Automated download + audit of source packages: msg#00019

Subject: Automated download + audit of source packages
> Some of the bugs I've come across could have
> been found easily with an automated vulnerability scanner. Especially
> stuff like passing user-controllable format strings to syslog() just
> shouldn't happen any more..

That's an interesting idea! I don't think we're quite ready to let the machines 
do all auditing by themselves (do Flawfinder or RATS obey Asimov's laws of 
robotics?). For one thing, I have found lots of code with potential format 
string bugs (syslog(LOG_MAIL, blah); or fprintf(stderr, blah); or whatever), 
which turned out to be sloppy programming and no security hole, because the 
user never got to control the value of blah. Automatic auditing is helpful, 
both for people who can't and people who can do manual auditing, but it's far 
from replacing it.

(Just sitting back and reading the more Debian related discussion, since I've 
upgraded to Debian from Red Hat quite recently, so I don't know everything 
about Debian's packages yet.)

-- 
Ulf Harnhammar
http://www.advogato.org/person/metaur/
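To illustrate the false-positive problem the reply describes (a scanner flags every syslog()/fprintf() whose format argument is not a string literal, but it is only a hole when the user gets to control that value), here is an added example, not part of the original thread and not Flawfinder or RATS code: a toy scanner that flags such call sites and then checks whether the format variable is only ever assigned a string literal in the file. The sample C source it runs over is constructed for the example.

```python
import re

# Constructed sample C source (not from the thread): call sites a naive scanner
# flags because the format argument is not a string literal, plus one correct call.
SAMPLE_C = r'''
const char *banner = "mailer started";                    /* constant, never user-controlled */
void start(void)              { syslog(LOG_MAIL, banner); }
void warn(const char *blah)   { fprintf(stderr, blah); }  /* blah comes from the caller */
void login(char *argv[])      { char *who = argv[1]; syslog(LOG_AUTH, who); }
void ok(const char *msg)      { syslog(LOG_MAIL, "%s", msg); }  /* literal format: fine */
'''

# syslog(prio, fmt, ...) and fprintf(stream, fmt, ...): capture the second argument.
CALL_RE = re.compile(r'\b(syslog|fprintf)\s*\(\s*[^,()]+,\s*([^,()]+?)\s*[,)]')
LITERAL_RE = re.compile(r'^"(?:[^"\\]|\\.)*"$')

def constant_strings(source):
    """Identifiers whose every assignment in this file is a string literal.
    This is the 'did the user ever control blah?' check, done crudely per file."""
    assigned = {}
    for name, value in re.findall(r'\b(\w+)\s*=\s*([^;]+);', source):
        assigned.setdefault(name, []).append(value.strip())
    return {n for n, vals in assigned.items() if all(LITERAL_RE.match(v) for v in vals)}

def triage(source):
    """Return (function, format_arg, verdict) for each non-literal format argument."""
    consts = constant_strings(source)
    findings = []
    for func, fmt in CALL_RE.findall(source):
        if LITERAL_RE.match(fmt):
            continue  # literal format string: nothing to flag
        if fmt in consts:
            verdict = "likely false positive: constant format string"
        else:
            verdict = "manual review: format argument may be attacker-controlled"
        findings.append((func, fmt, verdict))
    return findings

if __name__ == "__main__":
    for func, fmt, verdict in triage(SAMPLE_C):
        print(f"{func}(..., {fmt}) -> {verdict}")
```

The per-file literal check is the cheapest form of the manual reasoning the reply describes; anything that fails it still needs a human to trace where the value comes from.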