Cigital's ITS4 tool is designed to automatically scan C and C++ source code and flag potentially dangerous function calls. It is based on a relatively simple parsing system and matches the code against a database of known dangerous functions, such as strcpy() and sprintf(). The ITS4 documentation states that some attempt is made at more detailed analysis, implemented through custom handlers defined for certain functions. For example, if sprintf() is called with a fixed format string, it may be assumed not to be vulnerable to a standard format string attack.

The design of ITS4 allows several forms of vulnerable code to pass undetected, and several examples have been published. Many rest on the assumption that constant values are safe: a call to strcpy() or sprintf() with a statically defined string is assumed to be safe, as is a constant length passed to strncpy(), even though a constant string or length may still exceed the destination buffer. Additional cases not covered by ITS4 are documented in the whitepaper describing the product, including calls made through function pointer and file pointer aliases. It has also been reported that the database supplied with ITS4 does not cover many problematic Windows-specific function calls, possibly allowing platform-dependent vulnerabilities to go undetected.

This is not a vulnerability in itself; it is a weakness in the design of ITS4 which may lead to a false sense of security. A perception that the code has been checked at this level may lead some programmers to rely on insecure programming techniques. It should be noted that the weaknesses of similar systems are well documented.
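To make the design weakness concrete, the following added example models the kind of scanner the text describes: a flat database of dangerous call names plus per-function handlers that suppress a finding when an argument is a constant. It is illustrative code written for this entry, not ITS4's own code, database or handlers, and the C fragment it scans is constructed for the purpose. Assumed here (and not stated by the page) is the exact handler behaviour, namely that a string-literal source, a string-literal format or a numeric-literal length suppresses the finding outright. Run against the fragment, the scanner reports only the plain strcpy(buf, input) call and misses the constant-argument calls and the call made through a function pointer alias, even though every one of them overflows the eight-byte buffer.

```python
import re

# Constructed C fragment. buf is 8 bytes; every call in f() overflows it.
SAMPLE_C = """\
char buf[8];
char *(*copy)(char *, const char *) = strcpy;   /* function pointer alias */
void f(const char *input) {
    strcpy(buf, "this literal is longer than buf");  /* constant source */
    sprintf(buf, "%s", input);                       /* constant format, unbounded %s */
    strncpy(buf, input, 256);                        /* constant length larger than buf */
    copy(buf, input);                                /* strcpy through the alias */
    strcpy(buf, input);                              /* plain call: the only one caught */
}
"""
VULNERABLE_LINES = {4, 5, 6, 7, 8}   # ground truth for SAMPLE_C (constructed)

# Modelled database of dangerous calls (an assumption, not ITS4's real database).
DANGEROUS = {"strcpy": "unbounded copy", "strcat": "unbounded concat",
             "sprintf": "unbounded format", "strncpy": "length may exceed buffer",
             "gets": "unbounded read"}

CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
STRING_LITERAL = re.compile(r'^"(\\.|[^"\\])*"$')
INT_LITERAL = re.compile(r"^\d+$")


def split_args(text, start):
    """Return the argument list of the call whose '(' is at text[start].
    Handles nested parentheses and commas inside string literals."""
    depth, args, cur, i, in_str = 0, [], "", start, False
    while i < len(text):
        ch = text[i]
        if in_str:
            cur += ch
            if ch == "\\":
                cur += text[i + 1]
                i += 1
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str, cur = True, cur + ch
        elif ch == "(":
            depth += 1
            if depth > 1:
                cur += ch
        elif ch == ")":
            depth -= 1
            if depth == 0:
                args.append(cur.strip())
                return args
            cur += ch
        elif ch == "," and depth == 1:
            args.append(cur.strip())
            cur = ""
        else:
            cur += ch
        i += 1
    return args


# Modelled handlers: each returns True when the call is "assumed safe".
def _constant_source(args):   # strcpy/strcat: source is a string literal
    return len(args) >= 2 and bool(STRING_LITERAL.match(args[1]))

def _constant_format(args):   # sprintf: format argument is a string literal
    return len(args) >= 2 and bool(STRING_LITERAL.match(args[1]))

def _constant_length(args):   # strncpy: length argument is a numeric literal
    return len(args) >= 3 and bool(INT_LITERAL.match(args[2]))

ASSUME_SAFE = {"strcpy": _constant_source, "strcat": _constant_source,
               "sprintf": _constant_format, "strncpy": _constant_length}


def scan(source):
    """Flag calls by name only, minus those a constant-argument handler suppresses.
    Calls made through an alias never match the database at all."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            if name not in DANGEROUS:
                continue
            args = split_args(line, m.end() - 1)
            if name in ASSUME_SAFE and ASSUME_SAFE[name](args):
                continue
            findings.append((lineno, name, DANGEROUS[name]))
    return findings


def missed(source, vulnerable_lines):
    """Lines the ground truth marks as overflowing that the scanner never reported."""
    reported = {lineno for lineno, _, _ in scan(source)}
    return sorted(set(vulnerable_lines) - reported)


if __name__ == "__main__":
    for lineno, name, why in scan(SAMPLE_C):
        print(f"line {lineno}: {name}(): {why}")
    print("vulnerable lines missed:", missed(SAMPLE_C, VULNERABLE_LINES))
```

The practical check this suggests is to treat a clean ITS4 run as a starting point rather than a result: grep separately for aliases of the flagged functions, and review every suppressed constant-argument call against the declared size of its destination buffer.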