Splint - Secure Programming Lint
Annotation-Assisted Lightweight Static Checking
Inexpensive Program Analysis Group
University of Virginia, Department of Computer Science
Secure Programming Lint
First Aid for Programmers
Splint is a tool for statically checking C programs for security vulnerabilities and coding mistakes. With minimal effort, Splint can be used as a better lint. If additional effort is invested adding annotations to programs, Splint can perform stronger checking than can be done by any standard lint.
Splint Version 3.1.2
Source code - [tgz distribution]
SourceForge Project Page
Current Development Code
Browse Code CVS
Mailing Lists [splint-discuss archives]
Papers: Improving Security Using Extensible Lightweight Static Analysis, IEEE Software Jan/Feb 2002; Statically Detecting Likely Buffer Overflow Vulnerabilities, USENIX Security 2001; Static Detection of Dynamic Memory Errors, PLDI 1996
Talks: USENIX Security 2001 [PPT] [PDF]; UW/MSR [PPT] [PDF]
FAQ (updated 3 May 2004)
Press - external articles
Release - latest release notes
If J. Random Websurfer clicks on a button that promises dancing pigs on his computer monitor, and instead gets a hortatory message describing the potential dangers of the applet, he's going to choose dancing pigs over computer security any day. If the computer prompts him with a warning screen like: "The applet DANCING PIGS could contain malicious code that might do permanent damage to your computer, steal your life's savings, and impair your ability to have children," he'll click "OK" without even reading it. Thirty seconds later he won't even remember that the warning screen even existed. — Bruce Schneier, Secrets and Lies
5 August 2010: Mao Yu has created a Windows installer for splint-3.1.2: http://github.com/maoserr/splint_win32/downloads.
5 December 2008: Christoph Thielecke has developed a Splint GUI, available for download here: http://crissi.linux-administrator.com/linux/splintgui/index_en.html
12 July 2007: Splint 3.1.2 is now available (this updates the source distribution to the latest CVS code).
17 Feb 2004: Security holes force firms to rethink coding processes, NetworkWorldFusion, 19 April 2004.
17 Feb 2004: David Evans will be speaking 20 February 2004 at the Open Source International Conference 2004 in Malaga, Spain.
17 Feb 2004: Splint is described in the German computer magazine c't, issue 4/2004, in the article Fehlersuche in Java (full article not available online, just links). (Thanks to Steffen Maier for noticing.)
3 Dec 2003: Herbert Martin Dietze has provided a new OS/2 binary: http://www.fh-wedel.de/pub/fh-wedel/staff/herbert/splint
1 Nov 2003: Scott Frazer has contributed a Borland C++Builder (a free compiler) build. The patches are incorporated into the latest CVS development code and will be in the next release. For directions, see bcc32.html.
31 July 2003: Checking Code and Models in Production Environments, MATLAB Digest, July 2003.
Splint development was sponsored by the National Science Foundation.