Code Audits 101
Lecture
Homework
Find and describe three flaws in a sample application (sample usage). Assume the application runs on Linux and is compiled with gcc.
- Identify the affected line(s) of code
- Briefly explain the bug class
- Trace user-controllable input to the vulnerable code
- Identify what effect the bug would have on a running application
- Calculate a CVSS score for the bug
This network service simulates a text-based terminal application. The general purpose of the application is to act as a "news server" or text file service. There are two types of users: regular and administrator. Administrators can add users and execute back-end system commands. Users can view and contribute articles (aka text files).
Required Reading
- Integer Overflows from Wikipedia and Catching Integer Overflows by Felix von Leitner
- TAOSSA Chapter 6: C Language Issues
- The Fortify Taxonomy of Software Security Flaws (useful reference for the homework)
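As an added illustration of the integer-overflow bug class named in the reading (example code written for this page, not taken from the homework's sample application), the first function sizes a buffer the way an unaudited C service might, and the second shows the check an auditor would expect to find. The article-buffer routine and the 1 GiB cap are constructed stand-ins; compile with gcc on Linux as the homework assumes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed scenario: a "news server" sizes a buffer for `count`
 * articles of `len` bytes each plus a NUL terminator per article.
 * Both values arrive from the client, so the arithmetic is
 * user-controllable input (the trace the homework asks for). */

/* Vulnerable: the 32-bit product wraps modulo 2^32, so a large request
 * yields a small allocation that later copies would overrun
 * (integer overflow leading to a heap out-of-bounds write). */
size_t article_buf_size_unchecked(uint32_t count, uint32_t len)
{
    uint32_t total = count * (len + 1);   /* wraps silently */
    return total;
}

/* Hardened: compute in size_t, detect overflow with gcc's
 * __builtin_*_overflow, and refuse anything above a policy cap.
 * Returns 0 to mean "reject the request". */
size_t article_buf_size_checked(uint32_t count, uint32_t len)
{
    size_t per_article, total;
    if (__builtin_add_overflow((size_t)len, (size_t)1, &per_article))
        return 0;
    if (__builtin_mul_overflow((size_t)count, per_article, &total))
        return 0;
    if (total == 0 || total > ((size_t)1 << 30))   /* cap: 1 GiB (constructed) */
        return 0;
    return total;
}

int main(void)
{
    /* Client-supplied values chosen so count*(len+1) = 0x1_0001_0000,
     * which wraps to 0x10000 (64 KiB) in 32-bit arithmetic. */
    uint32_t count = 0x10000u, len = 0x10000u;
    printf("unchecked: %zu bytes\n", article_buf_size_unchecked(count, len));
    printf("checked:   %zu bytes (0 = refused)\n",
           article_buf_size_checked(count, len));
    return 0;
}
```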