When it comes to embedded system applications, security is one of the most important requirements. In addition to embedded security topics such as Bluetooth encryption, SSH, and TLS, modern firmware developers use a static analysis tool that checks for vulnerabilities in your source code. There are many existing static analysis tools (Cppcheck, Clang Sanitizers, etc.) that can do the job but today I’d like to focus on one of our favorites, Flawfinder.

Flawfinder is an open-source tool developed by David A. Wheeler, a security expert. Like all static analysis tools, this tool scans your C/C++ source codes to look for weaknesses or flaws.

Installation

Since Flawfinder is written in Python it can be used on most platforms. You can install Flawfinder by using the Python pip installer as shown below.

pip3 install flawfinder

To use Flawfinder, it is as easy as calling the following command.

# Scan a single file
flawfinder <SOURCE_CODE>

OR

# Scan all files in a directory
flawfinder <SOURCE_CODE_DIRECTORY>

Calling the command above prints the results on the terminal. and it is only useful at the moment you run it. If Flawfinder is integrated into a CI pipeline, the outputs will be saved for further review. To refer back to the previous Flawfinder outputs, all you have to do is to look at the pipeline’s build log.

There are command-line options that you can use to customize the scanning experience. The combination of options we recommend is minlevel, html, and context. The minlevel option lets you choose the minimum risk level from 0 (very low risk) to 5 (high risk) to be shown on the terminal. By default, the results of level 1 or higher are shown. If we are only concerned about high-risk outputs, we can set the minlevel to 4. The html and context options will put the output in HTML format and show the lines of code that are potential security vulnerabilities. With these options, the command will now look like the following.

flawfinder --minlevel=4 --html --context <SOURCE_CODE> > flawfinder_report.html

Add the Security Screening to Your Automated Build

If you’ve never heard of automated builds or are not sure how to get started using them, take a look at our blog on setting up automated firmware builds as a quick tutorial.

Then, consider this: In the airport, you can only get on the plane after passing through a number of stages, check-in, security, terminals, and then entering the plane itself. This is the same concept for your build – you have to take several steps before deployment. Therefore, we want to create a job for running Flawfinder (security screening) on your code before deploying it (enter the plane).

  1. First, we want to create an isolated environment for this job. This can be done by creating a simple Flawfinder Docker image.
# A base image with Python is needed to install Flawfinder   
FROM python:3.8.5-slim-buster

ARG FLAWFINDER_VERSION=2.0.11

# Install a specific version Flawfinder
# I'm using version 2.0.11
RUN pip3 install flawfinder==$FLAWFINDER_VERSION
  1. Once the Flawfinder Docker image is created, you can now use it in your automated pipelines. In the script section of your YAML file, call the Flawfinder command and provide the path to the source directory you want to check. A snippet of a Flawfinder job in a .gitllab-ci.yml file is shown below.
flawfinder:
	stage: static analysis
	image: flawfinder:v2.0.11
	script:
		- mkdir flawfinder_report
		- flawfinder --minlevel=4 --html --context src/ > flawfinder_report/flawfinder_test_report.html
	artifacts:
		paths:
			- flawfinder_report/
  1. With the job above, it’d be like running bags through the scanner and no one looking at the screen to see what’s in them. We can set up the job to fail if the number of items (flaws) found is over a threshold, go check out our blog on how CI pipeline scripts and exit codes interact to learn more about it.

So, there you have it. Setting up a static analysis for your code can be as easy as a line of command. Having Flawfinder in your software development cycle not only make you more confident with the code but also protect your end product from potential criminals.

If you’d like to make sure your firmware is secure, reach out! At DojoFive, we have talented engineers on hand ready to help you with all aspects of your EmbedOps journey. We are always happy to help with interesting problems that need solving, from security audits to firmware development. You can reach out at any time on LinkedIn or through email!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.