[Lists] [Configure] [<<] [<] [by Thread] [by Date] [>] [>>] [Months] [Search] [eSubscribe] News Feed

discuss: Thread: New HOTWO Proposal - Source Code Auditing HOWTO

[<<] [<] Page 1 of 1 [>] [>>]
Subject: New HOTWO Proposal - Source Code Auditing HOWTO
From: Steve Kemp ####@####.####
Date: 10 May 2004 14:16:14 -0000
Message-Id: <20040510141613.GA22541@steve.org.uk> 
  I've been interested in computer security for a while, and have been 
 performing a lot of source code audits in my spare time.

  As part of a website I'm trying to put together a document explaining
 how these are constructed, and it seems logical to me that this could
 be written in docbook format and submitted to the TLDP.

  I've had a look over the current HOWTOs and I don't see anything 
 immediately comparable.

  My intention is that the source code auditing HOWTO will fit the
 gap between those documents describing secure programming practises
 and those which describe how to exploit buggy software.

  The piece is work in progress and is devided up as follows:

   1.  General
   2.  Intro
   3.  Choosing a target program.
   4.  Automated auditing with tools.
   5.  Manual inspection.
   6.  Reporting problems.
   7.  Further information.

  Any comments would be greatfully received.  I guess my biggest 
 concern right now is that the subject scope might be very narrow
 and too specific to be interesting to other readers?

Steve
--
# Debian Security Audit Project
http://www.shellcode.org/Audit/
Subject: Re: New HOTWO Proposal - Source Code Auditing HOWTO
From: Charles Curley ####@####.####
Date: 10 May 2004 18:21:44 -0000
Message-Id: <20040510182139.GO17520@charlescurley.com> 
On Mon, May 10, 2004 at 03:16:13PM +0100, Steve Kemp wrote:
> 
>   I've been interested in computer security for a while, and have been 
>  performing a lot of source code audits in my spare time.
> 
>   As part of a website I'm trying to put together a document explaining
>  how these are constructed, and it seems logical to me that this could
>  be written in docbook format and submitted to the TLDP.

I think this is an excellent idea, even if it isn't Linux
specific. Software engineers should be conscious of security issues
from the very inception of a project all the way through to end of
life.

-- 

Charles Curley                  /"\    ASCII Ribbon Campaign
Looking for fine software       \ /    Respect for open standards
and/or writing?                  X     No HTML/RTF in email
http://www.charlescurley.com    / \    No M$ Word docs in email

Key fingerprint = CE5C 6645 A45A 64E4 94C0  809C FFF6 4C48 4ECD DFDB
--> -->
 
 
<type 'exceptions.IOError'>		Python 2.5.2: /usr/bin/python
Sat Jul 6 03:54:30 2024

A problem occurred in a Python script. Here is the sequence of function calls leading up to the error, in the order they occurred.

 /opt/ezmlm-browse-0.20/<string> in ()
 /opt/ezmlm-browse-0.20/main.py in main()
  424 
  425         if path is not None:
  426                 main_path(path)
  427         else:
  428                 main_form()
global main_form = <function main_form at 0x9819c6c>
 /opt/ezmlm-browse-0.20/main.py in main_form()
  378         except ImportError:
  379                 die(ctxt, "Invalid command")
  380         module.do(ctxt)
  381 
  382 def main():
module = <module 'commands.showthread' from '/opt/ezmlm-browse-0.20/commands/showthread.pyc'>, module.do = <function do at 0x9823684>, global ctxt = {'HTTP_X_FORWARDED_SERVER': 'glitch', 'HTTP_REFE...HTTP_ACCEPT_ENCODING': 'gzip, br, zstd, deflate'}
 /opt/ezmlm-browse-0.20/commands/showthread.py in do(ctxt={'HTTP_X_FORWARDED_SERVER': 'glitch', 'HTTP_REFE...HTTP_ACCEPT_ENCODING': 'gzip, br, zstd, deflate'})
    9         ctxt.update(ezmlm.thread(ctxt[THREADID]))
   10         header(ctxt, 'Thread: ' + ctxt[SUBJECT], 'showthread')
   11         do_list(ctxt, 'msgs', ctxt[MSGSPERPAGE], ctxt[MESSAGES],
   12                         lambda:sub_showmsg(ctxt, ctxt[MSGNUM]))
   13         footer(ctxt)
global sub_showmsg = <function sub_showmsg at 0x98191ec>, ctxt = {'HTTP_X_FORWARDED_SERVER': 'glitch', 'HTTP_REFE...HTTP_ACCEPT_ENCODING': 'gzip, br, zstd, deflate'}, global MSGNUM = 'msgnum'
 /opt/ezmlm-browse-0.20/globalfns.py in do_list(ctxt={'HTTP_X_FORWARDED_SERVER': 'glitch', 'HTTP_REFE...HTTP_ACCEPT_ENCODING': 'gzip, br, zstd, deflate'}, name='msgs', perpage=10, values=[{'author': u'Steve Kemp', 'authorid': 'naaehjjkoonhninojook', 'date': '10 May 2004 14:16:14 -0000', 'month': 200405, 'msgnum': 7252, 'subject': u'New HOTWO Proposal - Source Code Auditing HOWTO', 'threadid': 'ecpjlcneojlbednmdldj', 'timestamp': 1084198574.0}, {'author': u'Charles Curley', 'authorid': 'fbacfjfdkmpbdhgmbbhp', 'date': '10 May 2004 18:21:44 -0000', 'month': 200405, 'msgnum': 7255, 'subject': u'Re: New HOTWO Proposal - Source Code Auditing HOWTO', 'threadid': 'ecpjlcneojlbednmdldj', 'timestamp': 1084213304.0}], peritem=<function <lambda> at 0x982380c>)
  128                 write(template % ctxt)
  129                 if peritem:
  130                         peritem()
  131                 ctxt[ROW] += 1
  132 
peritem = <function <lambda> at 0x982380c>
 /opt/ezmlm-browse-0.20/commands/showthread.py in ()
    9         ctxt.update(ezmlm.thread(ctxt[THREADID]))
   10         header(ctxt, 'Thread: ' + ctxt[SUBJECT], 'showthread')
   11         do_list(ctxt, 'msgs', ctxt[MSGSPERPAGE], ctxt[MESSAGES],
   12                         lambda:sub_showmsg(ctxt, ctxt[MSGNUM]))
   13         footer(ctxt)
global sub_showmsg = <function sub_showmsg at 0x98191ec>, ctxt = {'HTTP_X_FORWARDED_SERVER': 'glitch', 'HTTP_REFE...HTTP_ACCEPT_ENCODING': 'gzip, br, zstd, deflate'}, global MSGNUM = 'msgnum'
 /opt/ezmlm-browse-0.20/globalfns.py in sub_showmsg(ctxt={'HTTP_X_FORWARDED_SERVER': 'glitch', 'HTTP_REFE...HTTP_ACCEPT_ENCODING': 'gzip, br, zstd, deflate'}, msgnum=7255)
  229         format_timestamp(ctxt, ctxt)
  230         write(html('msg-header') % ctxt)
  231         rec_showpart(ctxt, msg, 0)
  232         write(html('msg-footer') % ctxt)
  233         ctxt.pop()
global rec_showpart = <function rec_showpart at 0x98191b4>, ctxt = {'HTTP_X_FORWARDED_SERVER': 'glitch', 'HTTP_REFE...HTTP_ACCEPT_ENCODING': 'gzip, br, zstd, deflate'}, msg = <email.message.Message instance at 0x9877f4c>
 /opt/ezmlm-browse-0.20/globalfns.py in rec_showpart(ctxt={'HTTP_X_FORWARDED_SERVER': 'glitch', 'HTTP_REFE...HTTP_ACCEPT_ENCODING': 'gzip, br, zstd, deflate'}, part=<email.message.Message instance at 0x9877f4c>, partnum=1)
  205                 else:
  206                         for p in part.get_payload():
  207                                 partnum = rec_showpart(ctxt, p, partnum+1)
  208         else:
  209                 write(html('msg-sep') % ctxt)
partnum = 1, global rec_showpart = <function rec_showpart at 0x98191b4>, ctxt = {'HTTP_X_FORWARDED_SERVER': 'glitch', 'HTTP_REFE...HTTP_ACCEPT_ENCODING': 'gzip, br, zstd, deflate'}, p = <email.message.Message instance at 0x987e14c>
 /opt/ezmlm-browse-0.20/globalfns.py in rec_showpart(ctxt={'HTTP_X_FORWARDED_SERVER': 'glitch', 'HTTP_REFE...HTTP_ACCEPT_ENCODING': 'gzip, br, zstd, deflate'}, part=<email.message.Message instance at 0x987e14c>, partnum=2)
  208         else:
  209                 write(html('msg-sep') % ctxt)
  210                 sub_showpart(ctxt, part)
  211         return partnum
  212 
global sub_showpart = <function sub_showpart at 0x9819144>, ctxt = {'HTTP_X_FORWARDED_SERVER': 'glitch', 'HTTP_REFE...HTTP_ACCEPT_ENCODING': 'gzip, br, zstd, deflate'}, part = <email.message.Message instance at 0x987e14c>
 /opt/ezmlm-browse-0.20/globalfns.py in sub_showpart(ctxt={'HTTP_X_FORWARDED_SERVER': 'glitch', 'HTTP_REFE...HTTP_ACCEPT_ENCODING': 'gzip, br, zstd, deflate'}, part=<email.message.Message instance at 0x987e14c>)
  164         type = ctxt[TYPE] = part.get_content_type()
  165         ctxt[FILENAME] = part.get_filename()
  166         template = html('msg-' + type.replace('/', '-'))
  167         if not template:
  168                 template = html('msg-' + type[:type.find('/')])
global template = <function template at 0x9811e9c>, global html = <function html at 0x9811ed4>, type = 'application/pgp-signature', type.replace = <built-in method replace of str object at 0x987bd78>
 /opt/ezmlm-browse-0.20/globalfns.py in html(name='msg-application-pgp-signature')
   40 
   41 def html(name):
   42         return template(name + '.html')
   43 
   44 def xml(name):
global template = <function template at 0x9811e9c>, name = 'msg-application-pgp-signature'
 /opt/ezmlm-browse-0.20/globalfns.py in template(filename='msg-application-pgp-signature.html')
   31         except IOError:
   32                 if not _template_zipfile:
   33                         _template_zipfile = zipfile.ZipFile(sys.argv[0])
   34                 try:
   35                         f = _template_zipfile.open(n).read()
global _template_zipfile = None, global zipfile = <module 'zipfile' from '/usr/lib/python2.5/zipfile.pyc'>, zipfile.ZipFile = <class zipfile.ZipFile at 0x97aaa7c>, global sys = <module 'sys' (built-in)>, sys.argv = ['-c', '/opt/ezmlm-browse-0.20']
 /usr/lib/python2.5/zipfile.py in __init__(self=<zipfile.ZipFile instance at 0x9877e8c>, file='-c', mode='r', compression=0, allowZip64=False)
  337             self.filename = file
  338             modeDict = {'r' : 'rb', 'w': 'wb', 'a' : 'r+b'}
  339             self.fp = open(file, modeDict[mode])
  340         else:
  341             self._filePassed = 1
self = <zipfile.ZipFile instance at 0x9877e8c>, self.fp = None, builtin open = <built-in function open>, file = '-c', modeDict = {'a': 'r+b', 'r': 'rb', 'w': 'wb'}, mode = 'r'

<type 'exceptions.IOError'>: [Errno 2] No such file or directory: '-c'
      args = (2, 'No such file or directory')
      errno = 2
      filename = '-c'
      message = ''
      strerror = 'No such file or directory'