Hello:
Is Red Hat worried about Coverity or other such bug/security hole searching private ventures? There are probably 1000s of critical security holes in any given Linux distro and the only problem is that there doesn't exist sophisticated enough tools yet to discover them. Companies like Coverity are attempting to develop them, and for what seems like the greater good of Linux distros. Nevertheless, with Red Hat having invested so much into SELinux is there also considerable thought put into developing a Coverity-like project to get to those lingering security threats first?
Benjy
Nevertheless, with Red Hat having invested so much into SELinux is there also considerable thought put into developing a Coverity-like project to get to those lingering security threats first?
I periodically go through open source code with FlexeLint. It finds the same bugs that Coverity does, but also provides many false positives. So, going from the report to fixing bugs is a fair amount of work.
I have also experimented with smatch. It seemed to be on the right track, but is a patch to a now ancient compiler. I think if open source wanted a Coverity-like tool, this project should be revived.
At the moment, I think the tack taken is to improve gcc's reporting of bugs. Very few programs do: -Wall -W -Wformat-string -Wfloating-point. When looking for bugs, I try to increase the output from gcc since it does a decent job of finding some of the same bugs Coverity does. They just hide as signed-unsigned comparisons.
Also note that gcc has been improved by adding a propolice-like extension that many programs are compiled with; relro has been added to most network facing or setuid programs (as well as PIE flags); and Fortify Source has been improved by extending it to many other functions.
In my opinion, these enhancements help the overall security of Fedora/RHEL beyond just what SE Linux does. I don't think we should be complacent either, but it's not as dire as it was 2 years ago when I was doing many code audits and finding real problems. (I also plan to start a new round of audits in a month or two when some of the LSPP tasks are finally whipped.)
Have you tried out smatch? The project seems dead, but probably the best starting point.
-Steve
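As an added example (not code from this thread, from Red Hat, or from any of the tools named), here is the signed/unsigned pattern Steve refers to, in the form a code audit usually meets it: a hypothetical record-length check in the shape that hides the bug (no warning from -Wall -W), the shape that -W / -Wextra does flag through -Wsign-compare, and a corrected form. RECORD_MAX, the function names and the sample input are assumptions made for the example.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RECORD_MAX 64  /* int constant, so 'len > RECORD_MAX' is a signed compare */

/* Hypothetical bounds check in the shape that hides the bug: both operands
 * are signed, gcc -Wall -W says nothing, and a negative (for instance
 * attacker-supplied) length passes. The damage happens later, where the same
 * int reaches a size_t parameter such as memcpy()'s and silently becomes a
 * huge count; that implicit conversion is what -Wsign-conversion reports. */
int record_len_ok_buggy(int len)
{
    if (len > RECORD_MAX)
        return 0;
    return 1;           /* len == -1 is accepted here */
}

/* The shape gcc -W / -Wextra does flag (-Wsign-compare): int against size_t.
 * The int is converted to size_t before the compare, so -1 becomes SIZE_MAX
 * and is rejected "by accident". The warning marks exactly the spot where
 * signed and unsigned meet; whether that spot is a bug depends on what the
 * surrounding code assumes about negative values. */
int fits_mixed(int len, size_t cap)
{
    return len <= cap;  /* gcc: comparison of integer expressions of different signedness */
}

/* Corrected form: reject negatives explicitly, then compare in one type. */
int record_len_ok_fixed(int len)
{
    if (len < 0)
        return 0;
    return (size_t)len <= (size_t)RECORD_MAX;
}

/* Copy that only ever hands memcpy() a value that passed the fixed check and
 * fits the destination. Returns the number of bytes copied, 0 on rejection. */
size_t copy_record(unsigned char *dst, size_t dstcap,
                   const unsigned char *src, int len)
{
    if (!record_len_ok_fixed(len) || (size_t)len > dstcap)
        return 0;
    memcpy(dst, src, (size_t)len);
    return (size_t)len;
}

int main(void)
{
    unsigned char out[RECORD_MAX];
    const unsigned char sample[] = "hello";   /* constructed input */

    printf("buggy check accepts -1: %d\n", record_len_ok_buggy(-1));          /* 1 */
    printf("mixed compare -1 <= 16: %d\n", fits_mixed(-1, 16));              /* 0 */
    printf("fixed check accepts -1: %d\n", record_len_ok_fixed(-1));         /* 0 */
    printf("copied %zu bytes\n", copy_record(out, sizeof out, sample, 5));   /* 5 */
    printf("oversize rejected: %zu\n", copy_record(out, sizeof out, sample, 65)); /* 0 */
    return 0;
}
```

Building it with the warnings turned up, for example `gcc -O2 -Wall -W -Wsign-compare -Wsign-conversion`, reports the mixed comparison in fits_mixed and the int-to-size_t conversion at the memcpy call, while the quiet signed compare in record_len_ok_buggy is the one an audit has to find by reading. Adding `-fstack-protector -D_FORTIFY_SOURCE=2 -fPIE -pie -Wl,-z,relro` gives the build the hardening Steve lists (stack protector, fortified string functions, PIE and relro); those mitigate the consequences of such a bug but do not remove it, which is why the fixed check is still needed.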
</signal> <noise> Benjy Grogan wrote:
Hello:
Is Red Hat worried about Coverity or other such bug/security hole searching private ventures?
I doubt it, that which doesn't kill you makes you stronger.
There are probably 1000s of critical security holes in any given Linux distro and the only problem is that there doesn't exist sophisticated enough tools yet to discover them.
An infinite number of monkeys typing on a typewriter will eventually reproduce the works of Shakespeare... and the Internet provides online distros with an infinite number of monkeys.
But instead of Shakespeare, they find the vulnerabilities. Hence the term "case" hardened. ;-)
Companies like Coverity are attempting to develop them, and for what seems like the greater good of Linux distros.
Oh, the "greater good", I *hate* that expression, it always seems to herald someone taking away something from me: money, guns, civil rights, etc.
Who is John Galt, eh ? :-P
Nevertheless, with Red Hat having invested so much into SELinux is there also considerable thought put into developing a Coverity-like project to get to those lingering security threats first?
Actually, the nature of SELinux is to isolate, or "contain" just such unforeseen, but inevitable, vulnerabilities, in the first place.
Thus the "raison d'etre" of a "container"/"flask" model.
But, I am not speaking for RH... just guessing what their attitude might be. Of course, Carnac the magnificent, I am not. </noise><signal>
Benjy
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list