Splint - Secure Programming Lint
Annotation-Assisted Lightweight Static Checking
Inexpensive Program Analysis Group
University of Virginia, Department of Computer Science
Secure Programming Lint
First Aid for Programmers
Splint is a tool for statically checking C programs for security vulnerabilities and coding mistakes. With minimal effort, Splint can be used as a better lint. If additional effort is invested adding annotations to programs, Splint can perform stronger checking than can be done by any standard lint.
Splint Version 3.1.2
Source code - [tgz distribution]
SourceForge Project Page
Current Development Code
Browse Code CVS
Mailing Lists [splint-discuss archives]
Papers: Improving Security Using Extensible Lightweight Static Analysis, IEEE Software Jan/Feb 2002; Statically Detecting Likely Buffer Overflow Vulnerabilities, USENIX Security 2001; Static Detection of Dynamic Memory Errors, PLDI 1996; More...
Talks: USENIX Security 2001 [PPT] [PDF]; UW/MSR [PPT] [PDF]; More...
FAQ (updated 3 May 2004)
Press - external articles
Release - latest release notes
Since human beings themselves are not fully debugged yet, there will be bugs in your code no matter what you do. — Chris Mason, Zero-defects memo (quoted in Microsoft Secrets, Cusumano and Selby)
5 August 2010: Mao Yu has created a Windows installer for splint-3.1.2: http://github.com/maoserr/splint_win32/downloads.
5 December 2008: Christoph Thielecke has developed a Splint GUI, available for download here: http://crissi.linux-administrator.com/linux/splintgui/index_en.html
12 July 2007: Splint 3.1.2 is now available (this updates the source distribution to the latest CVS code).
17 Feb 2004: Security holes force firms to rethink coding processes, NetworkWorldFusion, 19 April 2004.
17 Feb 2004: David Evans will be speaking 20 February 2004 at the Open Source International Conference 2004 in Malaga, Spain.
17 Feb 2004: Splint is described in the German computer magazine c't, issue 4/2004, in the article Fehlersuche in Java (full article not available online, just links). (Thanks to Steffen Maier for noticing.)
3 Dec 2003: Herbert Martin Dietze has provided a new OS/2 binary: http://www.fh-wedel.de/pub/fh-wedel/staff/herbert/splint
1 Nov 2003: Scott Frazer has contributed a Borland C++Builder (a free compiler) build. The patches are incorporated into the latest CVS development code and will be in the next release. For directions, see bcc32.html.
31 July 2003: Checking Code and Models in Production Environments, MATLAB Digest, July 2003.
Previous News
Splint development was sponsored by the National Science Foundation.