It looks like the problem in terms of detection is to find values that should be annotated as __user. Poking around a bit, it seems like this tool is doing just that:
http://www.cs.umd.edu/~jfoster/cqual/ It dates from 2004, but perhaps the developer could be motivated to pick it up again. I don't think Coccinelle would be good for doing this (ie implementing taint analysis) because the dataflow is too complicated. julia
