Some tools may help you detect security problems before
you field the result.
They can't find all such problems, of course, but they can help
catch problems that would overwise slip by.
Here are a few tools, emphasizing open source / free software tools.
One obvious type of tool is a program to examine the source code
to search for patterns of known potential security problems
(e.g., calls to library functions in ways are often the source
of security vulnerabilities).
These kinds of programs are called ``source code scanners''.
Here are a few such tools:
RATS (Rough Auditing Tool for Security)
from Secure Software Solutions is available at
http://www.securesw.com/rats.
This program scans C/C++ source code for common problems, and
is licensed under the GPL.
Flawfinder, which I"ve developed; it's available at
http://www.dwheeler.com/flawfinder.
This is also a program that scans C/C++ source code for common problems,
and is also licensed under the GPL.
Unlike RATS, flawfinder is implemented in Python.
The developers of RATS and Flawfinder have agreed to find a way to
work together to create a single ``best of breed'' open source program.
ITS4 from Cigital (formerly Reliable Software Technologies, RST)
also statically checks C/C++ code.
It is available free for non-commercial use, including its source code
and with certain modification and redistribution rights.
Note that this isn't released as ``open source'' as defined by the
Open
Source Definition (OSD) -
In particular, OSD point 6 forbids
``non-commercial use only'' clauses in open source licenses.
ITS4 is available at
http://www.rstcorp.com/its4.
LCLint is a tool for statically checking C programs.
With minimal effort, LCLint can be used as a better lint.
If additional effort is invested adding annotations to programs,
LCLint can perform stronger checking than can be done by any standard lint.
For example, it can be used to statically detect likely buffer overflows.
The software is licensed under the GPL and is available from
http://lclint.cs.virginia.edu.
cqual is a type-based analysis tool for finding bugs in C programs. cqual
extends the type system of C with extra user-defined type qualifiers,
e.g., it can note that values are ``tainted'' or ``untainted''
(similar to Perl's taint checking). The
programmer annotates their program in a few places, and cqual performs
qualifier inference to check whether the annotations are correct. cqual
presents the analysis results using Program Analysis Mode, an emacs-based
interface.
The current version of cqual can detect potential format-string
vulnerabilities in C programs.
A previous incarnation of cqual, Carillon,
has been used to find Y2K bugs in C programs.
The software is licensed under the GPL and is available from
http://www.cs.berkeley.edu/Research/Aiken/cqual.
Cyclone is a C-like language intended to remove C's security weaknesses.
In theory, you can always switch to a language that is ``more secure,''
but this doesn't always help (a language can help you avoid common mistakes
but it can't read your mind).
John Viega has
reviewed Cyclone, and in December 2001 he said:
``Cyclone is definitely a neat language.
It's a C dialect that doesn't feel like it's taking away any power,
yet adds strong safety guarantees, along with numerous features that
can be a real boon to programmers.
Unfortunately, Cyclone isn't yet ready for prime time.
Even with crippling limitations aside, it doesn't yet offer
enough advantages over Java (or even C with a good set of tools)
to make it worth the risk of using what is still a very young technology.
Perhaps in a few years, Cyclone will mature into a robust,
widely supported language that comes dangerously
close to C in terms of efficiency.
If that day comes, you'll certainly see me abandoning C for good.''
The Cyclone compiler has been released under the GPL and LGPL.
You can get more information from the
Cyclone web site.
Another approach is to create test patterns and run the program,
in attempt to find weaknesses in the program.
Here are a few such tools:
BFBTester, the Brute Force Binary Tester, is licensed under the GPL.
This program does quick security checks of binary programs.
BFBTester performs checks of single and multiple argument
command line overflows and environment variable overflows.
Version 2.0 and higher can also watch for tempfile creation activity
(to check for using unsafe tempfile names).
At one time BFBTester didn't run on Linux (due to
a technical issue in Linux's POSIX threads implementation), but this
has been fixed as of version 2.0.1.
More information is available at
http://bfbtester.sourceforge.net/
The
fuzz
program
is a tool for testing other software.
It tests programs by bombarding the program being evaluated with random data.
This tool isn't really specific to security.
There are a number tools that try to give you insight into running
programs that can also be useful when trying to find security problems
in your code.
This includes symbolic debuggers (such as gdb) and trace programs
(such as strace and ltrace).
A program you may not be familiar with is
Fenris (GPL license).
Its documentation describes Fenris as a
``multipurpose tracer, stateful analyzer and partial decompiler
intended to simplify bug tracking,
security audits, code, algorithm or protocol analysis -
providing a structural program trace, general information
about internal constructions, execution path,
memory operations, I/O, conditional expressions and much more.''
Another interesting program along these lines is Subterfugue.
If you're building a common kind of product where many standard
potential flaws exist (like an ftp server or firewall), you might
find standard security scanning tools useful.
One good one is
Nessus; there are many others.
These kinds of tools are very useful for doing regression testing,
but since they essentially use a list of past specific vulnerabilities
and common configuration errors,
they may not be very helpful in finding problems in new programs.
Often, you'll need to call on other tools to implement your secure
infrastructure.
The
Open-Source PKI Book
describes a number of open source programs for
implmenting a public key infrastructure (PKI).
Of course, running a ``secure'' program on an insecure platform
configuration makes little sense.
You may want to examine hardening systems, which attempt to configure
or modify systems to be more resistant to attacks.
For Linux, one hardening system is
Bastille Linux, available at
http://www.bastille-linux.org.