Date:      Sat, 8 Feb 1997 17:22:21 -0700 (MST)
From:      Marc Slemko <marcs@znep.com>
To:        Craig Shaver <craig@progroup.com>
Cc:        security@freebsd.org
Subject:   Re: Don't fulminate, be productive 
Message-ID:  <Pine.BSF.3.95.970208171054.3343F-100000@alive.ampr.ab.ca>
In-Reply-To: <32FD0078.3F54BC7E@progroup.com>

On Sat, 8 Feb 1997, Craig Shaver wrote:

> Did Marc Slemko use perl scripts?  Do you have an email addr for Marc? 
> Do you think he would let others have access to the tools he used?

I did not use any automated tools to assist me when I went through the
Apache source.  The Apache source base is small enough that it just didn't
make sense.  

Essentially what I did is go through the entire source line by line,
looking for anything that stood out as being suspicious.  Those things
include:
	gets
	strcpy
	strcat
	sprintf
	scanf
	system
	popen
	exec
	mktemp
	any file creation
	memcpy

Not all uses of the above are problems, but many are.

After I fixed the things I noticed, I did a grep on the file to be sure
I hadn't missed any of the above.  

Some of the fixes can be annoying, eg. if you have a function that is 
passed a pointer to a string without any length info, but the basic
problems are generally trivial to fix.  In some ways, FreeBSD fixes
are easier than the Apache ones because for Apache we needed to create
a snprintf() first; with FreeBSD you already have that.

It is difficult to describe all the things which can be possible
security problems in any way which can be scanned for automatically.
You can get most of them, sure, but if I'm going through something
I may as well go all the way.  For example, simply scanning for buffer
overflows won't find you the cases where a program insecurely 
creates a temp file.  The more you look the easier it is to find things.
IMHO, an automated tool isn't overly worth it.

I had started going through the FreeBSD source tree a couple of 
months ago, and got a few fixes in but I got interrupted before
I got that far.  Hopefully I will get some time to help with some
more FreeBSD fixes.

> 
> Brian Tao wrote:
> > 
> > On Sat, 8 Feb 1997, Jordan K. Hubbard wrote:
> > >
> > > Actually, that's a good 50% of it.  The other 50% is replacing
> > > strcpy()'s with strncpy()'s. :-)
> > 
> >     I'm sure a perl hacker could come up with a script that can at
> > least flag some sort of warning where it suspects a line of code may
> > be susceptible.  A grep through the sources only finds about 6000
> > occurrences of sprintf or strcpy.  ;-)  BTW, has anyone been able to
> > get a FreeBSD version of Insure++ or Purify (or whichever product it
> > was) and run the source tree through it?
> > 
> > > Seriously, looking for buffer overflows is not rocket science,
> > > though if you spot more serious bugs along the way then you are
> > > more than free to fix them. :-)
> > 
> >     I'm definitely no code hacker, so I think I'd be limited to
> > standalone user space utilities and leave library routines and kernel
> > stuff to the experts.  Still, it would be an instructional exercise,
> > even if no potential holes are found.  I think Marc Slemko went over
> > the Apache sources in similar fashion and submitted a bunch of
> > security-related patches.
> del ...
> > Brian Tao (BT300, taob@risc.org)
> > "Though this be madness, yet there is method in't"
> 
> -- 
> Craig Shaver  (craig@progroup.com) (415)390-0654 
> Productivity Group POB 60458 Sunnyvale, CA  94088
> 




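The two fix patterns the message describes (bounded copies and formats whose truncation is checked, and mkstemp() in place of mktemp()), as an added example. This is not code from the thread, from Apache, or from FreeBSD; the function names, the "docroot/uri" path-building scenario and the 64-byte buffer size are hypothetical, chosen only to show the "before" that a line-by-line pass would flag next to the "after" that replaces it.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical buffer size; real code would size this from PATH_MAX. */
#define EXAMPLE_PATH_LEN 64

/* "Before": the pattern a line-by-line pass flags under sprintf.  The caller
 * hands over a pointer with no length, so sprintf writes past the end of
 * 'path' as soon as docroot + "/" + uri exceeds the buffer.  Kept only to
 * show what the audit is looking for; never call it with untrusted input. */
void build_path_unsafe(char *path, const char *docroot, const char *uri)
{
    sprintf(path, "%s/%s", docroot, uri);
}

/* "After": the buffer length travels with the pointer, snprintf bounds the
 * write, and the return value is checked so that truncation becomes an error
 * instead of a silently shortened path.  Returns 0 on success, -1 on
 * truncation or a formatting error. */
int build_path_safe(char *path, size_t pathlen, const char *docroot, const char *uri)
{
    int n = snprintf(path, pathlen, "%s/%s", docroot, uri);
    if (n < 0 || (size_t)n >= pathlen) {
        if (pathlen > 0)
            path[0] = '\0';         /* leave nothing half-built behind */
        return -1;
    }
    return 0;
}

/* strcpy replacement with an explicit check.  A bare strncpy is not enough:
 * it drops the terminator when src fills dst exactly, so check the length
 * first and copy terminator included.  Returns 0, or -1 if src does not fit. */
int copy_checked(char *dst, size_t dstlen, const char *src)
{
    size_t len = strlen(src);
    if (len >= dstlen)
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Temp file creation.  mktemp() only returns a name, leaving a window between
 * choosing the name and opening the file in which an attacker can plant a
 * symlink; mkstemp() creates and opens the file in one step (mode 0600 on
 * current systems).  On success the chosen name is left in 'template_buf'
 * and the open descriptor is returned; on any failure -1. */
int make_tempfile(char *template_buf, size_t buflen)
{
    if (copy_checked(template_buf, buflen, "/tmp/audit-example.XXXXXX") != 0)
        return -1;
    return mkstemp(template_buf);
}

int main(void)
{
    char path[EXAMPLE_PATH_LEN];
    char long_uri[3 * EXAMPLE_PATH_LEN];

    /* Constructed input: a URI longer than the whole path buffer. */
    memset(long_uri, 'A', sizeof long_uri - 1);
    long_uri[sizeof long_uri - 1] = '\0';

    printf("short uri: %s\n",
           build_path_safe(path, sizeof path, "/var/www", "index.html") == 0
               ? path : "(error)");
    printf("long uri:  %s\n",
           build_path_safe(path, sizeof path, "/var/www", long_uri) == 0
               ? path : "(truncated, rejected)");

    char name[EXAMPLE_PATH_LEN];
    int fd = make_tempfile(name, sizeof name);
    if (fd >= 0) {
        printf("temp file: %s\n", name);
        close(fd);
        unlink(name);
    }
    return 0;
}
```

The point of checking snprintf's return value is the part most often skipped when strcpy/sprintf are mechanically swapped for their "n" variants: a truncated path or filename is still a bug, just a quieter one, so the caller has to be told.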
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.95.970208171054.3343F-100000>