Secure Coding mailing list archives

Re: auditing


From: "Paco Hope" <bhope () cigital com>
Date: Mon, 03 May 2004 23:10:05 +0100

On 5/3/04 11:48 AM, "ljknews" <[EMAIL PROTECTED]> wrote:

At 10:04 AM -0500 5/3/04, jnf wrote:

Someone just suggested ctags, I've never heard of ctags or cscope- I will
look at them. I don't really know what I was looking for, I often find it
quite frustrating trying to keep track of what's going on across XX global
variables inside of XX internal functions, and so on

What you are looking for is a tool, and a debugger really is not it
(for a thorough job), since a debugger just deals with the current
active call, not all situations in which a subprogram might be called.

One commercial tool that I have had some reasonable success with is called
SourceInsight (http://www.sourceinsight.com/).  It builds a database of all
the function calls, variable definitions, macros, etc.  You can right click
on any variable, data structure, file, etc and click on things like "where
is this defined?" or "where is this called?"  If you're editing under a
Borland or Microsoft MFC environment, it also can import the system files to
help navigate dependencies on system calls.

They intend it to be a full-fledged code editor for development, but I've
never used it that way.  It's never going to replace emacs for me, and it
doesn't run native under MacOS X, either.  So if you're auditing Windows
code using a Windows box, it's highly relevant.  If you're auditing
UNIX-oriented code, it's a little less relevant.  You can copy the UNIX code
to a Windows box and run it, and you get many of the benefits.  You can run
it under VirtualPC on MacOS X, but it's a bit slow.

When I do source code audits of very large projects and I have to grok large
sets of intertwining code, this is a decent navigation tool.

Paco
-- 
Paco Hope, CISSP
Senior Software Security Consultant
Cigital, Inc. http://www.cigital.com/
[EMAIL PROTECTED] -- +1.703.404.5769
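The "where is this defined?" / "where is this called?" queries described above boil down to a cross-reference database built from the source. As an added example (not code from the post, and not SourceInsight's or ctags' own implementation), here is a small Python cross-referencer over two constructed C files: it records every top-level function and global definition, then lists each reference by file, line and enclosing function. Comments and string literals are blanked out first, so a global named in a comment or inside a string does not show up as a reference, which is exactly the false hit a plain grep produces when tracing globals through a large code base. The file names, identifiers and source text are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample sources standing in for a multi-file C project (not a real project).
SOURCES = {
    "config.c": """\
#include "config.h"

int debug_level = 0;          /* global: read by several functions */
char *log_path = "/tmp/app.log";

void set_debug(int level) {
    debug_level = level;
}
""",
    "net.c": """\
#include "config.h"

static int retries = 3;

int open_conn(const char *host) {
    if (debug_level > 1)
        log_msg("open_conn");
    return retries;
}

/* debug_level mentioned only in this comment */
int close_conn(int fd) {
    const char *s = "debug_level";   /* string literal, not a reference */
    return fd;
}
""",
}

# Block comments, line comments and string literals: blanked before indexing.
_NOISE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"', re.S)
# Top-level (column 0) function definition: "type name(args) {".
_FUNC_DEF = re.compile(
    r'^(?:static\s+)?[A-Za-z_]\w*(?:\s*\*+)?\s+\*?([A-Za-z_]\w*)\s*\([^;{]*\)\s*\{', re.M)
# Top-level (column 0) global variable definition: "type name;" or "type name = ...;".
_GLOBAL_DEF = re.compile(
    r'^(?:static\s+)?(?:const\s+)?[A-Za-z_]\w*\s+\*?([A-Za-z_]\w*)\s*(?:=[^;]*)?;', re.M)


def strip_noise(src):
    """Replace comments and string literals with spaces, keeping newlines so line numbers survive."""
    return _NOISE.sub(lambda m: re.sub(r'[^\n]', ' ', m.group(0)), src)


def line_of(text, pos):
    """1-based line number of character offset pos."""
    return text.count('\n', 0, pos) + 1


def function_extents(clean):
    """Return [(name, start_line, end_line)] for each function by matching its body braces."""
    extents = []
    for m in _FUNC_DEF.finditer(clean):
        depth, i = 0, m.end() - 1          # m.end()-1 is the opening brace
        while i < len(clean):
            if clean[i] == '{':
                depth += 1
            elif clean[i] == '}':
                depth -= 1
                if depth == 0:
                    break
            i += 1
        extents.append((m.group(1), line_of(clean, m.start()), line_of(clean, i)))
    return extents


def build_index(sources):
    """Build (definitions, references): name -> (file, line, kind) and name -> [(file, line, scope)]."""
    defs, refs = {}, defaultdict(list)
    cleaned = {f: strip_noise(s) for f, s in sources.items()}
    extents = {f: function_extents(c) for f, c in cleaned.items()}
    for f, c in cleaned.items():
        for name, start, _ in extents[f]:
            defs[name] = (f, start, 'function')
        for m in _GLOBAL_DEF.finditer(c):
            defs[m.group(1)] = (f, line_of(c, m.start()), 'global')
    # Every whole-word occurrence of a defined name, except its own definition line, is a reference.
    for name, (dfile, dline, _) in defs.items():
        pat = re.compile(r'\b%s\b' % re.escape(name))
        for f, c in cleaned.items():
            for m in pat.finditer(c):
                ln = line_of(c, m.start())
                if (f, ln) == (dfile, dline):
                    continue
                scope = next((n for n, s, e in extents[f] if s <= ln <= e), '<file scope>')
                refs[name].append((f, ln, scope))
    return defs, dict(refs)


def where_defined(index, name):
    """'Where is this defined?' -> (file, line, kind) or None."""
    return index[0].get(name)


def where_referenced(index, name):
    """'Where is this called/used?' -> [(file, line, enclosing function)]."""
    return index[1].get(name, [])


if __name__ == "__main__":
    index = build_index(SOURCES)
    for name, (f, ln, kind) in sorted(index[0].items()):
        print("%s (%s) defined at %s:%d" % (name, kind, f, ln))
        for rf, rl, scope in where_referenced(index, name):
            print("    used at %s:%d in %s" % (rf, rl, scope))
```

Running it lists `debug_level` as used in `set_debug` and `open_conn` only; the mention in the comment and the one inside the string literal in `close_conn` are correctly ignored. The column-0 heuristics are deliberately simple (no macros, no prototypes, no nested scopes), which is where a real indexer with a proper C parser earns its keep on a large audit.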
