Message-ID: <467BF066.9010107@observed.de>
Date: Fri, 22 Jun 2007 17:53:10 +0200
From: Paul Sebastian Ziegler <psz@...erved.de>
To: full-disclosure@...ts.grok.org.uk
Subject: Static Code Analysis - Nuts and Bolts

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi list,

Due to personal interest, I'd like to ask for your opinion regarding best
practices for static code analysis.
I guess most of us are accustomed to this method. After all - if you
want to find a vulnerability, that basically means that either luck,
fuzzing or static analysis will have something to do in the process.

Now static analysis of many languages can be quite fun. Take PHP and
Python for example. You can mostly read the code like a book and mark
down interesting passages to further analyze later on. Grep and a good
editor are about all we need.

However, other languages often tend to become really nasty. Let's say we
want to analyze a 2MB C-source split up into several thousand files.
"cat * | grep strcpy" will most probably return about a hundred results.
I just did a lot of static analysis lately and sometimes it took me more
than half an hour to trace back _one_ of the strcpy()-calls and check if
the copied bits could be controlled in some way.

Of course not every dangerous call takes this long to check (also I
might be a little slow), however I think that you all know what I'm
talking about here.

So after not having slept for about a week I started to search for tools
to ease working on my projects. (Yes, I did drop my plans of auditing
2MB C-sources using only vim and grep...)
Now this is where I'd like to open up an exchange on best practices and
tool-combinations.
What program(s) do you use in static code analysis? It doesn't matter if
you are a hardcore grep+editor researcher or if you use complex
frameworks: Tell me (and also the rest of the list) about it.

I took a quick look at flawfinder and rats. However they do nothing that
grep couldn't accomplish as well. For browsing the code and finding
references to functions or declarations of variables I am currently
using redhat's source-navigator.
It is by no means perfect and has been unmaintained for a while -
however it is still a great help.
That is just my two cents.

Any remarks/hints/ideas/concepts/nuts would be greatly appreciated by me
as well as a lot of other people interested in the matter. (At least I
hope so.)

So please share your knowledge.

Many Greetings
Paul
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGe/BlaHrXRd80sY8RCgUSAJ9Y9+LCr4hZ1vs6gOrZHa6O9Wv91wCgypM9
1fxdotQfIdgcpXJg9RAP0xs=
=ni/j
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
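The triage the post describes, grepping a large C tree for strcpy() and then checking whether the copied bytes can reach a fixed-size buffer, is the part a small script can take off a reviewer's plate before the manual data-flow tracing starts. The following Python script is an added example; it is not code from the original post, from the Full-Disclosure list, or from any tool the post names (flawfinder, rats, source-navigator). It runs on a constructed C sample embedded in the script, and its heuristics are deliberately simple and labelled as such in the comments: destination buffer sizes are collected from `char name[N]` declarations file-wide rather than per scope, and only plain string literals are measured. Its value over `grep strcpy` is that each hit comes back pre-sorted into "provably fits", "provably overflows", and "needs a human to trace the source".

```python
import re
from dataclasses import dataclass

# Constructed C sample for the demo; not taken from the original post.
SAMPLE_C = r'''
#include <string.h>
#include <stdio.h>

char global_name[32];

void greet(const char *user) {
    char buf[16];
    strcpy(buf, "hello");
    strcpy(buf, user);
    strcpy(global_name, user);
    snprintf(buf, sizeof(buf), "%s", user);
}

void banner(void) {
    char line[8];
    strcpy(line, "a string that is far too long");
    sprintf(line, "%s", getenv("HOME"));
}
'''

# Unbounded copy/format routines that plain grep would also find.
DANGEROUS = ("strcpy", "strcat", "sprintf", "gets")
DECL_RE = re.compile(r'\bchar\s+(\w+)\s*\[\s*(\d+)\s*\]')
CALL_RE = re.compile(r'\b(' + '|'.join(DANGEROUS) + r')\s*\(')

@dataclass
class Finding:
    line: int
    func: str
    dest: str
    source: str
    verdict: str

def split_args(text, start):
    """Split the argument list that begins at index `start` (just past the
    opening parenthesis) at top-level commas. String literals are copied
    verbatim so commas inside them do not split, and nested calls keep
    their own parentheses. Returns (args, index_of_closing_paren)."""
    depth, cur, args, i = 0, [], [], start
    while i < len(text):
        c = text[i]
        if c == '"':                      # copy a string literal whole
            j = i + 1
            while j < len(text) and text[j] != '"':
                if text[j] == '\\':
                    j += 1
                j += 1
            cur.append(text[i:j + 1])
            i = j + 1
            continue
        if c == '(':
            depth += 1
        elif c == ')':
            if depth == 0:
                args.append(''.join(cur).strip())
                return args, i
            depth -= 1
        elif c == ',' and depth == 0:
            args.append(''.join(cur).strip())
            cur = []
            i += 1
            continue
        cur.append(c)
        i += 1
    return args, i

def literal_len(arg):
    """Bytes needed to store a plain C string literal including the NUL,
    or None if `arg` is not a single literal. Simplification: each
    backslash escape counts as one byte (no octal/hex escapes)."""
    m = re.fullmatch(r'"((?:[^"\\]|\\.)*)"', arg)
    if not m:
        return None
    return len(re.sub(r'\\.', 'x', m.group(1))) + 1

def audit(src):
    """One Finding per dangerous call, classified by what the declared
    destination size decides statically. Simplification: buffer names
    are collected file-wide, not per function scope."""
    sizes = {name: int(n) for name, n in DECL_RE.findall(src)}
    findings = []
    for m in CALL_RE.finditer(src):
        func = m.group(1)
        args, _ = split_args(src, m.end())
        line = src.count('\n', 0, m.start()) + 1
        dest = args[0] if args else ''
        source = args[-1] if len(args) > 1 else ''
        size = sizes.get(dest)
        lit = literal_len(source)
        if func == 'gets':
            verdict = 'never safe: unbounded read'
        elif size is None:
            verdict = 'unknown destination size: trace manually'
        elif func == 'sprintf':
            verdict = f'format write into {size}-byte buffer: review'
        elif func == 'strcat':
            verdict = f'append into {size}-byte buffer: check current length'
        elif lit is not None:
            verdict = ('literal fits' if lit <= size
                       else f'literal overflow: {lit} bytes into {size}')
        else:
            verdict = f'variable source into {size}-byte buffer: trace source'
        findings.append(Finding(line, func, dest, source, verdict))
    return findings

if __name__ == '__main__':
    for f in audit(SAMPLE_C):
        print(f'line {f.line}: {f.func}({f.dest}, {f.source}) -> {f.verdict}')
```

Run it directly to see the five hits from the sample; `snprintf` is correctly skipped. To point it at a real tree, read each `.c` file into `audit()` and sort the findings by verdict so the "trace source" and "overflow" entries come first. The "literal fits" bucket is the one the half-hour manual check can skip entirely; everything marked "trace source" still needs the data-flow work the post describes, and the file-wide size table means a buffer name reused with different sizes in two functions must be resolved by hand.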
