pscan [15] is a simple tool for automatically scanning
source code for format string vulnerabilities. It searches the
input source code for lexical occurrences of function calls
syntactically similar to, e.g., sprintf(buffer, variable).
Because pscan operates
only on the lexical level, it cannot reason about the flow of values
through the program and fails in the presence of wrappers around
C library functions (see, e.g., Figure 1).
pscan also cannot distinguish between safe and unsafe
calls when the format string is a variable: it flags
any call whose format string is non-constant.
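To make the two limitations concrete, here is a small pscan-style lexical checker written for this page (it is not pscan's code, and the function table and C sample are constructed for the example). It tokenises just enough to skip comments and string literals, finds calls to a fixed list of printf-family functions, and reports any call whose format argument is not a string literal. Run over the sample, it flags the real bug (printf(argv[1])), a harmless call whose format string is a variable holding a constant, and the vsnprintf inside a wrapper, while missing the dangerous call to the wrapper itself, because log_msg is not in its table.

```python
import re

# printf-family functions and the 0-based position of their format argument.
# Constructed table for this example; pscan's own function list is not reproduced.
FORMAT_FUNCS = {
    "printf": 0, "vprintf": 0,
    "fprintf": 1, "sprintf": 1, "vfprintf": 1, "vsprintf": 1, "syslog": 1,
    "snprintf": 2, "vsnprintf": 2,
}

IDENT_CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")


def strip_comments(src):
    """Blank out C comments with spaces, keeping string literals and newlines
    (so line numbers survive) intact."""
    out, i, n = [], 0, len(src)
    while i < n:
        c = src[i]
        if c in "\"'":                       # string/char literal: copy verbatim
            j = i + 1
            while j < n and src[j] != c:
                j += 2 if src[j] == "\\" else 1
            out.append(src[i:j + 1]); i = j + 1
        elif src.startswith("/*", i):
            j = src.find("*/", i + 2)
            j = n if j < 0 else j + 2
            out.append("".join("\n" if ch == "\n" else " " for ch in src[i:j])); i = j
        elif src.startswith("//", i):
            j = src.find("\n", i)
            j = n if j < 0 else j
            out.append(" " * (j - i)); i = j
        else:
            out.append(c); i += 1
    return "".join(out)


def call_args(src, start):
    """From the index just past '(', return the argument texts split on
    top-level commas (nested brackets and string literals are respected)."""
    args, depth, buf, i = [], 0, [], start
    while i < len(src):
        c = src[i]
        if c in "\"'":
            j = i + 1
            while j < len(src) and src[j] != c:
                j += 2 if src[j] == "\\" else 1
            buf.append(src[i:j + 1]); i = j + 1; continue
        if c in "([{":
            depth += 1
        elif c in ")]}":
            if depth == 0:
                args.append("".join(buf).strip())
                return args
            depth -= 1
        elif c == "," and depth == 0:
            args.append("".join(buf).strip()); buf = []; i += 1; continue
        buf.append(c); i += 1
    return args                               # unterminated call


def lexical_scan(src):
    """pscan-style check: report every printf-family call whose format
    argument is not a string literal. Returns [(line, function, format_arg)]."""
    src = strip_comments(src)
    hits = []
    for m in IDENT_CALL.finditer(src):
        name = m.group(1)
        if name not in FORMAT_FUNCS:
            continue
        args = call_args(src, m.end())
        idx = FORMAT_FUNCS[name]
        if idx < len(args) and not args[idx].startswith('"'):
            hits.append((src.count("\n", 0, m.start()) + 1, name, args[idx]))
    return hits


# Constructed C input for the demonstration (not from the paper).
SAMPLE = r'''#include <stdio.h>
#include <stdarg.h>

/* Wrapper around vsnprintf. The real bug is in callers that pass
   attacker-controlled data as fmt; a lexical scan cannot see that. */
void log_msg(const char *fmt, ...)
{
    char buf[256];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);  /* flagged only because fmt is a variable */
    va_end(ap);
    fputs(buf, stderr);
}

int main(int argc, char **argv)
{
    const char *greeting = "hello %s\n";
    printf(greeting, argv[0]);   /* flagged: false positive, greeting is constant */
    printf("%s\n", argv[1]);     /* not flagged: literal format */
    printf(argv[1]);             /* flagged: true positive */
    log_msg(argv[1]);            /* missed: log_msg is not in the function table */
    return 0;
}
'''

if __name__ == "__main__":
    for line, func, fmt in lexical_scan(SAMPLE):
        print(f"line {line}: {func}() with non-constant format '{fmt}'")
```

The scanner never looks past a single call expression, so it has no way to learn that greeting is a constant or that log_msg forwards its first argument to vsnprintf; both the false positive and the false negative follow directly from working at the lexical level.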
Others have also used lexical source code analysis to find
security bugs [7,38].
The main advantages of lexical analysis
are that it is extremely fast, it can find bugs in
non-preprocessed source files, and it is virtually language
independent. However, because lexical tools have
no knowledge of language semantics,
many errors, such as those involving
aliasing or non-local control paths, cannot be detected.
Umesh Shankar
2001-05-16