Programmers can use Splint comments to convey information to Splint concerning things such as pre- and postconditions for function calls. While these comments are not required for Splint to perform an analysis, their presence can improve the accuracy of Splint's checks. Splint recognizes a large number of command-line options that can turn off the output of various classes of errors. If you are interested in strictly security-related issues, you may need to use several options to cut down on the size of Splint's output.
Microsoft's PREfast tool has the advantage of very tight integration within the Visual Studio suite. Enabling the use of PREfast for all software builds is a simple matter of enabling code analysis within your Visual Studio properties. With code analysis enabled, source code is analyzed automatically each time you attempt to build it, and warnings and recommendations are reported inline with any other build-related messages. Typical messages report the existence of a problem, and in some cases make recommendations for fixing each problem. Like Splint, PREfast supports an annotation capability that allows programmers to request more detailed checks from PREfast through the specification of pre- and postconditions for functions.

Gray Hat Hacking: The Ethical Hacker's Handbook, Part IV, Chapter 12: Passive Analysis (pages 281 and 282)
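As an added example (not code from the book), here is a small C file that carries the kind of Splint precondition and postcondition annotations the text describes, with one caller that satisfies the contract and one that violates it. The function and caller names are made up for the illustration; the annotation syntax (`/*@requires maxSet(...) @*/`, `/*@ensures maxRead(...) @*/`, `/*@out@*/`, `/*@notnull@*/`) is Splint's own.

```c
/* Added example, not from the book. Splint annotations live in ordinary
 * C comments, so any C compiler ignores them; Splint reads them to check
 * each caller against the stated contract.
 * Check with:  splint +bounds splint_demo.c
 * (+bounds turns on buffer-overflow checking, which is off by default). */
#include <stddef.h>
#include <string.h>

/* Contract: dst must have room for n bytes (maxSet is the highest index
 * Splint believes may be stored to), src must be non-null, and on return
 * dst holds at most n-1 characters plus the terminating NUL. */
/*@requires maxSet(dst) >= (n - 1) @*/
/*@ensures maxRead(dst) <= (n - 1) @*/
static size_t copy_bounded(/*@out@*/ char *dst, size_t n,
                           /*@notnull@*/ const char *src)
{
    size_t len = strlen(src);
    if (n == 0) {
        return 0;          /* no room for anything, not even the NUL */
    }
    if (len > n - 1) {
        len = n - 1;       /* truncate rather than overrun dst */
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return len;            /* characters stored, excluding the NUL */
}

/* Caller Splint accepts: from the array declaration it knows
 * maxSet(buf) == 15, so the precondition maxSet(buf) >= 16 - 1 holds. */
size_t demo_safe_copy(const char *name)
{
    char buf[16];
    return copy_bounded(buf, sizeof buf, name);
}

/* Caller Splint rejects under +bounds: the claimed size 64 exceeds the
 * array, so the precondition is false. It still compiles, which is the
 * point of the annotations: the contract, not the compiler, exposes it. */
size_t demo_unsafe_copy(const char *name)
{
    char buf[16];
    return copy_bounded(buf, 64, name);   /* Splint: possible out-of-bounds store */
}
```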