Secure Coding mailing list archives
Re: auditing
From: "Paco Hope" <bhope () cigital com>
Date: Mon, 03 May 2004 23:10:05 +0100
On 5/3/04 11:48 AM, "ljknews" <[EMAIL PROTECTED]> wrote:
> At 10:04 AM -0500 5/3/04, jnf wrote:
>> Someone just suggested ctags, I've never heard of ctags or cscope - I will look at them. I don't really know what I was looking for; I often find it quite frustrating trying to keep track of what's going on across XX global variables inside of XX internal functions, and so on.
>
> What you are looking for is a tool, and a debugger really is not it (for a thorough job), since a debugger just deals with the current active call, not all situations in which a subprogram might be called.
One commercial tool that I have had some reasonable success with is called SourceInsight (http://www.sourceinsight.com/). It builds a database of all the function calls, variable definitions, macros, etc. You can right click on any variable, data structure, file, etc. and click on things like "where is this defined?" or "where is this called?" If you're editing under a Borland or Microsoft MFC environment, it also can import the system files to help navigate dependencies on system calls.

They intend it to be a full-fledged code editor for development, but I've never used it that way. It's never going to replace emacs for me, and it doesn't run native under MacOS X, either. So if you're auditing Windows code using a Windows box, it's highly relevant. If you're auditing UNIX-oriented code, it's a little less relevant. You can copy the UNIX code to a Windows box and run it, and you get many of the benefits. You can run it under VirtualPC on MacOS X, but it's a bit slow.

When I do source code audits of very large projects and I have to grok large sets of intertwining code, this is a decent navigation tool.

Paco

--
Paco Hope, CISSP
Senior Software Security Consultant
Cigital, Inc. http://www.cigital.com/
[EMAIL PROTECTED] -- +1.703.404.5769
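To make concrete what the "database of all the function calls, variable definitions" behind a "where is this defined / where is this called?" query contains, here is a small cross-reference indexer over C source. It is an added example written for this archive page, not code from the thread, from SourceInsight, ctags or cscope. It is a regex approximation (no preprocessor, no real parser), so macros, multi-line signatures and K&R-style definitions will confuse it; the point is the two-pass shape (collect definitions, then resolve uses against them) and the queries an auditor wants, including the per-global read/write map for the tangle of globals jnf describes and the transitive caller set that a single debugger run cannot give. The C in `SAMPLE_SOURCES` is constructed sample input.

```python
"""Minimal C cross-reference index: "where is X defined?", "where is X
called?", "which functions read or write global G?", "who can reach F?".

Added example for this archive page; not code from the thread, SourceInsight,
ctags or cscope. Regex-based, so it misreads macros, multi-line signatures
and strings; a real tool handles those. SAMPLE_SOURCES is constructed input.
"""
import re
from collections import defaultdict

SAMPLE_SOURCES = {  # constructed sample: filename -> file contents
    "net.c": """\
static int g_retries = 3;
int g_debug;

int read_packet(int fd, char *buf, int len) {
    if (g_debug) log_msg("read");
    return recv_bytes(fd, buf, len);
}

void set_retries(int n) {
    g_retries = n;
}
""",
    "main.c": """\
extern int g_debug;

int main(int argc, char **argv) {
    char buf[64];
    g_debug = 1;
    set_retries(5);
    return read_packet(0, buf, sizeof buf);
}
""",
}

KEYWORDS = {"if", "while", "for", "switch", "return", "sizeof", "else", "do"}
# "type name(params) {" at top level; "type name [= init];" at top level
FUNC_DEF = re.compile(r"^\s*(?:static\s+|extern\s+)?[\w\s\*]+?\b(\w+)\s*\([^)]*\)\s*\{")
GLOBAL_DEF = re.compile(r"^\s*(?:static\s+)?(?!extern\b)[\w\s\*]+?\b(\w+)\s*(?:=[^;]*)?;\s*$")
CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
IDENT = re.compile(r"\b([A-Za-z_]\w*)\b")


def build_index(sources):
    """Pass 1 collects definitions (functions and globals); pass 2 records
    call sites and global accesses, each tagged with the enclosing function."""
    defs = defaultdict(list)                          # name -> [(file, line)]
    calls = defaultdict(list)                         # callee -> [(file, line, caller)]
    glob_use = defaultdict(lambda: defaultdict(set))  # global -> {func: {"read","write"}}
    globals_ = set()

    for fname, text in sources.items():               # pass 1: definitions
        depth = 0                                     # brace depth; 0 == file scope
        for lineno, line in enumerate(text.splitlines(), 1):
            if depth == 0:
                m = FUNC_DEF.match(line)
                if m and m.group(1) not in KEYWORDS:
                    defs[m.group(1)].append((fname, lineno))
                else:
                    g = GLOBAL_DEF.match(line)
                    if g and g.group(1) not in KEYWORDS:
                        defs[g.group(1)].append((fname, lineno))
                        globals_.add(g.group(1))
            depth += line.count("{") - line.count("}")

    for fname, text in sources.items():               # pass 2: uses
        depth, current = 0, None                      # current == enclosing function
        for lineno, line in enumerate(text.splitlines(), 1):
            m = FUNC_DEF.match(line) if depth == 0 else None
            if m and m.group(1) not in KEYWORDS:
                current = m.group(1)                  # definition line itself is not a call
            elif current is not None:
                for callee in CALL.findall(line):
                    if callee not in KEYWORDS:        # drop "if (", "while (" etc.
                        calls[callee].append((fname, lineno, current))
                for name in set(IDENT.findall(line)):
                    if name in globals_:
                        # assignment (=, +=, ...) or ++/-- on the global is a write
                        written = re.search(
                            rf"\b{name}\s*(?:[-+*/%&|^]?=(?!=)|\+\+|--)", line)
                        glob_use[name][current].add("write" if written else "read")
            depth += line.count("{") - line.count("}")
            if depth == 0:
                current = None
    return {"defs": dict(defs), "calls": dict(calls),
            "globals": {g: dict(f) for g, f in glob_use.items()}}


def where_defined(index, name):
    return index["defs"].get(name, [])


def where_called(index, name):
    return index["calls"].get(name, [])


def callers_of(index, name, seen=None):
    """Transitive callers: every function from which `name` is reachable."""
    seen = set() if seen is None else seen
    for _, _, caller in where_called(index, name):
        if caller not in seen:
            seen.add(caller)
            callers_of(index, caller, seen)
    return seen


if __name__ == "__main__":
    idx = build_index(SAMPLE_SOURCES)
    for fn in ("read_packet", "recv_bytes"):
        print(fn, "defined at", where_defined(idx, fn),
              "called from", where_called(idx, fn), "reachable from", callers_of(idx, fn))
    for g, uses in idx["globals"].items():
        print(g, {f: sorted(u) for f, u in uses.items()})
```

Note that `recv_bytes` and `log_msg` are called but never defined in the sample: an empty `where_defined` result is exactly the cue that the definition lives in a library or another tree, which is where the SourceInsight system-file import Paco mentions earns its keep.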
Current thread:
- auditing jnf (May 03)
- Re: auditing James Walden (May 03)
- Re: auditing jnf (May 03)
- Re: auditing ljknews (May 03)
- Re: auditing Jose Nazario (May 03)
- Re: auditing jnf (May 05)
- Re: auditing Paco Hope (May 03)
- Re: auditing jnf (May 03)
- Re: auditing Crispin Cowan (May 03)
- Re: auditing James Walden (May 03)