OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: StackGuard with ... Re: [Paper] Format bugs.
From: Theo de Raadt (deraadtCVS.OPENBSD.ORG)
Date: Fri Jul 21 2000 - 16:52:24 CDT

> There is no substitute, however, for a careful line-by-line audit of
> code.

In my mind, there never was.

When this came up, we (Todd Miller, Todd Fries, and I) did an audit on
our source tree for the following cases

        *printf()
        err*()
        warn*()
        syslog()
        setproctitle()
        hand-made log()-style functions which end up calling v*() functions

I estimate it took three developers about 50 hours.

Automated tools do not help because you still have to check for the
last category by hand, so you might as well read everything.

50 hours isn't that bad. The problem, as I see it, is that we must
keep redoing it. We might have missed something (but so do automated
tools), and new stuff gets written all the time.

We even found some in our kernel, though nothing all that exciting.

As an aside, while doing the this "sub-audit", we noticed that we
already had some fixed, which other projects hadn't fixed yet in their
source trees. So we have looked for this before, without realizing
that they were a big problem. That makes for a rather weird feeling..