cIFrex 3.1 - Static code analysis tool


cIFrex is a web application written in PHP that supports searching for mistakes during source code analysis. Using a database of filters based on regular expressions, you can quickly locate the code in which the probability of a defect is high. To benefit fully from the method you only need the source code on a computer that can reach the cIFrex installation.



How to use?

cIFrex filters are based on regular expressions describing a given kind of mistake, together with a CWE identifier. This lets you reach the definition of the weakness at http://cwe.mitre.org quickly.

Each filter consists of at most nine patterns.

The regular expressions are divided into three groups:


- (V) Value: a regular expression that retrieves a sequence of characters and assigns the retrieved value to the variable <v1>, <v2> or <v3>, for example the name of an array:

char name[128] => char.* (?<v1>\w+)\[(\d+)\]


The variables <v1>, <v2> and <v3> can then be used to search for the sequences we are interested in: the values captured by a V pattern are substituted into the patterns of type T (Truth) and F (False).

- (T) Truth: a regular expression that must be present in the code, for example:

strcpy\(<v1>\,


- (F) False: a regular expression that must not be present in the code, for example:

if.*(?:.\=\=.NULL|NULL.\=\=.)


Each expression type has its role. Type (V) expressions mainly capture variable names, while (T) and (F) expressions narrow down how those names are used. Put simply, V patterns catch the names of variables that are used in an unsuitable manner, for example every array of type char (<V1>) that is passed to strcpy() (<T1>) without its length being checked with strlen() (<F1>).

We also need to specify the directory we wish to analyse, that is, the location of the source code to be scanned.
The default directory can be changed by setting $default_directory in the cIFrex code.

[Screenshot: cIFrex directory]

To speed up the search we mark the languages we are interested in; this lets the script skip unneeded files during filtering.

 

[Screenshot: cIFrex langs]

Scanning of the files is started by pressing the button:

[Screenshot: cIFrex find]

Using the three kinds of regular expressions we build a filter that is checked against every indicated file. If all of its expressions are satisfied, the file is shown in the search results. This does not mean that the file is vulnerable to the given mistake: depending on the precision of the filter, the share of real findings among the hits may be only a few percent. The more detail the regular expressions carry, the higher the probability that a hit is a real error.

Let us analyse the following example in detail. It tries to find the name and size of a char array with pattern V1:

 

char.* (?<v1>\w+)\[(?<v2>.*)\]

 

Thanks to the variables <v1> and <v2> we find the name of the array and its size dynamically; these values help in building the subsequent expressions of type T and F. In this case expression T1 is:

 

(.*strcpy\(<v1>\,.*)

 

If a line that calls strcpy() with the array name <v1> is found in the given file, the condition is satisfied. Conditions of type F work the other way round: they are satisfied when the given expression does not appear anywhere in the code, for example the array name <v1> and the string NULL on one line, <v1>.*NULL.

 

[Screenshot: cIFrex example 1]

If all the expression logic is satisfied for a given file, cIFrex reports it like this:

 

[Screenshot: cIFrex example 2]

The example shows that cIFrex helped us find a risky use of strcpy(). Copying the pointer f2 into the array f2copy[1000] without checking its length strongly suggests a defect. cIFrex does not state that an error has occurred; it only helps to find risky programming habits.

 

[Screenshot: cIFrex example 3]

Another use of cIFrex is searching for dangerous uses of malloc(), realloc() or calloc(). Each of these functions returns NULL when it cannot allocate the requested block. If the returned value is not checked, a NULL pointer dereference can follow.

 

[Screenshot: cIFrex example 1]

[Screenshot: cIFrex example 2, search results]

[Screenshot: cIFrex example 3, example of bad usage of the *alloc() functions]

There are many other ways to use cIFrex. The more detailed the regular expression, the more accurate the search results.
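The filter logic described above, for both the char/strcpy() example and the *alloc() example, as an added worked example written for this page in Python. It is not cIFrex's own code: the V, T and F patterns of the strcpy() filter are the ones quoted on this page, while the *alloc() filter, the C snippets and the helper names (run_filter, scan, _bind, _matches) are constructed here. cIFrex filters are PCRE, so the example first translates the (?<v1>...) named-group syntax into the (?P<v1>...) form that Python's re module expects.

```python
import re


def _pcre_to_python(pattern):
    # cIFrex filters are PCRE, with named groups written (?<v1>...);
    # Python's re spells them (?P<v1>...). Lookbehinds (?<=, (?<!) are untouched.
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)


def _bind(pattern, values):
    # Substitute <v1>..<v3> with the values captured by the V pattern.
    # Escaping is our addition: a captured name is literal text, not regex syntax.
    def repl(m):
        name = m.group(1)
        if name not in values:
            raise KeyError(f"<{name}> was not captured by the V pattern")
        return re.escape(values[name])
    return re.sub(r"<(v[123])>", repl, pattern)


def _matches(pattern, values, source):
    return re.search(_pcre_to_python(_bind(pattern, values)), source) is not None


def run_filter(source, v, t=(), f=()):
    """Evaluate one filter against the text of one file.

    v: the V1 pattern (required); its named groups bind <v1>..<v3>.
    t: T patterns, each of which must match somewhere in the file.
    f: F patterns, none of which may match anywhere in the file.
    Returns a dict (line of the V match plus bound values) for every V match
    whose T and F conditions hold; an empty list means "file not reported".
    As in cIFrex, T and F are checked file-wide, not line by line.
    """
    v_re = re.compile(_pcre_to_python(v))
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in v_re.finditer(line):
            values = {k: x for k, x in m.groupdict().items() if x is not None}
            try:
                ok = (all(_matches(p, values, source) for p in t)
                      and not any(_matches(p, values, source) for p in f))
            except KeyError:
                continue  # this V match did not bind a variable that T/F use
            if ok:
                hits.append({"line": lineno, **values})
    return hits


def scan(files, filt):
    """Run one filter over {name: source} and return only the reported files,
    like the cIFrex result list. A reported file is a lead, not a finding."""
    return {n: h for n, src in files.items() if (h := run_filter(src, **filt))}


# Filter 1 (patterns quoted on this page): a char array written by strcpy()
# in a file that never calls strlen(). Classic buffer copy, CWE-120.
STRCPY_FILTER = dict(
    v=r"char.* (?<v1>\w+)\[(?<v2>.*)\]",
    t=(r"(.*strcpy\(<v1>\,.*)",),
    f=(r"strlen\(",),
)

# Filter 2 (constructed here): a pointer assigned from *alloc(), then indexed,
# dereferenced with -> or passed as a first argument, never tested for NULL.
# NULL pointer dereference, CWE-476.
ALLOC_FILTER = dict(
    v=r"(?<v1>\w+)\s*=\s*(?:m|c|re)alloc\(",
    t=(r"(?:<v1>\[|<v1>->|\(<v1>\s*,)",),
    f=(r"if\s*\(.*(?:<v1>\s*==\s*NULL|NULL\s*==\s*<v1>|!\s*<v1>)",),
)

# Constructed C inputs: a risky and a guarded variant for each filter.
UNCHECKED_STRCPY = """\
int copy(char *f2) {
    char f2copy[1000];
    strcpy(f2copy, f2);          /* no length check before the copy */
    return 0;
}
"""
CHECKED_STRCPY = """\
int copy(char *src) {
    char buf[64];
    if (strlen(src) < sizeof(buf))
        strcpy(buf, src);
    return 0;
}
"""
UNCHECKED_ALLOC = """\
char *dup_bytes(const char *src, size_t n) {
    char *buf = malloc(n);
    memcpy(buf, src, n);         /* buf may be NULL here */
    return buf;
}
"""
CHECKED_ALLOC = """\
char *dup_bytes(const char *src, size_t n) {
    char *buf = malloc(n);
    if (buf == NULL)
        return NULL;
    memcpy(buf, src, n);
    return buf;
}
"""
```

run_filter(UNCHECKED_STRCPY, **STRCPY_FILTER) reports line 2 with v1=f2copy and v2=1000, while the guarded variant yields nothing because strlen( appears in the file; the *alloc() filter behaves the same way for its two inputs. The file-wide F check is exactly the coarseness the page warns about: one strlen() anywhere in a file, even for an unrelated buffer, silences the strcpy() filter, and the absence of strlen() does not prove the copy is unchecked, since the length may have been validated by other means. The hits are leads to read by hand, not findings.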

 

[Screenshot: cIFrex example]
Remember:

- cIFrex helps to search for mistakes
- a search result does not guarantee the presence of a vulnerability
- the more exact the regular expression, the higher the probability that a hit is a vulnerability

 


Installation and system requirements

1. Create a secure environment: chroot, SSL, IP restriction and authentication.
2. Extract the source code to the destination directory.
3. Create a new database and import 'DATABASE.sql'.
4. Edit config.php and default_values.php.

To make full use of cIFrex you need an installed web server (www daemon) with PHP. Since version 3.0 an SQL database is also required.

Web server with PHP + SQL database


It is also advised to lift the PHP script limits:

- 'max_execution_time' to 0
- 'memory_limit' to 2048M (PHP shorthand for 2048 MB)

Both settings remove resource guards from a web-reachable script, one more reason to keep the instance restricted to trusted users as described under Security below.

Then download the latest version of the script and run it through the browser.

Example config.php:

    // Timezone
    date_default_timezone_set("CET");

    // Common Web Settings
    $url_config = "http://127.0.0.1/cifrex31/"; // URL of cIFrex
    $dir_config = "/path/to/cifrex/";           // full path to cIFrex

    // Database Config
    $cconfig['db_config']['host']     = "127.0.0.1";
    $cconfig['db_config']['database'] = "cifrex_database";
    $cconfig['db_config']['login']    = "name";
    $cconfig['db_config']['password'] = "secret";

    // Security: restrict the directory tree the scanner may access
    $cconfig['core']['internal_openbasedir'] = '/path/';

    // Email Sender Setting
    $cconfig['mail']['Name']  = "Robot cIFrex";     // sender's name
    $cconfig['mail']['email'] = "robot@cifrex.org"; // sender's e-mail address

Example default_values.php:

    $default['path']           = '/www/code/C/';        // default path to scan
    $default['nameOfJob']      = 'Scan '.date("U").''; // job name
    $default['credit']         = 'Anonymous';           // started by ...
    $default['email']          = 'r0b0t@cifrex.org';    // send results to
    $default['saveResult']     = "True";                // save result in db? {True,False}
    $default['debugLogCreate'] = "True";                // generate debugLog? {True,False}

Security:
cIFrex does not guarantee full security; with regular expressions supplied by users and run against local files that is not possible. Restrict access to cIFrex with LDAP or .htaccess, and remember SSL and chroot to protect your internal environment.
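One way to enforce the directory restriction that internal_openbasedir in config.php and the default_openbasedir directive (see the 1.1 changelog) express, as an added example in Python. It is not cIFrex's own code, and the page does not show how cIFrex applies the directive internally; the rule implemented here (the scan path must resolve inside the base directory, and an empty openbasedir falls back to the default directory) follows the page's description, while the function names and the temporary directory tree are assumptions made for the example.

```python
import os
import tempfile


def resolve_scan_root(requested, openbasedir, default_directory=""):
    """Return the canonical directory to scan, or raise ValueError when
    `requested` lies outside the allowed base.

    The base is openbasedir, or default_directory when openbasedir is empty
    (the fallback the page describes for default_openbasedir). realpath()
    collapses '..' and follows symlinks, so a link planted inside the tree
    that points outside it is rejected as well.  Assumed semantics, not
    cIFrex's implementation.
    """
    base = os.path.realpath(openbasedir or default_directory)
    if os.path.isabs(requested):
        target = os.path.realpath(requested)
    else:
        target = os.path.realpath(os.path.join(base, requested))
    # commonpath() compares whole path components: /www2 is not inside /www,
    # which a plain startswith() check would get wrong.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"{requested!r} resolves to {target}, outside {base}")
    return target


def is_allowed(requested, openbasedir, default_directory=""):
    try:
        resolve_scan_root(requested, openbasedir, default_directory)
        return True
    except ValueError:
        return False


def symlink_demo():
    """Build a throw-away tree <tmp>/www/phpbb plus <tmp>/www/escape -> /
    (constructed here) and report (inside_ok, dotdot_ok, symlink_ok)
    with openbasedir set to <tmp>/www."""
    with tempfile.TemporaryDirectory() as tmp:
        www = os.path.join(tmp, "www")
        os.makedirs(os.path.join(www, "phpbb"))
        os.symlink("/", os.path.join(www, "escape"))
        return (
            is_allowed("phpbb", www),          # inside the base
            is_allowed("phpbb/../..", www),    # climbs out with ..
            is_allowed("escape/etc", www),     # climbs out through a symlink
        )
```

symlink_demo() returns (True, False, False): the plain subdirectory is accepted, while both the '..' path and the symlink into / are refused, because the comparison is made on the resolved path rather than on the string the user typed.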

 


Download

Downloads: CodePlex section

Git trunk: # git clone https://github.com/kac89/cifrex3.git

-----------------------------------

Since version 2, cIFrex is hosted on CodePlex

Download the latest stable version of the code:

------------------ VERSION 4.x ------------------

In progress...

------------------ VERSION 3.x ------------------

14.02.2015 - 3.1 - cIFrex Release - Download

01.02.2015 - 3.0 - cIFrex Release - Download

------------------ VERSION 2.x ------------------

20.10.2013 - 2.0 - cIFrex Release - Download

------------------ VERSION 1.x ------------------

09.03.2013 - 1.5 - cIFrex Release - Download

ChangeLog:
- add 'Silent Mode'

02.01.2013 - 1.4 - cIFrex Release - Download

ChangeLog:
- modified default_directory directive
- fixed display of errors

20.11.2012 - 1.3 - cIFrex Release - Download

ChangeLog:
- added support for Java, JSP etc.
- fixed display of results (Kamil Uptas)
- optimized engine

16.05.2012 - 1.2 - cIFrex Release - Download

ChangeLog:
- fixes submitted by Kamil Uptas

30.04.2012 - 1.1 - cIFrex Release - Download

ChangeLog:
- added default_directory directive
   Default directory (default: /)
- added default_openbasedir directive
   Restricts the directory tree that may be scanned
   Example:
   $default_directory = /www/phpbb/
   $default_openbasedir = /www/
 
   or, if default_openbasedir is left empty,
 
   $default_directory = /www/phpbb/
   $default_openbasedir =
 
   default_openbasedir is then equal to default_directory

- added default_error directive
   [True/False]
- V1 is now required

24.04.2012 - 1.0 - cIFrex Release - Download

ChangeLog:
First official version


Common Weakness Enumeration (CWE)

cIFrex is fully compatible with the CWE program: each official filter carries a CWE identifier that leads to information about the kind of mistake and examples of its occurrence in other software. CXSecurity holds a CWE Compatible certificate for its product

World Laboratory of Bugtraq 2

CWE Compatible

so we also encourage you to use our dictionary, available at

http://cxsecurity.com/allcwe/

We continually try to keep the WLB2 database, and not only it, to a high standard.

We also encourage you to visit the official CWE site:

http://cwe.mitre.org/

cIFrex CVE and CWE support: search for a CVE or CWE identifier on cxsecurity.com


History

The idea for the program originated in 2010, during analysis of the libc code of the NetBSD system. While routinely using regular expressions with grep:

 

find . -name "*.c" | xargs grep -E '...'

 

I came upon the idea of optimising the use of regular expressions in code analysis. Within several days the first beta of the cIFrex script was born, working with at most six regular expressions. After some time I improved it to raise its efficiency, and at the beginning of 2011 the first version supporting up to nine regular-expression patterns was created. From that moment the program began to help me in research. The effects can be seen at:

http://cxsecurity.com/research_list/

For example, NULL pointer dereference mistakes in PHP were caught with cIFrex.

PHP 5.3.6 multiple null pointer dereference
http://cxsecurity.com/research/101

The program also helped to find many mistakes in recursion which, on detailed analysis, proved to be Resource Exhaustion vulnerabilities in the fnmatch() function of the C library on BSD-family systems. These translated into a way of hanging the Apache server remotely (mod_autoindex).

Multiple Vendors libc/fnmatch(3) DoS (incl apache)
http://cxsecurity.com/research/98

or a similar error in the vsftpd 2.3.2 daemon

vsftpd 2.3.2 remote denial-of-service
http://cxsecurity.com/research/95

These are not all the vulnerabilities I found with the help of cIFrex. In 2012 I decided to make the script public, hoping that the tool will be useful in the search for mistakes, or will at least convince others that knowledge of regular expressions pays off.

Remember, however, that filters do not guarantee finding a mistake; they only help to find it.
Do not count on large effects without hard work.

cIFrex version 2.0 has been available since 20 October 2013. Kacper Rybczynski joined the cIFrex Team; he developed version 2.0 and brought it to release.


Version 1

[Screenshot: cIFrex 1]

Version 2

[Screenshot: cIFrex 2]

[Screenshot: cIFrex 2]

Version 3

[Screenshot: cIFrex 3]


 

Authors

Maksymilian Arciemowicz

Kacper Rybczynski

Grzegorz Terlikowski

 


 

Licence

cIFrex is completely free. You can use, copy and modify it under the licences reproduced below: the BSD licence for versions 1 and 2, and the GNU GPL v3 for version 3. You can also become an author of cIFrex by porting it to a language other than PHP.

------------ Version 1 and 2 ---------------
Copyright (c) 2013, cIFrex TEAM
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright
  notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
  notice, this list of conditions and the following disclaimer in the
  documentation and/or other materials provided with the distribution.
* Neither the name of the CXSecurity nor the
  names of its contributors may be used to endorse or promote products
  derived from this software without specific prior written permission.

  THIS SOFTWARE IS PROVIDED BY cIFrex TEAM "AS IS" AND
  ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
  WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
  DISCLAIMED. IN NO EVENT SHALL MAKSYMILIAN ARCIEMOWICZ AND KACPER RYBCZYNSKI BE
  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
  ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
------------ Version 1 and 2 ---------------

------------ Version 3 ---------------  
    cIFrex Tool for Static Code Analysis
    Copyright (C) 2015 cIFrex Team

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see http://www.gnu.org/licenses/.
------------ Version 3 ---------------
    

cIFrex Team © 2015