Re: [Plib-devel] Buffer Overflow Study at Auburn University - PLIB developers I would really apprec
Brought to you by:
sjbaker
Menu
▾
▴
Re: [Plib-devel] Buffer Overflow Study at Auburn University - PLIB developers I would really appreciate your help!
|
From: Steve B. <st...@sj...> - 2012-11-08 20:40:44
|
> Questions: (There are ten questions.) > > 1. How long have you been a software developer? 40 years. > 2. How long have you been affiliated with PLIB? Were you part of > the original development team for this software? I was the original author. I wrote it 16 years ago. > 3. What is the size of the current code base? 40,000 lines of code. > 4. Did you follow a coding standard when developing this > software? Is it a standard determined by your group? No. > 5. What did you use to manage bug reports in your software? Does > it satisfy your requirements? Are there other software options that > you would consider switching to? We used email to the development team and nothing else. These days, I'd use bugzilla. > 6. Did you use any compiler options to detect integer overflow > vulnerabilities? Do you think that they are useful? No. Graphics software needs as much raw speed as it can get - I turn off everything like that. > 7. Did you use any automated (static or dynamic analysis) tools > to detect buffer overflows, integer overflows, or any other bugs? > Which tools did you use? Why these tools? No. We did not use any tools like that. > 8. Did you use fuzzing? Which tools did you use and why? If you > wrote your own fuzzer, why did you write it yourself? Was it written > from scratch or by extending some other fuzzing tools? No. > 9. Did you have specific phases during development where you > concentrated on fixing security issues? Did you have a test suite, > unit tests, or regression tests? No. > 10. Buffer overflows often result from the use of unsafe functions, > such as strcpy. Does your software use those? If you use a different > string library, why is it used? Is it an in-house library or an > off-the-shelf library? Did you migrate your code to use the string > library? Probably - it's a graphics package so there is almost zero string manipulation. -- Steve |
