Code Audits 101

Introduction to Source Code Auditing by Brandon Edwards, Senior Security Researcher at McAfee.

Homework

The homework for this week is to find 3 bugs in htpasswd.c (assume it is running on Linux and is compiled with gcc).

  • Identify the affected line(s) of code
  • Briefly explain the bug class
  • Trace user-controllable input to the vulnerable code
  • Identify what effect the bug would have on a running application

Background: htpasswd.c is used to update flat files that store usernames. When you provide the htpasswd application with the correct username/password to authenticate to it, you are allowed to add usernames to a given flat-file user list. Users in that user list are then allowed to access whatever service the passwd file applies to.

The following resources may help you. Fortify keeps a document online called "The Fortify Taxonomy of Software Security Flaws" that explains a large number of bug classes with example code and technical write-ups. Also, man pages are your friends.

Reading Material

Code Audits 102

This is a continuation of Code Audits 101 with Brandon Edwards.

  • Slides (not posted yet)

Homework

The homework this week is to find and describe three flaws in a sample application. Assume the application runs on Linux and is compiled with gcc.

  • Identify the affected line(s) of code
  • Briefly explain the bug class
  • Trace user-controllable input to the vulnerable code
  • Identify what effect the bug would have on a running application
  • Calculate a CVSS score for each bug

This network service simulates a text-based terminal application. The general purpose of the application is to act as a "news server," or text file service. There are two types of user: regular and administrator. Administrators can add users and execute back-end system commands. Users can view and contribute articles (i.e., text files).

Reading Material