Vulnerability Development mailing list archives
Re: How to Write Secure Code
From: edebill () MAIL PCORDER COM (Erik Debill)
Date: Fri, 10 Mar 2000 13:52:39 -0600
On Fri, Mar 10, 2000 at 10:45:59AM -0800, Adam.Levine () BANKOFAMERICA COM wrote:
> In addition to standards for writing secure code, I would be very interested in hearing about any tools that can be used to audit compliance with these standards. If you were going to audit an application where these standards did not exist, what would you use to sift through millions of lines of code to identify exposures?
Thank god I never got faced with millions of lines of code... thousands was enough.

I started with grep. Looking for instances of "risky" calls, like strcpy, system, exec. I found lots and worked backwards from them to make sure they weren't being called with unchecked data (they were - I got to have a little "discussion" with the author). After that it was tracing the dataflow of the program (bunch 'o' CGI scripts in lousy C++, so at least the dataflow wasn't too complicated) to make sure every place data came in it was treated right.

That still left the problem that data could come in, be cleaned and made a safe length but later on be stuffed into a variable that was too small.

I'm afraid doing anything truly thorough would really come down to grovelling over the entire source of the application - a full code audit. Too bad nobody seems to have time for that (aside from the incredible efforts going on over at OpenBSD and the Linux Security Audit Project).

Erik
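
The grep pass described in the message above, sketched as an added example that is not part of the original post or the poster's actual tooling. The function names, the sample file, and the extra entries in the call list beyond strcpy, system and exec are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# First-pass triage for risky C/C++ calls (added example).
# strcpy, system and exec* come from the post; the other names are additions.
RISKY='strcpy|strcat|sprintf|gets|system|popen|exec(l|le|lp|v|ve|vp)'

# Print file:line:source for every call to a risky function under directory $1.
# The leading character class stops my_strcpy() or fgets() from matching.
find_risky_calls() {
    grep -rnE --include='*.c' --include='*.cc' --include='*.cpp' --include='*.h' \
        "(^|[^A-Za-z0-9_])(${RISKY})[[:space:]]*\(" "$1" || true
}

# Narrow the hits to the call sites worth tracing backwards first: drop
# whole-line // comments and system()/popen() calls whose command is a single
# string literal. strcpy() from a literal stays in the list, because the
# destination can still be too small.
needs_review() {
    find_risky_calls "$1" |
        grep -vE '^[^:]+:[0-9]+:[[:space:]]*//' |
        grep -vE '(system|popen)[[:space:]]*\([[:space:]]*"[^"]*"[[:space:]]*[,)]' ||
        true
}

# Constructed sample input (not from the post): one CGI-style source file.
write_sample() {
    mkdir -p "$1"
    cat > "$1/form.cpp" <<'EOF'
#include <cstdlib>
#include <cstring>
void handle(const char *query) {
    char name[32];
    char cmd[64];
    strcpy(name, query);            // unchecked request data
    // strcpy(name, "old code");
    sprintf(cmd, "finger %s", name);
    system(cmd);                    // built from request data
    system("date");                 // constant command
    my_strcpy(name, "x");           // project helper, not libc
}
EOF
}

# Usage: ./triage.sh path/to/source
if [ -n "${1:-}" ]; then needs_review "$1"; fi
```
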