SoftwareSecurity2014/Group 11/Code Scanning Reflection

Uit Werkplaats
< SoftwareSecurity2014‎ | Group 11
Versie door Erik Poll (overleg | bijdragen) op 10 jun 2014 om 14:49 (RATS)
(wijz) ← Oudere versie | Huidige versie (wijz) | Nieuwere versie → (wijz)
Ga naar: navigatie, zoeken

Reflection on scanners

Fortify

Its a very big and thorough scanner and gives quite intelligent messages back. Wordpress is written in old school PHP. The code is messy and not using a lot of OO. While this makes it harder to read for humans it does make it easier for analysers to figure out what goes where etc. So we think Fortify was able to give us good output regarding Wordpress. We do not know if Fortify also works well with a highly OO with loads of magic written PHP projects. Frameworks that uses a lot of dynamic system to pass on data etc (Erik: This sentence is a bit mysterious - what do you mean. ) . We think Fortify really will have troubles picking up the data flows. (Erik: but earlier you say that you think that Fortify was able to give good output. So your verdict about Fortify is a bit unclear to me.

RATS

RATS which obviously is far far far weaker (just look at the size (300kb)) it produces some very simple straight forward output. It is database driven (Erik:Not sure that that is the best - or meaningful - way of saying it. I had no clue what you meant till I read the next sentences. ). In other words, there exists a file rats-php.xml which contain entries like:

<Vulnerability>
  <Name>mail</Name>
  <Info>
    <Severity>High</Severity>
    <Description>
      Arguments 1, 2, 4 and 5 of this function may be passed to an external 
      program. (Usually sendmail). Under Windows, they will be passed to a
      remote email server. If these values are derived from user input, make
      sure they are properly formatted and contain no unexpected characters or
      extra data.
    </Description>
  </Info>
</Vulnerability>
<Vulnerability>
  <Name>is_dir</Name>
  <RaceCheck>1</RaceCheck>
</Vulnerability>

So RATS just scans through the source and finds all function names matching a vulnerability name (function name) and lists this as an issue. This makes RATS just a glorified find tool and does not add a lot to security audit.

Conclusion

So we think Fortify did a great job on scanning Wordpress and giving us a lot of pointers where to look and where there are potential issues. RATS on the other hand is just nothing more then a find tool. So it does not add a lot. The only thing it adds is a list of dangerous functions. But this is common knowledge if you have experience writing PHP (as in the docs its always explicitly noted when functions are dangerous).