
I am trying to find the best source code analyzer for C++ code, to analyze security issues such as:

  • Buffer Overflows
  • Improper Access Control
  • Memory Information Leak
  • Dead pointers
  • Division by zero
  • Out of bounds
  • Uncaught Exceptions
  • SQL Injections
  • Pathname Exploits
  • Broken Authentication
  • Security Misconfigurations
  • Insecure Direct Object References

and anything else that could affect the security of an application. I downloaded some source code analyzer testing tools, but I don't know which one is the best. Before I start to analyze my project, I want to test their ability to find security issues on a random open-source C++ project, especially programs with some network communication.

I would like to ask you if you know of a webpage where I can download open-source C++ projects with an attached list of known security bugs. I would import this open-source project into my Eclipse or Microsoft Visual Studio (so it is also important that the code is compatible with one of these IDEs) and test the code with several code analyzers.

Afterward, I would try to understand all the warnings and errors found by the source code analyzers and compare them with those known by the author, in order to be able to find the best source code analyzing tool.

  • 0
    I think it will be way better to educate yourself on what those issues are so you can avoid them, rather than rely on some other software since stuff like potential buffer overflows can be impossible to detect. Also, maintain some kind of "test harness" with the project that intentionally tries to exploit and abuse inputs, etc. — mk27
  • 0
    It all depends on your code size. If it is a huge codebase, checking for errors manually is not easy and is time-consuming. If it is a small codebase, say about 10,000 lines in total, then you may try to study the logic. Automated code analyzers are not 100% accurate. However, they are good and useful when it comes to large projects to get an indication of the quality of the code, potential errors, etc. Writing code from scratch is the easiest bit. However, we might need support from such tools in case it is someone else's code. — neocambell

2 Answers

Answered

Fuzzgoat

This C program has been deliberately backdoored with several memory corruption bugs to test the efficacy of fuzzers and other analysis tools. Each vulnerability is clearly commented in fuzzgoat.c.

https://github.com/fuzzstati0n/fuzzgoat

Vulnerability Dataset

C/C++ test cases formatted for input to an LSTM for natural language processing. All test cases originally come from the SARD database.

https://github.com/JHahn42/vulnerabilitydataset

C/C++ SAST via Flawfinder

Flawfinder works by using a built-in database of C/C++ functions with well-known problems, such as buffer overflow risks, race conditions, potential shell metacharacter dangers, and poor random number acquisition.

https://github.com/IvanKuchin/SAST

VulDeePecker

A code gadget database that focuses on two types of vulnerabilities in C/C++ programs: buffer error vulnerabilities and resource management error vulnerabilities. It contains 61,638 code gadgets, including 17,725 code gadgets that are vulnerable and 49,913 code gadgets that are not vulnerable.

https://github.com/CGCL-codes/VulDeePecker

NIST Test Suites

Test cases in the Software Assurance Reference Dataset (SARD) can be combined to form multiple test suites, including stand-alone suites in different languages such as C/C++, C#, and Java. The purpose is to provide users, researchers, and developers with a known set of security flaws.

https://samate.nist.gov/SRD/testsuite.php

You can also download over 177,184 individual test cases:

https://samate.nist.gov/SRD/view.php

Awesome Vulnerable

This is a curated list of vulnerable applications and systems which aims to help starters as well as pros. This one is a little more geared towards web applications, but I thought the resource was worth including for those that are building web applications.

https://github.com/kaiiyer/awesome-vulnerable
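
A deliberately small benchmark file in the style of the SARD/Juliet test cases listed above, as an added example: it is not this answer's own code and is not taken from any of the linked datasets. Each `*_bad` function carries one intentional defect marked with a `FLAW:` comment and the CWE it maps to, beside its corrected `*_good` twin, and `expected_flaws()` gives the ground truth to score a tool against. Function names and the inputs used are constructed for the example.

```c
/* Mini analyzer benchmark in the SARD/Juliet style (added example).
 * Every *_bad function holds one intentional defect marked "FLAW:";
 * the *_good twin is the corrected form. Compare tool output to the markers. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_LEN 16

/* CWE-121: stack-based buffer overflow through an unbounded strcpy. */
int copy_name_bad(const char *src)
{
    char buf[BUF_LEN];
    strcpy(buf, src);            /* FLAW: src longer than BUF_LEN-1 overflows buf */
    return (int)strlen(buf);
}

int copy_name_good(const char *src)
{
    char buf[BUF_LEN];
    size_t n = strlen(src);
    if (n >= sizeof buf)
        n = sizeof buf - 1;      /* truncate instead of overflowing */
    memcpy(buf, src, n);
    buf[n] = '\0';
    return (int)strlen(buf);
}

/* CWE-787: off-by-one write; only misbehaves at runtime, so it tests loop-bound reasoning. */
void zero_fill_bad(int *arr, int len)
{
    for (int i = 0; i <= len; i++)   /* FLAW: <= writes arr[len] */
        arr[i] = 0;
}

void zero_fill_good(int *arr, int len)
{
    for (int i = 0; i < len; i++)
        arr[i] = 0;
}

/* CWE-369: division by a caller-controlled count that is never checked. */
int average_bad(int total, int count)
{
    return total / count;            /* FLAW: count == 0 */
}

int average_good(int total, int count, int *out)
{
    if (count == 0)
        return -1;                   /* report instead of dividing */
    *out = total / count;
    return 0;
}

/* CWE-401: heap buffer not released on the error path. The strcpy here is
 * correctly sized, so a report against it is a false positive; tools that
 * match on function names (Flawfinder) will still raise it. */
int parse_record_bad(const char *line)
{
    char *copy = malloc(strlen(line) + 1);
    if (copy == NULL)
        return -1;
    strcpy(copy, line);              /* NOT a flaw: buffer is strlen(line)+1 */
    if (strchr(copy, ',') == NULL)
        return -1;                   /* FLAW: copy leaks on this path */
    free(copy);
    return 0;
}

int parse_record_good(const char *line)
{
    int rc = 0;
    char *copy = malloc(strlen(line) + 1);
    if (copy == NULL)
        return -1;
    strcpy(copy, line);
    if (strchr(copy, ',') == NULL)
        rc = -1;
    free(copy);                      /* released on every path */
    return rc;
}

/* Ground truth for scoring: number of FLAW markers in this file. */
int expected_flaws(void)
{
    return 4;
}

int main(void)
{
    int out = 0;
    average_good(10, 2, &out);
    printf("average %d, flaws to find in this file: %d\n", out, expected_flaws());
    return 0;
}
```

Run each analyzer over this one file before the whole project and count three things: FLAW markers it reports (true positives), FLAW markers it misses (false negatives), and reports against lines without a marker such as the sized `strcpy` in `parse_record_bad` (false positives). A tool that only matches dangerous function names will score well on `copy_name_bad` and badly on `zero_fill_bad` and `parse_record_bad`, which is exactly the difference the comparison is meant to expose.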

Answered

I would not try to use someone else's code but focus on your own issues as they are likely to be very different. So even if you were to test these tools on an open-source project with known security flaws and issues, I wouldn't use this as a basis for how well it works with your own codebase.

A number of the comments posted are very good, especially about educating yourself about the issues (security). It has been my experience that no single code analysis tool does it all, and therefore you should use a combination of them.

If you are using VS Team System like we do here, the static analysis is built into Visual Studio and will detect things like your buffer overruns, etc., and it works with unmanaged C++ as well. It does a pretty good job, but I also use an open source tool called cppcheck (sourceforge), and with some trickery it will integrate into Visual Studio seamlessly and send its output to the IDE output window. Microsoft also has a free tool for detecting SQL injection issues, "Microsoft source code analyzer for SQL injection..."
