discuss: Thread: New HOTWO Proposal - Source Code Auditing HOWTO
Subject:
New HOTWO Proposal - Source Code Auditing HOWTO
From:
Steve Kemp ####@####.####
Date:
10 May 2004 14:16:14 -0000
Message-Id: <20040510141613.GA22541@steve.org.uk>
I've been interested in computer security for a while, and have been
performing a lot of source code audits in my spare time.
As part of a website I'm trying to put together a document explaining
how these are constructed, and it seems logical to me that this could
be written in docbook format and submitted to the TLDP.
I've had a look over the current HOWTOs and I don't see anything
immediately comparable.
My intention is that the source code auditing HOWTO will fit the
gap between the documents that describe secure programming practices
and those that describe how to exploit buggy software.
The piece is a work in progress and is divided up as follows:
1. General
2. Intro
3. Choosing a target program.
4. Automated auditing with tools.
5. Manual inspection.
6. Reporting problems.
7. Further information.
Any comments would be gratefully received. I guess my biggest
concern right now is that the subject scope might be too narrow
and too specific to be interesting to other readers.
Steve
--
# Debian Security Audit Project
http://www.shellcode.org/Audit/
Subject:
Re: New HOTWO Proposal - Source Code Auditing HOWTO
From:
Charles Curley ####@####.####
Date:
10 May 2004 18:21:44 -0000
Message-Id: <20040510182139.GO17520@charlescurley.com>
On Mon, May 10, 2004 at 03:16:13PM +0100, Steve Kemp wrote:
>
> I've been interested in computer security for a while, and have been
> performing a lot of source code audits in my spare time.
>
> As part of a website I'm trying to put together a document explaining
> how these are constructed, and it seems logical to me that this could
> be written in docbook format and submitted to the TLDP.
I think this is an excellent idea, even if it isn't Linux
specific. Software engineers should be conscious of security issues
from the very inception of a project all the way through to end of
life.
--
Charles Curley /"\ ASCII Ribbon Campaign
Looking for fine software \ / Respect for open standards
and/or writing? X No HTML/RTF in email
http://www.charlescurley.com / \ No M$ Word docs in email
Key fingerprint = CE5C 6645 A45A 64E4 94C0 809C FFF6 4C48 4ECD DFDB
<type 'exceptions.IOError'> | Python 2.5.2: /usr/bin/python Sat Jul 6 03:54:30 2024 |
A problem occurred in a Python script. Here is the sequence of
function calls leading up to the error, in the order they occurred.
(Reviewer note: what follows is a cgitb-style debug traceback that was served to an anonymous web client. It discloses the application's install path (/opt/ezmlm-browse-0.20), the interpreter version (Python 2.5.2, long past end of life), the process argv, and the full request context dict including forwarded HTTP headers — none of which a production CGI should emit; verbose tracebacks belong in a server-side log, with only a generic error shown to the user. The root cause is also visible below: no template file exists for the MIME type `application/pgp-signature`, so template() falls back to opening `sys.argv[0]` as a zip archive, but the script was apparently started via `python -c`, leaving argv[0] as the literal string '-c' and the open fails with ENOENT. Rendering any thread that contains a PGP-signed message therefore appears to crash the page in this deployment.)
/opt/ezmlm-browse-0.20/main.py in main() |
424
|
425 if path is not None:
|
426 main_path(path)
|
427 else:
|
428 main_form()
|
global main_form = <function main_form at 0x9819c6c> |
/opt/ezmlm-browse-0.20/main.py in main_form() |
378 except ImportError:
|
379 die(ctxt, "Invalid command")
|
380 module.do(ctxt)
|
381
|
382 def main():
|
module = <module 'commands.showthread' from '/opt/ezmlm-browse-0.20/commands/showthread.pyc'>, module.do = <function do at 0x9823684>, global ctxt = {'HTTP_X_FORWARDED_SERVER': 'glitch', 'HTTP_REFE...HTTP_ACCEPT_ENCODING': 'gzip, br, zstd, deflate'} |
/opt/ezmlm-browse-0.20/commands/showthread.py in do(ctxt={'HTTP_X_FORWARDED_SERVER': 'glitch', 'HTTP_REFE...HTTP_ACCEPT_ENCODING': 'gzip, br, zstd, deflate'}) |
9 ctxt.update(ezmlm.thread(ctxt[THREADID]))
|
10 header(ctxt, 'Thread: ' + ctxt[SUBJECT], 'showthread')
|
11 do_list(ctxt, 'msgs', ctxt[MSGSPERPAGE], ctxt[MESSAGES],
|
12 lambda:sub_showmsg(ctxt, ctxt[MSGNUM]))
|
13 footer(ctxt)
|
global sub_showmsg = <function sub_showmsg at 0x98191ec>, ctxt = {'HTTP_X_FORWARDED_SERVER': 'glitch', 'HTTP_REFE...HTTP_ACCEPT_ENCODING': 'gzip, br, zstd, deflate'}, global MSGNUM = 'msgnum' |
/opt/ezmlm-browse-0.20/globalfns.py in do_list(ctxt={'HTTP_X_FORWARDED_SERVER': 'glitch', 'HTTP_REFE...HTTP_ACCEPT_ENCODING': 'gzip, br, zstd, deflate'}, name='msgs', perpage=10, values=[{'author': u'Steve Kemp', 'authorid': 'naaehjjkoonhninojook', 'date': '10 May 2004 14:16:14 -0000', 'month': 200405, 'msgnum': 7252, 'subject': u'New HOTWO Proposal - Source Code Auditing HOWTO', 'threadid': 'ecpjlcneojlbednmdldj', 'timestamp': 1084198574.0}, {'author': u'Charles Curley', 'authorid': 'fbacfjfdkmpbdhgmbbhp', 'date': '10 May 2004 18:21:44 -0000', 'month': 200405, 'msgnum': 7255, 'subject': u'Re: New HOTWO Proposal - Source Code Auditing HOWTO', 'threadid': 'ecpjlcneojlbednmdldj', 'timestamp': 1084213304.0}], peritem=<function <lambda> at 0x982380c>) |
128 write(template % ctxt)
|
129 if peritem:
|
130 peritem()
|
131 ctxt[ROW] += 1
|
132
|
peritem = <function <lambda> at 0x982380c> |
/opt/ezmlm-browse-0.20/commands/showthread.py in () |
9 ctxt.update(ezmlm.thread(ctxt[THREADID]))
|
10 header(ctxt, 'Thread: ' + ctxt[SUBJECT], 'showthread')
|
11 do_list(ctxt, 'msgs', ctxt[MSGSPERPAGE], ctxt[MESSAGES],
|
12 lambda:sub_showmsg(ctxt, ctxt[MSGNUM]))
|
13 footer(ctxt)
|
global sub_showmsg = <function sub_showmsg at 0x98191ec>, ctxt = {'HTTP_X_FORWARDED_SERVER': 'glitch', 'HTTP_REFE...HTTP_ACCEPT_ENCODING': 'gzip, br, zstd, deflate'}, global MSGNUM = 'msgnum' |
/opt/ezmlm-browse-0.20/globalfns.py in sub_showmsg(ctxt={'HTTP_X_FORWARDED_SERVER': 'glitch', 'HTTP_REFE...HTTP_ACCEPT_ENCODING': 'gzip, br, zstd, deflate'}, msgnum=7255) |
229 format_timestamp(ctxt, ctxt)
|
230 write(html('msg-header') % ctxt)
|
231 rec_showpart(ctxt, msg, 0)
|
232 write(html('msg-footer') % ctxt)
|
233 ctxt.pop()
|
global rec_showpart = <function rec_showpart at 0x98191b4>, ctxt = {'HTTP_X_FORWARDED_SERVER': 'glitch', 'HTTP_REFE...HTTP_ACCEPT_ENCODING': 'gzip, br, zstd, deflate'}, msg = <email.message.Message instance at 0x9877f4c> |
/opt/ezmlm-browse-0.20/globalfns.py in rec_showpart(ctxt={'HTTP_X_FORWARDED_SERVER': 'glitch', 'HTTP_REFE...HTTP_ACCEPT_ENCODING': 'gzip, br, zstd, deflate'}, part=<email.message.Message instance at 0x9877f4c>, partnum=1) |
205 else:
|
206 for p in part.get_payload():
|
207 partnum = rec_showpart(ctxt, p, partnum+1)
|
208 else:
|
209 write(html('msg-sep') % ctxt)
|
partnum = 1, global rec_showpart = <function rec_showpart at 0x98191b4>, ctxt = {'HTTP_X_FORWARDED_SERVER': 'glitch', 'HTTP_REFE...HTTP_ACCEPT_ENCODING': 'gzip, br, zstd, deflate'}, p = <email.message.Message instance at 0x987e14c> |
/opt/ezmlm-browse-0.20/globalfns.py in rec_showpart(ctxt={'HTTP_X_FORWARDED_SERVER': 'glitch', 'HTTP_REFE...HTTP_ACCEPT_ENCODING': 'gzip, br, zstd, deflate'}, part=<email.message.Message instance at 0x987e14c>, partnum=2) |
208 else:
|
209 write(html('msg-sep') % ctxt)
|
210 sub_showpart(ctxt, part)
|
211 return partnum
|
212
|
global sub_showpart = <function sub_showpart at 0x9819144>, ctxt = {'HTTP_X_FORWARDED_SERVER': 'glitch', 'HTTP_REFE...HTTP_ACCEPT_ENCODING': 'gzip, br, zstd, deflate'}, part = <email.message.Message instance at 0x987e14c> |
/opt/ezmlm-browse-0.20/globalfns.py in sub_showpart(ctxt={'HTTP_X_FORWARDED_SERVER': 'glitch', 'HTTP_REFE...HTTP_ACCEPT_ENCODING': 'gzip, br, zstd, deflate'}, part=<email.message.Message instance at 0x987e14c>) |
164 type = ctxt[TYPE] = part.get_content_type()
|
165 ctxt[FILENAME] = part.get_filename()
|
166 template = html('msg-' + type.replace('/', '-'))
|
167 if not template:
|
168 template = html('msg-' + type[:type.find('/')])
|
global template = <function template at 0x9811e9c>, global html = <function html at 0x9811ed4>, type = 'application/pgp-signature', type.replace = <built-in method replace of str object at 0x987bd78> |
/opt/ezmlm-browse-0.20/globalfns.py in html(name='msg-application-pgp-signature') |
40
|
41 def html(name):
|
42 return template(name + '.html')
|
43
|
44 def xml(name):
|
global template = <function template at 0x9811e9c>, name = 'msg-application-pgp-signature' |
/opt/ezmlm-browse-0.20/globalfns.py in template(filename='msg-application-pgp-signature.html') |
31 except IOError:
|
32 if not _template_zipfile:
|
33 _template_zipfile = zipfile.ZipFile(sys.argv[0])
|
34 try:
|
35 f = _template_zipfile.open(n).read()
|
global _template_zipfile = None, global zipfile = <module 'zipfile' from '/usr/lib/python2.5/zipfile.pyc'>, zipfile.ZipFile = <class zipfile.ZipFile at 0x97aaa7c>, global sys = <module 'sys' (built-in)>, sys.argv = ['-c', '/opt/ezmlm-browse-0.20'] |
/usr/lib/python2.5/zipfile.py in __init__(self=<zipfile.ZipFile instance at 0x9877e8c>, file='-c', mode='r', compression=0, allowZip64=False) |
337 self.filename = file
|
338 modeDict = {'r' : 'rb', 'w': 'wb', 'a' : 'r+b'}
|
339 self.fp = open(file, modeDict[mode])
|
340 else:
|
341 self._filePassed = 1
|
self = <zipfile.ZipFile instance at 0x9877e8c>, self.fp = None, builtin open = <built-in function open>, file = '-c', modeDict = {'a': 'r+b', 'r': 'rb', 'w': 'wb'}, mode = 'r' |
<type 'exceptions.IOError'>: [Errno 2] No such file or directory: '-c'
args =
(2, 'No such file or directory')
errno =
2
filename =
'-c'
message =
''
strerror =
'No such file or directory'