ITS4

Description: ITS4 is a static source code analyzer that looks for potential buffer overflow and time-of-check to time-of-use vulnerabilities. The authors wrote it to replace the use of grep in code auditing and development. Its analysis is fairly rudimentary: it doesn't build a parse tree of an input file, but rather scans it looking for calls known to be dangerous, such as strcpy and popen. When it finds such a call, it does some further analysis to decide how dangerous the call is, and whether or not it should be reported as a possible vulnerability. For example, the following code would be flagged as high risk:

strcpy(buf, dst);

Just from looking at the call, we don't know whether or not the string stored in dst is longer than the size of buf. It's possible that a more sophisticated analysis would reveal that this call can never result in an overflow, but ITS4's analysis is too simplistic to determine this. Now consider:

strcpy(buf, "hello\n");

This call would be flagged as very low risk by ITS4, and in its default mode would not be reported. Although it's possible that this call could overflow buf, it's most likely that a programmer would have allocated enough space for a constant string, and in any case the string written into buf is clearly not dependent on user input.

ITS4 also attempts to find time-of-check-to-time-of-use (TOCTOU) race conditions. It has a database of "access" functions and "use" functions. Any time a variable name is used to both access and use a file, it is recorded and marked as a possible TOCTOU vulnerability. It doesn't seem to do any further analysis for TOCTOU.
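To make the two heuristics described above concrete (constant-string copies downgraded below the default reporting threshold, and the same file name appearing in both an "access" and a "use" call recorded as a TOCTOU candidate), here is a small ITS4-style scanner written for this page. It is not ITS4's own code; the function tables, the two risk levels and the sample C source are assumptions constructed for the example.

```python
import re

# Illustrative subset of ITS4-style tables (assumed here; the real tool's
# database is larger and its risk-level names differ).
DANGEROUS_CALLS = {"strcpy", "strcat", "gets", "sprintf", "popen", "system"}
ACCESS_FUNCS = {"access", "stat", "lstat"}        # check a file by name
USE_FUNCS = {"open", "fopen", "chmod", "unlink"}  # use a file by name
RISK_ORDER = {"low": 0, "high": 1}

# Matches a simple call: identifier, '(', non-nested argument text, ')'.
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(([^()]*)\)")

def split_args(arg_text):
    # Naive split: a comma inside a string literal would confuse it.
    return [a.strip() for a in arg_text.split(",")] if arg_text.strip() else []

def scan(source):
    """Return (line_no, label, risk) findings from a C source string."""
    findings = []
    roles = {}  # file-name variable -> {"access": line, "use": line}
    for line_no, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            func, args = m.group(1), split_args(m.group(2))
            if func in DANGEROUS_CALLS:
                risk = "high"
                # Copying a constant string cannot depend on user input, so
                # it is downgraded and hidden at the default threshold.
                if func in ("strcpy", "strcat") and len(args) == 2 and args[1].startswith('"'):
                    risk = "low"
                findings.append((line_no, func, risk))
            if args and func in ACCESS_FUNCS | USE_FUNCS:
                role = "access" if func in ACCESS_FUNCS else "use"
                roles.setdefault(args[0], {}).setdefault(role, line_no)
    # Same name both checked and used: recorded as a possible TOCTOU race.
    for name, seen in roles.items():
        if "access" in seen and "use" in seen:
            findings.append((seen["use"], "TOCTOU:" + name, "high"))
    return findings

def report(findings, min_risk="high"):
    """Default-mode filter: only findings at or above min_risk are shown."""
    return [f for f in findings if RISK_ORDER[f[2]] >= RISK_ORDER[min_risk]]

# Constructed sample, not from the page: one risky copy, one constant copy,
# and an access()/open() pair on the same name.
SAMPLE = r'''char buf[64];
strcpy(buf, argv[1]);
strcpy(buf, "hello\n");
if (access(path, W_OK) == 0) {
    fd = open(path, O_WRONLY);
}'''

if __name__ == "__main__":
    for line_no, label, risk in scan(SAMPLE):
        print(f"line {line_no}: {label} [{risk}]")
```

Like ITS4 itself, the scanner has no parse tree, so `scan()` reports the constant-string copy at low risk while `report()` hides it by default, and the `access()`/`open()` pair is flagged purely because the same name `path` occurs in both.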

Pros

Cons

Availability: ITS4 is known to compile on Linux and various versions of Solaris, as well as on Windows using VC++ or Cygwin. It is available from: http://www.rstcorp.com/services/its4/download.html

Axes