ITS4
Description:
ITS4 is a static source code analyzer that looks for potential buffer
overflow and time-of-check to time-of-use vulnerabilities. The
authors wrote it to replace the use of grep in code auditing and
development. Its analysis is fairly rudimentary; it doesn't build a
parse tree of an input file, but rather scans it looking for calls
known to be dangerous, such as strcpy and popen. When it finds such
calls, it does some further analysis to decide how dangerous the call
is, and whether or not it should be reported as a possible
vulnerability. For example, the following code would be flagged as
high risk:
strcpy(buf, dst);
Just from looking at the call, we don't know whether or not the string
stored in dst is longer than the size of buf. It's possible that a
more sophisticated analysis would reveal that this call can never
result in an overflow, but ITS4's analysis is too simplistic to
determine this. Now consider:
strcpy(buf, "hello\n");
This call would be flagged as very low risk by ITS4, and in its
default mode, would not be reported. Although it's possible that this
call could overflow buf, it's most likely that a programmer would have
allocated enough space for a constant string, and in any case, the
string written into buf is clearly not dependent on user input.
ITS4 also attempts to find time-of-check-to-time-of-use (TOCTOU) race
conditions. It has a database of "access" functions and "use"
functions. Any time a variable name is used to both access and use a
file, it is recorded and marked as a possible TOCTOU vulnerability.
It doesn't seem to do any further analysis for TOCTOU.
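The two analyses described above, the per-call risk grading (a constant source string is downgraded to low risk and hidden in the default mode) and the name-matching TOCTOU check, modelled as a small scanner. This is an added Python example, not ITS4's own code; its tables and risk labels are constructed for illustration and are far smaller than ITS4's database.

```python
import re

# Constructed tables in the spirit of ITS4's database. The function names
# are the kind the page mentions; the risk labels are this example's own.
DANGEROUS = {"strcpy": "high", "strcat": "high", "gets": "high",
             "sprintf": "high", "popen": "high", "system": "high"}
CHECK_FUNCS = {"access", "stat", "lstat"}          # TOCTOU "access" calls
USE_FUNCS = {"open", "fopen", "chmod", "unlink"}   # TOCTOU "use" calls
LITERAL = re.compile(r'^"(\\.|[^"\\])*"$')         # a C string constant

def split_args(text):  # split a C argument list on top-level commas only
    args, depth, in_str, cur = [], 0, False, ""
    for ch in text:
        if ch == '"' and not cur.endswith("\\"):
            in_str = not in_str                    # enter/leave a string
        elif not in_str:
            if ch == "(": depth += 1
            elif ch == ")": depth -= 1
            elif ch == "," and depth == 0:
                args.append(cur.strip()); cur = ""; continue
        cur += ch
    return args + ([cur.strip()] if cur.strip() else [])

def find_calls(line):  # yield (name, args) for every call, nested ones too
    for m in re.finditer(r"\b([A-Za-z_]\w*)\s*\(", line):
        depth, i = 1, m.end()
        while i < len(line) and depth:             # walk to the matching ')'
            depth += {"(": 1, ")": -1}.get(line[i], 0)
            i += 1
        if depth == 0:
            yield m.group(1), split_args(line[m.end():i - 1])

def scan(source):  # (line, function, risk) findings, graded per call like ITS4
    findings, checked = [], {}                     # checked: variable -> line
    for lineno, line in enumerate(source.splitlines(), 1):
        for func, args in find_calls(line):
            if func in DANGEROUS:
                risk = DANGEROUS[func]
                # A constant source string cannot depend on user input: low risk.
                if func in ("strcpy", "strcat") and len(args) > 1 and LITERAL.match(args[1]):
                    risk = "low"
                findings.append((lineno, func, risk))
            if func in CHECK_FUNCS and args:       # remember the checked name
                checked[args[0]] = lineno
            elif func in USE_FUNCS and args and args[0] in checked:
                findings.append((lineno, func, "toctou"))
    return findings

def default_report(source):  # ITS4's default mode hides low-risk findings
    return [f for f in scan(source) if f[2] != "low"]
```

Like ITS4, the scanner never checks whether buf is actually large enough, so strcpy(buf, dst) is reported as high risk even when the program guarantees dst fits.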
Pros
- Using ITS4 is better than using grep to find all instances of
known-to-be-dangerous calls.
- Its simplistic analysis is fast; the authors report that an
analysis of sendmail-8.9.3, which has about 57,000 lines of code, took
about 6 seconds on a Pentium 90.
Cons
- ITS4 generates many false positives, due to its simplistic
analysis.
- Since it relies on a database of known dangerous calls, the
presence of a vulnerability caused by a call not in the database
results in a false negative.
ITS4 is known to compile on Linux and various versions of Solaris, as
well as Windows using VC++ or Cygwin. It's available from:
http://www.rstcorp.com/services/its4/download.html
Axes
- Static vs Dynamic: ITS4 statically analyzes source code.
- Library vs Instrumenting: ITS4 falls under Library, since it doesn't
do anything to the code, but only reports on it.
- Testing vs Production: ITS4 falls under testing, since it's intended
to be used in a testing or development environment.
- Opaque vs Clear vs Cloudy: ITS4 falls under Clear, since its input
is source code.
- List vs Heuristic: ITS4 is mostly List, since it works from a list
of known-to-be-unsafe function calls. To a small degree, it could be
considered to have some Heuristic properties in how it tries to detect
TOCTOU problems.
- Conservative vs Liberal: ITS4 tends more towards the conservative
end of the spectrum. Even though it tries to omit the trivial cases
where dangerous function calls are used safely, it still reports many
false positives.
- Concurrent vs Single: ITS4 falls under Single, since it operates
on one source file at a time.
- Alert vs Advice: ITS4 falls under Advice, because when it finds a
problem, it gives a short description of the problem and how it should be fixed.