CISAT - Combination and Integration of Static Analysis Tools
About
CISAT is a framework which enables the integration of security-related static analysis into automatic processes.
CISAT consists of the following components:
- CISAT XML format - a unified XML schema that provides a uniform, machine-readable output format for listing the security findings of static analysis tools.
- A unified call convention that provides all tools with the same call interface.
- SATEC - a high-level programming library for combining tools and parsing the XML format.
- A set of wrappers for most free static analysis tools.
Publications
Daniel Schreckling, Martin Johns, SVS Sectoolers: CISAT: Integration von sicherheitszentrierter statischer Analyse in den Entwicklungsprozess, 14. DFN-CERT Workshop "Sicherheit in vernetzten Systemen", Hamburg, Germany, February 2007 (paper)
Installing and using CISAT
The software is packaged for Ubuntu Linux 6.06 (LTS); source packages are also provided.
Additionally, we provide an Eclipse plug-in for performing scans and displaying the results.
We provide two ways of installing the software:
Install with APT via HTTP:
To install our software directly over the internet, create the file /etc/apt/sources.list.d/cisat.list with the following content:
deb http://www.informatik.uni-hamburg.de/SVS/research/projects/softwaresecurity/cisat/software/ ./
deb-src http://www.informatik.uni-hamburg.de/SVS/research/projects/softwaresecurity/cisat/software/ ./
Install with APT from a local repository:
To install our software on computers without HTTP access to the internet, you can download the repository as a tarball. Unpack it, e.g. into your home directory:
user@machine:/home/user$ tar xfz cisat-packages.tar.gz
Then create the file /etc/apt/sources.list.d/cisat.list with content similar to:
deb file:///home/user/cisat-packages/ ./
deb-src file:///home/user/cisat-packages/ ./
You must now run sudo aptitude update to refresh the package manager's cache.
Now you can install our software by running sudo aptitude install PACKAGENAME
Source packages are installed by running sudo aptitude source PACKAGENAME
The sources are also included in the tarball.
The available packages are:
- Static Analysis Tools, modified to output the CISAT XML format:
  - cisat-boon
  - cisat-cqual
  - cisat-flawfinder
  - cisat-its4
  - cisat-rats
  - cisat-splint
- Framework for Combination:
  - cisat-satec - SATEC (Static Analysis Tool Evaluation and Combination): the component of CISAT for combining results in CISAT XML format obtained from different static analysis tools.
- Additional packages:
  - ocaml-config-file, ocaml-csv - additional libraries needed by cisat-satec; they will be installed automatically.
Eclipse plug-in
Our Eclipse plug-in is based on Eclipse 3.2 and CDT 3.1. It is distributed as a JAR file.
To install it, just copy the JAR file into the plugins/ folder of your Eclipse installation.
The sources are included in the JAR file.
Usage hints
Some hints for using the software:
- Static Analysis Tools:
  - Each tool installs a wrapper into /usr/lib/cisat/wrapper/
  - You can call the tools by running e.g. /usr/lib/cisat/wrapper/rats.run source1.c [source2.c ...]
- Combination Framework:
  - Edit the file /etc/cisat/satec/config.cfg: remove the comment markers ((* and *)) to enable the installed analysis tools.
  - Now you can start the combination tool with toolcomb source1.c [source2.c ...]
- Eclipse plug-in:
  - There is a preference page accessible via Window -> Preferences... -> SecTool
  - Enter the path to one tool wrapper for scanning with a single tool, or enter /usr/bin/toolcomb for combined scanning with all enabled tools.
  - Some tools don't provide probability or severity values. You can enter a default value.
Contact
Even though the main CISAT project has ended, you can try to contact us via the Sectoolers mailing list, which should still be active.
Credits
The concepts on which CISAT is based were developed as part of the secologic project.
The software and documentation were written by (in alphabetical order):
Christian Beyerlein*, Björn Engelmann, Nils Hoier, Moritz Jodeit, Martin Johns*, Benjamin Leipold and Daniel Schreckling.
*Martin Johns' and Christian Beyerlein's work was funded by secologic.