Full Disclosure mailing list archives

RE: automated vulnerability testing


From: Todd Burroughs <todd () hostopia com>
Date: Sat, 29 Nov 2003 04:49:06 -0500 (EST)


  Most of these are situations similar to the halting problem on a Turing
machine so you are unlikely to get an error free checker. But if your
checker complains about all the possible security holes, it will complain
about nearly every construct used within C programs.

I'm auditing one of our daemons, written in C.  I've run it through
various source code checkers, and that is useful; I found something that
could be exploitable using this.  In our environment, it is not a problem,
but we'll fix it and we all learn something.

These tools are useful to find obvious problems or problems that have
a pattern.  Now, after using these tools, I have to look over the code,
and it cannot be code that I wrote.  I don't think there's a substitute
for serious code review.

If you want to make a better tool, please do, I'll use it and if it's
good, I might help...

Todd Burroughs
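To make the "problems that have a pattern" point concrete, here is an added example (not code from the post or from any of the checkers Todd ran): a deliberately minimal pattern-based checker in C that flags calls to a handful of risky libc functions by textual match. The sample source it scans is constructed for the example; names such as `flag_line`, `scan_source` and `SAMPLE_SOURCE` are the example's own. Because the checker only matches text, it reports the guarded `strcpy()` exactly as loudly as the unguarded one, which is why the output of such a tool is a worklist for review rather than a verdict.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the post's code: a toy pattern checker of the kind the
   post describes. It knows nothing about surrounding length checks. */
static const char *const RISKY[] = { "strcpy(", "strcat(", "sprintf(", "gets(" };
#define NUM_RISKY (sizeof RISKY / sizeof RISKY[0])

/* Returns the risky call pattern found in one source line, or NULL.
   A crude token check avoids matching "my_strcpy(" as "strcpy(". */
const char *flag_line(const char *line)
{
    for (size_t i = 0; i < NUM_RISKY; i++) {
        const char *p = line;
        while ((p = strstr(p, RISKY[i])) != NULL) {
            if (p == line || !(isalnum((unsigned char)p[-1]) || p[-1] == '_'))
                return RISKY[i];
            p += 1;                 /* rejected as part of a longer identifier; keep looking */
        }
    }
    return NULL;
}

/* Scans a source buffer line by line; returns the number of flagged lines and,
   when verbose is non-zero, prints each finding with its line number. */
int scan_source(const char *src, int verbose)
{
    int hits = 0, lineno = 0;
    const char *start = src;
    while (*start) {
        const char *end = strchr(start, '\n');
        size_t len = end ? (size_t)(end - start) : strlen(start);
        char line[256];
        if (len >= sizeof line)
            len = sizeof line - 1;  /* truncate over-long lines rather than overflow */
        memcpy(line, start, len);
        line[len] = '\0';
        lineno++;
        const char *hit = flag_line(line);
        if (hit) {
            hits++;
            if (verbose)
                printf("line %d: %s -> %s\n", lineno, hit, line);
        }
        start = end ? end + 1 : start + len;
    }
    return hits;
}

/* Constructed sample input: two strcpy() calls, one guarded by a length check
   and one not, plus a wrapper name that merely contains "strcpy". The checker
   flags lines 3 and 6 alike; only a reviewer can see that line 3 is safe. */
const char *SAMPLE_SOURCE =
    "void greet(char *dst, size_t dst_size, const char *name) {\n"
    "    if (strlen(name) < dst_size)\n"
    "        strcpy(dst, name);          /* guarded */\n"
    "}\n"
    "void greet_unsafe(char *dst, const char *name) {\n"
    "    strcpy(dst, name);              /* unguarded */\n"
    "}\n"
    "int my_strcpy(char *d, const char *s);\n";

int main(void)
{
    int n = scan_source(SAMPLE_SOURCE, 1);
    printf("%d flagged line(s); each still needs a human to decide\n", n);
    return 0;
}
```

Running it prints both `strcpy(` findings and a count of 2. A real checker adds data-flow reasoning to cut the obvious false positives, but the underlying limit the post refers to remains: deciding in general whether the guard on line 2 is sufficient for every caller is not something a tool can settle, so the findings list is where the manual review starts, not where it ends.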

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html