[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.58.0311290435200.21953@suse.bluegenesis.com>
From: todd at hostopia.com (Todd Burroughs)
Subject: automated vulnerability testing
> Most of these are situations similar to the halting problem on a Turing
> machine so you are unlikely to get an error free checker. But if your
> checker complains about all the possible security holes, it will complain
> about nearly every construct used within C programs.
I'm auditing one of our daemons, written in C. I've run it through
various source code checkers and that is useful, I found something that
could be exploitable using this. In our environment, it is not a problem,
but we'll fix it and we all learn something.
These tools are useful to find obvious problems or problems that have
a pattern. Now, aftter using these tools, I have to look over the code
and it cannot be code that I wrote. I don't think there's a substitute
for serious code review.
If you want to make a better tool, please do, I'll use it and if it's
good, I might help...
Todd Burroughs
Powered by blists - more mailing lists