of a C/Linux bias) It also has a nice suite of features, which includes:
- Ability to add XML reporting features using the expat XML parsing library.
- Time-of-check, time-of-use race conditions: these occur when a resource changes between the time it is checked and the time it is used, invalidating the result of the check.
- Access control: the attacker can gain access to otherwise unauthorized resources.
- Authorization: race conditions such as these may be employed to gain read or write access to resources which are not normally readable or writable by the user in question.
In addition, RATS is a lot faster than Fortify. Its main use appears to be a quick check for certain common vulnerabilities.
Limitations
As RATS is not as thorough, it seems to find relatively few errors. Most errors it finds are of specific types, such as TOCTOU (Time Of Check, Time Of Use) vulnerabilities or unchecked input vulnerabilities, which are plentiful. A few other vulnerabilities are also found and reported. While these errors might be useful, RATS seems to find relatively few errors relevant for our security requirements.
Verdict
While RATS is quick to use, it does not find a lot of vulnerabilities. In addition, its feedback is sparse, but enough to locate the error in the code.