On Feb 12, 2008 1:40 PM, Randall R Schulz wrote:
On Tuesday 12 February 2008 10:24, Anders Johansson wrote:
On Saturday 09 February 2008 04:01:23 Aaron Kulkis wrote:
grep -e "strcmp(\| gets(\|strcat(" *.c *.h
And how many do you think are in the habit of doing that regularly on their source repositories?
Most security vulnerabilities you see reported have been in the code for a moderately long time. There are far more problematic functions than the ones you describe, and grepping for them all is simply not done on a regular basis. But ok, how's this then
buffer_size = 10
char buffer[10];
strncat(buffer, things_read_from_the_net, buffer_size);
and then someone does s/buffer_size = 10/buffer_size = 1000/
grep for that
Obviously, purely textual analysis cannot discover this sort of thing. But if you apply language-oriented analysis, you can pick up a lot more.
Users of JetBrains' (née IntelliJ) IDEA have some notion of just how sophisticated static analysis can be.
Naturally, it cannot catch every bug (nor solve the halting problem, for that matter), but it does help.
Anders
Randall Schulz
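As an added example (not part of the thread), a small Python checker that contrasts the grep from the thread with a symbol-aware check on the quoted strncat snippet: it resolves buffer_size and the declared array size and flags the call, which the grep never matches. The sample source and the name things_read_from_the_net come from the mail; the regex-based checker itself is illustrative and assumes a constant assigned once in the same file.

```python
import re

# Constructed sample mirroring the snippet quoted in the thread, and the
# same code after the s/buffer_size = 10/buffer_size = 1000/ edit.
BEFORE = """\
int buffer_size = 10;
char buffer[10];
strncat(buffer, things_read_from_the_net, buffer_size);
"""
AFTER = BEFORE.replace("buffer_size = 10", "buffer_size = 1000")

# The textual search from the thread, as a Python regex: it never matches
# strncat, so it reports nothing on either version of the snippet.
GREP_PATTERN = re.compile(r"strcmp\(| gets\(|strcat\(")

ASSIGN = re.compile(r"\b(\w+)\s*=\s*(\d+)\s*;")          # name = 10;
ARRAY = re.compile(r"\bchar\s+(\w+)\s*\[\s*(\d+)\s*\]")   # char name[10]
STRNCAT = re.compile(r"\bstrncat\s*\(\s*(\w+)\s*,[^,]+,\s*(\w+)\s*\)")


def grep_hits(source):
    """Lines the grep -e pattern from the thread would print."""
    return [ln for ln in source.splitlines() if GREP_PATTERN.search(ln)]


def check_strncat(source):
    """Relate each strncat bound to the declared size of its destination.

    Returns (line_number, dest, dest_size, bound) for every call whose bound
    cannot fit: strncat writes up to `bound` bytes plus a terminating NUL, so
    even into an empty array the bound must be smaller than the array size.
    This is a necessary condition only; strlen(dest) at run time shrinks the
    real room further.
    """
    consts = {m.group(1): int(m.group(2)) for m in ASSIGN.finditer(source)}
    arrays = {m.group(1): int(m.group(2)) for m in ARRAY.finditer(source)}
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in STRNCAT.finditer(line):
            dest, bound = m.group(1), m.group(2)
            if dest not in arrays:
                continue  # destination is not a fixed-size array we can see
            n = int(bound) if bound.isdigit() else consts.get(bound)
            if n is None:
                continue  # bound is not resolvable from the source
            if n + 1 > arrays[dest]:
                findings.append((lineno, dest, arrays[dest], n))
    return findings


if __name__ == "__main__":
    for label, src in (("before", BEFORE), ("after", AFTER)):
        print(label, "grep:", grep_hits(src), "check:", check_strncat(src))
```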
I believe the Coverity Checker is still being used for free to evaluate the Linux Kernel: http://www.coverity.com/html/press_story03_12_14_04.html
Not sure if they also scan user space tools.
Greg Freemyer