static analysis tool

最近研究源代码静态分析工具：

静态代码分析工具汇总

http://blog.csdn.net/jinhill/article/details/6673734

安全测试工具收集

http://blog.csdn.net/testing_is_believing/article/details/6064201

flawfinder主页：http://www.dwheeler.com/flawfinder/

发现Flawfinder的主页讲了很多源代码分析工具。部分内容如下：

OSS tools

Other OSS/FS tools/projects that statically analyze programs for security issues (besides flawfinder) include:

1.     OWASP LAPSE+, a static security analyzer for Java web applications that is a successor to the LAPSE project (GPL).

2.     FindSecurityBugs (LGPL) is a plug-in for FindBugs for finding security-related defects.

3.     SPLINT (GPL license). This works somewhat like lint, searching for probable errors; to really use it, developers need to add additional annotations to help the tool identify problems. This is a very mature program, widely used, and one you can start using right away on ‘real programs”.

4.     Cqual (GPL license). “Cqual is a type-based analysis tool that provides a lightweight, practical mechanism for specifying and checking properties of C programs. Cqual extends the type system of C with extra user-defined type qualifiers. The programmer adds type qualifier annotations to their program in a few key places, and Cqual performs qualifier inference to check whether the annotations are correct. The analysis results are presented with a user interface that lets the programmer browse the inferred qualifiers and their flow paths.”

5.     MOPS (old BSD license) “MOPS is designed to check for violations of rules that can be expressed as temporal safety properties. A temporal safety property dictates the order of a sequence of operations. For example, in Unix systems, we might verify that the C program obeys the following rule: a setuid-root process should not execute an untrusted program without first dropping its root privilege.” It uses a model checking approach.

6.     Clang Static Analyzer (BSD-like license) can find bugs in C and Objective-C programs. Here are a few comments about Clang Static Analyzer from a user.

7.     RIPS does static code analysis on PHP code. It’s currently in PHP, but RIPS is being rewritten.

8.     CIL is a framework for analyzing C programs.

9.     BLAST (Berkeley Lazy Abstraction Software Verification Tool). “BLAST is a software model checker for C programs. The goal of BLAST is to be able to check that software satisfies behavioral properties of the interfaces it uses. BLAST uses counterexample-driven automatic abstraction refinement to construct an abstract model which is model checked for safety properties. The abstraction is constructed on-the-fly, and only to the required precision.” Note: The first version of BLAST was developed at UC Berkeley, but follow-on work is going on at EPFL.

10.BOON (BSD-like license). BOON stands for “Buffer Overrun detectiON”. “BOON is a tool for automatically finding buffer overrun vulnerabilities in C source code. Buffer overruns are one of the most common types of security holes, and we hope that BOON will enable software developers and code auditors to improve the quality of security-critical programs.”

11.ggcc is an extension of the gcc compiler suite that will do static checking of various kinds. As of May 2008 it was in early development.

12.Stanse (GPLv2) is a static analysis framework to find bugs in C code. It’s written in Java, plus some perl.

13.The Spike PHP Security Audit Tool is for analyzing PHP programs.

14.Pixy scans PHP programs for XSS and SQLI vulnerabilities; it is written in Java.

15.Orizon is a general-purpose code analysis system (though their primary interest is security scanning). Milk is a Java source code security scanner built on top of Orizon. They are connected to OWASP.

16.PScan (GPL license) is a source code scanner like flawfinder and RATS, but has only a limited capability. It’s really only intended to find format string problems. In contrast, both flawfinder and RATS can find format string problems and many other problems as well.

17.The Open Source Quality Project at Berkeley is investigating tools and techniques for assuring software quality (not just security) of OSS/FS programs.

18.Project pedantic’s Czech by Jose Nazario might become interesting, but as of April 2004 it looks like that project has halted, with only a buggy not-ready prototype so far (which is too bad!).

19.smatch. is a general-purpose tool for statically analyzing programs, and could be used to build vulnerability scanners. Indeed, there are lots of tools for statically analyzing programs in a general way, this is only one example.

20.Sparse is a specialized static analysis tool that does additional type-checking, including checks related to security. It was originally designed to check the Linux kernel source code. Sparse finally has its own web page. More information on sparse is available from the CE Linux forum, the Quick sparse HOWTO by Randy Dunlap, and the sparse mailing list. You can download older snapshots of sparse’s code from codemonkey.

21.Oink (including Cqual++) (BSD-like license). (a Collaboration of C++ Static Analysis Tools).

22.Yasca (BSD license) is a “simple static analysis tool designed to analyze source code and for a variety of errors. It is both a framework and an implementation, and leverages other open source code scanners where applicable.” You can also see the Yasca Github site.

23.Frama-C (LGPL) is a framework for the development of collaborating static analyzers for the C language. Many analyzers are provided in the distribution, including a value analysis plug-in that provides variation domains for the variables of the program, and Jessie, a plug-in for computing Hoare style weakest preconditions. It provides a formal behavioral specification language for C programs named ACSL.

24.RTL-check “RTL-check is an extensible and powerful abstract interpretation framework for static analysis of programs from a safety and security perspective. It performs analysis on RTL, which is the low-level intermediate representation generated by GCC. See the documentation section for more information.” The code is on SourceForge; a good first start to learning about it is to read Patrice Lacroix master’s thesis.

25.PMD looks for potential problems in Java code. Not specific to security. (BSD-style license) There are other Java program analyzers too.

26.Findbugs also looks for potential problems in Java code. Not specific to security (LGPL license).

27.cppcheck does a breadth-first search for bugs (not just one for the host platform). There’s little documentation, unfortunately, but you can invoke it like this (use the force option “-f” else it will give up on some files, and use -a (“all warnings”) to get all details):

28.   cppcheck -a -f ./ 2> cpperr.txt &

29.PerlCritic analyzes perl programs. It’s really a style checker, not so much a vulnerability scanner.

30.Agnitio is a tool to manage checklists when doing manual reviews. It’s a different kind of tool, but I thought it’d be worth noting. Warning: it needs .NET and doesn’t run on Mono as of 2011-09-15 (though they are working on that).

31.Treehydra is a GCC plugin that provides a low level JavaScript binding to GCC’s GIMPLE AST representation. Treehydra is intended for precise static analyses. Most of Treehydra is generated by Dehydra. A Dehydra script walks the GCC tree node structure using the GTY attributes present in GCC. Treehydra is included in Dehydra source, and is built when a plugin-enabled CXX is detected.

32.Coccinelle aka spatch Coccinelle, also known as spatch, is a source-to-source translator available under GPLv2. Valerie Henson (now Valerie Aurora) has written an article about Coccinelle, and here’s another article about it.

33.bddbddb / bddshell. bddbddb (aka b5b) is a general-purpose tool for analyzing big programs. It lets you read in a program and then enter queries in a Prolog-like language, and its internals use the BDD datastructure to make all of this work for large programs. bddshell lets you use it interactively. These are more “tools for building analysis tools”, rather than analysis tools themselves.

34.LLVM. LLVM is really a compiler infrastructure project, but among other things it can be used to create analysis tools. But it’s not a security analysis tool by itself.

35.shellcheck (GNU Affero General Public License version 3) is a static analysis tool that reports on common mistakes in (Bourne) shell scripts. It is not specific to security, but several of its reports are security-related.

36.Elsa. Elsa (BSD license) is a C/C++ parser based on Elkhound. GCC also has a parser.

There is a similar program, ITS4 (from Cigital), but it isn’t open source software or Free Software (OSS/FS) as defined above, and as far as I know it isn’t maintained.

Of course, you could go the other way: Instead of looking for specific common weaknesses, you could prove that the program actually meets (or does not meet) certain requirements. If you’re interested in open source software tools related to proving programs correct, seej High Assurance (for Security or Safety) and Free-Libre / Open Source Software (FLOSS)... with Lots on Formal Methods / Software Verification and the Open Proofs website.

Quasi-open tools

1.     CERT ROSE checkers checks C and C++ against a subset of the rules in the CERT Secure Coding Standards for C and C++. The ROSE checkers are themselves open source, and build on the open source ROSE, but ROSE itself is fundamentally dependent on a a proprietary component (Edison Design Group’s C/C++ compiler), so the whole stack is in fact proprietary.

2.     ROSE/Compass (BSD license) is a source-to-source translator that can be used to build analysis programs. It includes Compass, which reports violations of a number of rules that relate to security.

3.     VisualCodeGrepper - this is a code security review tool for C/C++, C#, VB, PHP, Java, and PL/SQL. The EULA says it's under the GPL.. but I can't find any actual source code. As far as I can tell it's a lexically-based tool, which means it appears to work the same way as flawfinder, RATS, and ITS4.

Proprietary tools

There are various suppliers that sell proprietary programs that do this kind of static analysis. These include:

1.     HP/Fortify Software. Their Fortify Source Code Analysis tool is briefly described in the PCWorld article Software Searches for Security Flaws. Fortify Software is now owned by HP (as of 2010).

2.     Coverity’s SWAT tool searches for defects in general, including some security issues. It’s based on previous work on the Stanford checker, which was implemented by xgcc and the Metal language (the Stanford site has lots of interesting papers, but no code as far as I can tell -- please let me know if things are otherwise).

3.     GrammaTech develops and sells “static-analysis and program-transformation tools for C/C++ and Ada”. This include CodeSurfer/CodeSonar (R) for static analysis, and CodeSurfer/x86 for analyzing and rewriting binary executables.

4.     Veracode has tools to analyze software for security vulnerabilities (including binary analysis).

5.     Sofcheck Inspector performs static analysis on Java and Ada programs to find defects.

6.     Red Lizard Software is an Australian firm that sells Goanna, a tool that analyzes C/C++ code for software quality bugs (including some security vulnerabilities).

7.     Kestrel Institute works to “make formal methods work in practice”; they have various proprietary tools.

8.     Ounce Labs’s product Prexis. Ounce labs was recently bought by IBM.

9.     Klocwork sells various products that do static analysis.

10.@stake, now owned by Symantec Corporation, sells a tool called the SmartRisk (TM) Analyzer; unlike many tools, this one analyzes binary code.

11.Parasoft sells some static analysis tools.

12.Microsoft bought the company Intrinsa, and their product (known as PREfix) is used now to do static analysis of many of their own products.

13.PVS-Studio is “a static analyzer that detects errors in source code of C/C++/C++0x applications.” (It’s not specifically focused on security issues). Here's an article about PVS-Studio being used to find mistakes in the Linux kernel.

14.Parfait is a Sun research project, which has found some vulnerabilities. An interview discusses Parfait further. At the time of this writing, this is unreleased.

15.KDM Analytics has developed some prototypes using a standards-based approach. Code is first transformed into KDM (an OMG standard), and rules are defined using SBVR (another OMG standard). Then you can search for matches/violations of rules. One neat thing is that this can analyze (in principle) either binary or source code in arbitrary languages. I know some people are modifying gcc to generate KDM. SBVR (the rule-defining language) is a restricted-English logic language, so the rules are unusually readable. To my knowledge, these are not available on the market yet.

There are of course many companies that sell the service of performing security reviews of source code for a fee; who generally use a combination of tools and expertise. These include Secure Software developer of RATS, and Aspect Security, backers of the Open Web Application Security Project (OWASP).

Arian Evans has announced that he’s working on a list of such tools, and intends to post that list at OWASP; by the time you read this, it may already be available. NIST’s Software Assurance Metrics and Tool Evaluation (SAMATE) project posts a list of static analysis tools, along with a list of related papers and projects. Common Weakness Enumeration (CWE) is developing a standard set of definitions of common weaknesses and their interrelationships.

Other places list security tools, but not really static analysis tools; these include the Talisker Security Wizardry Portal and insecure.org’s survey of the top 75 tools.

Java2s has a list of Java-related tools for source analysis which may be of interest. They make the common mistake of saying “commercial” when they mean “proprietary” (OSS is commercial software too).

There are a vast number of static analysis tools that check for style or for possible errors, which might happen to catch security problems. They’re usually not focused on security issues, though, and there are too many to list anyway, so I don’t try to list them all here.