List:       kde-core-devel
Subject:    RFC: Performing code security audits before releases...
From:       Dawit Alemayehu <adawit () kde ! org>
Date:       2002-02-25 7:10:03


Hello,

I want to begin a discussion on performing proactive security audits of our codebase before
each release.  I am by no means a security expert, but some of the common security problems like 
buffer overruns/overflows can be checked and tested for with minimal effort using tools like RATS.
This way our code is at least checked for some of these common flaws in software design.  No 
matter the tool or the effort put forth we cannot obviously catch all such problems, but that does not 
mean we should not attempt to find the ones we can.  

For starters I generated and attached below a report for the entire kdelibs directory using RATS 
(http://www.securesw.com/rats/).  Perhaps using the lessons we learn from using tools like this we can
write a HOWTO article or create methods to avoid the pitfalls.  I encourage everyone who is responsible
for some piece of code in kdelibs to go through the report and see if there is anything they need to fix 
based on it.  I personally plan to go through the entire report and verify things.  If I come across something
questionable, I will send email to author(s) listed in the source code.  Please note that the report is not 
necessarily correct all the time.  It will have false positives where the code is being reported as being a 
potential problem when in actuality it might not be.

Hopefully this will start good discussion about code security in general and along with the memory profiling
 tool (valgrind) make KDE even much better than it currently is.  In the future I would love to see a period 
(perhaps a few days) built into the release schedule for performing such audits in the future.

Regards,
Dawit A.
["kdelibs-audit.gz" (application/x-gzip)]
