RATS Source Code Analyzer

    One of the methods for finding vulnerabilities in software is the use of source analyzers. In this post I want to talk about one of them, namely, RATS (Rough Auditing Tool for Security). Mention of RATS met more than once in respected sources, namely here , here and here . However, there was no real example of use anywhere.

    And so, RATS was created by Fortify, designed to find bugs in code written in C / C ++, Perl, Ruby, PHP and Python, and, importantly, is distributed free of charge. You should not expect special miracles from this utility, however, we will find a place to use "risky" functions.

    Installation

    Let's start by installing RATS, then an example for the Debian OS (wheezy), the RATS package can be taken here . Download the wget deb package ftp.us.debian.org/debian/pool/main/r/rats/rats_2.3-1_amd64.deb and install sudo dpkg –i / path / package.deb.
    Check if everything is installed correctly, for this in the console we type rats :
    $ rats
    Entries in perl database: 33
    Entries in ruby ​​database: 46
    Entries in python database: 62
    Entries in c database: 334
    Entries in php database: 55
    Total lines analyzed: 0
    Total time 0.000010 seconds
    0 lines per second

    Here we see how many typical error patterns are contained in the RATS database (version 2.3-1).

    Example 1

    Now let's try the RATS “in battle”. To do this, we write a code that obviously contains a classic buffer overflow error and save it to the vuln_code1.c file:

    #include 
    int main (int argc, char **argv)
    {
    	char buffer[10];
    	strcpy(buffer, argv[1]);
    }
    

    Now let's show this RATS file: $ rats vuln_code1.c

    Analyzing vuln_code1.c
    vuln_code1.c: 4: High: fixed size local buffer
    Extra care should be taken to ensure that character arrays that are allocated
    on the stack are used safely. They are prime targets for buffer overflow
    attacks.

    vuln_code1.c: 5: High: strcpy
    Check to be sure that argument 2 passed to this function call will not copy
    more data than can be handled, resulting in a buffer overflow.

    Total lines analyzed: 7
    Total time 0.000154 seconds
    45454 lines per second


    RATS tells us about two errors, with both of them assigning a high level of danger.
    The first is “ fixed size local buffer"- using a fixed buffer size in line 4 - char buffer [10].
    The second “ buffer overflow ” is the buffer overflow on line 5 — when using the strcpy () function . If you use gets () instead of the strcpy () function , the RATS message will look like this: vuln_code1.c: 5: High: gets Gets is unsafe !!! No bounds checking is performed, buffer is easily overflowable by user. Use fgets (buf, size, stdin) instead



    Example 2

    We’ll check how RATS reacts to code that contains format string vulnerabilities. To do this, we write defective code, the printf function receives an input string, according to which the function expects two arguments to be put on the stack before it is called if the program is started with the specifiers "% x % x "as a parameter, you can see the contents of 4 bytes of the stack.

    #include 
    int main(int argс, char* argv[ ])
    {
    if(argc > 1)
    printf(argv[1]);
    return 0;
    }
    

    RATS saw the error and reported:

    vuln_code3.c: 5: High: printf
    Check to be sure that the non-constant format string passed as argument 1 to
    this function call does not come from an untrusted source that could have added
    formatting characters that the code is not prepared to handle.


    Example 3

    In this example, we use code containing a buffer overflow error when interacting with environment variables:

    #include 
    int main(int argc, char *argv[ ])
    {
     char *env;
     char buf[100];
     env = getenv("PATH");
     if ( env == NULL ) { return 0; }
     sprintf(buf, "%s", env);
     return 0;
    }
    

    Here the RATS found 3 errors:

    vuln_code4.c: 5: High: fixed size local buffer
    Extra care should be taken to ensure that character arrays that are allocated
    on the stack are used safely. They are prime targets for buffer overflow
    attacks.

    vuln_code4.c: 6: High: getenv
    Environment variables are highly untrustable input. They may be of any length,
    and contain any data. Do not make any assumptions regarding content or length.
    If at all possible avoid using them, and if it is necessary, sanitize them and truncate
    them to a reasonable length.

    Since environment variables can be of any length, we should carefully check how long the buffer we allocate to work with them.

    vuln_code4.c: 8: High: sprintf
    Check to be sure that the format string passed as argument 2 to this function
    call does not come from an untrusted source that could have added formatting
    characters that the code is not prepared to handle. Additionally, the format
    string could contain `% s' without precision that could result in a buffer
    overflow.


    Example 4

    Let's see how things are with other programming languages, and test RATS on a vulnerable perl script:

    open(f,$filename);
     while()
     {
      print;
     }
    

    if you enter “| command” to the input of such a script, the command will be executed. There is such a vulnerability in the RATS database, he advises us to carefully analyze the input data when using the open () function:
    test9.pl:1: Medium: open
    The filename argument of open should be carefully checked if it is being created with any user-supplied string as a compontent of it. Strings should be checked for occurences of path backtracking / relative path components (../ as an example), or nulls, which may cause the underlying C call to interpret the filename to open differently than expected. It is also important to make sure that the final filename does not end in a "|", as this will cause the path to be executed.


    Features of use

    • as a checked object, you can specify a directory containing the source texts, RATS will independently find and check all attached files
    • the -l flag allows you to force the language of the source being checked
    • the -noheader flag allows you to disable the display of the information header
    • the -h flag displays a list and description of other flags

    Conclusion

    Over the years, it is not worth considering RATS as a comprehensive analyzer of vulnerabilities in serious projects, however, it is quite suitable as a training option for identifying and understanding textbook errors.

    References

    More information about buffer overflow vulnerabilities: www.securitylab.ru/contest/212095.php
    A good but complicated book about analyzing and searching for vulnerabilities in software: www.ozon.ru/context/detail/id/5238324
    An article about security in cgi- scripts: www.getinfo.ru/article358.html

    Also popular now: