Source Code Analyzers

By Paladion

March 15, 2005

As early as 2002, Gartner research indicated that over 70% of successful attacks exploit application vulnerabilities. Yet looking at our own code for problems is often the last thing we do in security. Coding is hard enough, and writing secure code from the word go can seem an almost impossible task. There is, however, some good news: tools exist that automate part of that review.

Static code analyzers take the source code under test as input and check it against a built-in vulnerability database. The database lists functions and calls with known problems, patterns that indicate potential buffer overflows, possible SQL injection, and time-of-check to time-of-use (TOCTOU) and other race conditions.

Static code analyzers rely on lexical analysis to identify potential security issues. Lexical analysis takes an input string of characters (such as the source code of a program) and produces a sequence of symbols called lexical tokens, which a parser can handle more easily than raw text. The tokens and their context (for instance, the arguments passed to a call) can then be interpreted for vulnerable conditions, data privacy in objects, and risky function or method calls. Because comments and string literals become tokens of their own, a scanner can ignore a dangerous function name that merely appears inside a comment, which a plain text search cannot.

Output from a code scanner typically includes a brief description of each problem, a relative severity rating on a scale from no risk to most risky, an indication of what further analysis to perform whenever a particular function is found, and whether the function can receive input from an external source such as a file or socket.
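To make the mechanism of the last three paragraphs concrete, here is a toy lexical scanner in Python. It is an added example written for this page, not Paladion's, Flawfinder's or any vendor's code; the rule table, the risk levels and the C sample it scans are constructed for illustration. It tokenizes C source, drops comments, treats string literals as single tokens, checks every call against a small built-in database, uses the call's arguments as context (lowering the risk of a copy from a string constant, and reporting access() only when the same path is later passed to open()/fopen()), and emits the fields listed above: description, risk level and whether the function reads external input.

```python
"""Toy lexical source scanner in the style of Flawfinder/RATS (added example, not
Paladion's, Flawfinder's or any vendor's code; rules, levels and sample are constructed)."""
import re
from collections import namedtuple

# Built-in "vulnerability database": name -> (risk 1-5, description,
# reads external input?, index of the argument that is the data source, or None)
RULES = {
    "gets":    (5, "gets() never bounds its read; use fgets()", True, None),
    "strcpy":  (4, "strcpy() does not check the destination size; pass an explicit length", False, 1),
    "sprintf": (4, "sprintf() can overflow its buffer; use snprintf()", False, None),
    "system":  (4, "system() hands its argument to a shell; metacharacters become commands", False, None),
    "rand":    (3, "rand() is a weak PRNG; unsuitable for security-relevant values", False, None),
    "access":  (4, "access() followed by open() on the same path is a TOCTOU race", False, None),
}

Token = namedtuple("Token", "kind text line")
Finding = namedtuple("Finding", "line func level description reads_input")

# Lexer: comments, string literals, identifiers, then any other non-blank character
TOKEN_RE = re.compile(
    r'(?P<comment>//[^\n]*|/\*.*?\*/)'
    r'|(?P<string>"(?:\\.|[^"\\])*")'
    r'|(?P<ident>[A-Za-z_]\w*)'
    r'|(?P<other>\S)', re.DOTALL)

def tokenize(src):
    """Turn source text into tokens; comments are dropped, so text inside them
    can never trigger a rule (the advantage over a plain grep)."""
    toks = []
    for m in TOKEN_RE.finditer(src):
        if m.lastgroup == "comment":
            continue
        toks.append(Token(m.lastgroup, m.group(), src.count("\n", 0, m.start()) + 1))
    return toks

def call_args(toks, i):
    """toks[i] is the '(' opening a call; return (argument token lists, index of ')')."""
    depth, args, cur = 0, [], []
    for j in range(i, len(toks)):
        t = toks[j]
        if t.text == "(" and depth == 0:
            depth = 1
            continue
        depth += (t.text == "(") - (t.text == ")")
        if depth == 0:                          # matching ')': the call is complete
            return (args + [cur] if cur else args), j
        if t.text == "," and depth == 1:
            args.append(cur)
            cur = []
        else:
            cur.append(t)
    return args, len(toks)                      # unterminated call: report what we have

def toctou_pair(toks, start, path_arg, window=200):
    """Is the path checked by access() later handed to open()/fopen()?"""
    path = [t.text for t in path_arg]
    for j in range(start, min(start + window, len(toks) - 1)):
        if toks[j].kind == "ident" and toks[j].text in ("open", "fopen") and toks[j + 1].text == "(":
            args, _ = call_args(toks, j + 1)
            if args and [t.text for t in args[0]] == path:
                return True
    return False

def scan(src, minlevel=1):
    """Return findings at or above minlevel, most severe first."""
    toks = tokenize(src)
    findings = []
    for i, t in enumerate(toks):
        if t.kind != "ident" or t.text not in RULES or i + 1 >= len(toks) or toks[i + 1].text != "(":
            continue                            # not a call of a listed function
        level, desc, reads_input, source_arg = RULES[t.text]
        args, end = call_args(toks, i + 1)
        if t.text == "access":
            if not args or not toctou_pair(toks, end, args[0]):
                continue                        # no later open() of the same path: not a race
        elif (source_arg is not None and source_arg < len(args)
              and len(args[source_arg]) == 1 and args[source_arg][0].kind == "string"):
            level -= 2                          # copy from a string constant: lower, not zero, risk
            desc += " (risk lowered: source is a string constant)"
        if level >= minlevel:
            findings.append(Finding(t.line, t.text, level, desc, reads_input))
    return sorted(findings, key=lambda f: (-f.level, f.line))

# Constructed C input: each line exercises one behaviour of the scanner.
SAMPLE_C = r'''/* strcpy(dst, src) in a comment must not be reported */
int handle(char *input) {
    char buf[64], msg[32];
    strcpy(buf, input);            /* unbounded copy of caller data */
    strcpy(msg, "ready");          /* constant source: lower risk */
    sprintf(buf, "%s", input);
    printf("the text \"system(\" inside a string must not be reported\n");
    if (access(input, R_OK) == 0) {
        FILE *f = fopen(input, "r");   /* TOCTOU pair with access() */
    }
    return rand();
}'''

if __name__ == "__main__":
    for f in scan(SAMPLE_C, minlevel=2):
        print(f"sample.c:{f.line}: [{f.level}] {f.func}: {f.description}")
```

Run as a script it prints the five findings in the sample in descending risk order, with the strcpy() of a constant demoted to level 2; raising minlevel hides it, which is how the noise from a large code base is usually cut down before a manual review.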

Flawfinder
Flawfinder examines source code and reports possible security weaknesses sorted by risk level, so that a minimum level can be chosen to cut low-risk noise. It runs on Unix-like platforms and is open source under the GPL. It works from a built-in database of C/C++ functions with well-known problems, such as buffer overflow risks, shell metacharacter dangers and weak pseudo-random number generation. Other open source code scanners with similar features are RATS and CQual.

CodeAssure Workbench
CodeAssure Workbench performs on-demand, automated discovery and assessment of security vulnerabilities in application source code. Based on static analysis technologies and a knowledge base of security problems, it highlights insecure code during development. CodeAssure Workbench supports analysis of programs written in Java, C and C++.

Ounce Labs - Prexis
Prexis uses a contextual analysis engine to detect vulnerabilities in source code. Contextual analysis determines whether a given system call is truly vulnerable by examining the relationships between system calls, data elements, modules, processes and links. It can identify buffer overflows, race conditions, improper database access, cross-site scripting, denial of service, SQL injection, dynamic code vulnerabilities and more. It supports Java, JSP, C and C++ on both Windows and Linux.

Fortify - Audit Workbench
Fortify's Source Code Analysis Engine uses four specialized analyzers, each detecting a different kind of security vulnerability in its own area: data flow, semantic, control flow and configuration analysis. Together they provide broad security coverage for an application. It can scan C, C++, Java, JSP, PL/SQL and C#.

Finally, it is worth noting that source code scanners do not truly comprehend the semantics of the code. The lexical tools in particular do pattern matching against a list of known or probable issues, and even the data-flow engines only approximate program behaviour, so expect both false positives that need triage and real flaws that go unreported. The best approach to code security is, of course, a manual audit of the whole code base. Audits take a lot of time and money, though the payback is well worth the investment. Source code scanners complement security testing by detecting weaknesses early in the development life cycle, when they are cheapest to fix.

Links to Source Code Analyzers

  1. Flawfinder (C, C++)
  2. CodeAssure Workbench (Java, C, C++)
  3. Ounce Labs' Prexis (Java, JSP, C, C++)
  4. Fortify's Audit Workbench (Java, JSP, C, C++, C#, PL/SQL)
  5. RATS (C, C++, Perl, PHP, Python)
  6. ITS4 (C, C++)
