RE: code analysis

From: Aleksander P. Czarnowski (alekc@avet.com.pl)
Date: Mon Jun 20 2005 - 16:28:28 EDT


Hi,

Every programmer can produce insecure code in any programming language. This is starting to be addressed by vendors who supply programmers with safe versions of popular libraries and compiler-generated safeguards (like stack protection, for example in Immunix, ProPolice and MS VC.NET). Secondly, if the user can somehow supply input data to the application, then this is the area of code that can be vulnerable and needs to be analyzed. Things like insecure handling of files, use of high privileges, or storing passwords in clear text in memory can be implemented in basically any language, so Delphi and Modula-2 are no exception here. While I never touch Modula, Delphi/Pascal can be vulnerable to buffer overflows, if you are interested in this particular class of vulnerabilities; basically, just look at memory management for variables to know whether a particular language is vulnerable to buffer overflows or not.

I am not aware of any static scanning tool like RATS or ITS4 that provides support for Delphi or Modula-2; however, it should be quite easy in the case of RATS and flawfinder to add such support - thanks to Python you can probably do it in one night. However, you need to know the programming language to design scanning rules for it.

If you don't know those languages, then your next best bet might be dynamic analysis of the binary form. Both Delphi and Modula-2 are compilers, so simply look at the native code generated by those tools and try to do the assessment at this level. In the end both languages need to use the system API at some point, so you can use it as your starting point. Keep in mind, however, that - as far as I remember - Borland compilers do not always use the typical Win32 API for certain Windows-related operations. I think Delphi MessageBox is one such example.

Best Regards,
Aleksander Czarnowski
AVET INS

> -----Original Message-----
> From: huber_geo@hotmail.com [mailto:huber_geo@hotmail.com]
> Sent: Monday, June 20, 2005 4:58 PM
> To: pen-test@securityfocus.com
> Subject: code analysis
>
>
> Hello,
>
> In addition to doing security audits for my clients,
> I occasionally am asked to do code reviews for
> products my clients are thinking of using. Normally
> the code is in C, asm or C++ which I have no
> problem with. However, the most recent code base
> I have been tasked to review has substantial parts
> written in Borland Delphi and Modula-2 which I have
> no experience with. So I am looking for leads for
> the following questions:
>
> 1) what are the security vulnerabilities associated
> with each of the above languages. For example,
> do these languages have the potential for
> buffer overflows?
>
> 2) are there any auditing tools (ala RATS or
> flawfinder) for these languages.
>
> Thanks for your help. Additionally, if this is
> not an appropriate forum for these questions,
> could you direct me to a better one?
>
> thanks,
> George Huber
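
The kind of rule-based scanning support for Delphi discussed in the reply above, as an added example that is not part of the original messages and is not code from RATS, ITS4 or flawfinder. The rule list, risk levels and the `scan` function are assumptions made for illustration; the Pascal source in `SAMPLE` is constructed.

```python
import re

# Hypothetical rule set (an assumption for this example, not taken from any tool):
# Delphi RTL calls worth a manual look, as lowercase name -> (risk level, note).
RULES = {
    "strcopy":  (4, "no destination length check; consider StrLCopy"),
    "strcat":   (4, "no destination length check; consider StrLCat"),
    "strpcopy": (4, "no destination length check; consider StrPLCopy"),
    "move":     (3, "raw memory copy; byte count is not range-checked"),
}
RANGE_OFF = re.compile(r"\bR-|RANGECHECKS\s+OFF", re.I)
# One pass: directives (they look like comments), then comments/strings, then calls.
TOKEN = re.compile(r"""
    (?P<directive>\{\$[^}]*\}|\(\*\$.*?\*\))
  | (?P<skip>\{[^}]*\}|\(\*.*?\*\)|//[^\n]*|'(?:[^'\n]|'')*')
  | (?P<call>[A-Za-z_]\w*)\s*\((?!\*)
""", re.VERBOSE | re.DOTALL)

def scan(source):
    """Return (line, level, name, note) findings in source order."""
    findings = []
    for m in TOKEN.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        if m.group("directive"):
            if RANGE_OFF.search(m.group("directive")):
                findings.append((line, 2, "{$R-}", "range checking switched off"))
        elif m.group("call"):
            rule = RULES.get(m.group("call").lower())  # Pascal is case-insensitive
            if rule:
                findings.append((line, rule[0], m.group("call"), rule[1]))
    return findings

# Constructed sample input, not code from the page.
SAMPLE = """\
{$R-}
{$R *.dfm}
procedure Greet(Name: PChar);
var Buf: array[0..31] of Char;
begin
  { StrCopy(Buf, Name) was here before }
  STRCOPY(Buf, Name);
  Log('call Move(a, b, n) later');
  Move(Name^, Buf, StrLen(Name));
end;
"""

if __name__ == "__main__":
    for line, level, name, note in scan(SAMPLE):
        print(f"line {line}: [{level}] {name}: {note}")
```

Matches inside comments and string literals are skipped, and `{$R *.dfm}` (a resource include) is not confused with the `{$R-}` range-checking switch.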


