Slashdot Mirror

← Back to Stories (view on slashdot.org)

Coverity Reports Open Source Security Making Great Strides

Posted by ScuttleMonkey on from the patting-yourself-on-the-back dept.

Coverity is claiming they have found and helped to fix more than 7,500 security flaws in open source software since the inception of the governmentally backed project designed to harden open source software. The company has also identified eleven projects that have been especially responsive in correcting security problems. "Eleven projects have been awarded the newly announced status of Rung 2, including those known as Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL."

35 of 48 comments (clear)

  1. Overdose by PetiePooo · · Score: 1

    What is Overdose? I've searched Google, but all I get is links to Heroin recovery groups...

    1. Re:Overdose by PetiePooo · · Score: 4, Funny

      What is Overdose? I've searched Google, but all I get is links to Heroin recovery groups...

      Ah, nevermind. Its a Yahoo! chat client. I should have searched Sourceforge instead...

    2. Re:Overdose by UdoKeir · · Score: 1

      Hmmm... posting that link ought to spike their project activity stats for a couple of days. ;-)

  2. Dupe? by hax0r_this · · Score: 2, Informative

    Is this story different than this one?

    1. Re:Dupe? by ashridah · · Score: 4, Interesting

      Yes. It has a positive bias in the title (pro open source) instead of a negative one. We want slashdot to be fair and impartial right....?

      ash

    2. Re:Dupe? by EvanED · · Score: 1

      The other one isn't as blatant an advertisement for Coverity? ;-)

  3. Anyone else by Bloke+down+the+pub · · Score: 4, Funny

    Anyone else read that as "Coventry"? Bloody shit-hole, I went there once and nobody spoke to me.

    --
    It's true I tell you, feller at work's next door neighbour read it in the paper.
    1. Re:Anyone else by rickb928 · · Score: 1

      No matter where you're from, somewhere else is a bloody shithole.

      Except for my hometown. It's the elbow of the Earth. You can see the armpit from there.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    2. Re:Anyone else by networkBoy · · Score: 1

      You live in the sac metro area then?
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    3. Re:Anyone else by rickb928 · · Score: 1

      Actually, a place in Maine... Looks a little like Vermont.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
  4. Dupe by sethawoolley · · Score: 1, Informative

    Come on guys, didn't you notice this one a couple days ago?

    http://it.slashdot.org/article.pl?sid=08/01/09/0027229

  5. 173 Projects NOT being actively scanned by gQuigs · · Score: 3, Informative

    If you are involved in said projects, please contact coverity through the website and get involved. I don't see any reason why a project would not want to have this scan done.

    Rung 0: http://scan.coverity.com/rung0.html

    1. Re:173 Projects NOT being actively scanned by X0563511 · · Score: 1

      At the bottom of the page:

      If you have any questions or would like to suggest additional
      projects to be added, please email [SNIP]

      To get the snipped email, ROT-13 this: fpna-nqzva@pbirevgl.pbz

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    2. Re:173 Projects NOT being actively scanned by Anonymous Coward · · Score: 1, Interesting

      My project is one of the 173.

      Coverity contacted me several months ago. I fixed every issue that they raised and informed them of such. They said thanks and I heard nothing more.

      Now they say that my project is in "Rung 0" and they haven't responded to my efforts to contact them. So I really have no idea what is going on; whether they found something new (and unknown to me), or that I'm supposed to be doing something that I haven't done, or what.

  6. Experience with Nmap by katterjohn · · Score: 4, Informative

    I've been working with Nmap for nearly 2 years now; I went over a Coverity scan of the Nmap source code and fixed many possible bugs (mostly NULL dereferences). Coverity has a great interface and documented the bugs well.

  7. Re:What security flaws? by Teppic_52 · · Score: 1

    You should have used sarcasm tags, you may not have got modded down then.

  8. Any real effect? by hey · · Score: 1

    I wonder if this fixes will make any difference in the real world.
    I use most of those program and they are already 100% reliable for me.

    1. Re:Any real effect? by Secrity · · Score: 1

      These bugs are not normally noticeable by the user, but some of the bugs may be exploitable.

    2. Re:Any real effect? by chromatic · · Score: 1

      Some of the bugs I've fixed could have been crashers in certain circumstances. They were unlikely cases, but they had potential unpleasantness.

      --
      how to invest, a novice's guide
    3. Re:Any real effect? by iabervon · · Score: 2, Informative

      Most of the flaws that Coverity finds are not bugs in the sense of cases where the code does the wrong thing. They are more often areas where the code works as written, but is misleading in some way, such that people working on the code are likely to introduce crashes.

      A lot of other flaws they find are cases in which the program crashes cleanly (by dereferencing NULL) in some error case instead of reporting the error. Depending on what sort of program it is and what sort of data error is required to reach that point, it may not matter (e.g., if there's some weird thing the user can do that crashes their mail client, it's not a big deal, because anyone who could do that could also just tell it to quit). But, again, reasonable changes to the code could expose this as a real problem, and having these flaws means that the description of the state of the program that the programmer has to keep in mind in order to only make correct changes is more complicated, and the intended behavior of the program is harder to pick out from the actual code.

      And then, of course, there are real issues that they're finding, and these are often difficult to distinguish automatically from things that are just badly written, and it's better to just fix everything that's wrong rather than trying to determine how wrong it is.

  9. Update on the article is posted by ivoras · · Score: 4, Informative

    There's an update on the article here: http://www.informationweek.com/blog/main/archives/2008/01/oops_look_at_th.html See also http://lists.freebsd.org/pipermail/freebsd-hackers/2008-January/022854.html for discussion on FreeBSD.

    --
    -- Sig down
  10. Re:What happened to secure by design? by kclittle · · Score: 1

    > Oh right, that was just bs from a bunch of zealots.

    No, that was wise advise from a bunch of humans. But, wise as they might be, if they handed me code they themselves had written, following their own principles, I'd *still* run Coverity over it.

    --
    Generally, bash is superior to python in those environments where python is not installed.
  11. Re:What happened to secure by design? by hax0r_this · · Score: 1

    This is exactly why its more secure by design. Its hard to go through the source if you don't have it.

  12. Re:What security flaws? by desNotes · · Score: 1

    Microsoft Troll...chek out his post history

    --
    "Saying that Linux is inferior to Windows because more people use Windows is like saying that all restaurants are inferi
  13. Is the Coverity toolkit also open source? by phatvw · · Score: 1

    Seems ironic that you'd test and certify open source software with closed source test code.
    So where can you download the source code for the Prevent suite and all its plugins?

    1. Re:Is the Coverity toolkit also open source? by INT_QRK · · Score: 1

      This is a huge point! Thank you! So, if DHS would perhaps consider funding, supporting, encouraging, sponsoring, etc., an Open Source project for a software assurance tool set, then such a product could be backed by rigorous peer review from the FLOSS community as well as academia to better ensure validity and continuous improvement. Perhaps Federally Funded Research and Development (FFRDC) Cennters such as Carnegie-Mellon's Software Engineering Institute (SEI) could even be funded for full time CM and repository hosting. Projects could use the FLOSS tool to recursively check code during development, and perhaps an "Underwriters Lab"-like organization could evolve to provide an independent rating based on standards which everyone, having access to the code, can fully assess for themselves. Hey, DHS! Something to think about!

  14. Reliability vs security. by argent · · Score: 1

    Reliability is an indication that certain kinds of security flaws are less likely, yes, but... oh, here, have an analogy on me... your car has never accidentally shifted into reverse, I would assume. Does that tell you anything about whether you can pop the trunk open by whacking the bumper in the right place?

  15. Now if only Coverity would release some code.. by Deanalator · · Score: 3, Insightful

    A huge pet peeve of mine is when university professors use academic journals to advertise for their company. I have read many papers from Dawson Engler's group, and they all seem to have the same outline. Vague outlines of the new analysis algorithms they use, heavy with statistics on how badly they broke various open source projects, and always a Coverity plug. The lack of repeatable results should be enough to reject them from any self respecting computer science journal, but they keep publishing.

    If DHS spent its money on investing in high quality static analysis plugins for modern (free) development environments, then you would catch all of the old mistakes, and make sure that they did not happen in the future. I just get annoyed when I see how much money goes to these companies whose only concern is treating the symptoms, not the cause, of poor security standards in software development.

    1. Re:Now if only Coverity would release some code.. by epine · · Score: 1
      Coverity is doing what all the firewall vendors do, self-inventing threats and then focusing all the dialog on count statistics. It's almost impossible to find coverage on Coverity in terms of what classes of bugs they detect, and the relative importance of the bugs they find. How many are of the "oh my god" variety? I would hazard a guess somewhere between 1 and 5 percent. This is not a number Coverity wishes to see tracked in public forums, as their effort to inflate total bug counts will inevitably drive this number downward, even if the rate of occurrence in open source projects remains relatively flat.

      http://www.firebirdnews.org/docs/coverity_report_6march.html

      BAD_COMPARE
      CTOR_DTOR_LEAK ; lameness
      DEADCODE
      DELETE_ARRAY
      FORWARD_NULL
      NEGATIVE_RETURNS , lameness
      NULL_RETURNS
      OVERRUN_STATIC
      RESOURCE_LEAK / lameness
      REVERSE_INULL
      UNINIT
      USE_AFTER_FREE
      Suggests a wide range of impact. Negative returns: probably harmless 99% of the time. Use after free: I'd be fixing those pronto.

      But you can only guess, because Coverity has managed to keep informative coverage thin on the ground.

      Here's a post which actually says something:

      https://www.securecoding.cert.org/confluence/display/seccode/cp-mapping

      Contains a mapping from Coverity checker labels to CERT coding guideline URLs.
    2. Re:Now if only Coverity would release some code.. by nous · · Score: 1

      A huge pet peeve of mine is when university professors use academic journals to advertise for their company. I have read many papers from Dawson Engler's group, and they all seem to have the same outline. Vague outlines of the new analysis algorithms they use, heavy with statistics on how badly they broke various open source projects, and always a Coverity plug. The lack of repeatable results should be enough to reject them from any self respecting computer science journal, but they keep publishing.

      i have been tracking dawson's work since the very beginning, and i agree with this assessment. apparently one good idea, an awful extension language and a lot of free grad help is a recipe for success, screw open source. what is even more amazing is that engler work remains unchallenged by oss equivalents...

      nous

  16. open source vs. closed source security by solinym · · Score: 3, Informative
    I've collected some arguments about the security of open-source vs. closed source in my online book called "security concepts":

    http://www.subspacefield.org/security/security_concepts.html#tth_sEc24.5

    If I've missed any - or if you have any other suggestions - please email me.

    I feel like a bit of a whore for posting links to my own ebook, but whores actually get paid. My book is free, so I guess that just makes me a slut. ;-)

    1. Re:open source vs. closed source security by Sanat · · Score: 1

      Thanks for sharing the information on Security concepts. It looks nice so far (haven't read it all yet) and it says some things in succinct ways that I have always had a difficult time putting into words.

      This document is note worthy and is worth a look.

      --
      And in the end, the love you take is equal to the love you make
  17. ehm by towsonu2003 · · Score: 1

    I'm a bit more interested in who were the least in fixing their bugs...

  18. The freebsd projects scanner by reiisi · · Score: 1

    TFriendlyA mentions that the freebsd project uses it's own scanner, and the author of the article seems to think it's a variant of Prevent.

    Looking up Prevent on wikipedia indicates that Prevent SQS was derived from the Stanford Checker.

    http://en.wikipedia.org/wiki/Coverity

    --
    Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
  19. Re:FOSSie bailout by Big Daddy Gubment by jvlb · · Score: 1

    Actually, I'd say there's a pretty good possibility the Gov't would ante up just as much, or more, to help fix MS vulns, if MS were as open and cooperative.