> Does anyone on the list know of any research in detecting "malicious
> code" as opposed to simply inadvertent security screwups? Seems to me that
> the best attacks would be very difficult to distinguish from an ordinary
> mistake.

A tool for detecting ordinary mistakes is Flawfinder,
http://www.dwheeler.com/flawfinder (RATS). That webpage also links to RATS, a competing detector. Both are open source software / Free Software licensed under the GPL. Last I looked, ITS4 is not open source software / free software, but it does provide source code and permits certain free uses.

All of them use patterns to detect common mistakes. They won't detect code that is malicious but doesn't match one of those patterns. Thus, it's fairly easy to write "mistakes" that the detectors won't detect, once you understand how they work. However, the detectors _might_ detect such malicious code if (1) the attacker intentionally inserts a common mistake, and (2) the attacker doesn't know about these detection tools (or presumes they won't be used).

If you're seriously worried about malicious code being inserted, you're better off depending on peer review, in particular examining "diffs" to see what's changed.

---
David A. Wheeler
dwheelerat_private
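The two points in the reply, that Flawfinder/RATS/ITS4-style tools match a fixed table of risky calls and so miss a bug that uses none of them, and that reviewing diffs is the more dependable check, can be seen side by side with a small pattern scanner. This is an added illustration, not code from the post or from Flawfinder or RATS; the rule table, the C snippets and the unified diff are constructed for the example, and `scan_source` / `scan_diff` are hypothetical names.

```python
import re

# A Flawfinder-style rule table: risky C library call -> the common mistake it signals.
# Constructed for this example; it is not Flawfinder's or RATS's own rule database.
RISKY_CALLS = {
    "gets": "no bounds check on input",
    "strcpy": "unbounded copy into destination",
    "strcat": "unbounded concatenation",
    "sprintf": "unbounded formatted write",
}

# Match a risky identifier followed by an opening parenthesis, i.e. a call site.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, RISKY_CALLS)) + r")\s*\(")


def scan_source(src):
    """Return (line_number, function, description) for each risky call in C source text."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            hits.append((lineno, name, RISKY_CALLS[name]))
    return hits


def scan_diff(diff_text):
    """Scan only the added ('+') lines of a unified diff, so the reviewer sees what changed."""
    hits = []
    for line in diff_text.splitlines():
        # Skip the '+++ b/file' header and anything that is not an added line.
        if line.startswith("+++") or not line.startswith("+"):
            continue
        code = line[1:]
        for m in CALL_RE.finditer(code):
            name = m.group(1)
            hits.append((code.strip(), name, RISKY_CALLS[name]))
    return hits


# Constructed sample 1: the classic mistake, which matches a rule and is flagged.
SAMPLE_PATTERNED = """\
#include <string.h>
void greet(char *name) {
    char buf[32];
    strcpy(buf, name);   /* unbounded copy: in the rule table */
}
"""

# Constructed sample 2: the same class of bug written as a hand loop with an off-by-one.
# No library call from the table appears, so a pattern scanner reports nothing.
SAMPLE_UNPATTERNED = """\
void greet(char *name, int n) {
    char buf[32];
    int i;
    for (i = 0; i <= n; i++)   /* off-by-one: writes n+1 bytes, nothing to match */
        buf[i] = name[i];
}
"""

# Constructed sample 3: a unified diff in which a bounded call is replaced by an unbounded one.
SAMPLE_DIFF = """\
--- a/greet.c
+++ b/greet.c
@@ -1,4 +1,5 @@
 void greet(char *name) {
     char buf[32];
-    snprintf(buf, sizeof buf, "%s", name);
+    sprintf(buf, "%s", name);
+    puts(buf);
 }
"""

if __name__ == "__main__":
    print("patterned source:  ", scan_source(SAMPLE_PATTERNED))
    print("unpatterned source:", scan_source(SAMPLE_UNPATTERNED))
    print("added diff lines:  ", scan_diff(SAMPLE_DIFF))
```

`scan_source` flags line 4 of the first sample and nothing at all in the second, which is the limitation the reply describes: the scanner knows names, not semantics. `scan_diff` restricts the same rules to the added lines of a change, which is a cheap way to support the diff review the reply recommends, but the second sample shows why the human reading the diff remains the real check.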
This archive was generated by hypermail 2b30 : Mon Feb 10 2003 - 09:44:58 PST