Research on Source Code Review -C
From: dwar keeper <dwarkeeper(at)hotmail.com>
Date: Sat Jun 07 2003 - 11:43:55 EDT
In-Reply-To: <KFEMINDBKGBEMHACCJHCOEJKCNAA.brett@softwarecreations.co.nz>

Hi,

I am looking to develop source code review guidelines for code written in C/C++. I have found a few documents on the net but nothing that could really be followed along to do a source code review. I also wanted to know what people in the field are actually doing, and whether they could provide first-hand experience as to what they look for and how.

Some of the software we write is also used on different flavours of UNIX, so how would that impact a finding such as a heap overflow (simply put, would it even be a finding if the software is run on Solaris, as opposed to Linux where dlmalloc is used and it actually is a heap overflow, etc.)?

I want to try and build an exhaustive list of functions and a detailed document of all the functions and steps to look at while performing a source code review. I have started with a list of functions for the stack already; they have been compiled by looking at most of the pre-existing tools (Flawfinder/RATS etc.), and I am also trying to classify all the different types of flaws that could occur. I am sure there are a lot of people on this list who have a lot more information; I just want to try to collate it all and in the end shall try to post it to the list too, so everyone can gain from this if possible.

Thanks in advance for all your help.

/DK

I have some examples here as to what flaws to look for; please add more and give some description or provide a link, thanks.
A) Stack

Ways to stop stack overflows are either to use other functions which validate the input or to disable stack execution (however, if return-into-libc is used, this attack will still succeed with stack execution disabled, so always use validated functions or compile with safe versions of gcc).
B) Heap
Functions that cause such problems are -
Possible solutions: using canary values between variables; what else could be possible solutions? What are the possible functions for this?
C) Format string
D) Off by one

E) Race condition

F) Deadlock

G) Implementations of malloc and other such tools (I found dlmalloc on Phrack, but other implementations on OSs like AIX / Sun, any pointers??)

Additional vectors
Thanks again for all the help.

Received on Tue Jun 10 22:12:33 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:40 EDT
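As an added example (not part of the original post, and not code from Flawfinder, RATS or any other tool it mentions), here are three of the flaw classes listed above (A stack overflow, C format string, D off by one) in C, each as the pattern a reviewer greps for next to the form that would pass review. The buffer size NAME_MAX and the function names greet_*, log_* and copy_* are made up for illustration; only the *_safe variants are meant to be called.

```c
/* Added example, not from the original post: reviewable flaw patterns beside
 * their fixes. NAME_MAX and all function names are invented for illustration. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* assumed fixed buffer size */

/* A) Stack overflow: unbounded strcpy into a fixed-size automatic buffer.
 * Any name of NAME_MAX or more bytes runs past buf into the saved frame. */
int greet_unsafe(const char *name)
{
    char buf[NAME_MAX];
    strcpy(buf, name);                 /* reviewer flag: no bound on the copy */
    return (int)strlen(buf);
}

/* Fixed: check the length against the buffer first, then copy exactly that
 * many bytes plus the NUL. Returns -1 on oversized input rather than silently
 * truncating, so the caller has to handle the case. */
int greet_safe(const char *name)
{
    char buf[NAME_MAX];
    size_t n = strlen(name);
    if (n >= sizeof buf)
        return -1;
    memcpy(buf, name, n + 1);          /* n + 1 <= sizeof buf */
    return (int)n;
}

/* C) Format string: attacker-controlled text used as the format argument.
 * "%x%x%x" leaks stack contents and "%n" writes to memory. gcc/clang flag
 * this with -Wformat-security (an error by default on some distributions),
 * which is why the warning has to be silenced just to show the pattern. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int log_unsafe(char *out, size_t outsz, const char *user)
{
    return snprintf(out, outsz, user); /* reviewer flag: non-literal format */
}
#pragma GCC diagnostic pop

/* Fixed: a constant format string; the user text is only ever an argument.
 * Returns the length snprintf would have written. */
int log_safe(char *out, size_t outsz, const char *user)
{
    return snprintf(out, outsz, "%s", user);
}

/* D) Off by one: '<=' copies n + 1 bytes into an n-byte destination, and the
 * terminator is then written one past the end as well. */
void copy_unsafe(char *dst, const char *src, size_t n)
{
    size_t i;
    for (i = 0; i <= n; i++)           /* reviewer flag: <= against the size */
        dst[i] = src[i];
    dst[n] = '\0';                     /* dst[n] is out of bounds */
}

/* Fixed: reserve the last byte for the terminator and copy at most
 * dstsz - 1 bytes. Returns the number of bytes copied, not counting the NUL. */
size_t copy_safe(char *dst, size_t dstsz, const char *src)
{
    size_t i;
    if (dstsz == 0)
        return 0;
    for (i = 0; i + 1 < dstsz && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return i;
}

int main(void)
{
    char out[32];
    printf("greet_safe(\"alice\") = %d\n", greet_safe("alice"));
    printf("greet_safe(16 x 'A') = %d\n", greet_safe("AAAAAAAAAAAAAAAA"));
    log_safe(out, sizeof out, "%x%x%n");
    printf("log_safe kept the text literal: %s\n", out);
    printf("copy_safe into 8 bytes copied %zu bytes: %s\n",
           copy_safe(out, 8, "0123456789"), out);
    return 0;
}
```

The review point is the same in all three pairs: the safe form is the one where the bound or the format is visible at the call site, which is exactly what a function-by-function checklist built from Flawfinder/RATS style tables can check mechanically. Non-executable stacks and canaries are runtime mitigations on top of that, and as the post notes they do not remove the underlying bug.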