Manual Source Code Auditing
What can you do when an application is programmed in a language that is not supported
by an automated scanner? How can you verify all the areas of a program that the
automated scanners may have missed? How do you analyze programming constructs
that are too complex for automated analysis tools to follow? In these cases, manual
auditing of the source code may be your only option. Your primary focus should be on
the ways in which user-supplied data is handled within the application. Since most vulnerabilities
are exploited when programs fail to properly handle user input, it is important
to first understand how data is passed to an application, and second, to understand
what happens with that data.
Sources of User-Supplied Data
The following list contains just a few of the ways in which an application can receive user
input and some of the C functions used to obtain that input. (This list by no means represents
all possible input mechanisms or combinations.)
• Command-line parameters: argv manipulation
• Environment variables: getenv()
• Input data files: read(), fscanf(), getc(), fgetc(), fgets(), vfscanf()
• Keyboard input/stdin: read(), scanf(), getchar(), gets()
• Network data: read(), recv(), recvfrom()
It is important to understand that in C, any of the file-related functions can be used to
read data from any file, including the standard input stream stdin, so a function listed
under "input data files" may just as well be delivering keyboard input.
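As an added example (not code from the book), the following Python helper performs the first step the text describes: it lists every place in a C source file where one of the input functions above is called, together with the variable that receives the data, so the auditor knows which values to trace forward. Comments and string literals are blanked first so that a mention of getenv() in a comment is not reported. SAMPLE_C is a constructed fragment that is not meant to compile.

```python
import re

# Entry points named in the text, mapped to the index of the argument that receives the
# data, or None when the data comes back as the return value (getenv, getc, argv, ...).
INPUT_SOURCES = {"argv": None, "getenv": None, "getc": None, "fgetc": None, "getchar": None,
                 "fgets": 0, "gets": 0, "read": 1, "recv": 1, "recvfrom": 1, "scanf": 1, "fscanf": 2, "vfscanf": 2}
CALL_RE = re.compile(r"\b(" + "|".join(INPUT_SOURCES) + r")\b\s*(?=[(\[])")
LHS_RE = re.compile(r"([A-Za-z_]\w*(?:\[[^\]\n]*\]|\.\w+|->\w+)*)\s*=\s*$")
TOKEN_RE = re.compile(r"""/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'""", re.S)

def blank_comments_and_strings(src):
    """Overwrite comments and string/char literals with spaces; newlines are kept so that
    reported line numbers still match the original file."""
    return TOKEN_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)

def call_args(text, start):
    """Split the argument list of the call whose '(' is at text[start] on top-level commas."""
    depth, args, cur = 0, [], []
    for ch in text[start:]:
        depth += (ch == "(") - (ch == ")")
        if depth == 0: break
        if ch == "," and depth == 1: args.append("".join(cur).strip()); cur = []
        elif not (ch == "(" and depth == 1): cur.append(ch)
    return args + ["".join(cur).strip()]

def find_input_sources(src):
    """Return (line, function, receiving expression) for each entry point: these are the
    variables an auditor traces forward to see what the program does with the data."""
    clean, findings = blank_comments_and_strings(src), []
    for m in CALL_RE.finditer(clean):
        name, idx = m.group(1), INPUT_SOURCES[m.group(1)]
        line = clean.count("\n", 0, m.start()) + 1
        if idx is None:  # data is the return value: look for "lhs = getenv(...)" on this line
            lhs = LHS_RE.search(clean[clean.rfind("\n", 0, m.start()) + 1:m.start()])
            target = lhs.group(1) if lhs else "(used inline)"
        else:            # data lands in an argument; scanf-style calls fill every arg after the format
            args = call_args(clean, m.end())
            target = ", ".join(args[idx:]) if name.endswith("scanf") else (args + ["?"] * 3)[idx]
        findings.append((line, name, target))
    return findings

# Constructed C fragment (hypothetical, not meant to compile) used as the audit target.
SAMPLE_C = r'''/* getenv("IGNORED") in a comment must not be reported */
int main(int argc, char **argv) {
    char buf[64], *home = getenv("HOME");
    const char *name = argv[1];      // "read()" inside a comment is skipped too
    if (fgets(buf, sizeof(buf), stdin) == NULL) return 1;
    fscanf(stdin, "%d", &id);
    return recv(sock, buf, sizeof buf, 0); }'''
```

Running find_input_sources(SAMPLE_C) yields five entries (getenv into home, argv into name, fgets and recv into buf, fscanf into &id); each of those variables is then followed through the rest of the program by hand.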