OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?
Dan Lukes
dan at obluda.cz
Thu Apr 24 09:25:08 UTC 2014
On 04/24/14 08:33, Erik Cederstrand:
> we need some way of marking them as false positive or wontfix, so the effort isn't duplicated. Out of the 10.000 reports, a conservative guess is that at least 100 of them are real security issues
> A year ago, I did a raid on reports about not checking the return value of setuid() and friends, which did uncover real issues.
Well, about nine years ago I spent some time analysing the warnings
raised by the compiler during 'buildworld' (see bin/71632 for example). Most
of them were false positives of course, but it was possible to
modify the code to avoid them in the future. Just a few true issues were
discovered, of course.

I created PRs and proposed patches for most of them - both bugs and
warnings that can be avoided.

So many of those PRs have been left untouched for years.

I considered that the proactive approach is not so welcome. I'm not
complaining in any way; it's about my feeling that I wasted my time on
activity not considered useful. I fully understand that reviewing
tens of patches takes time and that no fun nor honor is attached to such kind
of work.

That's it. Yes, we need a "wontfix" mark, or similar. But before that, the
cleanup of code needs to be recognized as something valuable and
important. Heartbleed raised the dust, so we are discussing those issues
now. But the dust will settle again within a few weeks. Reviewing "just
code cleanup" reports will become a "not fun/no honor/time costly" task
again. A kind of task with no priority.

Please note that my skills in English are very limited. I'm not trying
to attack the committers nor anyone else in any way. People tend to have
human characteristics (I'm no exception), and not-fun tasks that can
be delayed will be delayed.

I'm just trying to explain why I feel that "we have no code analysis
done yet" or "we need a wontfix flag" is not the most important question.

I'm not trying to push anyone. Just asking. If we (volunteers with no
commit rights) spend time (and maybe money) doing the analysis,
will someone with commit rights take the job, despite it being a time-costly
task with little honor, and despite the Heartbleed dust having
settled?
Dan