I have been trying to detect hard coded passwords in source code files.

Currently I am checking variable assignments and comparisons for identifiers with a sub-string matching password or pswd.

But it is leading to lots of false positives, like in this case (reading passwords from a config file):

String PASSWORD_KEY = "server.password";
String password = prop.getProperty(PASSWORD_KEY);

I can flag some sub-strings like Key, location, path for which I can skip the error generation, but apart from this I cannot think of a better approach.

All suggestions are appreciated.

Mrinal Ahlawat
  • Maybe it is too broad, but a nice question.... Do you want it to be universal, or do your passwords have some pattern (I mean, `UPPERCASE`, `LOWERCASE`, `SYMBOLS` mandatory)? – Jordi Castilla Dec 16 '15 at 09:43
  • @JordiCastilla I want something that might work across different code bases. The current checks I have imposed do matching irrespective of case. I have been reading and trying to make it more generic so as to cater to different coding styles. – Mrinal Ahlawat Dec 16 '15 at 09:46
  • So if it's decided that all hard coded passwords would be a **String Type**, I think you can search the code base for all hard coded Strings with the regular expression "*", then you can filter passwords out of it. – Sabir Khan Dec 16 '15 at 09:52
  • @Sabir_Khan Currently it is not just String Type, but even if it was, the main challenge is to filter passwords out of those hard coded Strings. Any insights on the same? – Mrinal Ahlawat Dec 16 '15 at 09:54
  • Actually, if your passwords can be any word, it is not possible; your passwords must match some pattern or your app won't be able to discriminate them. – Jordi Castilla Dec 16 '15 at 09:55
  • @JordiCastilla I do understand that it's an open ended challenge, but I am trying to get it to flag as many flaws as it can without generating any false positives. – Mrinal Ahlawat Dec 16 '15 at 09:58
  • But how do you know whether `String secret = "apple"` or `String myString = "k$%&crde46"` is a password or not? Variable names are not a good idea; you can only search by string patterns. – Jordi Castilla Dec 16 '15 at 10:02
  • I guess what you need is the domain of some specialized software in the code audit domain. Manually searching for literals with regex & patterns and then manually filtering out seems to be the way if you are not using any software. – Sabir Khan Dec 16 '15 at 10:05
  • @JordiCastilla The variable name was one of the first things that struck me. Passwords in general would not hold any particular pattern (if generated randomly, personal information, etc.). How do you suggest going about it? – Mrinal Ahlawat Dec 16 '15 at 10:05
  • @Sabir_Khan I am currently using Understand to do the basic parsing for me and calling its API to set the specific rules that I can think of. Apart from the naive implementation (similar to the one I have implemented) in FindBugs I could not find any other auditing software/approach for the same. – Mrinal Ahlawat Dec 16 '15 at 10:07
  • Also remember that passwords should not be saved as a String. Use a char[] instead (http://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords-in-java). – Tom Cools Dec 16 '15 at 14:21
  • @TomCools Thanks for that, but it is not relevant to this topic. – Mrinal Ahlawat Dec 17 '15 at 06:57
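A heuristic scanner along the lines of the checks discussed in the question and comments, as an added example (not code from the original post; the identifier lists, the config-key regex and the sample Java lines are assumptions constructed for illustration). It keeps the identifier match but adds three filters aimed at the false positive shown: the value must be a string literal, the identifier must not end in a reference-like suffix such as Key or path, and the literal must not itself look like a configuration key or a placeholder.

```python
import re

# Identifiers that suggest a credential (the question's password/pswd check, widened).
CREDENTIAL_NAME = re.compile(r"passw(or)?d|pswd|pwd|secret", re.IGNORECASE)
# Suffixes meaning the variable names a *reference* to a credential, not the value.
REFERENCE_NAME = re.compile(r"(key|name|path|location|file|prompt|label|field)$", re.IGNORECASE)
LITERAL = r'"((?:[^"\\]|\\.)*)"'  # Java string literal, escapes allowed (capture group 2 below)
# `ident = "..."`, `ident == "..."` and `ident.equals("...")`
ASSIGN_OR_EQ = re.compile(r"\b([A-Za-z_]\w*)\s*==?\s*" + LITERAL)
EQUALS_CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\.equals\(\s*" + LITERAL + r"\s*\)")
# Literals that look like configuration keys, e.g. "server.password" (assumed format).
CONFIG_KEY = re.compile(r"^[A-Za-z_][\w-]*(?:\.[\w-]+)+$")


def looks_like_reference(name, value):
    """True when the identifier/literal pair refers to a credential instead of holding one."""
    if REFERENCE_NAME.search(name):
        return True
    # Dotted property keys and ${PLACEHOLDER} templates are resolved at runtime.
    return bool(CONFIG_KEY.match(value)) or value.startswith("${")


def find_hardcoded_credentials(source):
    """Return (line number, identifier, literal) for each suspected hard-coded credential."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith(("//", "/*", "*")):  # comment-only lines
            continue
        for pattern in (ASSIGN_OR_EQ, EQUALS_CALL):
            for name, value in pattern.findall(line):
                if not CREDENTIAL_NAME.search(name):
                    continue  # identifier does not suggest a credential
                if not value or looks_like_reference(name, value):
                    continue  # empty literal, key-like name, config key or placeholder
                findings.append((lineno, name, value))
    return findings


# Constructed sample input modelled on the question's false positive.
SAMPLE_JAVA = """\
String PASSWORD_KEY = "server.password";           // key name, not a secret
String password = prop.getProperty(PASSWORD_KEY);  // read at runtime, no literal
String passwordPrompt = "Enter password:";        // UI text
String dbPassword = "hunter2";                     // hard-coded credential
if (pwd.equals("s3cr3t!")) { grant(); }            // compared against a literal
String secret = "${DB_SECRET}";                    // substituted at deploy time
"""

if __name__ == "__main__":
    for lineno, name, value in find_hardcoded_credentials(SAMPLE_JAVA):
        print(f"line {lineno}: {name} = {value!r}")
```

Run stand-alone it reports only lines 4 and 5 of the sample; the two `continue` filters are where a real tool would add further exclusions (test fixtures, documentation strings) to push the false-positive rate down.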

1 Answer

Real-world cases of hidden backdoors teach that the code is typically far more obscured than to use a variable name that indicates the purpose.

So to get to something foolproof, you'd need to do a full static analysis and have "intelligence" in the code checker to understand the code, find where the authentication happens, and then work backwards to verify there are no hidden ways to achieve this.

IMHO it's cheaper to hire somebody to do (security) code reviews than to try to automate this.