Security with Dehydra
February 16th, 2009
When I wrote the initial prototype of Dehydra I wondered how long it would take before it was adopted by security people. Unfortunately, so far take-up has been non-existent. Grep and Perl still seem to rule in that community, even though the plain-text approach restricts the range of possible security scans: text matching sees identifiers, not the types and control flow that the compiler knows about.
Normally I would be tempted to rant about how grep is convenient yet limiting. However, Ben Kurtz has discovered Dehydra for security scans and did a great job explaining the issues involved. Thanks to Georgi for linking me to Ben's post.
February 16th, 2009 at 7:37 pm
Neat. I played around with his examples and discovered that they no longer seem to work. lhs.unsigned seems to have been replaced by lhs.isUnsigned, so I fear that there is a Java programmer hidden among the Dehydra contributors.
But anyway, it piqued my curiosity enough for me to go through the trouble of installing Dehydra. I have a friend who works for a security consulting group, and I have no idea what they use for static analysis tools. I think we would both be saddened to hear if it involved grep.
March 12th, 2009 at 10:17 am
Can Dehydra be used to analyze source code which might not compile?
I have some code that _does_ compile, with a gcc cross-compiler. Given that I have the C++ code for program P and libraries L, J, and K that P uses….
How straightforward would it be for Dehydra to find all of the variables that don't get used within any of the libraries or the program's non-library code?
March 12th, 2009 at 10:28 am
To clarify my prior question, I want to verify that the definition of 'used' for a variable includes the value being read by something other than 'a = a'.