From owner-freebsd-security Sat Feb 8 16:22:25 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id QAA10094 for security-outgoing; Sat, 8 Feb 1997 16:22:25 -0800 (PST) Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA10005 for ; Sat, 8 Feb 1997 16:22:14 -0800 (PST) Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.8.5/8.7.3) with UUCP id RAA00919; Sat, 8 Feb 1997 17:22:02 -0700 (MST) Received: from localhost (marcs@localhost) by alive.ampr.ab.ca (8.7.5/8.7.3) with SMTP id RAA05080; Sat, 8 Feb 1997 17:22:22 -0700 (MST) Date: Sat, 8 Feb 1997 17:22:21 -0700 (MST) From: Marc Slemko X-Sender: marcs@alive.ampr.ab.ca To: Craig Shaver cc: security@freebsd.org Subject: Re: Don't fulminate, be productive In-Reply-To: <32FD0078.3F54BC7E@progroup.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Sat, 8 Feb 1997, Craig Shaver wrote: > Did Marc Slemko use perl scripts? Do you have an email addr for Marc? > Do you think he would let others have access to the tools he used? I did not use any automated tools to assist me when I went through the Apache source. The Apache source base is small enough that it just didn't make sense. Essentially what I did is go through the entire source line by line, looking for anything that stood out as being suspicious. Those things include: gets strcpy strcat sprintf scanf system popen exec mktemp any file creation memcpy Not all uses of the above are problems, but many are. After I fixed the things I noticed, I did a grep on the file to be sure I hadn't missed any of the above. Some of the fixes can be annoying, eg. if you have a function that is passed a pointer to a string without any length info, but the basic problems are generally trivial to fix. In some ways, FreeBSD fixes are easier than the Apache ones because for Apache we needed to create a snprintf() first; with FreeBSD you already have that. It is difficult to describe all the things which can be possible security problems in any way which can be scanned for automatically. You can get most of them, sure, but if I'm going through something I may as well go all the way. For example, simply scanning for buffer overflows won't find you the cases where a program insecurely creates a temp file. The more you look the easier it is to find things. IMHO, an automated tool isn't overly worth it. I had started going through the FreeBSD source tree a couple of months ago, and got a few fixes in but I got interrupted before I got that far. Hopefully I will get some time to help with some more FreeBSD fixes. > > Brian Tao wrote: > > > > On Sat, 8 Feb 1997, Jordan K. Hubbard wrote: > > > > > > Actually, that's a good 50% of it. The other 50% is replacing > > > strcpy()'s with strncpy()'s. :-) > > > > I'm sure a perl hacker could come up with a script that can at > > least flag some sort of warning where it suspects a line of code may > > be susceptible. A grep through the sources only finds about 6000 > > occurrences of sprintf or strcpy. ;-) BTW, has anyone been able to > > get a FreeBSD version of Insure++ or Purify (or whichever product it > > was) and run the source tree through it? > > > > > Seriously, looking for bufffer overflows is not rocket science, > > > though if you spot more serious bugs along then way then you are > > > more than free to fix them. :-) > > > > I'm definitely no code hacker, so I think I'd be limited to > > standalone user space utilities and leave library routines and kernel > > stuff to the experts. Still, it would be an instructional exercise, > > even if no potential holes are found. I think Marc Slemko went over > > the Apache sources in similar fashion and submitted a bunch of > > security-related patches. > del ... > > Brian Tao (BT300, taob@risc.org) > > "Though this be madness, yet there is method in't" > > -- > Craig Shaver (craig@progroup.com) (415)390-0654 > Productivity Group POB 60458 Sunnyvale, CA 94088 >