ITS4 is a static source code analyzer that looks for potential buffer
overflow and time-of-check to time-of-use vulnerabilities. The
authors wrote it to replace the use of grep in code auditing and
development. It's analysis is fairly rudimentary; it doesn't build a
parse tree of an input file, but rather scans it looking for calls
know to be dangerous, such as strcpy and popen. When it finds such
calls, it does some further analysis to decide how dangerous the call
is, and whether or not it should be reported as a possible
vulnerability. For example, the following code would be flagged as
Just from looking at the call, we don't know whether or not the string
stored in dst is longer than the size of buf. It's possible that a
more sophisticated analysis would reveal that this call can never
result in an overflow, but ITS4's analysis is too simplistic to
determine this. Now consider:
This call would be flagged as very low risk by ITS4, and in it's
default mode, would not be reported. Although it's possible that this
call could overflow buf, it's most likely that a programmer would have
allocated enough space for a constant string, and in any case, the
string written into buf is clearly not dependent on user input.
ITS4 also attempts to find time-of-check-to-time-of-use (TOCTOU) race
conditions. It has a database of "access" functions and "use"
functions. Any time a variable name is used to both access and use a
file, it is recorded and marked as a possible TOCTOU vulnerability.
It doesn't seem to do any further analysis for TOCTOU.
- Using ITS4 is better than using grep to find all instances of
- It's simplistic analysis is fast; the authors report that an
analysis of sendmail-8.9.3, which has about 57,000 lines of code, took
about 6 seconds on a Pentium 90.
ITS4 is known to compile on Linux and various versions of Solaris, as
well as Windows using VC++ or CygWin. It's available from:
- ITS4 generates many false positives, due to it's simplistic
- Since it relies on a database of known dangerous calls, the
presence of a vulnerability caused by a call not in the database
results in a false negative.
- Static vs Dynamic: ITS4 statically analyzes source code.
- Library vs Instrumenting: ITS4 falls under Library, since it doesn't
do anything to the code, but only reports on it.
- Testing vs Production: ITS4 falls under testing, since it's intended
to be used in a testing or development environment.
- Opaque vs Clear vs Cloudy: ITS4 falls under Clear, since its input
is source code.
- List vs Heuristic: ITS4 is mostly List, since it works from a list
of known-to-be-unsafe function calls. To a small degree, it could be
considered to have some Heuristic properties in how it tries to detect
- Conservative vs Liberal: ITS4 tends more towards the conservative
end of the spectrum. Even though it tries to omit the trivial cases
where dangerous function calls are used safely, it still reports many
- Concurrent vs Single: ITS4 falls under Single, since it operates
on one source file at a time.
- Alert vs Advice: ITS4 falls under Advice, because when it finds a
problem, it gives a short description and how it should be fixed.