Ask HN: Logical Vulnerability Discovery?
2 points by alcover on Dec 18, 2021 | 6 comments
I understand fuzzing is bombarding with malformed or corner-case inputs. But are there tools that, given target source and language model, will systematically pinpoint (at least some) logical vulnerabilities?

    User list[10];
    int id = read(input);
    print(list[id]); // WARN: unbounded user-controlled index!
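The snippet above made concrete, as an added example (not the poster's code): the unchecked lookup as written, the half-fix that only tests the upper bound, and a hardened lookup that rejects negative ids too. `User`, `NUSERS`, `parse_id` and the sample names are assumptions made up for the example; the point a scanner has to catch is that `id` flows from untrusted input to an array index with no check on either end.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NUSERS 10   /* assumed array size, matching list[10] above */

typedef struct { char name[32]; } User;   /* assumed User type */

static User list[NUSERS];

/* VULNERABLE: the snippet above. `id` comes from the attacker and is never
 * compared against NUSERS, and a negative id indexes before the array.
 * Forming &list[id] for an out-of-range id is undefined behaviour. */
const User *lookup_unchecked(int id) {
    return &list[id];
}

/* The half-fix people write first: `id < NUSERS` alone still admits negative
 * ids, so list[-1] stays reachable. Returns 1 when this check would pass. */
int in_bounds_upper_only(int id) {
    return id < NUSERS;
}

/* HARDENED: reject negative and too-large ids. The cast to size_t happens
 * only after the sign check, so no negative value wraps to a huge index. */
int in_bounds(int id) {
    return id >= 0 && (size_t)id < (size_t)NUSERS;
}

const User *lookup_checked(int id) {
    return in_bounds(id) ? &list[id] : NULL;
}

/* Parse the id from untrusted text, as the snippet's read(input) would, but
 * report failure instead of trusting garbage. Returns 1 on success. */
int parse_id(const char *text, int *out) {
    char *end;
    long v = strtol(text, &end, 10);
    if (end == text || (*end != '\0' && *end != '\n')) return 0;
    if (v < INT_MIN || v > INT_MAX) return 0;
    *out = (int)v;
    return 1;
}

int main(void) {
    char line[64];
    int id;
    strcpy(list[0].name, "alice");   /* constructed sample data */
    strcpy(list[9].name, "jane");
    while (fgets(line, sizeof line, stdin)) {
        if (!parse_id(line, &id)) { puts("bad id"); continue; }
        const User *u = lookup_checked(id);
        if (u) printf("%s\n", u->name);
        else printf("rejected id %d\n", id);
    }
    return 0;
}
```

Feed it ids on stdin: `0` and `9` print names, `10`, `-1` and `abc` are rejected. The `in_bounds_upper_only` variant is the one worth remembering when reading scanner output: a tool that only sees the `id < 10` guard and stops there misses the negative-index read.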


Symbolic execution will be able to detect these kinds of errors. I'm not aware of any widely used commercial application as it's still mostly a research topic.

https://en.wikipedia.org/wiki/Symbolic_execution
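A toy of the idea in this reply, as an added example that is neither the commenter's code nor any real tool: a path-constraint check over the OP's snippet using one integer interval per path. A real symbolic-execution engine keeps the constraints as formulas and asks an SMT solver whether an out-of-bounds value is feasible; the interval simplification here is assumed for the example, but it is enough to show why the unchecked index, and the common half-fix `id < 10`, both get flagged while `id >= 0 && id < 10` does not.

```c
#include <limits.h>
#include <stdio.h>

/* Abstract value of one integer on the current path: every concrete value it
 * can take lies in [lo, hi]. long is used so INT_MIN-1 and INT_MAX+1 fit. */
typedef struct { long lo, hi; } Range;

/* Untrusted input, like read(input) in the OP's snippet: any int at all. */
Range range_from_input(void) {
    Range r = { INT_MIN, INT_MAX };
    return r;
}

/* Refine a range by a branch condition the program tested on this path.
 * Each returns 0 when the condition cannot hold, i.e. the path is dead. */
int assume_lt(Range *r, long k) {         /* if (x < k) */
    if (r->hi >= k) r->hi = k - 1;
    return r->lo <= r->hi;
}
int assume_ge(Range *r, long k) {         /* if (x >= k) */
    if (r->lo < k) r->lo = k;
    return r->lo <= r->hi;
}

/* An access arr[idx] into `len` elements is safe only if no value in the
 * range can fall outside [0, len). Returns 1 if safe, 0 if flagged. */
int index_is_safe(Range idx, long len) {
    return idx.lo >= 0 && idx.hi < len;
}

/* Three versions of `print(list[id])` walked through the analysis:
 *   'a'  no check at all (the OP's snippet)
 *   'b'  guarded only by `if (id < len)`
 *   'c'  guarded by `if (id >= 0 && id < len)`
 * A guard that makes the access unreachable counts as safe; an unknown
 * variant is reported as unsafe. Returns 1 if safe, 0 if flagged. */
int analyse_variant(char variant, long len) {
    Range id = range_from_input();
    switch (variant) {
    case 'a':
        break;
    case 'b':
        if (!assume_lt(&id, len)) return 1;
        break;
    case 'c':
        if (!assume_ge(&id, 0) || !assume_lt(&id, len)) return 1;
        break;
    default:
        return 0;
    }
    return index_is_safe(id, len);
}

int main(void) {
    const char *names[] = { "no check", "id < len only", "id >= 0 && id < len" };
    const char variants[] = { 'a', 'b', 'c' };
    for (int i = 0; i < 3; i++)
        printf("%-22s -> %s\n", names[i],
               analyse_variant(variants[i], 10)
                   ? "safe"
                   : "WARN: out-of-bounds index feasible");
    return 0;
}
```

The interesting line is variant 'b': after `assume_lt(&id, 10)` the range is still [INT_MIN, 9], so the analysis reports the negative-index read that a human skimming the guard would miss. That is the kind of "logical" finding the question asks about, and it comes from tracking constraints rather than from throwing inputs at the binary.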


Perl has "taint mode":

http://man.he.net/man1/perlsec

It is not exactly what you are looking for, but I am not aware of anything else that matches what you want.


Interesting. This deals with chaining from input/env to outward actions like shell or files. It's indeed a bit specific, but since Perl is a scripting lang it should have fewer inner dangers compared to, say, C.


CodeQL will do this for some languages; the kind of bugs I've seen it identify have been pretty impressive. I'm sure there are some other static analyzers that can do this as well.


Thank you. This tool is on the heavy side, with what seems to be its own query language.

I was rather thinking of a specialized scanner (say only for C sources) that just looks for definite classes of vulns, not necessarily scriptable.


CodeQL comes with a bunch of pre-configured queries for the language you're using (at least when running on GitHub Enterprise).



