Slashdot Mirror


Coverity Reports Open Source Security Making Great Strides

Coverity is claiming they have found and helped to fix more than 7,500 security flaws in open source software since the inception of the governmentally backed project designed to harden open source software. The company has also identified eleven projects that have been especially responsive in correcting security problems. "Eleven projects have been awarded the newly announced status of Rung 2, including those known as Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL."

48 comments

  1. Overdose by PetiePooo · · Score: 1

    What is Overdose? I've searched Google, but all I get is links to Heroin recovery groups...

    1. Re:Overdose by PetiePooo · · Score: 4, Funny

      > What is Overdose? I've searched Google, but all I get is links to Heroin recovery groups...

      Ah, never mind. It's a Yahoo! chat client. I should have searched Sourceforge instead...

    2. Re:Overdose by UdoKeir · · Score: 1

      Hmmm... posting that link ought to spike their project activity stats for a couple of days. ;-)

  2. Dupe? by hax0r_this · · Score: 2, Informative

    Is this story different than this one?

    1. Re:Dupe? by ashridah · · Score: 4, Interesting

      Yes. It has a positive bias in the title (pro open source) instead of a negative one. We want slashdot to be fair and impartial right....?

      ash

    2. Re:Dupe? by EvanED · · Score: 1

      The other one isn't as blatant an advertisement for Coverity? ;-)

  3. Anyone else by Bloke+down+the+pub · · Score: 4, Funny

    Anyone else read that as "Coventry"? Bloody shit-hole, I went there once and nobody spoke to me.

    --
    It's true I tell you, feller at work's next door neighbour read it in the paper.
    1. Re:Anyone else by rickb928 · · Score: 1

      No matter where you're from, somewhere else is a bloody shithole.

      Except for my hometown. It's the elbow of the Earth. You can see the armpit from there.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    2. Re:Anyone else by networkBoy · · Score: 1

      You live in the sac metro area then?
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    3. Re:Anyone else by rickb928 · · Score: 1

      Actually, a place in Maine... Looks a little like Vermont.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
  4. Dupe by sethawoolley · · Score: 1, Informative

    Come on guys, didn't you notice this one a couple days ago?

    http://it.slashdot.org/article.pl?sid=08/01/09/0027229

  5. 173 Projects NOT being actively scanned by gQuigs · · Score: 3, Informative

    If you are involved in said projects, please contact Coverity through the website and get involved. I don't see any reason why a project would not want to have this scan done.

    Rung 0: http://scan.coverity.com/rung0.html

    1. Re:173 Projects NOT being actively scanned by X0563511 · · Score: 1

      At the bottom of the page:

      > If you have any questions or would like to suggest additional
      > projects to be added, please email [SNIP]

      To get the snipped email, ROT-13 this: fpna-nqzva@pbirevgl.pbz

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    2. Re:173 Projects NOT being actively scanned by Anonymous Coward · · Score: 1, Interesting

      My project is one of the 173.

      Coverity contacted me several months ago. I fixed every issue that they raised and informed them of such. They said thanks and I heard nothing more.

      Now they say that my project is in "Rung 0" and they haven't responded to my efforts to contact them. So I really have no idea what is going on; whether they found something new (and unknown to me), or that I'm supposed to be doing something that I haven't done, or what.

    3. Re:173 Projects NOT being actively scanned by Anonymous Coward · · Score: 0

      What is the name of your project? There are only a few people that have to deal with a large volume of email and questions. The guys are really nice. Please try and contact him again. I'm sure that he'll respond if he sees your note.

  6. great news by Anonymous Coward · · Score: 0

    no one will call php loser now!

  7. Experience with Nmap by katterjohn · · Score: 4, Informative

    I've been working with Nmap for nearly 2 years now; I went over a Coverity scan of the Nmap source code and fixed many possible bugs (mostly NULL dereferences). Coverity has a great interface and documented the bugs well.

  8. FOSSie bailout by Big Daddy Gubment by Anonymous Coward · · Score: 0

    Looks like FOSS's strategy of CONvincing the gub'ment to use FOSS is paying off. Already the Gubment found thousands and thousands of bugs everywhere they looked... but call that "progress". If it were anywhere important (or intelligent)... all those bugs would be a deterrent from using it.

    FOSS finally found their perfect "customer"... someone who doesn't know any better, and if the application messes up, nobody gets in trouble!

    Woohoo!! Let's race to the bottom!

    1. Re:FOSSie bailout by Big Daddy Gubment by Anonymous Coward · · Score: 0

      This is probably why all those anonymous posters don't want Negroes around.

    2. Re:FOSSie bailout by Big Daddy Gubment by jvlb · · Score: 1

      Actually, I'd say there's a pretty good possibility the Gov't would ante up just as much, or more, to help fix MS vulns, if MS were as open and cooperative.

  9. What happened to secure by design? by Anonymous Coward · · Score: 0

    Oh right, that was just bs from a bunch of zealots.

    1. Re:What happened to secure by design? by kclittle · · Score: 1

      > Oh right, that was just bs from a bunch of zealots.

      No, that was wise advice from a bunch of humans. But, wise as they might be, if they handed me code they themselves had written, following their own principles, I'd *still* run Coverity over it.

      --
      Generally, bash is superior to python in those environments where python is not installed.
    2. Re:What happened to secure by design? by hax0r_this · · Score: 1

      This is exactly why it's more secure by design. It's hard to go through the source if you don't have it.

  10. Re:What security flaws? by Teppic_52 · · Score: 1

    You should have used sarcasm tags, you may not have got modded down then.

  11. Any real effect? by hey · · Score: 1

    I wonder if these fixes will make any difference in the real world.
    I use most of those programs and they are already 100% reliable for me.

    1. Re:Any real effect? by Secrity · · Score: 1

      These bugs are not normally noticeable by the user, but some of the bugs may be exploitable.

    2. Re:Any real effect? by chromatic · · Score: 1

      Some of the bugs I've fixed could have been crashers in certain circumstances. They were unlikely cases, but they had potential unpleasantness.

    3. Re:Any real effect? by iabervon · · Score: 2, Informative

      Most of the flaws that Coverity finds are not bugs in the sense of cases where the code does the wrong thing. They are more often areas where the code works as written, but is misleading in some way, such that people working on the code are likely to introduce crashes.

      A lot of other flaws they find are cases in which the program crashes cleanly (by dereferencing NULL) in some error case instead of reporting the error. Depending on what sort of program it is and what sort of data error is required to reach that point, it may not matter (e.g., if there's some weird thing the user can do that crashes their mail client, it's not a big deal, because anyone who could do that could also just tell it to quit). But, again, reasonable changes to the code could expose this as a real problem, and having these flaws means that the description of the state of the program that the programmer has to keep in mind in order to only make correct changes is more complicated, and the intended behavior of the program is harder to pick out from the actual code.

      And then, of course, there are real issues that they're finding, and these are often difficult to distinguish automatically from things that are just badly written, and it's better to just fix everything that's wrong rather than trying to determine how wrong it is.

  12. Re:SO DOES HILLARY CLINTOON by Penguinisto · · Score: 0, Offtopic
    Dude - I did NOT want to know about Hillary's Tatas...

    (the mental image... holy crap what a bad evil mental image.... it's like the Janet Reno brain-sear of 1998 all friggin' over again!)

    /P

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  13. Update on the article is posted by ivoras · · Score: 4, Informative
    --
    -- Sig down
  14. Re:What security flaws? by desNotes · · Score: 1

    Microsoft Troll... check out his post history

    --
    "Saying that Linux is inferior to Windows because more people use Windows is like saying that all restaurants are inferi
  15. Is the Coverity toolkit also open source? by phatvw · · Score: 1

    Seems ironic that you'd test and certify open source software with closed source test code.
    So where can you download the source code for the Prevent suite and all its plugins?

    1. Re:Is the Coverity toolkit also open source? by INT_QRK · · Score: 1

      This is a huge point! Thank you! So, if DHS would perhaps consider funding, supporting, encouraging, sponsoring, etc., an Open Source project for a software assurance tool set, then such a product could be backed by rigorous peer review from the FLOSS community as well as academia to better ensure validity and continuous improvement. Perhaps Federally Funded Research and Development Centers (FFRDC) such as Carnegie-Mellon's Software Engineering Institute (SEI) could even be funded for full time CM and repository hosting. Projects could use the FLOSS tool to recursively check code during development, and perhaps an "Underwriters Lab"-like organization could evolve to provide an independent rating based on standards which everyone, having access to the code, can fully assess for themselves. Hey, DHS! Something to think about!

  16. Reliability vs security. by argent · · Score: 1

    Reliability is an indication that certain kinds of security flaws are less likely, yes, but... oh, here, have an analogy on me... your car has never accidentally shifted into reverse, I would assume. Does that tell you anything about whether you can pop the trunk open by whacking the bumper in the right place?

  17. Now if only Coverity would release some code.. by Deanalator · · Score: 3, Insightful

    A huge pet peeve of mine is when university professors use academic journals to advertise for their company. I have read many papers from Dawson Engler's group, and they all seem to have the same outline. Vague outlines of the new analysis algorithms they use, heavy with statistics on how badly they broke various open source projects, and always a Coverity plug. The lack of repeatable results should be enough to reject them from any self respecting computer science journal, but they keep publishing.

    If DHS spent its money on investing in high quality static analysis plugins for modern (free) development environments, then you would catch all of the old mistakes, and make sure that they did not happen in the future. I just get annoyed when I see how much money goes to these companies whose only concern is treating the symptoms, not the cause, of poor security standards in software development.

    1. Re:Now if only Coverity would release some code.. by epine · · Score: 1
      Coverity is doing what all the firewall vendors do, self-inventing threats and then focusing all the dialog on count statistics. It's almost impossible to find coverage on Coverity in terms of what classes of bugs they detect, and the relative importance of the bugs they find. How many are of the "oh my god" variety? I would hazard a guess somewhere between 1 and 5 percent. This is not a number Coverity wishes to see tracked in public forums, as their effort to inflate total bug counts will inevitably drive this number downward, even if the rate of occurrence in open source projects remains relatively flat.

      http://www.firebirdnews.org/docs/coverity_report_6march.html

      BAD_COMPARE
      CTOR_DTOR_LEAK ; lameness
      DEADCODE
      DELETE_ARRAY
      FORWARD_NULL
      NEGATIVE_RETURNS , lameness
      NULL_RETURNS
      OVERRUN_STATIC
      RESOURCE_LEAK / lameness
      REVERSE_INULL
      UNINIT
      USE_AFTER_FREE
      Suggests a wide range of impact. Negative returns: probably harmless 99% of the time. Use after free: I'd be fixing those pronto.

      But you can only guess, because Coverity has managed to keep informative coverage thin on the ground.

      Here's a post which actually says something:

      https://www.securecoding.cert.org/confluence/display/seccode/cp-mapping

      Contains a mapping from Coverity checker labels to CERT coding guideline URLs.
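      The "crashes cleanly by dereferencing NULL instead of reporting the error" pattern that iabervon describes, matched against the NULL_RETURNS and REVERSE_INULL labels in the list above, as an added C example (not code from the page or from Coverity). The lookup table, function names and values are constructed for illustration; the first function shows the defect, the second the repaired form.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a tiny key/value table (hypothetical, not from the page). */
struct entry { const char *key; const char *value; };
static struct entry sample[] = { {"user", "alice"}, {"shell", "/bin/sh"} };
#define SAMPLE_N (sizeof sample / sizeof sample[0])

/* Hypothetical lookup that returns NULL for a missing key: the "error case". */
static struct entry *find_entry(struct entry *tbl, size_t n, const char *key)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(tbl[i].key, key) == 0)
            return &tbl[i];
    return NULL;
}

/* Before: the NULL return is dereferenced first (NULL_RETURNS) and only
 * checked afterwards (REVERSE_INULL), so a missing key crashes the process
 * instead of reporting an error. Only safe to call with a key known to exist. */
static long value_len_unchecked(struct entry *tbl, size_t n, const char *key)
{
    struct entry *e = find_entry(tbl, n, key);
    long len = (long)strlen(e->value);   /* crashes here when e == NULL */
    if (e == NULL)                       /* too late: dead check after the use */
        return -1;
    return len;
}

/* After: check before use and return a distinct error value, so the caller
 * can report the condition rather than the process dying. */
static long value_len_checked(struct entry *tbl, size_t n, const char *key)
{
    struct entry *e = find_entry(tbl, n, key);
    if (e == NULL)
        return -1;                       /* error reported, nothing dereferenced */
    return (long)strlen(e->value);
}

int main(void)
{
    printf("shell   -> %ld\n", value_len_checked(sample, SAMPLE_N, "shell"));   /* 7 */
    printf("missing -> %ld\n", value_len_checked(sample, SAMPLE_N, "missing")); /* -1 */
    return 0;
}
```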
    2. Re:Now if only Coverity would release some code.. by nous · · Score: 1

      > A huge pet peeve of mine is when university professors use academic journals to advertise for their company. I have read many papers from Dawson Engler's group, and they all seem to have the same outline. Vague outlines of the new analysis algorithms they use, heavy with statistics on how badly they broke various open source projects, and always a Coverity plug. The lack of repeatable results should be enough to reject them from any self respecting computer science journal, but they keep publishing.

      I have been tracking Dawson's work since the very beginning, and I agree with this assessment. Apparently one good idea, an awful extension language and a lot of free grad help is a recipe for success, screw open source. What is even more amazing is that Engler's work remains unchallenged by OSS equivalents...

      nous

  18. open source vs. closed source security by solinym · · Score: 3, Informative
    I've collected some arguments about the security of open-source vs. closed source in my online book called "security concepts":

    http://www.subspacefield.org/security/security_concepts.html#tth_sEc24.5

    If I've missed any - or if you have any other suggestions - please email me.

    I feel like a bit of a whore for posting links to my own ebook, but whores actually get paid. My book is free, so I guess that just makes me a slut. ;-)

    1. Re:open source vs. closed source security by Sanat · · Score: 1

      Thanks for sharing the information on Security concepts. It looks nice so far (haven't read it all yet) and it says some things in succinct ways that I have always had a difficult time putting into words.

      This document is noteworthy and is worth a look.

      --
      And in the end, the love you take is equal to the love you make
  19. ehm by towsonu2003 · · Score: 1

    I'm a bit more interested in who were the least in fixing their bugs...

  20. The freebsd projects scanner by reiisi · · Score: 1

    TFriendlyA mentions that the FreeBSD project uses its own scanner, and the author of the article seems to think it's a variant of Prevent.

    Looking up Prevent on wikipedia indicates that Prevent SQS was derived from the Stanford Checker.

    http://en.wikipedia.org/wiki/Coverity

    --
    Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
  21. Use a software engineering language instead by Anonymous Coward · · Score: 0

    A language designed for software engineers instead of "coders" would preclude the need for Coverity. Now what language could that be? Why, Ada, of course.

    The problems which Coverity exposes are less likely to occur, and in many cases impossible to occur, in a language such as Ada, which was designed from its inception to avoid these problems.