[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: scan debian packages for security vulnerabilitys big time

Quoting Andreas Schuldei (andreas@schuldei.org):
> started to look for bugs on the source level. But OpenBSD achives their
> security at the price of up-to-date packages. E.g. they still use bind 4
> and an old sendmail, because it is well audited and virtually bug free. We
> want both, of cause: security and new features.
The OpenBSD team audits their base source, not the ports tree, where a _lot_
of the 'add-on' software comes from.
To compare with debian; if we do it the OpenBSD way, we'd have to audit
'base', and try to create security awareness with the people who maintain
non-'base' packages.

>1) try to raise the security awareness of the debian developers and get 
> them to audit the code of their packages and perhaps even help their 
> upstream authors and 
This is a good thing, although i don't think this is something you can
expect from everyone. Apart from the knowledge not being there, auditing
even a single package is A Lot Of Work.
It might be a better idea to set up a small group of people, who start
auditing packages (starting with 'base'), and who monitor patches for
'security critical' packages (like the daemons, suids,etc).
I know this is far from complete/what you want, but asking every maintainer
to audit their upstream source is maybe a bit too big a thing.

> For now, I packaged his non-free software (called 'Its The Software,
> stupid', short: its4.) and would like to try to integrate it into the
> debian development process. 
Bad Thing. Automated security scanners give a false sense of security, and
only hint about possible bugs/mistakes.
its4 is in fact a glorified grep, that scans for 'known dangerous
constructs'. In practice, you'll find every strcpy, strcat, etc in the
warning log, with a big 'watch out' next to it. 
Everyone audits their code in a different way - some use grep, some use
its4, and some put their c source trough the preprocessor and read it.
I don't think that integrating its4 (or any other source code analyser) into
the debian build process will be of much help, except for generating lots of
extra work (and warnings).

> Now I need help and advice: At which point would it make sense to plug in
> the scanner? Who would like to sponsor the its4 package? Is this
> practicable at all? Will people ignore the warnings? What else did I
> forget?
Probably you forget that it's lots of people's hobby to run its4 against
large amounts of source code, and hope they'll find a vulnerability (and
sometimes do!). 
Only a (mass?) auditing project would help keeping our code clean.

|      rvdm@cistron.nl - Cistron Internet Services - www.cistron.nl        |  
|          php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security             |
|         My statements are mine, and not necessarily cistron's.           |
      Zet mij maar in een hoek, met me kop naar de muur :) -- marijnv

Reply to: