Full Disclosure: C Code Analyzer

[Jonathan Heusser <jonny () drugphish ch>]

Hello,

I would like to introduce my C Code Analyzer (CCA): It's a static
analysis tool for detecting potential security problems
in C source code.

This analyzer was built with the following principles in mind:
- Unlike other analyzers with emphasis on security, the CCA tries to
spot only the errors that can actually cause
problems. Not every strcpy is a security problem.

- No code annotations or tweaking is required -- it's fully automatic.

- Seamless integration with existing development platforms. The Eclipse
platform has been chosen as completion to the command line tool.


Current features are:
- fully automatic user input tracer
- potential bufferoverflow detection
- memory leak detection
- multiple/dangling free detection
- array out of bound accesses
- eclipse frontend plugin

If you are interested, visit http://www.drugphish.ch/~jonny/cca.html
More information, example sessions detecting bufferoverflows in real 
applications and screenshots of the plugin are available on the page.
It should run on all Unix systems, a Windows port should be fairly easy.
The license of CCA is unclear at the moment. The source code was not
released yet.


Thanks,
jh
--
Key fingerprint = 2A55 EB7C B7EA 6336 7767  4A47 910A 307B 1333 BD6C



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html