
Re: source code "forensic" practices



* Yaroslav Halchenko:

> The question is: are there any helper tools for doing source code
> validation subject to possibly available snippets of code which might be
> for illegal activity (i.e. sending out private information, or serve as
> backdoors, etc)?

There are several commercial bug finding tools and services.  I don't
know how good they are at detecting logic bombs and similar things.

> Maybe some language-specific tools (JS, Java, Python)
> which could catch snippets intended for data transmission/receival?

Java is doable at least, but due to their dynamic nature, JavaScript
and Python are in a completely different league.  JavaScript is
extremely obnoxious because you can easily download scripts from the
Net, triggered from self-modifying code.  In fact, this is a common
practice in the online advertising world.
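
The contrast drawn in the reply above, as an added example that is not part of the original message: a static pass over Python source can name direct network imports, but for run-time constructs it can only report that the target is chosen dynamically, not what it is. The watch lists and the sample source are constructed for illustration.

```python
import ast

# Modules whose import means the code can talk to the network (assumed watch list).
NETWORK_MODULES = {"socket", "urllib", "http", "ftplib", "smtplib", "requests"}
# Builtins that run or load code chosen at run time.
DYNAMIC_CALLS = {"eval", "exec", "compile", "__import__"}


def audit(source):
    """Return sorted (line, kind, detail) findings for one Python source string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        else:
            names = []
        for name in names:
            if name.split(".")[0] in NETWORK_MODULES:
                findings.append((node.lineno, "network-import", name))
        if isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name) and func.id in DYNAMIC_CALLS:
                findings.append((node.lineno, "dynamic-code", func.id))
            # getattr(obj, <computed>) hides which attribute is really used.
            elif (isinstance(func, ast.Name) and func.id == "getattr"
                  and len(node.args) >= 2
                  and not isinstance(node.args[1], ast.Constant)):
                findings.append((node.lineno, "dynamic-attr", "getattr"))
            # importlib.import_module(...) loads a module named at run time.
            elif isinstance(func, ast.Attribute) and func.attr == "import_module":
                findings.append((node.lineno, "dynamic-code", "import_module"))
    return sorted(findings)


# Constructed sample: one direct import, then calls whose target a static pass cannot name.
SAMPLE = '''\
import os
import urllib.request
name = os.environ.get("PLUGIN", "json")
mod = __import__(name)
fn = getattr(mod, os.environ.get("FUNC", "dumps"))
exec(os.environ.get("HOOK", "pass"))
'''

if __name__ == "__main__":
    for line, kind, detail in audit(SAMPLE):
        print(f"line {line}: {kind}: {detail}")
```

The `dynamic-code` and `dynamic-attr` findings are review markers only: the scanner cannot tell which module or function ends up being used, which is the limit the reply describes for dynamic languages.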


