

10.6. Tools

Some tools may help you detect security problems before you field the result. If you're building a common kind of product where many standard potential flaws exist (like an ftp server or firewall), you might find standard security scanning tools useful. One good one is Nessus; there are many others. Of course, running a ``secure'' program on an insecure platform configuration makes little sense; you may want to examine hardening systems such as Bastille available at http://www.bastille-linux.org.

You may find some tools helpful for finding potential security flaws. Here are a few:

  • ITS4 from Cigital (formerly Reliable Software Technologies, RST) statically checks C/C++ code. ITS4 works by performing pattern-matching on source code, looking for patterns known to be possibly dangerous (e.g., certain function calls). It is available free for non-commercial use, including its source code and with certain modification and redistribution rights. One warning: the tool's licensing claims can be initially misleading. Cigital claims that ITS4 is ``open source'' but, in fact, its license does not meet the Open Source Definition (OSD). In particular, ITS4's license fails point 6, which forbids ``non-commercial use only'' clauses in open source licenses. It's unfortunate that Cigital insists on using the term ``open source'' to describe their license. ITS4 is a fine tool, released under a fairly generous license for commercial software, yet using the term this way can give the appearance of a company trying to gain the cachet of ``open source'' without actually being open source. Cigital says that they simply don't accept the OSD definition and that they wish to use a different definition instead. Nothing legally prevents this, but the OSD definition is used by over 5000 software projects (at least all those hosted by SourceForge at http://www.sourceforge.net), Linux distributors, Netscape (now AOL), the W3C, journalists (such as those of the Economist), and many other organizations. Most programmers don't want to wade through license agreements, so using this other definition can be confusing. I do not believe Cigital has any intention to mislead; they're a reputable company with very reputable and honest people. It's unfortunate that this particular position of theirs leads (in my opinion) to unnecessary confusion. In any case, ITS4 is available at http://www.rstcorp.com/its4.

  • LCLint is a tool for statically checking C programs. With minimal effort, LCLint can be used as a better lint. If additional effort is invested adding annotations to programs, LCLint can perform stronger checking than can be done by any standard lint. The software is licensed under the GPL and is available from http://lclint.cs.virginia.edu.

  • BFBTester, the Brute Force Binary Tester, is licensed under the GPL. This program does quick security checks of binary programs. BFBTester performs checks of single and multiple argument command line overflows and environment variable overflows. Version 2.0 and higher can also watch for tempfile creation activity (to check for using unsafe tempfile names). At the time of this writing, BFBTester doesn't run on Linux due to a technical issue in Linux's POSIX threads implementation, but this may have changed by the time you read this. More information is available at http://my.ispchannel.com/~mheffner/bfbtester.

  • The fuzz program is a tool for testing other software. It tests programs by bombarding the program being evaluated with random data. This tool isn't really specific to security.
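To make the ITS4 approach concrete (pattern-matching source code for calls known to be risky, including the unsafe-tempfile case BFBTester also watches for), here is an added example of a minimal checker of that kind. It is not ITS4's code: the rule table is a constructed subset, the C input is constructed, and the only real subtlety it demonstrates is blanking comments and string literals first so that a `gets` mentioned in a comment is not reported.

```python
import re

# Constructed rule table: function -> (severity, reason). ITS4's own
# database is larger and carries per-call advice; this is an illustration.
RULES = {
    "gets":    ("high",   "no bound on input length; use fgets"),
    "strcpy":  ("high",   "unbounded copy; check length or use strncpy"),
    "strcat":  ("high",   "unbounded append"),
    "sprintf": ("high",   "unbounded formatting; use snprintf"),
    "system":  ("high",   "passes data through a shell"),
    "mktemp":  ("medium", "predictable temp file name; use mkstemp"),
    "strncpy": ("low",    "may leave destination without a NUL terminator"),
}

def blank_comments_and_strings(src):
    """Overwrite comments and string literals with spaces (keeping newlines)
    so a 'gets' inside a comment or a printf format string is not reported.
    Character literals such as '"' are not handled by this toy lexer."""
    tok = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\])*"', re.S)
    return tok.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)

def scan(src):
    """Return [(line, function, severity, reason)] for each risky call."""
    call = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
    hits = []
    lines = blank_comments_and_strings(src).splitlines()
    for lineno, line in enumerate(lines, 1):
        for m in call.finditer(line):
            name = m.group(1)
            if name in RULES:
                hits.append((lineno, name) + RULES[name])
    return hits

# Constructed C input exercising the comment/string suppression.
SAMPLE = r'''#include <stdio.h>
#include <string.h>
/* strcpy(a, b) in a comment must not be flagged */
int main(int argc, char **argv) {
    char buf[64], tmpl[] = "/tmp/fooXXXXXX";
    printf("never call gets() here\n");   // gets in a string/comment
    strcpy(buf, argv[1]);                 // flagged: unbounded copy
    gets(buf);                            // flagged
    fgets(buf, sizeof buf, stdin);        // safe replacement, not flagged
    mktemp(tmpl);                         // flagged: predictable temp name
    return 0;
}
'''

if __name__ == "__main__":
    for lineno, name, sev, why in scan(SAMPLE):
        print(f"line {lineno}: {name}() [{sev}] {why}")
```

Like ITS4, this only reports that a risky function is called; whether the call is actually exploitable still needs a human to check the surrounding bounds logic.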