RE: [Full-Disclosure] automated vulnerability testing

From: Bill Royds (full-disclosure_at_royds.net)
Date: 11/29/03

    To: <fulldisclosure@freedomnames.co.uk>, <full-disclosure@lists.netsys.com>
    Date: Fri, 28 Nov 2003 21:09:17 -0500
    If you are truly interested in security, you won't use C as the programming
    language. It is security unfriendly by design (so it can get closer to the
    actual box for efficiency's sake). So what you want to build is a checker
    that ensures that the code does not use
    pointers or pointer arithmetic, C strings, C arrays or C I/O. Only C or
    languages that use C libraries have a problem with buffer overflow, format
    errors, unallocated (or already freed) pointers and routines returning
    incorrect types.
      Most other languages prevent these as part of their semantics or syntax.
    Your checker would need to check that all functions and the calls to them
    match arguments as to type, bounds (including string sizes and malloc
    space), that pointers are never used before they are allocated or after they
    are freed.
      Most of these are situations similar to the halting problem on a Turing
    machine, so you are unlikely to get an error-free checker. But if your
    checker complains about all the possible security holes, it will complain
    about nearly every construct used within C programs.

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of
    fulldisclosure@freedomnames.co.uk
    Sent: November 28, 2003 2:56 PM
    To: full-disclosure@lists.netsys.com
    Subject: [Full-Disclosure] automated vulnerability testing

    Hey guys,

    please excuse me for bringing this topic up again, but I was kinda
    disappointed with the feedback from before...

    I'd like some input from the programming community regarding thoughts on
    static vulnerability analysis, not specifically on the products that are
    already out there (kinda limited imho) but rather from a design perspective.
    I'm interested in the kinds of functionality that is required, interface
    design, configuration issues (saved configs etc..) and most importantly the
    types of vulnerabilities people would be interested in scanning for.

    If I could get some positive feedback it'd be much appreciated.

    -DC

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

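Bill's list of what such a checker would have to examine, turned into an added example that is not part of this thread: a deliberately naive Python checker (hypothetical, constructed here) that flags the construct classes he names, run over a constructed C fragment. It has no parser and no notion of scope, casts or aliasing, so it over-reports, which is exactly his point about a checker that complains about nearly every C construct.

```python
import re
# Constructed tables for the construct classes the reply names; a toy, not a real tool.
UNSAFE_CALLS = {"gets": "unbounded C I/O", "strcpy": "unbounded C string copy", "sprintf": "unbounded C string formatting"}
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
PTR_DECL_RE = re.compile(r"\b(?:char|int|long|void|struct\s+\w+)\s*\*+\s*([A-Za-z_]\w*)\s*(=?)")
ASSIGN_RE = re.compile(r"(?<![=!<>*])\b([A-Za-z_]\w*)\s*=(?!=)")   # "p = ..." but not "==", "*p ="
FREE_RE = re.compile(r"\bfree\s*\(\s*([A-Za-z_]\w*)\s*\)")
NONLITERAL_FMT_RE = re.compile(r"\bprintf\s*\(\s*([A-Za-z_]\w*)\s*[,)]")

def check_c_source(src):
    """Return (line_number, message) findings: one regex pass per line, no parser, no scopes."""
    findings, pointers, unassigned, freed = [], set(), set(), set()
    for lineno, line in enumerate(src.splitlines(), 1):
        code = line.split("//")[0]
        for name in CALL_RE.findall(code):          # C string and C I/O routines with no bound
            if name in UNSAFE_CALLS:
                findings.append((lineno, f"{name}(): {UNSAFE_CALLS[name]}"))
        if m := NONLITERAL_FMT_RE.search(code):     # format string that is not a literal
            findings.append((lineno, f"printf(): non-literal format '{m.group(1)}'"))
        declared_here = set()
        for name, init in PTR_DECL_RE.findall(code):       # a pointer is dangling until assigned
            declared_here.add(name)
            (unassigned.discard if init else unassigned.add)(name)
        pointers |= declared_here
        freed_here = set(FREE_RE.findall(code))
        for p in sorted(pointers - declared_here):
            deref = re.search(rf"\*\s*{p}\b|\b{p}\s*\[|\b{p}\s*->", code)
            arith = re.search(rf"\b{p}\s*(\+\+|--|[+-]=?\s*[\w(]|\[)", code)
            if not (deref or arith) or p in freed_here: continue
            if p in freed or p in unassigned:
                findings.append((lineno, f"'{p}' used {'after free()' if p in freed else 'before it is allocated'}"))
            if arith:                               # flagged wholesale, as the reply predicts
                findings.append((lineno, f"pointer arithmetic or indexing on '{p}'"))
        for name in ASSIGN_RE.findall(code):        # "p = ..." re-points p: no longer dangling or freed
            if name in pointers:
                unassigned.discard(name); freed.discard(name)
        freed |= freed_here
    return findings

# Constructed sample input: a fragment exercising each class the reply lists.
SAMPLE_C = """\
char buf[64];
char *fmt;
char *q = malloc(16);
gets(buf);              // unbounded C I/O into a fixed-size array
printf(buf);            // format string taken straight from input
*fmt = 'x';             // fmt was never allocated
q[0] = 'y';
free(q);
q[1] = 'z';             // use after free
"""
```

Running `check_c_source(SAMPLE_C)` reports the `gets`, the non-literal `printf` format, the use of `fmt` before allocation, the use of `q` after `free()`, and every indexing of `q`.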

