Project 11: Static Analysis Tool (Basic)

A static analysis tool that scans C source code for common vulnerability patterns—dangerous functions, format string bugs, potential integer overflows, and missing bounds checks.

Quick Reference

Attribute              Value
---------------------  --------------------------------------------
Primary Language       Python
Alternative Languages  C, Go
Difficulty             Level 3: Advanced
Time Estimate          3-4 weeks
Knowledge Area         Security Tools / Code Analysis
Tooling                pycparser, Clang AST
Prerequisites          All previous projects, parsing basics

What You Will Build

A command-line scanner (cscan) that parses C source into an AST, walks it with a set of detectors, and prints a severity-ranked report. The detectors cover dangerous library functions (gets, strcpy), user-controlled format strings, multiplications that can overflow an allocation size, unbounded string copies, and unchecked return values, with each finding tagged by line number and CWE ID.

Why It Matters

Static analysis is how most C code gets reviewed at scale: the same parsing, AST traversal and pattern-matching skills underpin compiler warnings, CI linters and commercial scanners. Learning to keep false positives low, by checking the context of a match rather than just the function name, is what separates a tool that developers run from one they ignore.

Core Challenges

  • Parsing C code → maps to using pycparser or Clang
  • Pattern matching → maps to AST traversal
  • Reducing false positives → maps to context-aware analysis
  • Reporting findings → maps to useful output format

Key Concepts

  • Abstract Syntax Trees: Compiler textbooks
  • Taint Analysis: “Secure Programming with Static Analysis” Ch. 4
  • Pattern-Based Detection: Semgrep approach

Real-World Outcome

$ ./cscan vulnerable.c

═══════════════════════════════════════════════════════════════════
                    C Security Scanner Report
═══════════════════════════════════════════════════════════════════

File: vulnerable.c

[HIGH] Dangerous Function: gets()
  Line 15: gets(buffer);
  Issue: gets() has no bounds checking. Use fgets() instead.
  CWE: CWE-120 (Buffer Copy without Checking Size of Input)

[HIGH] Format String Vulnerability
  Line 23: printf(user_input);
  Issue: User-controlled format string. Use printf("%s", ...).
  CWE: CWE-134 (Use of Externally-Controlled Format String)

[MEDIUM] Potential Integer Overflow
  Line 31: size_t total = count * element_size;
  Issue: Multiplication may overflow. Check count <= SIZE_MAX / element_size first, or use a checked helper such as safe_mul().
  CWE: CWE-190 (Integer Overflow or Wraparound)

[MEDIUM] Unbounded String Copy
  Line 45: strcpy(dest, source);
  Issue: strcpy() has no bounds check. Use snprintf() or strlcpy(); strncpy() does not NUL-terminate when the source fills the buffer.
  CWE: CWE-120

[LOW] Unchecked Return Value
  Line 52: malloc(size);
  Issue: malloc() return value not checked for NULL.
  CWE: CWE-252 (Unchecked Return Value)

═══════════════════════════════════════════════════════════════════
Summary: 2 HIGH, 2 MEDIUM, 1 LOW findings
═══════════════════════════════════════════════════════════════════
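The following is an added example, not code from this page or the course's own solution: a stdlib-only Python sketch of the pipeline the Core Challenges list describes (lex the source, match calls and their arguments, apply rules, print the report format shown above). It deliberately uses a token-level call matcher instead of a pycparser or Clang AST so it runs without a preprocessor; that is an assumption with known limits (it cannot tell a prototype from a call and does not expand macros). The SAMPLE_C input is constructed, and the DANGEROUS and FORMAT_ARG rule tables and all function names are mine. It does show the two false-positive reductions a practitioner wants first: comments and string contents are never matched as calls, and a printf-family call whose format argument is entirely string literals is not reported.

```python
"""Stdlib-only sketch of a token-level C security scanner (added example).

Approximates the project pipeline: lex -> find calls -> apply rules -> report.
A real implementation should walk a pycparser/Clang AST instead.
"""
import re
from dataclasses import dataclass

# Constructed sample input (not from the page): a deliberately vulnerable C file.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>

/* gets(buf) mentioned in a comment must not be reported */
int main(int argc, char **argv) {
    char buffer[64];
    char *user_input = argv[1];
    gets(buffer);                 /* HIGH: CWE-120 */
    printf(user_input);           /* HIGH: CWE-134 */
    printf("%s\n", user_input);   /* safe: literal format string */
    strcpy(buffer, user_input);   /* MEDIUM: CWE-120 */
    fprintf(stderr, user_input);  /* HIGH: CWE-134 (format is the 2nd arg) */
    return 0;
}
'''

# Comments are matched first so 'gets(' inside one is never seen as a call;
# string literals are single tokens so their contents are never matched either.
TOKEN_RE = re.compile(r'''
    (?P<comment>/\*.*?\*/|//[^\n]*)
  | (?P<string>"(?:\\.|[^"\\])*")
  | (?P<char>'(?:\\.|[^'\\])*')
  | (?P<ident>[A-Za-z_]\w*)
  | (?P<other>\S)
''', re.VERBOSE | re.DOTALL)

# Rule tables (my own, for illustration): name -> (severity, CWE, advice)
DANGEROUS = {
    'gets':    ('HIGH',   'CWE-120', 'gets() has no bounds checking. Use fgets() instead.'),
    'strcpy':  ('MEDIUM', 'CWE-120', 'strcpy() has no bounds check. Use snprintf() or strlcpy().'),
    'strcat':  ('MEDIUM', 'CWE-120', 'strcat() has no bounds check. Use strlcat() or track lengths.'),
    'sprintf': ('MEDIUM', 'CWE-120', 'sprintf() can overflow its destination. Use snprintf().'),
}
# printf family: index of the format argument in the call
FORMAT_ARG = {'printf': 0, 'fprintf': 1, 'sprintf': 1, 'snprintf': 2, 'syslog': 1}
SEVERITY_ORDER = ('HIGH', 'MEDIUM', 'LOW')


@dataclass
class Token:
    kind: str
    text: str
    line: int


@dataclass
class Finding:
    severity: str
    title: str
    line: int
    issue: str
    cwe: str


def tokenize(src):
    """Lex C source into tokens with 1-based line numbers; comments are dropped."""
    tokens, line, pos = [], 1, 0
    for m in TOKEN_RE.finditer(src):
        line += src.count('\n', pos, m.start())   # counts newlines inside skipped comments too
        pos = m.start()
        if m.lastgroup != 'comment':
            tokens.append(Token(m.lastgroup, m.group(), line))
    return tokens


def find_calls(tokens):
    """Return (name_token, args) for each identifier directly followed by '('.
    args is a list of token lists, split on commas at nesting depth 1."""
    calls = []
    for i, tok in enumerate(tokens[:-1]):
        if tok.kind != 'ident' or tokens[i + 1].text != '(':
            continue
        depth, args, cur = 0, [], []
        for t in tokens[i + 1:]:
            if t.text == '(':
                depth += 1
                if depth == 1:
                    continue            # the call's own opening paren
            elif t.text == ')':
                depth -= 1
                if depth == 0:
                    if cur:
                        args.append(cur)
                    break               # matching close paren
            elif t.text == ',' and depth == 1:
                args.append(cur)
                cur = []
                continue
            cur.append(t)
        calls.append((tok, args))
    return calls


def scan(src):
    """Apply the rule tables to every call and return findings sorted by severity, then line."""
    findings = []
    for name, args in find_calls(tokenize(src)):
        fn = name.text
        if fn in DANGEROUS:
            sev, cwe, advice = DANGEROUS[fn]
            findings.append(Finding(sev, f'Dangerous Function: {fn}()', name.line, advice, cwe))
        if fn in FORMAT_ARG and FORMAT_ARG[fn] < len(args):
            fmt = args[FORMAT_ARG[fn]]
            # Context check: a format made only of string literals (including "a" "b"
            # concatenation) is attacker-independent and must not be reported.
            if not all(t.kind == 'string' for t in fmt):
                findings.append(Finding('HIGH', 'Format String Vulnerability', name.line,
                                        f'Non-literal format string passed to {fn}(). '
                                        'Use a literal format such as "%s" and pass the data as an argument.',
                                        'CWE-134'))
    findings.sort(key=lambda f: (SEVERITY_ORDER.index(f.severity), f.line))
    return findings


def report(path, src, findings):
    """Render findings in the report layout used by this project."""
    rule = '=' * 67
    src_lines = src.splitlines()
    out = [rule, 'C Security Scanner Report'.center(67).rstrip(), rule, '', f'File: {path}', '']
    for f in findings:
        out += [f'[{f.severity}] {f.title}',
                f'  Line {f.line}: {src_lines[f.line - 1].strip()}',
                f'  Issue: {f.issue}',
                f'  CWE: {f.cwe}', '']
    counts = {s: sum(f.severity == s for f in findings) for s in SEVERITY_ORDER}
    out += [rule, 'Summary: ' + ', '.join(f'{counts[s]} {s}' for s in SEVERITY_ORDER) + ' findings', rule]
    return '\n'.join(out)


if __name__ == '__main__':
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else 'sample.c'
    source = open(path).read() if len(sys.argv) > 1 else SAMPLE_C
    found = scan(source)
    print(report(path, source, found))
    sys.exit(1 if found else 0)   # non-zero exit when findings exist, so CI can gate on it
```

Run it with no arguments to scan the embedded sample (three HIGH and one MEDIUM finding), or pass a .c path. The token matcher is the part to replace first when moving to pycparser: a FuncCall node gives you the callee name and argument expressions directly, and a string-literal test on the format argument becomes a check on the node type instead of the token kind.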

Implementation Guide

  1. Preprocess one C file and parse it into an AST with pycparser (or dump the Clang AST); walk the tree and print every function call with its line number.
  2. Add the first detector: flag calls to gets() and strcpy() and print them in the report format above, with severity and CWE ID.
  3. Add the context-aware checks: printf-family calls whose format argument is not a string literal, malloc() results that are never compared to NULL, and multiplications that feed an allocation size.
  4. Handle input the parser rejects (missing headers, unexpanded macros, non-C files) with a clear error and a non-zero exit code, and log which rule fired on which node so false positives can be traced.
  5. Split the code into parser, rule modules and reporter, with a test corpus of known-vulnerable and known-clean snippets so every rule has a positive and a negative case.

Milestones

  • Milestone 1: Parses a C file and prints its call sites end-to-end.
  • Milestone 2: Reports the five finding types shown above with correct line numbers and CWE IDs.
  • Milestone 3: Ignores matches inside comments and string literals, handles nested calls, and stays quiet on a known-clean corpus.
  • Milestone 4: Clean module structure and documented usage (cscan <file.c>, exit code reflecting whether findings were reported).

Validation Checklist

  • Output matches the real-world outcome example
  • Handles invalid inputs safely
  • Provides clear errors and exit codes
  • Repeatable results across runs

References

  • Main guide: LEARN_SECURE_C_AND_EXPLOIT_AWARENESS.md
  • “Secure Coding in C and C++” by Robert C. Seacord