Software Security Tools

Modified 27 March 2007

A great reference is David Wheeler's Secure Programming for Linux and Unix HOWTO. Much of it applies to programming in general. Many other things at his web site are very helpful, see: http://www.dwheeler.com/

The underlying technology of most modern exploits is some sort sort of buffer overflow. Here is a great resource on their cause and prevention: http://min.ecn.purdue.edu/~cyprian/BoF_Page.html

C/C++ Security

From David Wheeler's paper, free software except as noted:

• Flawfinder scans C/C++ code for common problems: http://www.dwheeler.com/flawfinder/
• RATS (Rough Auditing Tool for Security) scans C/C++ code for common problems: http://www.securesw.com/rats/
• LCLint scans C/C++ somewhat as lint does: http://lclint.cs.virginia.edu/
• cqual looks for C bugs, applies stricter typing: http://www.cs.berkeley.edu/Research/Aiken/cqual/
• Valgrind "supervises" the execution of a program, monitoring all memory management and access.
  • http://freshmeat.net/projects/valgrind/
  • http://developer.kde.org/~sewardj/
• ITS4 scans C/C++ code, not strictly open-source: http://www.rstcorp.com/its4/
• Also see the Linux section of the OS-specific page for some modifications to the standard C library to mitigate problems caused by bad code.

PHP Security

See the web security page for this list.

Python Security

PyChecker checks for common Python bugs: http://pychecker.sourceforge.net/

Java Security

• Java Security
  • Sun's Java security docs: http://java.sun.com/security/
  • Several Java security papers by L. Gong: http://java.sun.com/people/gong/papers/pubs97.html
  • For a good technical paper "Blocking Java Applets at the Firewall," see http://www.rstcorp.com/javasecurity/.
  • Details on Java exploits, language issues, and how to write better Java: http://www.rstcorp.com/javasecurity/links.html
• Java Insecurity
  • If you're certain you have all Java turned off on your system, check the following examples of Java attacks. They are effective on earlier Java Virtual Machines, and may be unavailable due to complaints:
    • http://www.math.gatech.edu/~mladue/SourceCode.html.
    • http://www.math.gatech.edu/~mladue/HostileApplets.html.
    • http://www.cyber.com/mirror/mladue/HostileApplets.html
  • Here is a Java attack that will take down NT: http://www.eyeone.no/KillerApp/KillerApp.htm

ActiveX Attacks

• Not to be outdone, Microsoft put together something far more dangerous than Java. Here are tests for whether dangerous ActiveX controls are installed on your system, how to disable ActiveX,:
  • Are they there? http://www.tiac.net/users/smiths/acctroj/axcheck.htm
  • How to disable — http://www.tiac.net/users/smiths/acctroj/howto.htm
  • More details — http://www.tiac.net/users/smiths/acctroj/index.htm

Windows Source Code

Some interesting comments about the leaked Windows source code: http://www.kuro5hin.org/story/2004/2/15/71552/7795

Writing Your Own Exploit Code

The Metasploit Project is an open-source code library for developing and running exploits: http://www.metasploit.com/index.html

Security Page

© Bob Cromwell Jul 2008. Created with /bin/vi, hosted on OpenBSD with Apache.    Root password available here