Friday, Mar 25, 2011

Locating Dangerous Functions with IDA Pro

During a black box COTS application assessment, we wanted to identify dangerous functions that could possibly be abused to gain code execution. Flawfinder, an elementary source-code-focused tool designed for exactly this purpose, was a good starting point. Embedded in its source code is a good list of functions that are considered dangerous.

Four problems with flawfinder:

  1. It only works on source code. No COTS products for me.
  2. Signatures are embedded in the code, so they are not easily reusable.
  3. Not supported (last update 2007). I've submitted a patch to Dan Wheeler (the flawfinder author) before and never heard back.
  4. Not exhaustive. I think Michael Howard did a great job changing the Microsoft SDL to prohibit certain functions from being used for software development. Flawfinder doesn't include many of these functions.


I decided to attempt a little experiment and port some of the flawfinder functionality to IDA Pro. In the end, I moved the flawfinder database to raw XML and added the functions that Michael Howard banned from the Microsoft SDL. My XML file describing dangerous functions is available here.

SHA256: 6695bb84bd1e9536c930b3599426cca04bfc02b31d66d9a61ca00ac7f0e1a686

MD5: c6b712a94962dd583974fa34ba19e23f


Please let me know if you would like to submit any additional functions and I will add them to the file. In the future I will probably modify flawfinder to use this XML database as well.

I also created a little Python script using IDAPython that iterates over function names and finds any references to known dangerous functions. We are using these references as input for mynav in order to calculate execution paths that may lead to exploitable situations, which in turn helps us to tune our fuzzers. My dangerous_functions.py script for achieving this is available here.

SHA256: bac5d21a7861b4387c0600ed5e825029e10560ab2fad33984ffa935342101f5f

MD5: be6c18777e755662a5fcccdb697dbd93

In order to use it, you may have to modify the 'dangerous_functions_file' on line 7 of the aforementioned dangerous_functions.py script so that it points to your location of dangerous_functions.xml. Then load the binary in which you want to locate dangerous functions in IDA Pro and run the following IDAPython command:

execfile(r"C:\path\to\dangerous_functions.py")

Please note that this script is just an experiment (read: primitive) and makes no attempt to verify whether the functions are actually being used safely or not. Additionally, please note that this script was developed and tested using IDA Pro 6.0 and IDAPython version 1.4.3.
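The post's own dangerous_functions.py is not reproduced here. The following is an added example of the same idea (not the author's script): it parses a small constructed XML database whose layout is an assumption, normalises the decorated names IDA gives imports and thunks, and, when run inside IDA, lists every call site of a flagged function. It uses the current IDAPython names (idautils.Names, idautils.XrefsTo, idc.get_func_name) rather than the IDA 6.0 API the post targeted; the matching logic runs and can be tested outside IDA.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample database; its element/attribute layout is an assumption, the post's
# own dangerous_functions.xml schema is not shown.
SAMPLE_XML = """<dangerous_functions>
  <function name="strcpy" level="5" note="no bounds check; prefer strcpy_s or strlcpy"/>
  <function name="sprintf" level="4" note="no bounds check; prefer _snprintf_s"/>
  <function name="gets" level="5" note="unbounded read; removed in C11"/>
  <function name="memcpy" level="2" note="verify length against destination size"/>
</dangerous_functions>"""

def load_db(xml_text):
    """Parse the database into {name: (severity, note)}."""
    root = ET.fromstring(xml_text)
    return {f.get("name"): (int(f.get("level", "0")), f.get("note", ""))
            for f in root.iter("function")}

# IDA decorates imports and thunks ("_strcpy", "__imp_strcpy", "j_strcpy", "strcpy_0");
# strip that, but keep genuine suffixes such as strcpy_s distinct from strcpy.
_DECOR = re.compile(r"^(?:__imp_|j_|_)*(?P<base>[A-Za-z]\w*?)(?:_\d+)?$")

def canonical(name):
    m = _DECOR.match(name)
    return m.group("base") if m else name

def find_dangerous(names, db):
    """Return {decorated_name: (base, severity, note)} for names found in the database."""
    hits = {}
    for n in names:
        base = canonical(n)
        if base in db:
            hits[n] = (base,) + db[base]
    return hits

def report_in_ida(db):
    """Inside IDA only: print each call site of a flagged name, highest severity first.
    Uses current idautils/idc names; returns None when not running under IDA."""
    try:
        import idautils, idc
    except ImportError:
        return None
    addrs = {name: ea for ea, name in idautils.Names()}
    hits = find_dangerous(addrs, db)
    rows = []
    for name, (base, sev, note) in sorted(hits.items(), key=lambda kv: -kv[1][1]):
        for x in idautils.XrefsTo(addrs[name]):
            rows.append((sev, base, x.frm, idc.get_func_name(x.frm), note))
            print("[%d] %-8s called at %#x in %s: %s" % rows[-1])
    return rows
```

Inside IDA, `report_in_ida(load_db(open(path).read()))` gives the caller list that can be fed to mynav; the returned rows carry the severity so the highest-risk paths can be prioritised first.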


I would like to thank Dan Clemens of Packet Ninjas for inspiration and of course the hex-rays team for such a great tool. I would also like to thank Dan Wheeler for writing flawfinder and Michael Howard for doing such a great job improving the Microsoft SDL and releasing the information for general consumption. Don't hesitate to drop us a line to offer constructive criticism or offer improvements/suggestions.

Please note that Halvar provides a similar project, though I have not yet thoroughly reviewed the source:

http://sourceforge.net/projects/bugscam/

Also, this project looks interesting as well:

http://sourceforge.net/projects/ida-pro-code/

Reader Comments (3)

When doing "execfile(r"C:\path\to\dangerous_functions.py")" I get the following output and nothing else:

Python>execfile(r"C:\path\to\dangerous_functions.py")

Same when executing from the mynav submenu. Any clues?

April 8, 2011 | Unregistered Commenterknu
