On Fri, Mar 11, 2005 at 11:51:41PM +0100, Javier Fernández-Sanguino Peña wrote:
> > I think that there are a couple of areas that could be approached
> > in a directed fashion:
> >
> > * Command line overflows, via fuzz testing.
> > * Rebuilding the archive with the perl scanning modules distributed
> > here.
>
> What do you mean by this last one? Do you mean setting up a buildd daemon
> and running Rats/Flawfinder over the packages code?
Essentially yes - but not all at once, which will leave you swamped
with hundreds of bogus warnings.
Instead I'm thinking of picking a category of applications which is
suitably small and doing all of them one by one, before picking
another group.
> > * Looking at CGI parameter passing.
> > * SQL injection attacks, PHP especially.
> > * Insecure execution via popen/system.
> >
> > I'm thinking that right now the first one should be almost painless
> > to test against given enough time and enough disk space. There exist
> > several tools to automatically invoke applications with "random"
> > arguments and look for crashes.
>
> I can provide disk space and my system is not doing anything CPU intensive,
> I also hold a local Debian mirror at home.
Useful to know, thanks.
> > The other ones could be tested for fairly easily too, albeit doing
> > all the programs would be a considerable effort.
>
> Well, I actually did do the work for running Rats/Flawfinder against the
> whole archive, and still have the result (~1G of data). The problem is, the
> results are not really that useful: too many false positives. It could be
> useful if set up in a way similar to lintian.debian.org as a service to the
> community, i.e. making all the reports public so developers can review
> them.
Yes that would be useful. I've been following the documentation you
helped put together to set up my own buildd and I'm getting lost. Grr!
I think it will be interesting to see how useful the output could be
made as there are certainly lots of false results. Overriding them
is just as difficult as fixing the code.
> > Does anybody want to volunteer to work with me in a specific area,
> > or have any suggestions for new things to look at?
>
> Sure, I can volunteer. I've had some experience with setting up my own
> buildd at home and can offer my local system for the crunching of stuff,
> data could then be moved over to some other place for review.
I'm still not 100% sure how it would be best to proceed, but I'm
thinking!
Steve
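The command-line fuzzing that the quoted list above describes (invoke a program with "random" arguments and look for crashes), as an added Python example that is not code from this thread or from any of the tools it names. It assumes a Linux host where a crash shows up as death-by-signal (a negative return code from subprocess), treats a hang as a timeout rather than a crash, and the token list, argument shapes and target path are my own choices.

```python
import random
import signal
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Option-like and format-string tokens; random_arg mixes in long and junk strings.
TOKENS = ["-", "--", "-h", "--help", "-f", "-o", "%s%s%n", "../", "/dev/null"]

@dataclass
class Run:
    args: List[str]
    returncode: Optional[int]   # None when the child timed out
    signal_name: Optional[str]  # e.g. "SIGSEGV"; "TIMEOUT" for a hang
    @property
    def crashed(self) -> bool:
        return self.signal_name not in (None, "TIMEOUT")

def random_arg(rng: random.Random) -> str:
    """One argument: a known token, a very long string, or junk characters."""
    kind = rng.choice(["token", "long", "junk"])
    if kind == "token":
        return rng.choice(TOKENS)
    if kind == "long":
        return rng.choice("Aa%\\") * rng.randint(256, 8192)
    return "".join(chr(rng.randint(1, 255)) for _ in range(rng.randint(1, 64)))

def classify(returncode: int) -> Optional[str]:
    """subprocess reports death-by-signal as a negative return code."""
    if returncode >= 0:
        return None
    names = {int(s): s.name for s in signal.Signals}
    return names.get(-returncode, "SIG%d" % -returncode)

def run_once(target: str, args: List[str], timeout: float = 5.0) -> Run:
    # stdin detached and output discarded so the child cannot block on a tty.
    try:
        proc = subprocess.run([target, *args], stdin=subprocess.DEVNULL,
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=timeout)
    except subprocess.TimeoutExpired:
        return Run(args, None, "TIMEOUT")
    return Run(args, proc.returncode, classify(proc.returncode))

def fuzz(target: str, iterations: int = 500, seed: int = 1) -> List[Run]:
    """Seeded so any crash can be reproduced; returns only the crashing runs."""
    rng = random.Random(seed)
    runs = (run_once(target, [random_arg(rng) for _ in range(rng.randint(1, 4))])
            for _ in range(iterations))
    return [run for run in runs if run.crashed]
```

Because the generator is seeded, a crashing `Run.args` can be replayed directly against the binary for triage, which is the step that separates a real bug from a false result.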