Differences

This shows you the differences between two versions of the page.

--- tools [2009/09/23 12:05]
krahmer
+++ tools [2026/03/13 15:09] (current)
twiggy
@@ Line 1: / Line 1: @@
-====== Source Code Security Audit Tools ======
+====== Tools ======
-This page will give you some hints about which tools might be used
+This page will give you some hints about various tools that might be used
-to gather useful information during a code review such as debuggers,
+to uncover security vulnerabilities and perform code reviews.
-static and dynamic code analysis tools etc.
-===== cscope =====
+Please note that the tools listed here have been recommended by various individuals who participate in the oss-security mailing list and there are no guarantees, so please take time to carefully evaluate any tools that you use.
-With the help of cscope, reviewers can comfortable search for symbols in the source code
-of programs. It allows to search for definitions/declarations and calls of certain functions,
-macro definitions etc.. Most Linux and BSD distributions ship cscope.
-[[http://cscope.sourceforge.net/]]
+===== Static Analysis =====
-===== ctags ======
-Ctags builds a cross-reference file (similar to cscope) from a source code tree called a
-"tag-file".
-This allows reviewers with the
-help of a tag-file supporting editor (such as vim) to follow function calls while auditing
-and to step down into functions just as one would do at runtime with gdb.
-Despite its name, ctags supports a plenty of languages, not just C.
-[[http://ctags.sourceforge.net/]]
+==== Clang ====
+Compiler with static analysis capabilities for C/C++.
-===== exec-notify =====
+[[http://clang-analyzer.llvm.org/]]
-exec-notify globally shows which programs are executed on a system. This allows to
-track down shell escaping problems in larger applications which execute external programs
-every now and then or in bootup scripts.
-[[http://www.suse.de/~krahmer/exec-notify.c]]
+[[http://clang.llvm.org/]]
+Clang and very recent GCC also have dynamic "sanitizers".  For example:
+[[http://clang.llvm.org/docs/AddressSanitizer.html]]
+[[http://clang.llvm.org/docs/ThreadSanitizer.html]]
+[[http://clang.llvm.org/docs/MemorySanitizer.html]]
+==== Coccinelle ====
+A tool for matching and fixing source code for C, C++, and other languages.
+[[https://coccinelle.gitlabpages.inria.fr/website/]]
+==== Coverity ====
+Provides static analysis tools for C, C++, and other languages (requires license).
+[[https://www.synopsys.com/software-integrity.html]]
+Free scanning for open source C/C++ and Java projects (no license required):
+[[https://scan.coverity.com/]]
+==== cppcheck ====
+Cppcheck is a static analysis tool for C/C++ code. Unlike C/C++ compilers and many other analysis tools it does not detect syntax errors in the code. Cppcheck primarily detects the types of bugs that the compilers normally do not detect. The goal is to detect only real errors in the code (i.e. have zero false positives).
+[[http://cppcheck.sourceforge.net/]]
-===== findbugs =====
+==== findbugs ====
 FindBugs looks for bugs in Java programs.  It is based on the concept of bug patterns.
 A bug pattern is a code idiom that is often an error.
@@ Line 35: / Line 48: @@
 [[http://findbugs.sourceforge.net]]
-===== gdb ======
+==== Flawfinder ====
-The GNU Debugger - "gdb" - is a general purpose debugger which also helps
+Flawfinder is an free/open source static analysis tool and works by using a built-in database of C/C++ functions with well-known problems, such as buffer overflow risks (e.g., strcpy(), strcat(), gets(), sprintf(), and the scanf() family), format string problems ([v][f]printf(), [v]snprintf(), and syslog()), race conditions (such as access(), chown(), chgrp(), chmod(), tmpfile(), tmpnam(), tempnam(), and mktemp()), potential shell metacharacter dangers (most of the exec() family, system(), popen()), and poor random number acquisition (such as random()). The good thing is that you don't have to create this database - it comes with the tool.
-in source code reviews if you want to estimate whether a certain vulnerability
-is really exploitable. This is not always the case since the generated binary code
-makes exploitation impossible for example due to stack alignments or optimizations.
-[[http://sourceware.org/gdb/]]
+[[http://www.dwheeler.com/flawfinder/]]
-===== inotify =====
+[[http://sourceforge.net/projects/flawfinder/]]
-inotify can observe directories like /tmp for changes, e.g. insecure creation
-of files etc.
-[[http://www.suse.de/~krahmer/inotify.cc]]
+[[http://www.debian.org/security/audit/examples/flawfinder]]
+==== gcc ====
+The gcc compiler has extensive warning flags that can, among other things, find possible security vulnerabilities by locating variables that are used before being set, dangerous printf formats, mismatches between printf formats and arguments, and so forth.  For example, you can use:
-===== insight =====
+WARNINGS = -g -O -D_FORTIFY_SOURCE=2 -Wall -Wextra -Wendif-labels -Wformat=2 -Winit-self -Wswitch-enum -Wdeclaration-after-statement -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wwrite-strings -Wjump-misses-init -Wlogical-op -Wstrict-prototypes -Wmissing-prototypes -Wredundant-decls -Wnested-externs -Wundef -Wformat-security -Werror
-insight is a Tcl/Tk based graphical frontend to gdb with many features and an intuitive
-interface. What sets insight apart from other gdb GUIs is its active and continuous
-development, and its integration with sourcenav (see below).
-[[http://sourceware.org/insight/]]
+with GCC (4.6 or later).  Many of those are not security-related, of course, but -Wformat=2 certainly is, and some of the -Wall and -Wextra warnings are as well.
-===== JLint =====
+[[http://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html]]
+==== JLint ====
 A static analysis tool to find race conditions, locking errors, null pointer uses,
 and a number of other problems in Java programs.
@@ Line 63: / Line 71: @@
 [[http://artho.com/jlint/index.shtml]]
-===== kscope =====
+==== klocwork ====
-kscope uses the index file generated by cscope and gives developers a graphical frontend
-to generate call-graphs, search and edit functions etc.. A very convenient tool to browse
-large software projects such as the Linux kernel.
-[[http://kscope.sourceforge.net/]]
+Klockwork tools analyze source code on-the-fly, simplify peer code reviews, and extend the life of complex software (requires license).
-===== lsof =====
+[[http://www.klocwork.com/]]
+==== PMD ====
+PMD scans Java source code for potential problems.
+[[http://pmd.sourceforge.net/]]
+==== pscan ====
+pscan is a package which is designed to audit C and C++ source files for format string vulnerabilities.
+[[http://www.debian.org/security/audit/examples/pscan]]
+==== Pylint ====
+Pylint is a Python static analysis tool.
+[[http://www.pylint.org/]]
+==== RATS ====
+RATS is a general purpose scanner for detecting potential security problems in a number of programming languages.  RATS understands several programming languages, C, Perl, PHP, and Python and will treat each as valid source to examine.
+[[http://www.debian.org/security/audit/examples/RATS]]
+==== Smatch ====
+A static analysis tool for C.
+[[http://smatch.sourceforge.net/]]
+==== Sparse ====
+Sparse, the semantic parser, provides a compiler frontend capable of parsing most of ANSI C as well as many GCC extensions, and a collection of sample compiler backends, including a static analyzer also called "sparse". Sparse provides a set of annotations designed to convey semantic information about types, such as what address space pointers point to, or what locks a function acquires or releases.
+Sparse works similarly to clang. It was hacked up by the kernel folks for finding potential errors in the linux
+kernel.  It has very few false positives. That means it's actually viable to strive
+for "no warnings" from it and run it as part of automated testsuites.
+[[https://sparse.wiki.kernel.org/index.php/Main_Page]]
+==== Splint ====
+Splint is a tool for statically checking C programs for security vulnerabilities and coding mistakes. With minimal effort, Splint can be used as a better lint. If additional effort is invested adding annotations to programs, Splint can perform stronger checking than can be done by any standard lint.
+[[http://www.splint.org/]]
+==== More tools ====
+https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
+===== Dynamic Analysis =====
+==== Valgrind ====
+Detect many memory management and threading bugs, and profile your programs in detail.
+[[http://valgrind.org/]]
+==== KEDR ====
+Provides runtime analysis of Linux kernel modules including device drivers, file system modules, etc.
+[[http://kedr.berlios.de/]]
+==== kmemcheck, kmemleak ====
+Linux Kernel debugging features for detecting memory issues.
+[[http://lxr.linux.no/linux+v3.8.5/Documentation/kmemcheck.txt]]
+[[http://lxr.linux.no/linux+v3.8.5/Documentation/kmemleak.txt]]
+===== System Security Checking =====
+==== exec-notify ====
+exec-notify globally shows which programs are executed on a system. This allows to
+track down shell escaping problems in larger applications which execute external programs
+every now and then or in bootup scripts.
+[[http://www.suse.de/~krahmer/exec-notify.c]]
+==== Fsnoop ====
+Fsnoop is a tool to monitor file operations on GNU/Linux systems. Its primary purpose is to detect bad temporary file usages and therefore, file race condition vulnerabilities.
+[[http://vladz.devzero.fr/fsnoop.php]]
+==== inotify ====
+inotify can observe directories like /tmp for changes, e.g. insecure creation
+of files etc.
+[[http://www.suse.de/~krahmer/inotify.cc]]
+==== lsof ====
 List open files - "lsof" - is a tool to gather information about
 processes' open file descriptors (not only files itself). This information includes
@@ Line 78: / Line 167: @@
 [[ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/]]
-===== ltrace =====
+==== openscap ====
+Security auditing tool based on the SCAP line of system security compliance standards managed by NIST.
+[[http://www.open-scap.org/page/Main_Page]]
+==== unix-privesc-check ====
+Unix-privesc-checker is a script that runs on Unix systems (tested on Solaris 9, HPUX 11, Various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).
+[[http://code.google.com/p/unix-privesc-check]]
+===== Penetration Testing  =====
+==== Metasploit ====
+Metasploit software helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments, providing true security risk intelligence. Capabilities include smart exploitation, password auditing, web application scanning, and social engineering. Teams can collaborate in Metasploit and present their findings in consolidated reports.
+[[http://www.metasploit.com/]]
+==== OpenVAS ====
+The Open Vulnerability Assessment System (OpenVAS) is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.
+[[http://www.openvas.org/]]
+===== Fuzz Testing =====
+==== fsfuzzer ====
+The fsfuzzer is a filesystem fuzzer tool that does stress tests of various filesystems in a reproducible and logged way.
+[[https://www.ee.oulu.fi/research/ouspg/fsfuzzer]]
+==== Peach Fuzzing Platform ====
+Peach is a SmartFuzzer that is capable of performing both generation and mutation based fuzzing.  Peach has been under active development since 2004 and is in its second major version with the third currently under development. Peach was created and is actively developed by Michael Eddington of Deja vu Security.
+[[http://peachfuzzer.com/]]
+==== Trinity ====
+A Linux System call fuzz tester.
+[[http://codemonkey.org.uk/projects/trinity/]]
+===== Source Code Navigation =====
+==== cscope ====
+With the help of cscope, reviewers can comfortable search for symbols in the source code
+of programs. It allows to search for definitions/declarations and calls of certain functions,
+macro definitions etc.. Most Linux and BSD distributions ship cscope.
+[[http://cscope.sourceforge.net/]]
+==== ctags =====
+Ctags builds a cross-reference file (similar to cscope) from a source code tree called a
+"tag-file".
+This allows reviewers with the
+help of a tag-file supporting editor (such as vim) to follow function calls while auditing
+and to step down into functions just as one would do at runtime with gdb.
+Despite its name, ctags supports a plenty of languages, not just C.
+[[http://ctags.sourceforge.net/]]
+==== Debian Code Search ====
+Debian Code Search (DCS) is a search engine for source code — it searches all the open source projects which are included in the Debian archive.
+[[http://codesearch.debian.net/]]
+==== kscope ====
+kscope uses the index file generated by cscope and gives developers a graphical frontend
+to generate call-graphs, search and edit functions etc.. A very convenient tool to browse
+large software projects such as the Linux kernel.
+[[http://kscope.sourceforge.net/]]
+==== ltrace ====
 ltrace allows to trace the execution of library calls in programs and processes.
 By carefully observing the order and arguments of certain calls such as open(3) or chown(3)
@@ Line 85: / Line 248: @@
 [[http://ltrace.alioth.debian.org/]]
-===== PMD =====
+==== sourcenav ====
-PMD scans Java source code for potential problems.
-[[http://pmd.sourceforge.net/]]
-===== sourcenav =====
 sourcenav, or the Source-Navigator, is a source code analysis tool. It aids the process of
 code visualization during code reviews by displaying the relationships between functions and
@@ Line 98: / Line 256: @@
 [[http://sourcenav.sourceforge.net/]]
-===== strace =====
+==== strace/ktrace/truss ====
 strace, similar to ltrace, allows to trace the execution of system calls in programs
 and processes. This helps to determine whether arguments are passed correctly during runtime,
 for example to chroot(2) or execve(2). Most Linux distributions ship strace and install it
-by default. BSD systems have a similar tool called "truss".
+by default. BSD systems have a similar tool called "truss" although strace is available.
 [[http://sourceforge.net/projects/strace/]]
+[[http://www.freebsd.org/cgi/man.cgi?ktrace]]
-====== Other Resources ======
+===== Debugging =====
+==== gdb =====
+The GNU Debugger - "gdb" - is a general purpose debugger which also helps
+in source code reviews if you want to estimate whether a certain vulnerability
+is really exploitable. This is not always the case since the generated binary code
+makes exploitation impossible for example due to stack alignments or optimizations.
+[[http://sourceware.org/gdb/]]
+==== insight ====
+insight is a Tcl/Tk based graphical frontend to gdb with many features and an intuitive
+interface. What sets insight apart from other gdb GUIs is its active and continuous
+development, and its integration with sourcenav (see below).
+[[http://sourceware.org/insight/]]
+===== Vulnerability Management =====
+==== Faraday ====
+With [[https://github.com/infobyte/faraday|Faraday]] you may focus on discovering vulnerabilities while we help you with the rest. Just use it in your terminal and get your work organized on the run. Faraday was made to let you take advantage of the available tools in the community in a truly multiuser way.
+Faraday aggregates and normalyzses the data you load, allowing exploring it into different visualizations that are useful to managers and analyst alike.
+===== Others =====
+==== symboldb ====
+Tool used to locate certain issues in RPM packages.  SQL queries can be created to detect candidate vulnerabilities.
+[[https://github.com/fweimer/symboldb/tree/master/doc/examples]]
+==== victi.ms ====
+Java/J2EE library JARs are typically included as dependencies for an application using build tools like maven that draw them from public repositories.  Some of the maven central repository JARs are versions with known flaws.  victi.ms maintains a web based DB of vulnerable JARs.  victi.ms enforces scans of dependencies against known vulnerability DB.
+[[https://victims-websec.rhcloud.com/]]
+===== More Lists of Tools =====
+==== Debian Security Audit Project ====
 The [[http://www.debian.org/security/audit/|Debian Security Audit Project]] maintains a list of [[http://www.debian.org/security/audit/tools|Security Auditing Tools]], mostly for automated static source code analysis, along with [[http://www.debian.org/security/audit/examples/|Automated Audit Examples]].
+==== Debian Automated Code Analysis Tools ====
+[[http://qa.debian.org/daca/]]
+==== OWASP ====
+[[https://www.owasp.org/index.php?title=Phoenix/Tools]]
+==== securitytools.wikidot.com ====
+[[http://securitytools.wikidot.com/defensive-programming]]
+[[http://securitytools.wikidot.com/penetration-vulnerability-ids-ips]]
+[[http://securitytools.wikidot.com/fuzzing]]
+==== wikipedia ====
+[[http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis]]
+[[http://en.wikipedia.org/wiki/Dynamic_program_analysis]]