Code Reviews and Inspections
LWN.net weekly edition
Two new security-related tools were announced this week, both relating to code
scanning: RATS and flawfinder. These tools perform tests on source code in an
attempt to find common coding problems that can lead to security
vulnerabilities. For both RATS and flawfinder the checks are limited to
function calls: any reference in the examined source to a function listed in
flawfinder's database is flagged as a "hit". Flawfinder and RATS join another
application, its4, which was noted by LWN.net late last year.
According to David Wheeler, author of the
Secure Programming for Linux and Unix HOWTO, flawfinder is Python based
and was developed in response to issues surrounding
Cigital's use of the term "open source" for its its4 product. Additionally,
the flawfinder and RATS developers have agreed to work together.
The developers [of flawfinder
and RATS] didn't know about each other's efforts until just before their
releases, but they have agreed to coordinate in some way to create a "best
of breed" source code scanner.
These scanners are very useful for finding
function calls that are often the cause of security problems. Unfortunately,
RATS wouldn't compile even though the required Expat library was installed
under /usr/lib. Flawfinder worked out of the box, as did its4. Each produced
on the same piece of code.
While such tools are helpful, they shouldn't be
considered cures for security illnesses in any software. They should be used
in conjunction with memory checkers to catch potential buffer overflows. And,
of course, nothing beats following some
simple programming guidelines.
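The scan described above (a database of risky function names, every call to one of them reported as a hit) is small enough to show in full. The script below is an added example, not the code of flawfinder, RATS or its4; the RISK_DB entries and the SAMPLE_C program are constructed for illustration and the function names are the example's own. It also demonstrates the caveat from the closing paragraph: the off-by-one loop in zero() overflows its array but produces no hit, because no risky function is called, which is why such scanners need to be paired with memory checkers.

```python
"""Minimal lexical source scanner in the style of flawfinder/RATS.
Added example: not the code of any of those tools."""
import re

# Constructed risk database: function name -> (risk level 0-5, reason).
# flawfinder's real database is larger; these entries are illustrative only.
RISK_DB = {
    "gets":    (5, "no bound on input length; always a buffer overflow"),
    "strcpy":  (4, "does not check destination size"),
    "strcat":  (4, "does not check destination size"),
    "sprintf": (4, "does not check destination size"),
    "system":  (4, "shell metacharacters in arguments allow command injection"),
    "strncpy": (1, "bounded, but may leave the destination unterminated"),
}

# Comments and string/char literals, so that 'gets()' mentioned in a comment
# or a string is not reported as a call.
COMMENT_OR_STRING_RE = re.compile(
    r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'', re.S)

# A C identifier followed by '(' that is not part of a longer identifier and
# not a struct member access (foo.strcpy(, p->strcpy( and my_strcpy( are not hits).
CALL_RE = re.compile(r'(?<![A-Za-z0-9_.])(?<!->)([A-Za-z_][A-Za-z0-9_]*)\s*\(')


def blank_out(src):
    """Replace comments and literals with spaces, keeping newlines so that
    reported line numbers stay correct."""
    return COMMENT_OR_STRING_RE.sub(
        lambda m: re.sub(r'[^\n]', ' ', m.group(0)), src)


def scan(src):
    """Return (line, function, level, reason) hits, highest risk first."""
    hits = []
    for lineno, line in enumerate(blank_out(src).splitlines(), 1):
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            if name in RISK_DB:
                level, reason = RISK_DB[name]
                hits.append((lineno, name, level, reason))
    return sorted(hits, key=lambda h: (-h[2], h[0]))


# Constructed C input: two hits, one real bug the scanner cannot see.
SAMPLE_C = r'''#include <string.h>
#include <stdio.h>

/* strcpy() is bounded by a literal here, but a lexical scanner cannot tell. */
void greet(const char *name) {
    char buf[64];
    strcpy(buf, "hello ");             /* hit, though actually safe */
    strcat(buf, name);                 /* hit: real overflow if name is long */
    printf("%s\n", buf);
}

void zero(int *a, int n) {
    for (int i = 0; i <= n; i++)       /* off-by-one: writes a[n] */
        a[i] = 0;                      /* no hit: no risky call to match */
}

void banner(void) {
    puts("never call gets()");         /* gets() inside a string: no hit */
}
'''

if __name__ == "__main__":
    for lineno, name, level, reason in scan(SAMPLE_C):
        print(f"line {lineno}: {name}() [risk {level}] {reason}")
```

Run on SAMPLE_C the scanner reports strcpy() on line 7 and strcat() on line 8 and nothing else: the genuinely safe strcpy() is a false positive, the overflow in zero() is a false negative, and the gets() text inside the string literal is correctly ignored. Both failure modes are inherent to matching on function names rather than on data flow.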
Automatic Code Analysis and Fault Detection
Static Analysis Tools for
The Leading Commercial Tools
Leading edge tool based on
methodology for source code analysis of large code bases. An
extended version of the tool supports user-defined properties in
the Metal language. Fast, thorough, few false positives, but can
be very expensive.
Support for static error detection, with added project
management and project visualization capabilities. Fast, almost
as thorough as Coverity, and less expensive. A capability for
user-defined checks is pending.
Marketed by a French company co-founded by students of
Patrick Cousot (pioneer in the area of abstract interpretation). Polyspace
claims it can intercept 100% of the runtime errors in C
programs. Customers are in the airline industry and
the European space program. Can be thorough, but also very slow,
and does not scale beyond a few thousand lines of code. Does not
support the full ANSI C language (e.g., it places restrictions on
the use of gotos).
This tool is focused primarily on the detection of memory leaks,
and not on general source code analysis. It is used fairly
- The Lint family, e.g. Lint Plus (Cleanscape)
Generic source code analysis, value tracking, some types of
array indexing errors. Suffers from high, sometimes very high,
false positive rates, but the output can be customized with
flags and code annotations.
PREfix and PREfast (Microsoft)
Effective, but Microsoft proprietary, tools. PREfix was developed by
Pincus; Microsoft acquired the tool when it bought Pincus'
company. PREfast is a lighter weight tool, developed within
Microsoft as a faster alternative to PREfix (though it is not
based on PREfix itself). Both these tools are reported to be
very effective in intercepting defects early, and come with
filtering methods for the output to reduce the false positive
ratio. PREfast allows new defect patterns to be defined via
plugins. Less than 10% of the code of PREfix is said to be concerned
with analysis per se; most of it handles the filtering and
presentation of output, to reduce the number of false positives.
A new member of the CodeSurfer family (see below). Not evaluated
- Safer C
Based on L. Hatton's 1995 book Safer C, now out of print,
covering code analysis and enforcement of coding guidelines.
Academic and Research tools
Extended static checker for Java and for Modula-3, developed by
Nelson and colleagues, based on a mix of theorem
proving and static analysis. It is thorough and effective, but
also slow, and needs considerable knowledge to run. This tool
does not target C, and therefore does not properly belong in
this listing, but we include it as one of the landmark research
tools in this domain.
The descendant of the early research Unix version of lint, which
was written by Steve Johnson in 1979. This tool needs lots of
annotations to work well, and often produces overwhelming
amounts of output.
An experimental system, in development at Microsoft by
Manuel Fahndrich. It is based on formal annotations placed
in the code.
- Astree (CNRS,
Astree is a static program analyzer for structured C programs
without dynamic memory allocation and recursion (the subset
used, for instance, in embedded systems and in safety-critical
systems). The tool name is an acronym for Analyseur
statique de logiciels temps-réel embarqués (static analyzer for
real-time embedded software). Among those working on this tool
are Patrick and Radhia Cousot.
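Polyspace, Astree and CGS (below) all rest on abstract interpretation: instead of matching on function names, the analyzer computes, for every program point, a sound over-approximation of the values each variable can hold, and an array index is reported only when its approximation leaves the valid range. The script below is an added example, not the code of any of those tools: a toy interval-domain analyzer over a tiny constructed statement language (the 'set', 'index' and 'while_lt' forms, the PROGRAM sample and the function names are all this example's own). It shows the two mechanisms that make such tools both sound and imprecise: widening, which forces loop analysis to terminate, and refinement by the loop guard, which recovers precision inside the loop body.

```python
"""Toy interval-domain abstract interpreter for array-bound checking.
Added example in the spirit of Polyspace/Astree/CGS; not their code."""
import math

INF = math.inf
TOP = (-INF, INF)            # "unknown integer"; also the value of any unassigned variable


def join(a, b):
    """Least upper bound of two intervals: merge of two control-flow paths."""
    return (min(a[0], b[0]), max(a[1], b[1]))


def widen(old, new):
    """A bound that keeps moving is extrapolated to infinity, so the loop
    fixpoint is reached in a few steps regardless of the trip count."""
    return (old[0] if new[0] >= old[0] else -INF,
            old[1] if new[1] <= old[1] else INF)


def eval_expr(e, env):
    """Abstract value of an int literal, a variable name, or ('+'|'-', a, b)."""
    if isinstance(e, int):
        return (e, e)
    if isinstance(e, str):
        return env.get(e, TOP)
    op, a, b = e
    (alo, ahi), (blo, bhi) = eval_expr(a, env), eval_expr(b, env)
    if op == '+':
        return (alo + blo, ahi + bhi)
    if op == '-':
        return (alo - bhi, ahi - blo)
    raise ValueError(op)


def check_index(size, idx):
    """'safe' if every value is in [0, size-1], 'definite' if none is."""
    lo, hi = idx
    if lo >= 0 and hi <= size - 1:
        return 'safe'
    if hi < 0 or lo > size - 1:
        return 'definite'
    return 'possible'


def analyse(stmts, env, findings):
    """Run the statements over abstract state env; returns the exit state."""
    env = dict(env)
    for s in stmts:
        if s[0] == 'set':                       # ('set', var, expr)
            env[s[1]] = eval_expr(s[2], env)
        elif s[0] == 'index':                   # ('index', array, size, expr)
            idx = eval_expr(s[3], env)
            findings.append((s[1], idx, check_index(s[2], idx)))
        elif s[0] == 'while_lt':                # ('while_lt', var, bound, body)
            env = analyse_loop(s[1], s[2], s[3], env, findings)
        else:
            raise ValueError(s[0])
    return env


def analyse_loop(var, bound, body, entry, findings):
    """Fixpoint of  state = widen(state, entry U body(state & guard))."""
    state = dict(entry)
    while True:     # terminates: each step either stabilises or pushes a bound to +-inf
        blo, bhi = eval_expr(bound, state)
        vlo, vhi = eval_expr(var, state)
        inner = dict(state)
        inner[var] = (vlo, min(vhi, bhi - 1))   # guard var < bound holds in the body
        if inner[var][0] > inner[var][1]:
            break                               # empty interval: body never runs
        out = analyse(body, inner, [])          # findings discarded until stable
        merged = {v: join(state.get(v, TOP), out.get(v, TOP))
                  for v in set(state) | set(out)}
        new = {v: widen(state.get(v, TOP), merged[v]) for v in merged}
        if new == state:
            analyse(body, inner, findings)      # report once, on the stable state
            break
        state = new
    exit_env = dict(state)
    vlo, vhi = eval_expr(var, state)
    blo, _ = eval_expr(bound, state)
    exit_env[var] = (max(vlo, blo), vhi)        # guard is false on exit: var >= bound
    return exit_env


def run(program):
    findings = []
    analyse(program, {}, findings)
    return findings


# Constructed sample, the analogue of:
#   char buf[8]; for (i = 0; i < 8; i++) buf[i] = 0;   /* in bounds      */
#   buf[i] = 0;                                         /* i == 8: overflow */
#   for (j = 0; j < n; j++) buf[j] = 0;                 /* n unknown       */
PROGRAM = [
    ('set', 'i', 0),
    ('while_lt', 'i', 8, [('index', 'buf', 8, 'i'), ('set', 'i', ('+', 'i', 1))]),
    ('index', 'buf', 8, 'i'),
    ('set', 'j', 0),
    ('while_lt', 'j', 'n', [('index', 'buf', 8, 'j'), ('set', 'j', ('+', 'j', 1))]),
]

if __name__ == "__main__":
    for arr, (lo, hi), verdict in run(PROGRAM):
        print(f"{arr}[{lo}..{hi}]: {verdict}")
```

On PROGRAM the analyzer reports the first access as safe (inside the loop the guard narrows i to [0, 7] even though widening had already pushed its upper bound to infinity), the access after the loop as a definite error (on exit i is [8, inf)), and the access governed by the unknown n as a possible error. That last verdict is the price of soundness that the "100% of runtime errors" claim refers to: a sound analyzer never stays silent about an access it cannot prove safe, so unknown inputs surface as warnings rather than as missed bugs.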
- CGS (C Global Surveyor, NASA ARC)
A tool in development at NASA Ames Research Center by
Guillaume Brat and
based on abstract interpretation techniques, inspired by Patrick
Cousot. The tool is designed to be a specialized tool for flight
C-Kit (Bell Labs).
A research toolkit developed at Bell Labs, with algorithms for
pointer alias analysis, program slicing, etc. for ANSI C.
Written in SML. Can produce parse tree and symbol table
information, but, as yet, not control flow graphs or function call
graphs. The principal researchers involved in this work (Nevin
Heintze, Jon Riecke,
are no longer at Bell Labs and development has stopped.
Lightweight tool for static analysis. The tool is targeted at a
small set of common programming defects (Uninitialized data,
Nil-pointer dereferencing, and Out-of-bound array indexing, with
the three initial letters giving the tool its name). It also
handles a range of simple, user-defined properties.
Work in progress on an extension of Uno for C++, based on gcc.
Other tools (Code Browsers; Development
- Programming Style or Guidelines Checkers
Supports data dependence analysis, program slicing for C,
interprocedural flow analysis. The company was co-founded by
Tom Reps. Very well
done GUI. Mostly research applications.
Offers front-ends for many different languages and supports some
flow analysis. Geared towards code transformations or
re-engineering. Targets large code bases.
Copyright © 1996-2018 by Dr. Nikolai Bezroukov. www.softpanorama.org
March 12, 2019