Verifier provides a bundle of open source code-verification tools that let you look for vulnerabilities in source code you own.
splint: Security Programming Lint provides annotation-assisted lightweight static checking of C programs for security vulnerabilities and coding mistakes. With minimal effort, Splint can be used as a better lint. If additional effort is invested adding annotations to programs, Splint can perform stronger checking than can be done by any standard lint. To run splint on a C program use:
/usr/local/Verifiers/splint [program-name]
flawfinder: Flawfinder is a program that examines source code and reports possible security weaknesses ("flaws") sorted by risk level. It's very useful for quickly finding and removing at least some potential security problems before a program is widely released to the public. To run it, type:
/usr/local/Verifiers/flawfinder [directory_with_source_code]
PScan: PScan is a limited-scope scanner for C source files that looks for problematic uses of printf-style functions, such as format strings supplied from variables rather than literals. To run it, type:
/usr/local/Verifiers/pscan [program-name]
rats: Rough Auditing Tool for Security (RATS) is an open source tool developed and maintained by Secure Software security engineers. RATS scans C, C++, Perl, PHP and Python source code and flags common security-related programming errors such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions. To run RATS:
cd /usr/local/Verifiers/rats
rats -w 3 -i -l LANG -d rats-LANG.xml [program-name]
where LANG is any of c, perl, php, python
Verifier is NOW available
Program-verification technology that looks for security flaws produces many false positives, that is, warnings for which no real error exists. Its output should be viewed more as a guide to where a program deserves closer inspection than as an indicator of program errors. For example, some mathematically verified programs produce voluminous warnings that, once checked, lead nowhere.
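The following is an added example, not code from the Verifier bundle or from any of the tools listed above. It shows, in plain C, the two kinds of construct that PScan, flawfinder and RATS most commonly report (a printf-style call whose format string comes from data, and an unbounded strcpy), how each is written so that the warning no longer applies, and one case that the tools still flag even though the code is safe, which is the false-positive situation described above. The function names, the BUF_LEN constant and the sample inputs are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hardened replacement for the construct PScan and flawfinder flag:
 * a printf-style call whose format string is a variable. Here the
 * format is a literal and the untrusted text is only ever a %s
 * argument, so a '%' inside 'untrusted' is copied, never interpreted.
 * Returns 0 on success, -1 if the message did not fit in dst. */
int format_message(char *dst, size_t dst_len, const char *untrusted)
{
    int n = snprintf(dst, dst_len, "message: %s", untrusted);
    if (n < 0 || (size_t)n >= dst_len)
        return -1;              /* truncated: caller must not treat dst as complete */
    return 0;
}

/* A typical false positive: flawfinder and RATS report every strcpy()
 * as a potential buffer overflow, but this call is guarded by an
 * explicit length check, so the warning leads nowhere. A reviewer still
 * has to read the function to establish that. Returns 0 or -1. */
int copy_checked(char *dst, size_t dst_len, const char *src)
{
    size_t len = strlen(src);
    if (len + 1 > dst_len)
        return -1;
    strcpy(dst, src);           /* flagged by the tools; safe because of the check above */
    return 0;
}

/* The same job written so that no flagged function appears at all:
 * the copy length is derived from the source and checked against the
 * destination size, and the terminator is copied explicitly. */
int copy_bounded(char *dst, size_t dst_len, const char *src)
{
    size_t len = strlen(src);
    if (dst_len == 0 || len + 1 > dst_len)
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

#define BUF_LEN 32              /* constructed buffer size for the demo */

int main(void)
{
    char buf[BUF_LEN];
    /* Constructed sample input containing a '%' that must not be
     * interpreted as a conversion specification. */
    const char *sample = "100% done";

    if (format_message(buf, sizeof buf, sample) == 0)
        printf("%s\n", buf);    /* prints: message: 100% done */

    if (copy_checked(buf, sizeof buf, sample) == 0)
        printf("copy_checked: %s\n", buf);

    if (copy_bounded(buf, sizeof buf, "this string is far too long for the buffer") != 0)
        printf("copy_bounded: rejected oversized input\n");
    return 0;
}
```

Running flawfinder or RATS over this file still reports the strcpy() in copy_checked; the point of the passage above is that such a report is a prompt to read the surrounding check, not proof of a defect.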