Re: secprog Digest 8 Feb 2003 03:21:18 -0000 Issue 140
From: David Wheeler <dwheeler(at)ida.org>
Date: Mon Feb 10 2003 - 09:26:08 EST

> Does anyone on the list know of any research in detecting "malicious
A tool for detecting ordinary mistakes is Flawfinder, http://www.dwheeler.com/flawfinder (RATS). That webpage also links to RATS, a competing detector. Both are open source software / Free Software licensed under the GPL. Last I looked, ITS4 is not open source software / free software, but it does provide source code and permits certain free uses. All of them use patterns to detect common mistakes. They won't detect code that is malicious but doesn't match one of those patterns. Thus, it's fairly easy to write "mistakes" that the detectors won't detect, once you understand how they work. However, the detectors _might_ detect such malicious code if (1) the attacker intentionally inserts a common mistake, and (2) the attacker doesn't know about these detection tools (or presumes they won't be used). If you're seriously worried about malicious code being inserted, you're better off depending on peer review, in particular examining "diffs" to see what's changed.
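To make the pattern-matching point concrete, here is a small added example written for this page; it is not Flawfinder, RATS or ITS4 code and is not part of the original message. It scans C source for calls to a short, constructed table of risky functions (the rule table, severity levels and reasons are assumptions chosen for the example), skips matches inside comments and string literals, and ranks hits by severity. The constructed sample C source contains two calls that match the table and one hand-written copy loop (copy_manual) with the same unbounded-copy defect that matches nothing, which is exactly the gap the message describes and the reason it recommends peer review of diffs alongside such tools.

```python
import re
from dataclasses import dataclass

# Constructed rule table for this example: function name -> (risk level 1-5, advice).
# Flawfinder's real database is larger and assigns levels by context; this is not it.
RULES = {
    "gets":    (5, "no bounds check on input; use fgets with an explicit size"),
    "strcpy":  (4, "no length limit; use strlcpy/strncpy with the destination size"),
    "sprintf": (4, "unbounded output; use snprintf"),
    "strcat":  (4, "no length limit; use strlcat/strncat"),
    "system":  (4, "runs a shell; confirm arguments are not attacker-controlled"),
    "strncpy": (1, "may leave destination unterminated; verify the NUL terminator"),
}

# Match a rule function name followed by "(" at a word boundary, so "fgets(" is not "gets(".
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, RULES)) + r")\s*\(")
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')   # double-quoted C string literal
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/")     # single-line /* ... */ only (simplification)
LINE_COMMENT_RE = re.compile(r"//.*")


@dataclass
class Hit:
    line_no: int
    func: str
    level: int
    reason: str
    text: str


def strip_comments_and_strings(line: str) -> str:
    """Blank out string literal contents and comments so they cannot produce hits."""
    line = STRING_RE.sub('""', line)
    line = BLOCK_COMMENT_RE.sub(" ", line)
    line = LINE_COMMENT_RE.sub("", line)
    return line


def scan(source: str, min_level: int = 1) -> list:
    """Return Hits for every rule-table call at or above min_level, highest level first."""
    hits = []
    for line_no, raw in enumerate(source.splitlines(), start=1):
        for m in CALL_RE.finditer(strip_comments_and_strings(raw)):
            func = m.group(1)
            level, reason = RULES[func]
            if level >= min_level:
                hits.append(Hit(line_no, func, level, reason, raw.strip()))
    return sorted(hits, key=lambda h: (-h.level, h.line_no))


def summarize(hits) -> dict:
    """Count hits per risk level, e.g. {5: 1, 4: 1}."""
    counts = {}
    for h in hits:
        counts[h.level] = counts.get(h.level, 0) + 1
    return counts


# Constructed sample input (raw string so "\n" in the C source stays literal).
SAMPLE_C = r"""#include <stdio.h>
#include <string.h>

void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);            /* matches the rule table */
    printf("hello %s\n", buf);
}

void copy_manual(char *dst, const char *src) {
    /* same unbounded copy as strcpy, spelled out by hand: matches no pattern */
    while ((*dst++ = *src++) != '\0') {}
}

void read_line(void) {
    char line[64];
    gets(line);                   /* matches the rule table */
    // strcpy(buf, x) in a comment is ignored
    puts("strcpy(a, b) inside a string literal is ignored");
}
"""

if __name__ == "__main__":
    found = scan(SAMPLE_C)
    for h in found:
        print(f"line {h.line_no}: [{h.level}] {h.func}: {h.reason}\n    {h.text}")
    print("summary by level:", summarize(found))
    print("note: copy_manual() has the same defect as strcpy() and produced no hit")
```

Running the block reports gets() on line 17 and strcpy() on line 6 and nothing for copy_manual(); raising min_level to 5 keeps only gets(). The comment and string-literal stripping is what keeps the tool from flagging the word "strcpy" in documentation, and it is also the simplest illustration of the message's caveat: the detector sees only the surface form of the code, never the behaviour.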
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:46 EDT