OSEC

From: Crispin Cowan (crispin_at_wirex.com)
Date: Sat Oct 26 2002 - 18:51:25 CDT


    puja wrote:

    > Thanks for the reply.
    > Can you please name some freely available packages (which you are
    > referring to in your mail) which can be used to find out whether the
    > code is vulnerable or not.
    > Actually, as I said earlier, I have bought the code from some third
    > party, and since its size is very big, it's not possible to tell its
    > programmers to explain each and every part of it.
    >
    > I am currently using its4(), a tool for static code analysis. It warns
    > me of the use of functions like strcat(), which are vulnerable, and
    > advises to use strncat instead. This doesn't completely fulfill my
    > requirement.

    I think you're misunderstanding the response you got. You are not going
    to get your requirement fulfilled: it is not practical to scan a piece
    of code and show it to be free of vulnerabilities, unless you are
    planning to invest a *lot* of time and effort into the project. Worse,
    the problem is super-linear: the larger the code base, the harder the
    problem gets, until you hit about 100,000 lines of source code, at which
    point it becomes impossible to show the code is safe, even with infinite
    time and money.

    Source code auditing is, in large part, a task for people dedicated to
    source code auditing. It is not something that IT can do in the field in
    a short period of time.

    > I want to ensure that the code doesn't contain any malicious code or
    > any backdoors which might be dangerous for my system.

    Good luck: you are going to need it.

    A practical tip: try RATS instead of ITS4. It takes a similar approach,
    but has numerous additional advances. There is a comprehensive list of
    source code analysis tools here: http://sardonix.org/Auditing_Resources.html

    Crispin

    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX                      http://wirex.com/~crispin/
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    

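To make concrete what the thread is talking about, here is an added example (not code from the thread, ITS4 or RATS) of the lexical approach those tools take: it matches risky C library function names in source text and has no understanding of the program. The constructed C sample shows why this cannot "fulfill the requirement": the unbounded strcat() is flagged, but a strncat() call with the wrong bound passes just as silently as the correct one.

```python
import re

# ITS4/RATS-style lexical scan: flag calls to known-risky C library
# functions by name. This is pattern matching on text, not analysis of
# what the program actually does with its buffers.
RISKY_CALLS = {
    "strcat": "unbounded append; bound it by the space remaining in dst",
    "strcpy": "unbounded copy; use a bounded copy",
    "gets": "no bound at all; use fgets",
    "sprintf": "unbounded formatting; use snprintf",
}

CALL_RE = re.compile(r"\b(" + "|".join(RISKY_CALLS) + r")\s*\(")


def scan_c_source(text):
    """Return (line_number, function_name, advice) for each flagged call."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = line.split("//", 1)[0]  # crude: drop trailing // comments
        for match in CALL_RE.finditer(code):
            name = match.group(1)
            findings.append((lineno, name, RISKY_CALLS[name]))
    return findings


# Constructed sample input (not from the thread). Line 2 is flagged.
# Lines 3 and 4 both use strncat and both pass the scanner, yet line 4 is
# still an overflow: the bound must be the space left after the existing
# contents of buf, minus one byte for the terminator, not sizeof(buf).
SAMPLE_C = """\
char buf[64];
strcat(buf, user_input);                                  /* flagged */
strncat(buf, user_input, sizeof(buf) - strlen(buf) - 1);  /* correct bound */
strncat(buf, user_input, sizeof(buf));                    /* passes, still overflows */
"""


def flagged_line_numbers(text):
    """Convenience view: which source lines the scanner complains about."""
    return [lineno for lineno, _name, _advice in scan_c_source(text)]


if __name__ == "__main__":
    for lineno, name, advice in scan_c_source(SAMPLE_C):
        print(f"line {lineno}: {name}() -> {advice}")
```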