
Chapter 16. Secure Web Development

Other Interesting Security Programming and Testing Tools

Finally, Table 16.3 lists some interesting tools that can help you test your work.

Table 16.3. Interesting Programming and Testing Tools
| Tool | Purpose |
| --- | --- |
| lclint | A lint-like checker for ANSI C that checks risky data sharing, ignored return values, null values, memory management errors, and much, much more. For a description of lclint, go to http://www.doc.ic.ac.uk/lab/cplus/lclint/guide.html. To get lclint, go to ftp://ftp.sds.lcs.mit.edu/pub/lclint/guide.tar.gz. |
| mem_test | A library for finding memory leaks in C programs. Get it at http://members.iquest.net/~jbuchana/mem_test.html. |
| C Inside | A source code viewer that lets you selectively examine the results of preprocessing to determine what macros really expand to. Get it at http://www.thinkage.on.ca/shareware/. |
| GNU Nana | A free library providing improved support for assertion checking and logging in C and C++. Learn more at http://www.cs.ntu.edu.au/homepages/pjm/nana-home/. |
| Plumber | A tool for identifying memory leaks in C programs. Learn more at http://home.earthlink.net/~owenomalley/plumber.html. |
| ObjectManual | Generates HTML documentation for your C++ programs on-the-fly (especially useful if you're doing professional development). http://www.obsoft.com/Product/ObjMan.html. |
| DOC++ | A tool for generating HTML documentation for your C/C++/Java programs on-the-fly (especially useful if you're doing professional development or when you're accountable for the docs). |
| cgihtml | A library for writing HTML out from C programs (useful when you don't want to bother coding HTML parsing routines yourself). To get it, go to http://www.eekim.com/software/cgihtml/. |
| MIME++ | A C++ class library for parsing, creating, and editing messages in MIME format. Also, it can streamline your work in many instances. Get it at http://www.hunnysoft.com/mimepp/. |
| Latro | Scans remote Windows hosts for insecure Perl installations (useful for when you establish a heterogeneous intranet). Get Latro at http://language.perl.com/news/latro-announce.html. |
| SCAT | A tool and Application Programming Interface (API) to maintain client state. It is possible to integrate DES (and perhaps PGP or even RSAREF) into SCAT routines. Check out SCAT at http://www.btg.com/scat/scat.html. |
| msystem (by Matt Bishop) | Offers secure versions of system(3), popen(3), and pclose(3). Check out msystem at ftp://coast.cs.purdue.edu/pub/tools/unix/msystem.tar.Z. |
| crashme | A tool for testing your operating environment software's robustness. In certain cases, it can reveal weaknesses in your programs. Check out crashme at ftp://coast.cs.purdue.edu/pub/tools/unix/crashme/. |
| showid | A shell script that records and reports the UID and GID of a program while it is executing. Check out showid at ftp://coast.cs.purdue.edu/pub/tools/unix/show_effective_uid. |
| worm-src | The source code to the Internet Worm, an excellent example of how buffer overruns (and other attacks) operate. Get it at ftp://coast.cs.purdue.edu/pub/tools/unix/worm-src.tar.gz. |
| PAM | Pluggable Authentication Modules allow you to alter how Linux applications perform authentication without actually rewriting and compiling them. Learn more at http://www.interweft.com.au/other/pam/pam.html. |
| CGIWrap | A gateway program that allows general users to use CGI scripts and HTML forms without compromising the security of the http server. Scripts run with the permissions of the user who owns the script. Check out CGIWrap at ftp://concert.cert.dfn.de/pub/tools/net/cgiwrap/. |



  
