SCARE metrics and tool release

From: Pete Herzog <>
Subject: SCARE metrics and tool release


Scare, the Source Code Analysis Risk Evaluation tool for measuring security 
complexity in C source code is now available.  The tool is written to 
support the OpenTC project ( as the SCARE methodology project 
available at:

We have done some test cases with the tool already do track trends in Xen 
and are now working on measuring trends in the Linux Kernel.

The SCARE analysis tool is run against source code.  Currently only C code 
is supported.  The ouput file will contain all operational interactions 
possible which need controls (the current version does not yet say if and 
what controls are already there).  At the bottom of the list are three 
numbers: Visibilities, Access, and Trusts.  These 3 numbers can be plugged 
into the RAV Calculation spreadsheet available at  The 
Delta value is then subtracted from 100 to give the SCARE percentage which 
indicates the complexity for securing this particular application.  The 
lower the value, the worse the SCARE.

Trends in Xen:

XEN ver.     Vis    Accesses    Trusts    SCARE    Delta
3.0.3_0       1       314        28577    58.26    -41.74
3.0.4_1       1       311        31060    57.79    -42.21
3.1.0         1       316        33139    57.43    -42.57

As you can see, the security complexity of Xen is getting worse due to the 
increased numbers of Trusts (reliance on external variables which a user 
can manipulate as an input). Trust attacks can be tested according to the 
4th point of the 4 Point test process in the OSSTMM 3: Intervention - 
changing resource interactions with the target or between targets.

At this stage, the tool cannot yet tell which interactions have controls 
already or if those controls are applicable however once that is available 
it will change the RAV but not the SCARE.  The SCARE will also not yet tell 
you where the bugs are in the code however if you are bug hunting, it will 
extract all the places where user inputs and trusts with user-accessible 
resources can be found in the code.

We need help!  We are looking for people to help us complete the SCARE 
methodology, add new programming languages to the tool, as well as even 
making a windows binary version for those who do not code in Linux. Contact 
me if you can do this.


Pete Herzog - Managing Director -
ISECOM - Institute for Security and Open Methodologies - -
ISECOM is the OSSTMM Professional Security Tester (OPST),
OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool
Teacher certification authority.

Copyright © 1995-2020 All rights reserved.