- Initial value assignments (failing to initialize variables before use can lead to vulnerabilities).
- Memory corruption (see Memory_Exploits folder).
- Static analysis tools:
  - commercial: Fortify, Klocwork, Coverity
  - free: LLVM Clang Static Analyzer, FindBugs (Java), RATS
- Information collection:
  - Assets
  - Entry points
  - External entities
  - External trust levels
  - Major components
  - User scenarios
  - Developer interviews
  - Developer documentation
  - Standards documentation
  - Source profiling
  - System profiling: file system layout, code reuse, imports/exports, sandboxing, scanning.
- Application architecture modeling:
  - UML
  - Data flow diagrams (DFD)
- Threat identification:
  - Attack trees: the root node states the attacker's goal; each child node states an attack methodology that could achieve its parent's goal. An arc drawn across the edges between sibling nodes marks them as AND connectors (all are required; siblings without an arc are alternatives). Circular nodes are mitigations. Dashed lines indicate unlikely attack vectors.
  - Textual representation.
- Documentation of findings:
  - Fields per finding: Threat, Affected component, Description, Result, Mitigation strategy.
  - DREAD risk ratings (damage potential, reproducibility, exploitability, affected users, discoverability), each scored from 1 to 10.
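Added example (Python; not code from these notes): the attack-tree notation above (AND arcs, mitigation nodes, dashed unlikely vectors) as a small data structure that answers whether the root goal is still reachable and which leaf steps remain open, followed by a finding record with the documentation fields listed above, scored and prioritized with DREAD. The tree, the findings and their ratings are constructed for illustration, and `AttackNode`, `Finding` and the node names are assumed names.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class AttackNode:
    """One node of an attack tree: a goal, with child methodologies that reach it."""
    name: str
    children: List["AttackNode"] = field(default_factory=list)
    conjunctive: bool = False   # arc drawn across the children: AND, otherwise OR
    mitigated: bool = False     # a (circular) mitigation node is attached here
    unlikely: bool = False      # dashed line: vector judged unlikely

    def feasible(self, include_unlikely: bool = True) -> bool:
        """True if the goal in this node is still reachable after mitigations."""
        if self.mitigated or (self.unlikely and not include_unlikely):
            return False
        if not self.children:                  # leaf: a concrete attack step
            return True
        results = [c.feasible(include_unlikely) for c in self.children]
        return all(results) if self.conjunctive else any(results)

    def open_leaves(self, include_unlikely: bool = True) -> List[str]:
        """Leaf steps that still contribute to reaching this node."""
        if not self.feasible(include_unlikely):
            return []
        if not self.children:
            return [self.name]
        return [leaf for c in self.children for leaf in c.open_leaves(include_unlikely)]


def build_sample_tree() -> AttackNode:
    """Constructed example tree (assumed scenario, not one from the notes)."""
    sniff = AttackNode("Observe traffic on a shared network segment")
    cleartext = AttackNode("Session token sent in cleartext", mitigated=True)  # TLS enforced
    hijack = AttackNode("Hijack an authenticated session",
                        children=[sniff, cleartext], conjunctive=True)
    brute = AttackNode("Guess a weak password at the login form", unlikely=True)  # rate limited
    return AttackNode("Read another user's private messages", children=[hijack, brute])


DREAD_FACTORS = ("damage_potential", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


@dataclass
class Finding:
    """One documented finding: the five fields from the notes plus a DREAD rating."""
    threat: str
    affected_component: str
    description: str
    result: str
    mitigation_strategy: str
    dread: Dict[str, int]


def dread_score(rating: Dict[str, int]) -> float:
    """Mean of the five DREAD factors; every factor must be an integer from 1 to 10."""
    missing = set(DREAD_FACTORS) - set(rating)
    if missing:
        raise ValueError(f"missing DREAD factors: {sorted(missing)}")
    for factor in DREAD_FACTORS:
        value = rating[factor]
        if not (isinstance(value, int) and 1 <= value <= 10):
            raise ValueError(f"{factor} must be an integer from 1 to 10, got {value!r}")
    return sum(rating[f] for f in DREAD_FACTORS) / len(DREAD_FACTORS)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest DREAD score first: the order in which the review team works the list."""
    return sorted(findings, key=lambda f: dread_score(f.dread), reverse=True)


def sample_findings() -> List[Finding]:
    """Constructed findings for the two leaf steps of the sample tree (illustrative ratings)."""
    return [
        Finding("Session hijack via cleartext token", "Session handling",
                "Token readable by anyone on the network path",
                "Mitigated: TLS required everywhere",
                "Keep HSTS and the Secure cookie flag enabled",
                dict(damage_potential=8, reproducibility=3, exploitability=4,
                     affected_users=6, discoverability=5)),
        Finding("Weak-password guessing", "Login form",
                "Unlimited login attempts were possible before lockout was added",
                "Partially mitigated: per-account lockout",
                "Add per-source throttling and alert on failed-login spikes",
                dict(damage_potential=7, reproducibility=9, exploitability=6,
                     affected_users=8, discoverability=9)),
    ]


if __name__ == "__main__":
    root = build_sample_tree()
    print("goal reachable:", root.feasible(), "via", root.open_leaves())
    print("ignoring unlikely vectors:", root.feasible(include_unlikely=False))
    for f in prioritize(sample_findings()):
        print(f"{dread_score(f.dread):.1f}  {f.threat} [{f.affected_component}]")
```

Toggling `mitigated` on a node and re-running `feasible()` is the quick way to see which mitigation actually closes the root goal; the DREAD validation rejects ratings outside 1 to 10 so a typo in the spreadsheet cannot silently reorder the list.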
- Prioritizing the implementation review (by the kind of access you have):
  - Source only (static analysis)
  - Binary only (live analysis and reverse engineering)
  - Both source and binary access
  - Checked build: a binary with no source code but with debugging information.
  - Strict black box: black-box and fuzz testing (example: web applications). Example: when auditing a web server whose entry point is TCP port 80, you use an HTTP protocol fuzzer.
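Added example (Python; not code from these notes) for the fuzz-testing item above, taken in-process so it runs offline: a constructed, deliberately naive HTTP request-line parser beside a hardened one, and a small mutation fuzzer that reports which inputs escape the target with an exception other than its documented rejection error. The seed request, both parsers and the names `mutate`, `fuzz` and `MalformedRequest` are assumed for illustration; the same harness logic is what you would wrap around a real parser in a CI robustness test.

```python
import random
from typing import Callable, Dict, Tuple

# Constructed seed input: one well-formed request both parsers accept.
SEED_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"


def parse_request_line_buggy(data: bytes) -> Tuple[str, str, Tuple[int, int]]:
    """Constructed target: a naive request-line parser that trusts its input."""
    line = data.split(b"\r\n", 1)[0]
    method, target, version = line.split(b" ")        # wrong field count -> ValueError
    major, minor = version[5:].split(b".")            # short/odd version -> ValueError
    return method.decode("ascii"), target.decode("ascii"), (int(major), int(minor))


class MalformedRequest(ValueError):
    """The one error a caller of the hardened parser has to handle."""


def parse_request_line_hardened(data: bytes) -> Tuple[str, str, Tuple[int, int]]:
    """Same job, but every malformed input is rejected with MalformedRequest."""
    line = data.split(b"\r\n", 1)[0]
    if len(line) > 8192:
        raise MalformedRequest("request line too long")
    parts = line.split(b" ")
    if len(parts) != 3:
        raise MalformedRequest("expected 'METHOD TARGET VERSION'")
    method, target, version = parts
    if not method.isalpha() or not target:            # bytes.isalpha is ASCII-only
        raise MalformedRequest("bad method or target")
    nums = version[5:].split(b".") if version.startswith(b"HTTP/") else []
    if len(nums) != 2 or not all(n.isdigit() and len(n) <= 3 for n in nums):
        raise MalformedRequest("bad version")
    try:
        return method.decode("ascii"), target.decode("ascii"), (int(nums[0]), int(nums[1]))
    except UnicodeDecodeError as exc:
        raise MalformedRequest("non-ASCII bytes in request line") from exc


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Apply one random mutation: truncate, flip a bit, insert junk, or duplicate a slice."""
    choice = rng.randrange(4)
    if choice == 0 and len(data) > 1:
        return data[: rng.randrange(1, len(data))]
    if choice == 1 and data:
        i = rng.randrange(len(data))
        return data[:i] + bytes([data[i] ^ (1 << rng.randrange(8))]) + data[i + 1:]
    if choice == 2:
        i = rng.randrange(len(data) + 1)
        junk = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
        return data[:i] + junk + data[i:]
    if len(data) > 1:
        i = rng.randrange(len(data))
        j = rng.randrange(i + 1, len(data) + 1)
        return data[:i] + data[i:j] * 2 + data[j:]
    return data


def fuzz(target: Callable[[bytes], object], iterations: int = 2000,
         seed: int = 1) -> Dict[Tuple[str, str], bytes]:
    """Mutation fuzzer: returns {(exception type, message): input} for unexpected crashes.

    MalformedRequest is the documented rejection and therefore not a crash;
    anything else escaping the target is a robustness bug worth a finding.
    """
    rng = random.Random(seed)            # fixed seed: runs are reproducible
    crashes: Dict[Tuple[str, str], bytes] = {}
    for _ in range(iterations):
        data = SEED_REQUEST
        for _ in range(rng.randrange(1, 4)):
            data = mutate(rng, data)
        try:
            target(data)
        except MalformedRequest:
            continue
        except Exception as exc:         # the harness must survive any crash
            crashes.setdefault((type(exc).__name__, str(exc)[:50]), data)
    return crashes


if __name__ == "__main__":
    for name, target in (("buggy", parse_request_line_buggy),
                         ("hardened", parse_request_line_hardened)):
        found = fuzz(target)
        print(f"{name}: {len(found)} distinct crash signatures")
        for (kind, msg), sample in list(found.items())[:5]:
            print(f"  {kind}: {msg!r} <- {sample[:40]!r}")
```

Each distinct (exception type, message) pair is kept with the first input that produced it, which is exactly the reproducer a finding record needs; the hardened parser should come back with an empty dictionary, and any entry it does produce is a gap in its validation.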