Firewall Wizards mailing list archives

Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe)


From: Adam Shostack <adam () homeport org>
Date: Fri, 10 Aug 2001 17:48:42 -0400

ITS4, RATS, flawfinder, Lopht Slint, fuzz.

The immunix suite is worth looking at, as is David Wagner's thesis (I
don't think the code is available, but hey, sometimes it's worth
reading the paper, not the code.)

Static analysis and computer security: New techniques for software
assurance http://www.cs.berkeley.edu/~daw/papers/phd-dis.ps

Adam


On Wed, Aug 08, 2001 at 07:42:23AM -0700, Predrag Zivic wrote:
| Does anyone have a compiled list of code scanners? 
| I am interested in source code scanners, code
| scanners(binary?) and buffer overflow tools.
| 
| Any input would be greatly appreciated. I know about
| ITS4.
| 
| I am grateful forever for any info on this topic.
| 
| Pez
| 
| --- Darren Reed <darrenr () reed wattle id au> wrote:
| > In some email I received from Adam Shostack, sie
| > wrote:
| > > 
| > > Clearly, you don't understand my message.  If you
| > look at the tools I
| > > mentioned, you'll see that they are code scanners,
| > not vulnerability
| > > scanners.   A code scanner (ITS4, RATS) examines
| > the source code to an 
| > > app to find calls to dangerous functions, etc.
| > 
| > Ah yes, that was my fault.  I saw the word "scanner"
| > and immediately
| > thought of vulnerability scanner (not source code). 
| > Given that I now
| > have a better understanding of what you meant
| > (blinkers are off), I do
| > agree with the things you were saying.
| > 
| > [...]
| > > Regression testing only looks for bugs that have
| > been found before, to 
| > > ensure that you don't regress.
| > 
| > That is important.  Regression testing should also
| > ensure things continue
| > to work, as well as not work.
| > 
| > > Unit tests, in my experience, fall
| > > into two sets; those written by the engineer who
| > wrote the code, which 
| > > never find anything until the code is handed over
| > to someone else,
| > > because the engineer already dealt with the cases
| > that he wrote tests
| > > for, and those written by a junior QA guy, which
| > find fenceposts, and
| > > off-by-one and that sort of thing.  Neither tends
| > to find security
| > > flaws, unless you have a really unusual person
| > writing the tests.
| > 
| > Given my experience as a s/w engineer, I can say
| > that unless you have
| > someone else writing the tests, you're not likely to
| > find half the problems.
| > 
| > Testing absurd input, like passing strings with
| > linefeeds in them to
| > getpwnam() or making environment variables (where
| > used) 4K long with
| > junk content, etc, needs to become part of the
| > standard unit testing.
| > 
| > Darren
| > _______________________________________________
| > firewall-wizards mailing list
| > firewall-wizards () nfr com
| > http://list.nfr.com/mailman/listinfo/firewall-wizards
| 
| 

-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume


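Added example, not code from this thread or from any of the tools named in it: a small Python script in the spirit of the code scanners Adam describes (ITS4, RATS, flawfinder), which read C source and report calls to functions with a history of overflow and injection problems. It also handles the main false-positive source such scanners must deal with, a dangerous name that appears only inside a comment or a string literal. The function table, the advice text, and the sample C file are constructed for the illustration.

```python
"""Minimal ITS4/RATS/flawfinder-style scanner for calls to dangerous C
library functions.  Illustration only; not the code of any of those tools."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Hypothetical, deliberately short version of the table such scanners carry.
DANGEROUS_CALLS: dict[str, tuple[str, str]] = {
    "gets":    ("high",   "reads without a length bound; use fgets with sizeof(buf)"),
    "strcpy":  ("high",   "unbounded copy; use strlcpy/snprintf with the destination size"),
    "strcat":  ("high",   "unbounded append; use strlcat or track the remaining space"),
    "sprintf": ("high",   "unbounded formatting; use snprintf"),
    "scanf":   ("medium", "%s without a width limit overflows; give a width or use fgets"),
    "system":  ("medium", "shell injection if any argument is attacker-influenced"),
    "getenv":  ("low",    "environment values are untrusted and can be kilobytes long"),
}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# A call site: the name, optional whitespace, then '('.  The leading \b keeps
# my_strcpy( from matching; the trailing \( keeps strcpy_s( from matching.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, DANGEROUS_CALLS)) + r")\s*\(")


@dataclass
class Finding:
    line: int
    function: str
    severity: str
    advice: str
    code: str


def blank_comments_and_strings(src: str) -> str:
    """Overwrite comment bodies and string/char literal contents with spaces.
    Length and newlines are preserved so line numbers stay correct, and a
    'strcpy(' that only appears in a comment or a printf string is skipped."""
    out: list[str] = []
    i, n = 0, len(src)
    while i < n:
        if src.startswith("//", i):
            j = src.find("\n", i)
            j = n if j < 0 else j
            out.append(" " * (j - i))
            i = j
        elif src.startswith("/*", i):
            j = src.find("*/", i + 2)
            j = n if j < 0 else j + 2
            out.append("".join("\n" if c == "\n" else " " for c in src[i:j]))
            i = j
        elif src[i] in "\"'":
            quote, j = src[i], i + 1
            while j < n and src[j] != quote:
                j += 2 if src[j] == "\\" else 1   # skip escaped characters
            j = min(j, n)
            inner = "".join("\n" if c == "\n" else " " for c in src[i + 1:j])
            out.append(quote + inner + (quote if j < n else ""))
            i = j + 1
        else:
            out.append(src[i])
            i += 1
    return "".join(out)


def scan_source(src: str) -> list[Finding]:
    """Return one Finding per dangerous call site, highest severity first."""
    findings: list[Finding] = []
    original = src.split("\n")
    for lineno, line in enumerate(blank_comments_and_strings(src).split("\n"), 1):
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            severity, advice = DANGEROUS_CALLS[name]
            findings.append(Finding(lineno, name, severity, advice,
                                    original[lineno - 1].strip()))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.line))
    return findings


def format_report(findings: list[Finding], path: str = "<input>") -> str:
    """One compiler-style diagnostic per finding."""
    return "\n".join(
        f"{path}:{f.line}: [{f.severity}] {f.function}(): {f.advice}\n    {f.code}"
        for f in findings
    )


# Constructed sample input, written to exercise the comment and string filters.
SAMPLE_C = r'''#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* strcpy(buf, x) inside a comment must not be reported */
int main(int argc, char **argv) {
    char buf[64];
    char *home = getenv("HOME");
    strcpy(buf, argv[1]);                     /* unbounded: reported */
    printf("strcat(a, b) is only text\n");    /* string literal: skipped */
    snprintf(buf, sizeof buf, "%s", home);    /* bounded: not in the table */
    gets(buf);
    return 0;
}
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(format_report(scan_source(fh.read()), sys.argv[1]))
    else:
        print(format_report(scan_source(SAMPLE_C), "sample.c"))
```

Run it with a path to a C file, or with no argument to scan the embedded sample, which reports strcpy (line 9), gets (line 12) and getenv (line 8) and stays silent on the commented-out strcpy, the strcat inside a string literal, and the bounded snprintf. Like the real tools, this finds calls, not vulnerabilities: every hit still needs a human to check whether the arguments can actually be attacker-controlled, which is exactly the distinction between a code scanner and a vulnerability scanner drawn in the quoted exchange.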

