[erlang-questions] Security scanning tools for Erlang?

Richard A. O'Keefe <>
Fri Oct 28 02:04:13 CEST 2016


It may be worth mentioning that some static analysers are "deep"
while other static analysers are "shallow".  For example, there
was a product I evaluated for C that just did crude pattern matching,
no data flow at all.  There's another one I actually use from time
to time called "ITS4" (It's the Software, Stupid! (Security Scanner))".
Basically, it just looks for calls to dangerous functions.
Here's the kind of report you get:

y.tab.c:157:(Risky) fopen
Can lead to process/file interaction race conditions (TOCTOU category B)
Manipulate file descriptors, not symbolic names, when possible.
----------------
pop2lex.c:203:(Some risk) getc
Be careful not to introduce a buffer overflow when using in a loop.
Make sure to check your buffer boundries.
----------------
unv7.c:20:(Some risk) getchar
Be careful not to introduce a buffer overflow when using in a loop.
Make sure to check your buffer boundries.
----------------

fopen:  There is no alternative to using it here.
The program needs to take a list of file names on the command line.

getc: The mere *mention* of getc() triggered the warning.
As it happens, the warning is justified: many of the characters
are stored into a buffer without checks.

getchar: Again, the mere mention of the function triggers a warning.
In this case, no characters are stored anywhere, so the warning looks
a bit stupid.


What I'm getting at is that the requirement for a static checker
could be *usefully* met by a checker that (a) walks over ASTs and
(b) isn't very smart.

Oh yeah, there's a project that looked rather interesting where
they were building static checkers that don't even *parse* the
source code thoroughly, so that you can quickly build static
checkers for unusual languages or to cope with widely varying
dialects (C++?).  I've corresponded with them, and they said they
were interested in making their sources available, but that was a
couple of months ago.  Their argument was that building full-scale
"deep" analysers is *hard* and that such programs *themselves* tend
to be buggy, so that "partial" checkers may be just as useful, and
I think their results support their claim.


More information about the erlang-questions mailing list