INetCop Security Technologies ©
A source code vulnerability automatic analyzer.
A Source Code - Vulnerability Automatic Analyzer Manual.pdf (manual, in Korean)
This module is a convenient tool that analyzes source code complexity automatically, and its accuracy is high as well.
It has already found vulnerabilities in several programs.
* Reference Advisories:
INCSA.2002-0x82-002-lightwebug - SC-VA2™ lhttpd Log
INCSA.2002-0x82-003-libhttpdbug - SC-VA2™ libhttpd Log
INCSA.2002-0x82-004-zeroohttpsubug - SC-VA2™ zeroosub Log
INCSA.2002-0x82-006-a.wsmp3bug - SC-VA2™ wsmp3 Log
INCSA.2002-0x82-009-apt-www-proxybug - SC-VA2™ awpd Log
SC-VA2™ finds source code vulnerabilities via the following process:
* Function Parameter Checking.
* Comment, String Filtering.
* Weak Function Checking.
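An added illustration of the three-stage process above, written for this page and not SC-VA2's own code: comments and string literals are blanked first, calls to weak functions are then located, and the destination parameter of each call is checked against fixed-size buffer declarations in the same file. The weak-function list, the sample C source and the report wording are constructed for this example.

```python
import re
# Weak functions to flag and the index of their destination argument
# (a list constructed for this example, not SC-VA2's own table).
WEAK_FUNCS = {"strcpy": 0, "strcat": 0, "sprintf": 0, "gets": 0}

def filter_comments_and_strings(src):
    # Stage 1: blank comments and string contents (newlines kept so line
    # numbers survive) so a 'strcpy' in a comment or message is not reported.
    blank = lambda m: re.sub(r"[^\n]", " ", m.group())
    src = re.sub(r"/\*.*?\*/", blank, src, flags=re.S)
    src = re.sub(r"//[^\n]*", blank, src)
    return re.sub(r'"(?:\\.|[^"\\\n])*"', '""', src)

def fixed_buffers(src):
    # Collect 'char name[N]' declarations: fixed-size destinations.
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"\bchar\s+(\w+)\s*\[\s*(\d+)\s*\]", src)}

def find_weak_calls(src):
    # Stages 2 and 3: list weak-function calls, then check the destination
    # parameter against declared buffer sizes. Returns (line, func, dest, note).
    clean = filter_comments_and_strings(src)
    bufs = fixed_buffers(clean)
    findings = []
    for m in re.finditer(r"\b(\w+)\s*\(([^;]*?)\)\s*;", clean):
        name, args = m.group(1), m.group(2)
        if name not in WEAK_FUNCS:
            continue
        line = clean.count("\n", 0, m.start()) + 1
        dest = [a.strip() for a in args.split(",")][WEAK_FUNCS[name]]
        if dest in bufs:
            note = "boundary condition error: unbounded write into %s[%d]" % (dest, bufs[dest])
        else:
            note = "weak function: destination bound not visible here"
        findings.append((line, name, dest, note))
    return findings

# Constructed sample input, not a file from the tool's advisories.
SAMPLE = """\
/* strcpy() in a comment must not be reported */
int handle(char *input, char *out)
{
    char buf[64];
    char *msg = "use strcpy() with care";  // strcpy in a string literal
    strcpy(buf, input);                    /* unbounded copy: flagged */
    strncpy(buf, input, sizeof(buf) - 1);  /* bounded: not in the weak list */
    sprintf(out, "%s", buf);               /* weak, size of out unknown */
}
"""

for f in find_weak_calls(SAMPLE): print("line %d: %s(%s, ...) -> %s" % f)
```

The argument splitting is deliberately simple (a comma inside a nested call would mislead it), which is the kind of case a real analyzer's parameter checking has to handle.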



[Screen Shot] Weak src --->> SC-VA2™ Engine --->> Safe src, structure.
Next, confirm the result.
[example] AT-BBS-1.5.5, ./src/Main/bbsrf.c result screen shot.
The catalog of vulnerability classes that can be investigated:
: boundary condition error.
A boundary condition error occurs when:
1. A process attempts to read or write beyond a valid address boundary.
2. A system resource is exhausted.
3. An error results from an overflow of a static-sized data structure.
This is a classic buffer overflow condition.
: input validation error
An input validation error occurs when:
1. An error occurs because a program failed to recognize syntactically incorrect input.
2. An error results when a module accepted extraneous input fields.
3. An error results when a module failed to handle missing input fields.
4. An error results because of a field-value correlation error.
: race condition errors
1. An error is exploited during a timing window between two operations.
: environment errors
1. An error results from an interaction in a specific environment between functionally correct modules.
2. An error occurs only when a program is executed on a specific machine, under a particular configuration.
3. An error occurs because the operational environment is different from what the software was designed for.
Reference: SecurityFocus Help
Author:
__
By "dong-houn yoU" (Xpl017Elz), in INetCop(c).
MSN & E-mail: szoahc(at)hotmail(dot)com
Home: http://x82.inetcop.org
GnuPG Public Key