Some tools may help you detect security problems before
you field the result.
If you're building a common kind of product where many standard
potential flaws exist (like an FTP server or firewall), you might
find standard security scanning tools useful.
One good one is
Nessus; there are many others.
Keep in mind that scanners of this kind probe a running system for
known flaws and misconfigurations; they will not find new flaws in
code you wrote yourself.
Of course, running a ``secure'' program on an insecure platform
configuration makes little sense;
you may want to examine hardening systems such as
Bastille available at
http://www.bastille-linux.org.

You may find some tools helpful for finding potential security flaws.
Here are a few:
ITS4 from Cigital (formerly Reliable Software Technologies, RST)
statically checks C/C++ code.
ITS4 works by performing
pattern-matching on source code, looking for patterns known to be
possibly dangerous (e.g., certain function calls).
Because the matching is lexical rather than a full analysis of the
program, it reports every use of a listed function whether or not that
particular call is actually unsafe, so expect some false positives and
plan to review each report by hand.
It is available free for non-commercial use, including its source code
and with certain modification and redistribution rights.
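To make concrete how a pattern-matching checker of this kind operates, here is an added example (not ITS4's code, and not derived from it): it blanks out comments and string literals, then reports every call to a function in a table of risky names. The table of functions, severities and advice is this example's own assumption rather than ITS4's database, and the C snippet it scans is constructed for the example.

```python
"""Lexical scan of C source for calls to risky library functions, the way a
pattern-matching tool such as ITS4 works.  Added example, not ITS4's code."""
import re

# Table of calls to flag.  The names are the usual suspects; the severity and
# advice columns are this example's own assumptions, not ITS4's database.
RISKY_CALLS = {
    "gets":     ("high",   "reads without a bound; use fgets"),
    "strcpy":   ("high",   "unbounded copy; use a bounded copy with the destination size"),
    "strcat":   ("high",   "unbounded append"),
    "sprintf":  ("high",   "unbounded formatted write; use snprintf"),
    "vsprintf": ("high",   "unbounded formatted write; use vsnprintf"),
    "system":   ("high",   "shell command; injection if any argument is untrusted"),
    "popen":    ("high",   "shell command; injection if any argument is untrusted"),
    "mktemp":   ("high",   "predictable temporary file name; use mkstemp"),
    "tmpnam":   ("medium", "predictable temporary file name"),
    "scanf":    ("medium", "check that every %s has a width"),
    "strncpy":  ("low",    "may leave the destination unterminated"),
}

# Comments and string/character literals are blanked out first so that text
# such as "strcpy" in a comment does not produce a report.  Newlines are kept
# so reported line numbers stay correct.
_SKIP = re.compile(
    r'/\*.*?\*/'              # block comment
    r'|//[^\n]*'              # line comment
    r'|"(?:\\.|[^"\\\n])*"'   # string literal
    r"|'(?:\\.|[^'\\\n])*'",  # character literal
    re.DOTALL)

# An identifier immediately followed by '(': a call (or a declaration, which a
# purely lexical tool cannot tell apart; one source of its false positives).
_CALL = re.compile(r'\b([A-Za-z_]\w*)\s*\(')


def blank_out(src):
    """Replace every non-newline character of a skipped region with a space."""
    return _SKIP.sub(lambda m: re.sub(r'[^\n]', ' ', m.group(0)), src)


def scan(src):
    """Return (line, function, severity, advice) for each risky call, in line order."""
    findings = []
    for lineno, line in enumerate(blank_out(src).splitlines(), 1):
        for m in _CALL.finditer(line):
            name = m.group(1)
            if name in RISKY_CALLS:
                severity, advice = RISKY_CALLS[name]
                findings.append((lineno, name, severity, advice))
    return findings


# Constructed input for the example; the comment, the string literal and the
# trailing line comment contain decoy names that must not be reported.
SAMPLE = r"""#include <stdio.h>
#include <string.h>

/* strcpy(buf, in) in a comment must not be reported */
void greet(const char *name)
{
    char buf[64];
    strcpy(buf, name);
    printf("hello %s\n", buf);
    puts("never call gets()");
}

int main(int argc, char **argv)
{
    char line[128];
    gets(line);
    if (argc > 1)
        system(argv[1]);   // system() here runs whatever the caller passed
    return 0;
}
"""

if __name__ == "__main__":
    for lineno, name, severity, advice in scan(SAMPLE):
        print("line %d: %s [%s] %s" % (lineno, name, severity, advice))
```

Run stand-alone it reports the strcpy, gets and system calls on lines 8, 16 and 18 of the sample and nothing for the decoys. Note what it cannot do: it does not know whether the destination of strcpy is actually large enough, or whether the argument to system is a constant, which is exactly why reports from a lexical tool need human review.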
One warning: the tool's licensing claims can be initially misleading.
Cigital claims that ITS4 is ``open source'' but, in fact, its license
does not meet the
Open
Source Definition (OSD).
In particular, ITS4's license fails point 6, which forbids
``non-commercial use only'' clauses in open source licenses.
It's unfortunate that Cigital insists on using the term
``open source'' to describe their license.
ITS4 is a fine tool, released under a
fairly generous license for commercial software, yet
using the term this way can give the appearance of a company
trying to gain the cachet of ``open source'' without actually
being open source.
Cigital says that they simply don't accept the OSD definition and
that they wish to use a different definition instead.
Nothing legally prevents this, but the OSD definition is used by
over 5000 software projects (at least all those hosted by SourceForge
at http://www.sourceforge.net),
Linux distributors, Netscape (now AOL), the W3C,
journalists (such as those of the Economist),
and many other organizations.
Most programmers don't want to wade through license agreements,
so using this other definition can be confusing.
I do not believe Cigital has any intention to mislead; they're
a reputable company with very reputable and honest people.
It's unfortunate that this particular position of theirs
leads (in my opinion) to unnecessary confusion.
In any case, ITS4 is available at
http://www.rstcorp.com/its4.

LCLint is a tool for statically checking C programs.
With minimal effort, LCLint can be used as a better lint.
If additional effort is invested adding annotations to programs,
LCLint can perform stronger checking than can be done by any standard lint.
The annotations are stylized comments (for example, marking a pointer
parameter /*@null@*/ or /*@notnull@*/) that state assumptions about the
code, which LCLint then checks for consistency across the program.
The software is licensed under the GPL and is available from
http://lclint.cs.virginia.edu.

BFBTester, the Brute Force Binary Tester, is licensed under the GPL.
This program does quick security checks of binary programs.
BFBTester performs checks of single and multiple argument
command line overflows and environment variable overflows.
Version 2.0 and higher can also watch for tempfile creation activity
(to check for using unsafe tempfile names).
At the time of this writing, BFBTester doesn't run on Linux due to
a technical issue in Linux's POSIX threads implementation, but this
may have changed by the time you read this.
More information is available at
http://my.ispchannel.com/~mheffner/bfbtester.

The fuzz program is a tool for testing other software.
It tests programs by bombarding the program being evaluated with random data.
This tool isn't really specific to security, but a crash on random
input (a segmentation fault, say) usually indicates a memory-safety bug,
and such bugs are often exploitable, so each crash it turns up deserves
investigation.
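The two dynamic techniques just described, BFBTester's oversized command-line arguments and environment variables and fuzz's random data on standard input, share one mechanism: run the target repeatedly, and treat death by signal as a finding. The following added harness (not the code of either tool) shows that mechanism. Because it needs something to test, it uses a constructed stand-in target, a Python one-liner that aborts when an argument, an assumed environment variable FUZZ_VAR, or its standard input is longer than a fixed buffer would allow; the argument position, variable name and length thresholds are all assumptions for the example.

```python
"""Brute-force and random-input testing of a program, in the spirit of
BFBTester (oversized arguments and environment variables) and fuzz
(random data on standard input).  Added example, not code from either tool."""
import os
import random
import subprocess
import sys


def run_once(argv, stdin_data=b"", env=None, timeout=10):
    """Run argv once.  Returns the number of the signal that killed the
    process, or None if it exited on its own (whatever its exit status)."""
    try:
        proc = subprocess.run(argv, input=stdin_data, env=env,
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return None          # a hang is worth a look too, but it is not a crash
    # On POSIX, subprocess reports death by signal N as return code -N.
    return -proc.returncode if proc.returncode < 0 else None


def overflow_args(argv, position, lengths=(256, 1024, 4096, 16384)):
    """BFBTester-style single-argument overflow: place a long string in
    argv[position] and record each length that crashes the target."""
    findings = []
    for n in lengths:
        test_argv = list(argv)
        while len(test_argv) <= position:
            test_argv.append("")
        test_argv[position] = "A" * n
        sig = run_once(test_argv)
        if sig is not None:
            findings.append(("argv[%d]" % position, n, sig))
    return findings


def overflow_env(argv, var, lengths=(256, 1024, 4096, 16384)):
    """Environment-variable overflow: run with `var` set to a long value."""
    findings = []
    for n in lengths:
        env = dict(os.environ)
        env[var] = "A" * n
        sig = run_once(argv, env=env)
        if sig is not None:
            findings.append((var, n, sig))
    return findings


def fuzz_stdin(argv, iterations=20, max_len=4096, seed=1):
    """fuzz-style: feed random bytes of random length on stdin.  A fixed
    seed makes the run reproducible so any crash can be replayed."""
    rng = random.Random(seed)
    findings = []
    for _ in range(iterations):
        data = bytes(rng.getrandbits(8) for _ in range(rng.randint(1, max_len)))
        sig = run_once(argv, stdin_data=data)
        if sig is not None:
            findings.append(("stdin", len(data), sig))
    return findings


# Constructed stand-in for a buggy binary (an assumption of this example): a
# Python one-liner that aborts, i.e. dies with SIGABRT, when its first
# argument, the FUZZ_VAR variable, or its stdin is longer than a pretend
# fixed-size buffer.  A real target would be the C binary you are shipping.
CRASHY_TARGET = [sys.executable, "-c",
    "import os, sys\n"
    "if len(sys.argv) > 1 and len(sys.argv[1]) > 1000: os.abort()\n"
    "if len(os.environ.get('FUZZ_VAR', '')) > 1000: os.abort()\n"
    "if len(sys.stdin.buffer.read()) > 512: os.abort()\n"]
# The target's own argv[1] is element 3 of the list above: [python, -c, code, arg].
TARGET_ARG_POSITION = 3


def report(argv=CRASHY_TARGET, arg_position=TARGET_ARG_POSITION, env_var="FUZZ_VAR"):
    """Run all three checks; return the combined (where, length, signal) list."""
    return (overflow_args(argv, arg_position)
            + overflow_env(argv, env_var)
            + fuzz_stdin(argv))


if __name__ == "__main__":
    for where, length, sig in report():
        print("crash: %s, length %d -> killed by signal %d" % (where, length, sig))
```

Against the stand-in target the argument and environment checks each report crashes at 1024, 4096 and 16384 bytes (signal 6, SIGABRT), and the stdin fuzzing reports a crash for every random input longer than 512 bytes. The same three functions can be pointed at any program by changing the argv list, the argument position and the variable name; a real run should also save each crashing input to disk so it can be replayed under a debugger.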