RE: [hackers-il] Static C code analyzers or considering dumping splint for something else

  • Tzahi Fadida
    Message 1 of 4 , Nov 2, 2004
      I think it depends on the program.
      If it's a highly important component (like brakes in a train),
      not more than a few hundred lines, then maybe you should check out cbmc.
      Below is an early post of mine to the list about it:

      "Did anyone try this ANSI-C debugging tool?
      http://www-2.cs.cmu.edu/~modelcheck/cbmc/

      I watched a seminar today with Daniel Kroening
      and this debugging tool is very very impressive.
      It finds bugs you could never have found with regular
      debuggers. It utilizes SAT solvers and pretty cutting-edge science to find
      the bugs. The highlight is employing
      a method of unwinding loops to a degree in order to find
      bugs. It is supposed, if I understand correctly, to virtually run the
      program (not really run but as though it was running) and find the
      problematic inputs. Of course the overall problem is Hard, but 90%
      of the usual problems can be found and sadly, as I understand, it's only for programs
      for embedded systems or short codes. For example, the brake system in
      trains. I also watched it give you the more or less exact spot where the bug
      originated from. In order to do it, it takes the
      tree of bugs and finds the root where the least number of steps
      caused the bug, or something of the kind.

      cbmc - http://www-2.cs.cmu.edu/~modelcheck/cbmc/

      P.S. It's supposed to be free to use, at least from
      the creator's mouth, Daniel."

      Regards,
      tzahi.

      > -----Original Message-----
      > From: Tal Rotbart [mailto:redbeard@...]
      > Sent: Tuesday, November 02, 2004 7:04 AM
      > To: hackers-il@yahoogroups.com
      > Subject: Re: [hackers-il] Static C code analyzers or
      > considering dumping splint for something else
      >
      >
      >
      > Hey Omer,
      >
      > Buffer overflows are one area where static C code analysis has
      > the least to offer. A run-time analysis tool like
      > BoundsChecker is almost required in such cases, although it
      > is a pain to use. IMHO.
      >
      > JM2C,
      > -Tal
      >
      > On Mon, 1 Nov 2004 13:30:28 -0800 (PST), omer mussaev
      > <eomer_mussaev@...> wrote:
      > >
      > > Hello hackers,
      > >
      > > Which tool for static C code analysis (commonly known
      > > as "lint") do you recommend?
      > >
      > > I work with splint (www.splint.org), but I consider
      > > changing it to something more oriented to potential buffer/stack
      > > overflow vulnerabilities.
      > >
      > > The dream tool must be runnable under Windows (cygwin counts), must
      > > be runnable from command line (from Tornado,
      > > actually) and must be as cynical/paranoid as possible.
      > >
      > > Any recommendations?
      > >
      > > =====
      > > --
      > > o.m.
      > >
      >
      >
      > --
      > /************************************************
      >
      > Tal 'redbeard' Rotbart
      > Software Wizard
      >
      > eMail: redbeard of gmail dot com
      > Tel: +972-2-671-6178
      > Mobile: +972-52-896-5025
      >
      > Snail mail:
      > Klozner 7/2
      > Jerusalem 93388
      > ISRAEL
      >
      > ************************************************/
      >
      >
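As an added illustration of the loop unwinding Tzahi describes (a hand-written example for this thread, not CBMC's own code and not from any poster): a constructed off-by-one copy loop, its corrected form, and a small harness that unwinds the loop only up to a bound and returns the smallest input that breaks the array-bounds property. The real tool does this symbolically with a SAT solver over nondeterministic inputs; this harness enumerates the inputs instead, which is enough to show the same effect, including that a bound chosen too small misses the bug.

```c
#include <stddef.h>
#define BUF_LEN 8

/* Set when a store would land outside the buffer: the bounds property a
   model checker either proves or reports a counterexample for. */
static int bounds_violation;
static void checked_store(unsigned char *dst, size_t idx, unsigned char v)
{
    if (idx >= BUF_LEN) { bounds_violation = 1; return; }
    dst[idx] = v;
}

/* Constructed buggy routine: the loop runs one step too far, so a count
   of BUF_LEN writes buf[BUF_LEN]. Returns 0, or -1 once the property fails. */
int copy_prefix_buggy(const unsigned char *src, size_t count)
{
    unsigned char buf[BUF_LEN];
    for (size_t i = 0; i <= count; i++) {   /* should be i < count */
        checked_store(buf, i, src[i]);
        if (bounds_violation) return -1;
    }
    return 0;
}

/* Corrected routine: rejects counts the buffer cannot hold (-2, an error,
   not a violation) and uses the right loop bound, so the property holds. */
int copy_prefix_fixed(const unsigned char *src, size_t count)
{
    unsigned char buf[BUF_LEN];
    if (count > BUF_LEN) return -2;
    for (size_t i = 0; i < count; i++) {
        checked_store(buf, i, src[i]);
        if (bounds_violation) return -1;
    }
    return 0;
}

/* Unwinds the copy loop for every count from 0 to `bound`, as a bounded
   model checker explores only up to a fixed depth, and returns the smallest
   count that violates the property, or -1 if none does within the bound. */
int smallest_violating_count(int (*copy)(const unsigned char *, size_t),
                             size_t bound)
{
    unsigned char src[64] = {0};            /* constructed input bytes */
    if (bound >= sizeof src) bound = sizeof src - 1;
    for (size_t count = 0; count <= bound; count++) {
        bounds_violation = 0;
        if (copy(src, count) == -1) return (int)count;
    }
    return -1;
}
```

With a bound of 4 the buggy routine looks clean, with a bound of 16 the checker reports count 8 as the shortest failing input, and the fixed routine passes at every bound.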