
Lexical Techniques.

pscan [15] is a simple tool for automatically scanning source code for format string vulnerabilities. pscan searches the input source code for lexical occurrences of function calls syntactically similar to, e.g., sprintf(buffer, variable). Because pscan operates only on the lexical level, it cannot reason about the flow of values through the program and fails in the presence of wrappers around C library functions (see, e.g., Figure 1). pscan also cannot distinguish safe calls whose format string is a non-constant variable from unsafe ones: it flags any call where the format string is non-constant.

Others have exploited lexical source code analysis to find security bugs [7,38]. The main advantages of lexical analysis are that it is extremely fast, it can find bugs in non-preprocessed source files, and it is virtually language independent. However, because lexical tools have no knowledge of language semantics, many errors--such as those involving aliasing or non-local control paths--cannot be detected.
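As an added illustration (not code from the paper or from pscan itself), a minimal pscan-style lexical scanner run over three constructed C fragments: the rule fires on any recognised sink whose format argument is not a string literal, so it catches the direct case, raises a false positive on a constant held in a variable, and reports nothing for the call through the wrapper. The sink table and the sample fragments are assumptions made for this example.

```python
import re

# Format-string sinks and the 0-based position of their format argument.
# Constructed table for this example; pscan's own list is larger.
SINKS = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2,
         "syslog": 1, "vprintf": 0, "vfprintf": 1}

# Purely lexical match: `name(` ... `);` with no parsing, types or data flow.
CALL_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(([^;]*?)\)\s*;")


def split_args(arg_text):
    """Split call arguments on top-level commas, skipping nested parentheses."""
    args, depth, cur = [], 0, ""
    for ch in arg_text:
        if ch == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
            continue
        depth += (ch == "(") - (ch == ")")
        cur += ch
    if cur.strip():
        args.append(cur.strip())
    return args


def lexical_scan(source):
    """Return (sink, format_arg) for every sink call whose format argument
    is not a string literal, which is pscan's flagging rule."""
    findings = []
    for m in CALL_RE.finditer(source):
        name, args = m.group(1), split_args(m.group(2))
        idx = SINKS[name]
        if idx < len(args) and not args[idx].startswith('"'):
            findings.append((name, args[idx]))
    return findings


# Constructed C fragments (not from the paper) with the ground truth noted.
SAMPLES = {
    # True positive: caller-supplied string used directly as the format.
    "direct": 'void log_it(char *s) { printf(s); }',
    # False positive: the format is a variable, but it holds a constant.
    "safe_var": 'void count(int n) { const char *fmt = "%d\\n"; printf(fmt, n); }',
    # False negative: the only finding is inside the wrapper definition;
    # the unsafe call warn(s) in handle() is invisible to the scanner.
    "wrapper": 'void warn(const char *fmt, ...) { va_list ap; va_start(ap, fmt);'
               ' vfprintf(stderr, fmt, ap); va_end(ap); }\n'
               'void handle(char *s) { warn(s); }',
}

if __name__ == "__main__":
    for label, src in SAMPLES.items():
        print(label, "->", lexical_scan(src))
```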



Umesh Shankar 2001-05-16