[Secure-testing-team] A full audit of SPARC arch by our static binary analysis tool

Jake Appelbaum jacob at appelbaum.net
Thu Aug 4 00:46:37 UTC 2005


On Wed, 2005-08-03 at 20:25 -0400, Anthony DeRobertis wrote:
> Jake Appelbaum wrote:
> 
> > I'm sure people are a bit skeptical of a project like this and what kind
> > of things it can do. We're not just doing this because we use Debian but
> > because we want to support Free Software in general.
> 
> Sounds like a good idea. Not only will it possibly reveal unpatched bugs
> in free software, but it will also give your software quite a stress test.
> 
> You don't need Debian's approval to do this; just go ahead and start it
> running. I suggest that if you do start finding a lot of security holes,
> you talk to MITRE to get CAN numbers for the holes you find. And then go
> ahead and report the security bugs in the normal manner.

While I would love to do this, it's just not feasible for me personally
to scan all of SPARC. Our team is on a pretty tight release schedule
and we don't have the spare people power to dedicate them to
scanning all of Debian.

The real issue at hand isn't just unpacking, uploading to our server or
even verifying the vulnerabilities. To get useful debug output (such as
function names, line numbers, file names, etc.), one also needs to compile
the software with '-g' (using gcc). While I suppose you could run the
entire SPARC binary tree through Logiscan without this, it would not be
nearly as useful. A very important part of scanning Debian would be
someone rebuilding everything with debugging information.

-- 
Jake Appelbaum <jacob at appelbaum.net>
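A check that follows from the point about '-g' above, added here as an example and not part of the thread or of Logiscan: a small Python parser that reads an ELF64 section table and reports whether the DWARF `.debug_*` sections gcc emits under `-g` are actually present, so a rebuilt tree can be verified before it is fed to a scanner (a strip step in packaging removes them again even when `-g` was passed). The ELF image the helper builds is a constructed stand-in for a compiled binary, not a real Debian package.

```python
import struct

ELF64_EHDR_SIZE = 64

def elf64_section_names(data):
    """Return the section names of an ELF64 image (little- or big-endian)."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    e = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = LSB, 2 = MSB (SPARC is MSB)
    (shoff,) = struct.unpack_from(e + "Q", data, 40)            # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from(e + "HHH", data, 58)
    def shdr(i):                               # (sh_name, sh_offset, sh_size)
        base = shoff + i * shentsize
        (name,) = struct.unpack_from(e + "I", data, base)
        off, size = struct.unpack_from(e + "QQ", data, base + 24)
        return name, off, size
    _, str_off, str_size = shdr(shstrndx)      # .shstrtab holds the names
    strtab = data[str_off:str_off + str_size]
    names = []
    for i in range(shnum):
        name_off = shdr(i)[0]
        names.append(strtab[name_off:strtab.index(b"\0", name_off)].decode())
    return names

def has_dwarf(data):
    """True if the DWARF sections produced by gcc -g survived packaging/strip."""
    return any(n.startswith((".debug_", ".zdebug_")) for n in elf64_section_names(data))

def build_test_elf64(section_names, big_endian=True):
    """Constructed stand-in for a compiled object (not a real binary): an ELF64
    image with only section headers and .shstrtab, enough to test has_dwarf()."""
    e = ">" if big_endian else "<"
    names = [""] + list(section_names) + [".shstrtab"]
    strtab, name_off = b"\0", {"": 0}
    for n in names[1:]:
        name_off[n] = len(strtab)
        strtab += n.encode() + b"\0"
    shoff = ELF64_EHDR_SIZE + len(strtab)
    ident = b"\x7fELF" + bytes([2, 2 if big_endian else 1, 1]) + b"\0" * 9
    ehdr = ident + struct.pack(e + "HHIQQQIHHHHHH", 1, 43 if big_endian else 62, 1, 0, 0,
                               shoff, 0, ELF64_EHDR_SIZE, 0, 0, 64, len(names), len(names) - 1)
    shdrs = b""
    for n in names:
        is_str = n == ".shstrtab"
        shdrs += struct.pack(e + "IIQQQQIIQQ", name_off[n], 3 if is_str else (1 if n else 0),
                             0, 0, ELF64_EHDR_SIZE if is_str else 0,
                             len(strtab) if is_str else 0, 0, 0, 1, 0)
    return ehdr + strtab + shdrs

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                  # usage: python check_dwarf.py /usr/bin/*
        with open(path, "rb") as f:
            print(path, "debug info" if has_dwarf(f.read()) else "NO debug info")
```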