
Static C code analyzers or considering dumping splint for something else

  • omer mussaev
    Message 1 of 4 , Nov 1, 2004
      Hello hackers,

      Which tool for static C code analysis (commonly known
      as "lint") do you recommend?

      I work with splint (www.splint.org), but I consider
      changing it to something more oriented to potential
      buffer/stack overflow vulnerabilities.

      The dream tool must be runnable under Windows (cygwin
      counts), must be runnable from command line (from
      Tornado, actually) and must be as cynical/paranoid as possible.

      Any recommendations?

      =====
      --
      o.m.

    • Oleg Goldshmidt
      Message 2 of 4 , Nov 1, 2004
        omer mussaev <eomer_mussaev@...> writes:

        > Hello hackers,
        >
        > Which tool for static C code analysis (commonly known
        > as "lint") do you recommend?
        >
        > I work with splint (www.splint.org), but I consider
        > changing it to something more oriented to potential
        > buffer/stack overflow vulnerabilities.
        >
        > The dream tool must be runnable under Windows (cygwin
        > counts), must be runnable from command line (from
        > Tornado,
        > actually) and must be as cynical/paranoid as possible.
        >
        > Any recommendations?
        >
        > =====

        To tell you the truth, I never found one I liked. From my bookmarks:
        http://spinroot.com/static/ lists some tools, commercial and free.
        Unfortunately, I don't think many of them will help you with
        "potential buffer/stack overflow vulnerabilities".

        In practice I got good results with

        #!/bin/sh

        # gcc lint emulation

        gcc -c \
        -W \
        -O2 \
        -pedantic \
        -ansi \
        -Wall \
        -Wtraditional \
        -Wshadow \
        -Wid-clash-32 \
        -Wpointer-arith \
        -Wcast-qual \
        -Wcast-align \
        -Wconversion \
        -Wstrict-prototypes \
        -Wmissing-prototypes \
        -Wmissing-declarations \
        -Wnested-externs \
        -Dlint \
        -D__NO_STRING_INLINES \
        "$@" -o /dev/null

        Note: I just pasted it while on a machine with a relatively old gcc. I
        seem to recall that newer versions of gcc deprecate one of these
        options (and maybe add some more useful ones), but I am too lazy to
        check the info pages now. I am sure you get the idea.

        It will be runnable under cygwin and Tornado (as in vxWorks, right?),
        I believe, and it will flag a rather surprising number of subtle
        problems. Add -Werror to be sure... ;-)

        At one time I remember trying LCLint and reverting to the
        above. LCLint was rather unwieldy. I have never used splint, I
        understand it is a successor to LCLint. One thing I hated was
        annotations - I don't want any in the code I have to deal with.

        I am not saying that gcc is all you'll ever need. My point is that
        many lint vendors say something like, "our patented lint finds many
        more subtle problems than compilers". I even recall a vendor who was
        touting both a compiler and a lint on the same page (why doesn't your
        *compiler* find all of that stuff?). Maybe compilers are
        "misunderestimated" (couldn't resist, it's Nov 2) at times...

        --
        Oleg Goldshmidt | pub@...
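
The caveat in the note above (newer gcc versions no longer accepting one of the listed options) can be handled by probing the compiler first. This is an added example, not part of Oleg's message: the function names `supported_flags` and `gcc_lint` are made up here, and it assumes the compiler exits non-zero on an option it does not know, as gcc does for unknown `-W` flags.

```shell
#!/bin/sh
# Added example: lint-style gcc run that drops flags the compiler rejects.

# Candidate flags, copied from the script in the message above.
LINT_FLAGS="-W -O2 -pedantic -ansi -Wall -Wtraditional -Wshadow
-Wid-clash-32 -Wpointer-arith -Wcast-qual -Wcast-align -Wconversion
-Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations
-Wnested-externs"

# supported_flags CC FLAG...
# Prints the FLAGs that CC accepts, space-separated. Each flag is probed
# on its own against a tiny source file; a non-zero exit means "rejected"
# (assumption: the compiler fails on unknown options, as gcc does for -W).
supported_flags() {
    sf_cc=$1; shift
    sf_dir=$(mktemp -d) || return 1
    printf 'typedef int lint_probe_t;\n' > "$sf_dir/probe.c"
    sf_ok=""
    for sf_flag in "$@"; do
        if "$sf_cc" -c "$sf_flag" "$sf_dir/probe.c" -o "$sf_dir/probe.o" \
            >/dev/null 2>&1; then
            sf_ok="${sf_ok:+$sf_ok }$sf_flag"
        fi
    done
    rm -rf "$sf_dir"
    printf '%s\n' "$sf_ok"
}

# gcc_lint CC FILE...
# Compiles each FILE with the accepted flags and discards the object code.
# Files go one at a time because -c with -o takes a single input.
# Returns 1 if any file fails to compile, 0 otherwise.
gcc_lint() {
    gl_cc=$1; shift
    # Unquoted on purpose: the flag lists must split into separate words.
    gl_flags=$(supported_flags "$gl_cc" $LINT_FLAGS) || return 1
    gl_status=0
    for gl_file in "$@"; do
        "$gl_cc" -c $gl_flags -Dlint -D__NO_STRING_INLINES \
            "$gl_file" -o /dev/null || gl_status=1
    done
    return $gl_status
}

# Stand-alone use: pass the C files as arguments (set CC to pick the compiler).
if [ "$#" -gt 0 ]; then
    gcc_lint "${CC:-gcc}" "$@" || exit 1
fi
```

Adding `-Werror` to `LINT_FLAGS`, as the message suggests, makes any surviving warning fail the run.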
      • Tal Rotbart
        Message 3 of 4 , Nov 1, 2004
          Hey Omer,

          Buffer overflows are one area where static C code-analysis has the
          least to offer. A run-time analysis tool like boundschecker is almost
          required in such cases, although it is a pain to use. IMHO.

          JM2C,
          -Tal

          On Mon, 1 Nov 2004 13:30:28 -0800 (PST), omer mussaev
          <eomer_mussaev@...> wrote:
          >
          > Hello hackers,
          >
          > Which tool for static C code analysis (commonly known
          > as "lint") do you recommend?
          >
          > I work with splint (www.splint.org), but I consider
          > changing it to something more oriented to potential
          > buffer/stack overflow vulnerabilities.
          >
          > The dream tool must be runnable under Windows (cygwin
          > counts), must be runnable from command line (from
          > Tornado,
          > actually) and must be as cynical/paranoid as possible.
          >
          > Any recommendations?
          >
          > =====
          > --
          > o.m.
          >


          --
          /************************************************

          Tal 'redbeard' Rotbart
          Software Wizard

          eMail: redbeard of gmail dot com
          Tel: +972-2-671-6178
          Mobile: +972-52-896-5025

          Snail mail:
          Klozner 7/2
          Jerusalem 93388
          ISRAEL

          ************************************************/
        • Tzahi Fadida
          Message 4 of 4 , Nov 2, 2004
            I think it depends on the program.
            If it's a highly important component (like brakes in a train),
            not more than a few hundred lines, then maybe you should check out cbmc.
            Below is an early post of mine to the list about it:

            "Did anyone try this ANSI-C debugging tool?
            http://www-2.cs.cmu.edu/~modelcheck/cbmc/

            I watched a seminar today with Daniel Kroening
            and this debugging tool is very, very impressive.
            It finds bugs you could never have found with regular
            debuggers. It utilizes SAT solvers and pretty cutting-edge science to find
            the bugs. The highlight is employing
            a method of unwinding loops to a degree in order to find
            bugs. It is supposed, if I understand correctly, to virtually run the
            program (not really run but as though it was running) and find the
            problematic inputs. Of course the overall problem is Hard, but 90% of the
            usual problems can be found and sadly, as I understand, it's only for programs
            for embedded systems or short codes. For example, the brake system in
            trains. I also watched it give you the more or less exact spot where the bug
            originated from. In order to do it, it takes the
            tree of bugs and finds the root where the least of steps
            caused the bug, or something of the kind.

            cbmc - http://www-2.cs.cmu.edu/~modelcheck/cbmc/

            P.S. It's supposed to be free to use, at least from
            the creator's mouth, Daniel."

            Regards,
            tzahi.

            > -----Original Message-----
            > From: Tal Rotbart [mailto:redbeard@...]
            > Sent: Tuesday, November 02, 2004 7:04 AM
            > To: hackers-il@yahoogroups.com
            > Subject: Re: [hackers-il] Static C code analyzers or
            > considering dumping splint for something else
            >
            >
            >
            > Hey Omer,
            >
            > Buffer overflows is one area where static C code-analysis has
            > the least to offer. A run-time analysis tool like
            > boundschecker is almost required in such cases, although it
            > is a pain to use. IMHO.
            >
            > JM2C,
            > -Tal
            >
            > On Mon, 1 Nov 2004 13:30:28 -0800 (PST), omer mussaev
            > <eomer_mussaev@...> wrote:
            > >
            > > Hello hackers,
            > >
            > > Which tool for static C code analysis (commonly known
            > > as "lint") do you recommend?
            > >
            > > I work with splint (www.splint.org), but I consider
            > > changing it to something more oriented to potential buffer/stack
            > > overflow vulnerabilities.
            > >
            > > The dream tool must be runnable under Windows (cygwin
            > counts), must
            > > be runnable from command line (from Tornado,
            > > actually) and must be as cynical/paranoid as possible.
            > >
            > > Any recommendations?
            > >
            > > =====
            > > --
            > > o.m.
            > >
            >
            >
            > --
            > /************************************************
            >
            > Tal 'redbeard' Rotbart
            > Software Wizard
            >
            > eMail: redbeard of gmail dot com
            > Tel: +972-2-671-6178
            > Mobile: +972-52-896-5025
            >
            > Snail mail:
            > Klozner 7/2
            > Jerusalem 93388
            > ISRAEL
            >
            > ************************************************/
            >
            >