CISAT - Combination and Integration of Static Analysis
CISAT is a framework which enables the integration of security-related static analysis into
CISAT consists of the following components:
- CISAT XML format - a unified XML-shema for providing a uniform, machine-readable output format to list the security findings of static analysis tools.
- A unified call convention to provide all tools with the same call-interface.
- SATEC - a high level programming library for combining tools and parsing the XML format.
- A set of wrappers for most free static analysis tools.
Daniel Schreckling, Martin Johns, SVS Sectoolers: CISAT: Integration von sicherheitszentrierter
statischer Analyse in den Enwicklungsprozess, 14. DFN-CERT Workshop "Sicherheit in vernetzten Systemen", Hamburg, Germany, February 2007 (paper)
Installing and using CISAT
The software is packaged for Ubuntu Linux 6.06
(LTS) , source packages are provided;
Additionally we provide an Eclipse plug-in
for performaning scans and displaying the results.
We provide two ways for installing the software:
Install with APT via HTTP:
For installing our software directly over the internet, please create a file
/etc/apt/sources.list.d/cisat.list with the following
deb http://web.sec.uni-passau.de/research/softwaresecurity/cisat/software/ ./
deb-src http://web.sec.uni-passau.de/research/softwaresecurity/cisat/software/ ./
Install with APT from a local repository:
our software on computers without HTTP access to the internet,
you can download the
repository as a tarball. Unpack it, e.g. to your
user@machine:/home/user$ tar xfz cisat-packages.tar.gz
Then create a file /etc/apt/sources.list.d/cisat.list
with similar content like:
deb file:///home/user/cisat-packages/ ./
deb-src file:///home/user/cisat-packages/ ./
You must now run sudo aptitude update to update the
package manager's cache.
Now you can install our software by
running sudo aptitude install PACKAGENAME
Source packages are installed by running
sudo aptitude source PACKAGENAME
The sources are also included in the tarball.
The available packages are:
- Static Analysis Tools, modified for outputting the CISAT
- Framework for Combination:
- Static Analysis Tool Evaluation and
- Component of CISAT for combining results in CISAT
XML format obtained from different Static Analysis
- Additional packages:
- ocaml-config-file, ocaml-csv
- Additional libraries needed by cisat-satec, will be
Our Eclipse plug-in is based on Eclipse 3.2 and CDT 3.1. It is
distributed as a JAR file.
For installation, just copy it to the plugins/ folder
of your Eclipse installation.
The sources are included in the JAR file.
Some hints for using the software:
- Static Analysis Tools:
- Each tool installs a wrapper into /usr/lib/cisat/wrapper/
- You can call the tools by running e.g. /usr/lib/cisat/wrapper/rats.run source1.c [source2.c ...]
- Combination Framework:
- Edit the file /etc/cisat/satec/config.cfg:
Remove the comments ((* and *)) to enable installed
- Now you can start the combination tool with toolcomb source1.c [source2.c ...]
- Eclipse plug-in:
- There is a preference page accesible via Window -> Preferences... -> SecTool
- Enter the path to one tool wrapper for scanning with a single tool,
or enter /usr/bin/toolcomb for combined scanning with all enabled tools.
- Some tools don't provide probability or severity values. You can enter a default value.
Even though the main CISAT-project has ended, you can try to contact us using the Sectoolers-Mailing-List which still should be active.
The concepts that are the basis of CISAT were developed as part of the secologic-project.
The software and documentation was written by (in alphabetical order):
Christian Beyerlein*, Björn Engelmann, Nils Hoier, Moritz Jodeit, Martin Johns*, Benjamin Leipold and Daniel Schreckling.
*Martin Johns' and Christian Beyerlein's work was funded by secologic.