This shows you the differences between two versions of the page.
|
tools [2013/04/01 15:19] coreycb |
tools [2026/03/13 15:09] (current) twiggy |
||
|---|---|---|---|
| Line 3: | Line 3: | ||
| This page will give you some hints about various tools that might be used | This page will give you some hints about various tools that might be used | ||
| to uncover security vulnerabilities and perform code reviews. | to uncover security vulnerabilities and perform code reviews. | ||
| + | |||
| + | Please note that the tools listed here have been recommended by various individuals who participate in the oss-security mailing list and there are no guarantees, so please take time to carefully evaluate any tools that you use. | ||
| ===== Static Analysis ===== | ===== Static Analysis ===== | ||
| Line 9: | Line 11: | ||
| Compiler with static analysis capabilities for C/C++. | Compiler with static analysis capabilities for C/C++. | ||
| - | Clang and very recent GCC also have dynamic "sanitizers": | + | [[http://clang-analyzer.llvm.org/]] |
| + | |||
| + | [[http://clang.llvm.org/]] | ||
| + | |||
| + | Clang and very recent GCC also have dynamic "sanitizers". For example: | ||
| [[http://clang.llvm.org/docs/AddressSanitizer.html]] | [[http://clang.llvm.org/docs/AddressSanitizer.html]] | ||
| Line 20: | Line 26: | ||
| A tool for matching and fixing source code for C, C++, and other languages. | A tool for matching and fixing source code for C, C++, and other languages. | ||
| - | [[http://coccinelle.lip6.fr/]] | + | [[https://coccinelle.gitlabpages.inria.fr/website/]] |
| ==== Coverity ==== | ==== Coverity ==== | ||
| Provides static analysis tools for C, C++, and other languages (requires license). | Provides static analysis tools for C, C++, and other languages (requires license). | ||
| - | [[http://www.coverity.com/]] | + | [[https://www.synopsys.com/software-integrity.html]] |
| + | |||
| + | Free scanning for open source C/C++ and Java projects (no license required): | ||
| + | |||
| + | [[https://scan.coverity.com/]] | ||
| ==== cppcheck ==== | ==== cppcheck ==== | ||
| Line 50: | Line 60: | ||
| The gcc compiler has extensive warning flags that can, among other things, find possible security vulnerabilities by locating variables that are used before being set, dangerous printf formats, mismatches between printf formats and arguments, and so forth. For example, you can use: | The gcc compiler has extensive warning flags that can, among other things, find possible security vulnerabilities by locating variables that are used before being set, dangerous printf formats, mismatches between printf formats and arguments, and so forth. For example, you can use: | ||
| - | WARNINGS = -g -O -D_FORTIFY_SOURCE=2 -Wall -Wextra -Wendif-labels -Wformat=2 -Winit-self -Wswitch-enum -Wdeclaration-after-statement -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wwrite-strings -Wjump-misses-init -Wlogical-op -Wstrict-prototypes -Wmissing-prototypes -Wredundant-decls -Wnested-externs -Werror | + | WARNINGS = -g -O -D_FORTIFY_SOURCE=2 -Wall -Wextra -Wendif-labels -Wformat=2 -Winit-self -Wswitch-enum -Wdeclaration-after-statement -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wwrite-strings -Wjump-misses-init -Wlogical-op -Wstrict-prototypes -Wmissing-prototypes -Wredundant-decls -Wnested-externs -Wundef -Wformat-security -Werror |
| with GCC (4.6 or later). Many of those are not security-related, of course, but -Wformat=2 certainly is, and some of the -Wall and -Wextra warnings are as well. | with GCC (4.6 or later). Many of those are not security-related, of course, but -Wformat=2 certainly is, and some of the -Wall and -Wextra warnings are as well. | ||
| [[http://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html]] | [[http://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html]] | ||
| - | |||
| ==== JLint ==== | ==== JLint ==== | ||
| A static analysis tool to find race conditions, locking errors, null pointer uses, | A static analysis tool to find race conditions, locking errors, null pointer uses, | ||
| Line 61: | Line 70: | ||
| [[http://artho.com/jlint/index.shtml]] | [[http://artho.com/jlint/index.shtml]] | ||
| + | |||
| + | ==== klocwork ==== | ||
| + | |||
| + | Klockwork tools analyze source code on-the-fly, simplify peer code reviews, and extend the life of complex software (requires license). | ||
| + | |||
| + | [[http://www.klocwork.com/]] | ||
| ==== PMD ==== | ==== PMD ==== | ||
| Line 71: | Line 86: | ||
| [[http://www.debian.org/security/audit/examples/pscan]] | [[http://www.debian.org/security/audit/examples/pscan]] | ||
| + | |||
| + | ==== Pylint ==== | ||
| + | Pylint is a Python static analysis tool. | ||
| + | |||
| + | [[http://www.pylint.org/]] | ||
| ==== RATS ==== | ==== RATS ==== | ||
| Line 119: | Line 139: | ||
| ===== System Security Checking ===== | ===== System Security Checking ===== | ||
| + | |||
| + | ==== exec-notify ==== | ||
| + | exec-notify globally shows which programs are executed on a system. This allows to | ||
| + | track down shell escaping problems in larger applications which execute external programs | ||
| + | every now and then or in bootup scripts. | ||
| + | |||
| + | [[http://www.suse.de/~krahmer/exec-notify.c]] | ||
| + | |||
| + | ==== Fsnoop ==== | ||
| + | |||
| + | Fsnoop is a tool to monitor file operations on GNU/Linux systems. Its primary purpose is to detect bad temporary file usages and therefore, file race condition vulnerabilities. | ||
| + | |||
| + | [[http://vladz.devzero.fr/fsnoop.php]] | ||
| + | |||
| + | ==== inotify ==== | ||
| + | inotify can observe directories like /tmp for changes, e.g. insecure creation | ||
| + | of files etc. | ||
| + | |||
| + | [[http://www.suse.de/~krahmer/inotify.cc]] | ||
| + | |||
| + | ==== lsof ==== | ||
| + | List open files - "lsof" - is a tool to gather information about | ||
| + | processes' open file descriptors (not only files itself). This information includes | ||
| + | the name and PID of the process, the type of file and so on. Many Linux and BSD distributions | ||
| + | ship lsof. | ||
| + | |||
| + | [[ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/]] | ||
| ==== openscap ==== | ==== openscap ==== | ||
| Line 129: | Line 176: | ||
| [[http://code.google.com/p/unix-privesc-check]] | [[http://code.google.com/p/unix-privesc-check]] | ||
| + | |||
| ===== Penetration Testing ===== | ===== Penetration Testing ===== | ||
| Line 137: | Line 185: | ||
| [[http://www.metasploit.com/]] | [[http://www.metasploit.com/]] | ||
| - | ===== Fuzz Testing ===== | + | ==== OpenVAS ==== |
| - | ==== Trinity ==== | + | The Open Vulnerability Assessment System (OpenVAS) is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. |
| - | A Linux System call fuzz tester. | + | |
| - | [[http://codemonkey.org.uk/projects/trinity/]] | + | [[http://www.openvas.org/]] |
| + | |||
| + | ===== Fuzz Testing ===== | ||
| ==== fsfuzzer ==== | ==== fsfuzzer ==== | ||
| Line 148: | Line 197: | ||
| [[https://www.ee.oulu.fi/research/ouspg/fsfuzzer]] | [[https://www.ee.oulu.fi/research/ouspg/fsfuzzer]] | ||
| + | |||
| + | ==== Peach Fuzzing Platform ==== | ||
| + | |||
| + | Peach is a SmartFuzzer that is capable of performing both generation and mutation based fuzzing. Peach has been under active development since 2004 and is in its second major version with the third currently under development. Peach was created and is actively developed by Michael Eddington of Deja vu Security. | ||
| + | |||
| + | [[http://peachfuzzer.com/]] | ||
| + | |||
| + | ==== Trinity ==== | ||
| + | A Linux System call fuzz tester. | ||
| + | |||
| + | [[http://codemonkey.org.uk/projects/trinity/]] | ||
| + | |||
| ===== Source Code Navigation ===== | ===== Source Code Navigation ===== | ||
| Line 221: | Line 282: | ||
| [[http://sourceware.org/insight/]] | [[http://sourceware.org/insight/]] | ||
| - | ===== Others ===== | + | ===== Vulnerability Management ===== |
| - | ==== exec-notify ==== | + | ==== Faraday ==== |
| - | exec-notify globally shows which programs are executed on a system. This allows to | + | With [[https://github.com/infobyte/faraday|Faraday]] you may focus on discovering vulnerabilities while we help you with the rest. Just use it in your terminal and get your work organized on the run. Faraday was made to let you take advantage of the available tools in the community in a truly multiuser way. |
| - | track down shell escaping problems in larger applications which execute external programs | + | Faraday aggregates and normalyzses the data you load, allowing exploring it into different visualizations that are useful to managers and analyst alike. |
| - | every now and then or in bootup scripts. | + | |
| - | [[http://www.suse.de/~krahmer/exec-notify.c]] | + | ===== Others ===== |
| - | + | ||
| - | ==== inotify ==== | + | |
| - | inotify can observe directories like /tmp for changes, e.g. insecure creation | + | |
| - | of files etc. | + | |
| - | + | ||
| - | [[http://www.suse.de/~krahmer/inotify.cc]] | + | |
| - | + | ||
| - | ==== lsof ==== | + | |
| - | List open files - "lsof" - is a tool to gather information about | + | |
| - | processes' open file descriptors (not only files itself). This information includes | + | |
| - | the name and PID of the process, the type of file and so on. Many Linux and BSD distributions | + | |
| - | ship lsof. | + | |
| - | + | ||
| - | [[ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/]] | + | |
| ==== symboldb ==== | ==== symboldb ==== | ||
| Line 253: | Line 299: | ||
| [[https://victims-websec.rhcloud.com/]] | [[https://victims-websec.rhcloud.com/]] | ||
| - | |||
| - | |||