Research on Source Code Review -C

[dwar keeper <dwarkeeper () hotmail com>]

In-Reply-To: <KFEMINDBKGBEMHACCJHCOEJKCNAA.brett () softwarecreations co nz>

Hi,
 
Am looking to develop source code review guidelines for code written in 
c/c++. I have found a few documents on the net but nothing that could be 
really followed along to do source code review. I also wanted to know what 
people in the field are actually doing and also if they could provide 
first hand experience as to what all they look for and how.
 
Some of the software we write also is used on different flav. of UNIX, 
thus how would that impact on finding such as heap overflows (simply would 
it even be a finding if the software is run on solaris as opposed to linux 
where dl malloc is used and it is actually a heap overflowetc) ? I want to 
try and build and exaustive list of functions and a detailed document of 
what all functions, steps to look at on while  performing a ssource code 
review. 
 
I have started with a list of functions for stack already, they have been 
compiled by looking at most of the pre-existing tools (Flawfinder/RATS 
etc) and am also trying to classify all the different types of flaws that 
could occur. I am sure there are a lot of people on this list who have a 
lot more information, I want to just try to collate it all and in the end 
shall try and post it to the list too so every can gain from this if 
possible.
 
Thanks in advance for all your help.
 
/DK
 
I have some examples here as to what flaws to look for please add more and 
give some description or provide a link, thanks.
 
A) Stack
Problem functions listed in stack_func.txt attached.
 
Ways to stop stack overflows are either use other functions which validate 
the input or disable stack execution ( however if return into libc is 
used, this attack will still be successful for disabled stack execution so 
always use validated functions or compile with safe versions of gcc). 
 
B) Heap
Problems that could arise in the heap due to use of contiguos blocks to 
store data and the first variable overwrites data into the second block. 
The overhead part of  each block, which contains the address of the next 
location to execute could be overwritten and thus /bin/sh could be called 
or something along those lines.
 
Functions that couse cause such problems are  - 
 
Possible solutions using canary values between variables, what else could 
be possible solutions? What are the possible functions on this?
 
 
C) Format string
locating all "F" class of functions and validating the format.
 
D) Off by one
 
 
E) Race Condition
 
 
F) Dead lock 
 
G) Implementations of Malloc and other such tools (I found dl malloc on 
phrack but other implementations on os's like aix / sun any pointers ??)
 
 
Additional vectors
--------------------
1) Integer Overflow (could lead to either stack or heap overflow) -
    - Evaluating the value stored in a integer (store a value greater than 
the maximum value allowed in an integer variable thus causing an integer 
overflow)
        Fix would be to add an additional loop to check for the size of 
the value     
    All possible scenarios they could be used under ?
 
2) Signed Overflow
    Signed overflows occur when a signed variable is interpreted as an 
unsigned variable.
    Fix using the correct ‘type’ required for the variable.
    What are all the different singed variables that could be mis-
interpreted and used ?
 
Thanks again for all the help.