Debugging Debian
Raul Gonzalez, Jenna Kallaher, Costas Akrivoulis
(Proposed) Toolbox
Static Analysis
• Clang
• CPPCheck
• Splint
• Coverity
Dynamic Analysis
• Zzuf
• Sulley
• Peach
Tools for Fools
Sulley - install/config problems
• "Linux, you can figure it out"
Peach - requires a fair bit of setup
• Needs an XML definition describing how to fuzz / invoke each program
Coverity - learning curve...
(Real) Toolbox
Static Analysis
• Clang
• CPPCheck
• Splint
Dynamic Analysis
• Zzuf
Zzuf
Requires a program that consumes input
• Files preferable
• Can't test libraries independently
• Hard to find targets in default Debian
Targets: Mplayer, Openoffice, FFMpeg, Iceweasel, Totem
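The slide only says what zzuf needs (a program that reads a file) and where that was hard to satisfy. As an added example, not from the slides and not zzuf's own code, the script below implements the same idea in Python: deterministically flip a small ratio of the bits in a valid seed file, run the target on the mutated file, and record runs where the target died on a signal. The target is a constructed toy parser executed under the Python interpreter so the example runs offline; the seed file, the parser and the `TARGET_CMD` list are all assumptions, and a real run would replace `TARGET_CMD` with the package binary (e.g. a media player) plus a sample file.

```python
"""zzuf-style mutation fuzzing of a file-reading program (added example)."""
import os
import random
import signal
import subprocess
import sys
import tempfile

# Constructed toy target: expects a 4-byte magic, a 1-byte record length and
# that many payload bytes. A length larger than the remaining data is handled
# the way an unchecked C parser would "handle" it: the process aborts, which
# is the signal-death a fuzzer like zzuf reports.
TARGET_SRC = r"""
import os, sys
data = open(sys.argv[1], "rb").read()
if data[:4] != b"HDR1":
    sys.exit(2)                     # graceful rejection, not a crash
n = data[4]
payload = data[5:5 + n]
if len(payload) != n:
    os.abort()                      # simulated out-of-bounds read -> SIGABRT
sys.exit(0)
"""
TARGET_CMD = [sys.executable, "-c", TARGET_SRC]   # assumption: swap for a real binary

# Constructed seed input: valid header, 16-byte record, trailing filler.
SEED_FILE = b"HDR1" + bytes([16]) + b"A" * 16 + b"\x00" * 8


def mutate(data: bytes, seed: int, ratio: float) -> bytes:
    """Flip about `ratio` of the bits in `data`; deterministic for a given
    seed so a crash can be reproduced, and length-preserving like zzuf."""
    rng = random.Random(seed)
    out = bytearray(data)
    for i in range(len(out)):
        for bit in range(8):
            if rng.random() < ratio:
                out[i] ^= 1 << bit
    return bytes(out)


def run_target(data: bytes, cmd=TARGET_CMD, timeout: float = 5.0) -> int:
    """Write `data` to a temp file and run the target on it. Returns the exit
    status: >= 0 is a normal exit code, < 0 means death by that signal."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
        path = f.name
    try:
        proc = subprocess.run(cmd + [path], timeout=timeout,
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return proc.returncode
    except subprocess.TimeoutExpired:
        # subprocess.run has already killed the hung child; report it as such.
        return -int(signal.SIGKILL)
    finally:
        os.unlink(path)


def outcome(rc: int) -> str:
    """Human-readable classification of a run_target() result."""
    if rc < 0:
        return "crash:" + signal.Signals(-rc).name
    return f"exit:{rc}"


def fuzz(seeds, ratio: float):
    """One mutated input per seed; returns [(seed, outcome)] for crashes only."""
    crashes = []
    for seed in seeds:
        rc = run_target(mutate(SEED_FILE, seed, ratio))
        if rc < 0:
            crashes.append((seed, outcome(rc)))
    return crashes


if __name__ == "__main__":
    for seed, what in fuzz(range(200), ratio=0.01):
        print(f"seed {seed}: {what}  (reproduce with mutate(SEED_FILE, {seed}, 0.01))")
```

The seed plus ratio is the whole reproducer, which is why the mutation is driven by `random.Random(seed)` rather than the global RNG; the same property is what makes zzuf's `-s` seed ranges useful when a crash has to be handed to a package maintainer.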
Static Process
Source Code → Raw Findings → Filtered Findings → Confirmed Bugs → Vulnerable Bugs
CPPCheck
Easiest to use - point and shoot
• Null pointer dereferences
• Array out-of-bounds accesses
• Uninitialized variables
Clang Static Analyzer
Requires project source code
• Project must be written in C/C++
Detailed issue report
• File + line, conclusion, and argument
Can check any appropriate Debian package
Findings
• Thousands of findings from Clang, cppcheck, splint
• Hundreds of confirmed false positives
• Hundreds of instances of undefined or risky behavior
• 31 confirmed bugs
Example finding (cppcheck) with the flagged source line:
[libavcodec/ffv1.c:781]: (error) Array index -1 is out of bounds
[libavcodec/ffv1.c:781]: sample[i][-1] = sample[0][0]
Findings
• Enough data generated by the tools
• Remainder of our time focused on manual inspection of findings
• Interesting errors remain
  • buffer overflow errors in linux-base
  • sprintf usage errors from libupnp
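The "Static Process" slide gives the pipeline (raw findings, filtered findings, then manual confirmation) and the Findings slides give the scale: thousands of raw hits, hundreds of false positives, 31 confirmed bugs. As an added example, not from the slides or from any of the tools, the script below does the mechanical part of that pipeline for cppcheck's `[file:line]: (severity) message` text format, the format of the ffv1.c line above: parse, deduplicate, drop low-severity noise, drop locations already confirmed as false positives, group by the bug classes the CPPCheck slide lists, and emit an ordered worklist for the manual pass. Only the ffv1.c line is from the slides; the other sample findings and the suppression list are constructed for the example. Confirming a bug, and deciding whether it is vulnerable, stays a human step.

```python
"""Triage of raw cppcheck findings into a worklist for manual review (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# cppcheck text line: [path:line]: (severity) message
FINDING_RE = re.compile(
    r"^\[(?P<file>[^:\]]+):(?P<line>\d+)\]: \((?P<severity>\w+)\) (?P<message>.*)$"
)

# Constructed raw output. The first line is the finding shown on the slides;
# the rest (including the duplicate) are made up to exercise the filters.
RAW_FINDINGS = """\
[libavcodec/ffv1.c:781]: (error) Array index -1 is out of bounds
[libavcodec/ffv1.c:781]: (error) Array index -1 is out of bounds
[libavcodec/h264.c:1200]: (error) Uninitialized variable: mb_type
[libavcodec/h264.c:1200]: (style) The scope of the variable 'i' can be reduced
[libavformat/utils.c:300]: (error) Possible null pointer dereference: pkt
[libavformat/utils.c:301]: (warning) Memory leak: buf
[libswscale/swscale.c:42]: (information) Cppcheck cannot find all the include files
[libavcodec/h264.c:1200]: (performance) Prefer prefix ++/-- operators
"""

SEVERITY_RANK = {"error": 0, "warning": 1, "performance": 2, "style": 3, "information": 4}

# Locations a reviewer has already confirmed as false positives (constructed).
KNOWN_FALSE_POSITIVES = {("libswscale/swscale.c", 42)}

# Bug classes from the CPPCheck slide, matched on the message text.
CATEGORIES = [
    ("null-deref", re.compile(r"null pointer dereference", re.I)),
    ("array-oob", re.compile(r"Array index .* out of bounds")),
    ("uninit", re.compile(r"^Uninitialized variable")),
]


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    severity: str
    message: str


def parse(text: str) -> list:
    """Raw tool output -> list of Finding; lines that are not findings are skipped."""
    out = []
    for raw in text.splitlines():
        m = FINDING_RE.match(raw)
        if m:
            out.append(Finding(m["file"], int(m["line"]), m["severity"], m["message"]))
    return out


def category(f: Finding) -> str:
    for name, rx in CATEGORIES:
        if rx.search(f.message):
            return name
    return "other"


def filter_findings(findings, min_severity="warning", suppressed=KNOWN_FALSE_POSITIVES):
    """Raw -> filtered: dedupe exact repeats, drop anything below min_severity,
    drop suppressed locations, then order by severity then location."""
    cutoff = SEVERITY_RANK[min_severity]
    seen, kept = set(), []
    for f in findings:
        if f in seen:
            continue
        seen.add(f)
        if SEVERITY_RANK.get(f.severity, 99) > cutoff:
            continue
        if (f.file, f.line) in suppressed:
            continue
        kept.append(f)
    return sorted(kept, key=lambda f: (SEVERITY_RANK[f.severity], f.file, f.line))


def summarize(findings) -> Counter:
    """Counts per bug class, the number a reviewer budgets manual time against."""
    return Counter(category(f) for f in findings)


if __name__ == "__main__":
    raw = parse(RAW_FINDINGS)
    worklist = filter_findings(raw)
    print(f"{len(raw)} raw findings -> {len(worklist)} for manual review")
    for f in worklist:
        print(f"{f.severity:8} {category(f):10} {f.file}:{f.line}  {f.message}")
```

The suppression set is keyed on file and line rather than message text so that a confirmed false positive stays suppressed across tool versions that reword messages; the cost is that it goes stale when the file is edited, which is why the worklist also carries the category, so a reviewer can re-check whole classes (for example every array-index finding in one decoder) at once.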