Bugtraq mailing list archives

Re: StackGuard with ... Re: [Paper] Format bugs.


From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Fri, 21 Jul 2000 15:52:24 -0600


  There is no substitute, however, for a careful line-by-line audit of
code.

In my mind, there never was.

When this came up, we (Todd Miller, Todd Fries, and I) did an audit on
our source tree for the following cases

        *printf()
        err*()
        warn*()
        syslog()
        setproctitle()
        hand-made log()-style functions which end up calling v*() functions

I estimate it took three developers about 50 hours.

Automated tools do not help because you still have to check for the
last category by hand, so you might as well read everything.

50 hours isn't that bad.  The problem, as I see it, is that we must
keep redoing it.  We might have missed something (but so do automated
tools), and new stuff gets written all the time.

We even found some in our kernel, though nothing all that exciting.

As an aside, while doing this "sub-audit", we noticed that we
already had some fixed, which other projects hadn't fixed yet in their
source trees.  So we have looked for this before, without realizing
that they were a big problem.  That makes for a rather weird feeling..
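As an added example (not code from the original post or from the OpenBSD source tree), the shape of the last audit category above: a hand-made log()-style wrapper that forwards its first argument to a v*() function, one caller that hands untrusted data to it as the format, and the corrected call beside it. All names (vlog_wrap, log_user_unsafe, log_user_safe) and the "50%% off" input are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Output buffer for the constructed wrapper below. */
static char logbuf[256];

/*
 * Hypothetical hand-made log()-style function: it takes a format and
 * forwards it to vsnprintf(), so every caller that does not pass a
 * string literal as fmt is a format-bug candidate.  The GCC/clang
 * format attribute makes -Wformat flag non-literal fmt arguments.
 */
#if defined(__GNUC__)
__attribute__((format(printf, 1, 2)))
#endif
static void vlog_wrap(const char *fmt, ...)
{
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(logbuf, sizeof logbuf, fmt, ap);
    va_end(ap);
}

/* Vulnerable caller: untrusted data used directly as the format. */
const char *log_user_unsafe(const char *user)
{
    vlog_wrap(user);        /* BUG: '%' sequences in user are interpreted */
    return logbuf;
}

/* Fixed caller: the literal "%s" is the format, the data is an argument. */
const char *log_user_safe(const char *user)
{
    vlog_wrap("%s", user);  /* user is copied verbatim, never parsed */
    return logbuf;
}

int main(void)
{
    /* Constructed input containing a conversion sequence ("%%"). */
    const char *input = "50%% off";

    printf("unsafe: %s\n", log_user_unsafe(input));
    printf("safe:   %s\n", log_user_safe(input));
    return 0;
}
```

With "%%" the difference is visible without undefined behaviour: the unsafe caller logs "50% off" because the wrapper interpreted the sequence, the fixed caller logs the input unchanged. Any other directive (%x, %s, %n) in the unsafe path reads or writes memory it was never given.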

