Penetration Testing mailing list archives

RE: code analysis


From: "Aleksander P. Czarnowski" <alekc () avet com pl>
Date: Mon, 20 Jun 2005 22:28:28 +0200

Hi,

Every programmer can produce insecure code in any programming language. This is starting to be addressed by vendors who 
supply programmers with safe versions of popular libraries and compiler generated safeguards (like stack protection for 
example in Immunix, ProPolice and MS VC.NET). Secondly if the user can somehow supply input data to application then 
this is the area of code that can be vulnerable and needs to be analyzed. Things like insecure handling of files or use 
of high privileges, storing passwords in clear text in memory can be implemented in basically any language so Delphi 
and Modula-2 are no exception here. While I never touched Modula, Delphi/Pascal can be vulnerable to buffer overflows if 
you are interested in this particular class of vulnerabilities; basically just look at memory management for variables 
to know if particular language is vulnerable to buffer overflows or not. 

I am not aware of any static scanning tool like RATS or ITS4 that provides support for Delphi or Modula-2 however it 
should be quite easy in case of RATS and flawfinder to add such support - thanks to Python you can do it in one night 
probably. However you need to know programming language to design scanning rules for it. 

If you don't know those languages then your next best bet might be dynamic analysis of binary form. Both Delphi and 
Modula-2 are compilers so simply look at native code generated by those tools and try to do assessment at this level. 
At the end both languages need to use system API at some point so you can use it as your starting point. Keep in mind 
however that - as far as I remember - Borland compilers are not always using typical Win32 API for certain windows 
related operations. I think Delphi MessageBox is one of such examples.

Best Regards,
Aleksander Czarnowski
AVET INS



-----Original Message-----
From: huber_geo () hotmail com [mailto:huber_geo () hotmail com]
Sent: Monday, June 20, 2005 4:58 PM
To: pen-test () securityfocus com
Subject: code analysis


Hello,

In addition to doing security audits for my clients, 
I occasionally am asked to do code reviews for 
products my clients are thinking of using.  Normally 
the code is in C, asm or C++ which I have no 
problem with.  However, the most recent code base 
I have been tasked to review has substantial parts 
written in Borland Delphi and Modula-2 which I have 
no experience with.  So I am looking for leads for 
the following questions:

1) what are the security vulnerabilities associated 
   with each of the above languages.  For example, 
   do these languages have the potential for 
   buffer overflows?

2) are there any auditing tools (ala RATS or 
   flawfinder) for these languages.

Thanks for your help.  Additionally, if this is 
not an appropriate forum for these questions, 
could you direct me to a better one?

thanks,
George Huber
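
The reply above suggests that flawfinder-style scanning rules for Delphi could be written quickly in Python. The sketch below is an added example, not part of either message and not code from RATS or flawfinder: a small lexical scanner that flags Delphi RTL routines which write to memory without a destination size, plus the `{$R-}` directive that switches off compiler range checks. The rule set, messages and sample unit are constructed for illustration.

```python
import re

# Constructed rule set for this example (not taken from RATS or flawfinder):
# Delphi RTL routines that write to memory without knowing the destination size.
RULES = {
    "strcopy":  "unbounded PChar copy; StrLCopy takes a maximum length",
    "strcat":   "unbounded PChar append; StrLCat takes a maximum length",
    "strpcopy": "copies a string into a PChar buffer with no length limit",
    "move":     "raw memory copy; Count is not checked against Dest",
    "fillchar": "raw memory fill; Count is not checked against the buffer",
}
# A call by bare name; "Items.Move(" (a method) and "MoveTo(" are not matched.
CALL = re.compile(r"(?<![\w.])(" + "|".join(RULES) + r")\s*\(", re.IGNORECASE)
# {$R-} or {$RANGECHECKS OFF} disables compiler-generated range checks.
RANGE_OFF = re.compile(r"\{\$(R-|RANGECHECKS\s+OFF)[\s,}]", re.IGNORECASE)
# Comments ({..}, (*..*), //..) and 'string literals', which must not be scanned.
NOISE = re.compile(r"\{.*?\}|\(\*.*?\*\)|//[^\n]*|'(?:[^'\n]|'')*'", re.DOTALL)

def scan(source):
    """Return sorted (line, rule, message) findings for Delphi source text."""
    findings = []
    def blank(m):
        # Compiler directives share the {...} syntax, so check before discarding.
        if RANGE_OFF.match(m.group(0)):
            line = source.count("\n", 0, m.start()) + 1
            findings.append((line, "range-checks-off", "range checking disabled"))
        return re.sub(r"[^\n]", " ", m.group(0))  # keep offsets and newlines
    code = NOISE.sub(blank, source)
    for m in CALL.finditer(code):
        name = m.group(1).lower()
        findings.append((source.count("\n", 0, m.start()) + 1, name, RULES[name]))
    return sorted(findings)

# Constructed Delphi input: one real finding per rule type, the rest are decoys.
SAMPLE = """unit Demo;
{$R-}
procedure Save(Name: PChar);
var Buf: array[0..15] of Char;
begin
  // StrCopy(Buf, Name) is only a comment
  StrCopy(Buf, Name);
  WriteLn('Move(a, b, c)'); { FillChar(x) } Items.Move(0, 1);
  StrLCopy(Buf, Name, SizeOf(Buf) - 1);
end;
"""

if __name__ == "__main__":
    for line, rule, msg in scan(SAMPLE):
        print(f"line {line}: {rule}: {msg}")
```

Like RATS and flawfinder, this is purely lexical: a hit marks a call site for manual review and does not by itself establish that the buffer can be overrun.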

