Section 1. Introducing the Audit Workbench



This exercise examines the results of a successful source code security audit of the Washington University FTP daemon wu-ftpd version 2.6.0 that was performed using the Enterprise version of Fortify Software. In this exercise, you use the Audit Workbench to explore a results file that was generated by the Source Code Analysis Engine and annotated by a code auditor.

The files for this lesson are located in the following directory:

Install_Directory/Tutorial/understand_AWB


  1. Start Audit Workbench and load the audit.

    • Start Audit Workbench:

      • On Windows, navigate from the Start menu as follows: Start > All Programs > Fortify Software > Fortify SCA Suite 3.1.1 Demonstration Edition > Audit Workbench.

      • Choose the Continue Audit option.

      • Select the wu-ftpd.fpr file.

    • Examine the information displayed in the Project Summary dialog. Click Skip AuditGuide to close the Project Summary.

    • Examine the information displayed in the navigation tree in the Navigator panel.

      • Expand the items in the tree to see the individual issues.

      • Click on the issues to see how the panels are populated for each issue. For example, notice that the Analyzer Trace panel shows data flow information when the issue was identified by the Data Flow Analyzer.

      • Examine the Summary and Detail panels for information about the issues.

      • Click the Hotlist, Warnings, and Info buttons to see how the issues are grouped by severity level.

      • Select different options in the "Group by" drop-down list to see the issues in the navigation tree grouped by file name, sink, source, taint flag, or category and analyzer (the default).

      • Locate and select the following issue: ftpd.c:5290 (Format String).

    • Examine an issue.

      • Read the auditor's comments concerning the issue in the Summary panel and note the settings for the analysis, status, impact, and severity buckets that the auditor has selected for the issue. In this case, the auditor considers the issue to be a remotely exploitable problem that could lead to a root compromise.

      • Click on the four code lines displayed in the Analysis Trace panel to see how the SCA Engine traced the malicious data through the program.

      • Examine the Details panel to read more about auditing format string problems.

    • Explore other issues.

      • Click the Hotlist, Warning, and Info buttons to explore some of the other buckets.

      • Explore some of the other categories and the issues they contain for an overview of the types of problems that Fortify Software finds in C and C++ programs.

    • Generate an audit report.

      • Select Generate Report from the Tools menu to generate a report.

      • Select Formatted Text from the "Export As" drop-down list.

      • Read the summary sections at the top of the report and some of the detailed findings that follow.

      • Click Cancel to return to the main audit view.
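The ftpd.c:5290 issue examined above is a format-string sink reached by client-supplied data, which is why the Data Flow Analyzer reports it with a trace from source to sink. As an added example that is not wu-ftpd or Fortify code, the C below puts the vulnerable pattern next to its fix and adds a small helper an auditor could use to confirm that tainted input actually carries conversion directives; the function names and the reply text are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* VULNERABLE pattern: client-controlled text is passed as the format string,
 * so any directive inside it (%x, %s, %n ...) is interpreted by snprintf. */
int reply_unsafe(char *out, size_t outsz, const char *client_text)
{
    return snprintf(out, outsz, client_text);   /* format = tainted data */
}

/* FIXED pattern: the format is a literal; client text only fills a %s. */
int reply_safe(char *out, size_t outsz, const char *client_text)
{
    return snprintf(out, outsz, "550 %s: Permission denied.\r\n", client_text);
}

/* Audit helper: count conversion directives in a string ("%%" is an escape).
 * Tainted data with a non-zero count reaching a format sink is the evidence
 * an auditor wants before marking the issue exploitable. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" is a literal percent */
        n++;
    }
    return n;
}

/* Returns 1 if reply_safe() renders client_text as plain data, unchanged. */
int safe_reply_equals(const char *client_text, const char *expected)
{
    char out[128];
    reply_safe(out, sizeof out, client_text);
    return strcmp(out, expected) == 0;
}

int main(void)
{
    char out[128];
    const char *benign = "report.txt", *hostile = "%x %x %n"; /* constructed */
    reply_unsafe(out, sizeof out, benign);   /* fine only while data is benign */
    printf("unsafe sink, benign input  : %s\n", out);
    printf("directives in hostile input: %d\n", count_directives(hostile));
    reply_safe(out, sizeof out, hostile);    /* hostile text stays literal */
    printf("safe sink, hostile input   : %s", out);
    return 0;
}
```

The unsafe sink behaves identically to the safe one on benign input, which is exactly why only a data-flow trace from an untrusted source, not a local read of the line, shows that it is a problem.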

Exercises for the Reader

Beginner

  1. How many categories of security vulnerabilities are listed for this application?

  2. Starting with buffer overflow, how many vulnerability categories can you name?

  3. In your company, what categories of security vulnerabilities are most critical?

  4. Can you think of (or write) a line of code that would be acceptable in one program but would cause a serious security problem in another program?

Advanced

  1. Describe a scenario in which a security issue that is not currently exploitable can become a critical security issue in the future.

  2. What are some common reasons that developers introduce security vulnerabilities?

  3. What makes one security issue more important than another? How do you determine the importance of a security issue?

  4. Once you have identified and corrected all exploitable security issues, what are the arguments for and against addressing nonexploitable security issues?




Software Security: Building Security In
ISBN: 0321356705
Year: 2004
Pages: 154
Authors: Gary McGraw