Ask Slashdot: Reviewing 3rd Party Libraries?
Carcass666 writes "It is usually good to use existing libraries, rather than reinventing the wheel, especially with open source. Unfortunately, sometimes we have to work with closed source implementations. Recently, we were diagnosing a .NET assembly and, after getting nowhere with the vendor, ran it through a decompiler. The code was a morass of SQL concatenation, sloppy type conversions, and various things that are generally thought of as insecure.
My question is: What are Slashdot readers' preferred tools for analyzing .NET and Java compiled libraries (not source code) for potential security vulnerabilities? Ideally, I would like to know if a library is a security liability before I code against it. For example, Microsoft used to have something called FxCop, but it hasn't been updated for current versions of the .NET framework."
Easy: use open source libraries.
If yes:
Only use language defined standard libraries and build everything else you need yourself, and even then trust but verify. The third party libraries are always going to be cobbled together.
If no:
Fuck it.
I don't check libraries for security vulnerabilities. I check websites for information about that, and to see how often the provider is refreshing the library with patches and fixes.
If I don't get the feeling that they take their security seriously, I don't use the library. I'm not about to start testing every library of the OS that I build against, nor the Java stack itself. To do so is asinine unless you're in an extremely high security arena -- you have to start with a certain level of trust, and if you don't trust your vendor, don't use them.
Besides, not one of the binary analysis tools I've ever heard of did a really good job. Even source code analysis can miss bugs. If it were possible to fully automate testing in such a fashion, testers wouldn't have jobs.
I do not fail; I succeed at finding out what does not work.
Use Reflector for .NET. It used to be free, but it is still very much worth the cost. I use it quite often to point out bugs that are causing us problems in vendor libraries.
IIRC FxCop is a source-code analyser.
There are others; Fortify 360 is one I used at a security-conscious company. But in all cases, they require the source code.
Though, to be fair, if you're using a 3rd party closed-source library, then you're at the provider's mercy and should go for other avenues of protection - if you can't see security updates coming regularly, then after-the-fact protection works: you sue them if it fails. Generally, you don't need to know the source for a closed-source library; it's a black box and should be treated as such.
Sonatype has been doing a lot of work in this area, but mostly on the Java side from what I can tell. I'm not sure if they are doing the kind of analysis you are referring to, but they are definitely focused on application security. They do, however, have qualitative and quantitative data that can be used as a (maybe) reasonable predictor for project quality -- e.g. how pervasive is the use of a particular open source project? There are some other vendors like Black Duck, but they seem to be a lot more focused on licensing versus security, though they seem to be copying the language Sonatype has been using more recently. Not much experience with their stuff other than it's apparently not really developer-friendly.
Try OWASP's DependencyCheck tool. https://www.owasp.org/index.php/OWASP_Dependency_Check It was originally built for Java, but they are starting to move towards .NET vulns as well. Good quality project and developers. The tool essentially tells you if there are publicly known vulns (CVEs).
Apart from that, various static analysis tools work on binaries, both commercial and open source. For Java open source, try PMD or FindBugs. For .NET, FxCop was what I would have recommended.
The more I see of other people's code, the more I am inclined to write and test my own. That way I know it works and when it doesn't, I only have myself to blame. This isn't always possible because most tasks are way too big for a single person, so stick to well-used, well-understood, well-tested (in the real world) FOSS solutions. In general, closed-source vendor-proprietary code is dreadful.
Stick Men
Beta is worthless. I'm out of here, and it will be a long time until I even look here again.
Contribute to civilization: ari.aynrand.org/donate
Committing to a 3rd party library is a lot like adopting a child. It's a long term commitment that's not easily broken, and you can't ever have a thorough understanding of what the relationship will be like ahead of time. I started a long post about the 3 main reasons for going with a 3rd party library, but decided to delete my long-winded rant. I'll just say that for the most part it comes down to saving time (and thus possibly money). You're rolling the dice and hoping at the end of the day (whenever that is - 5 years from now, 10 years from now?) simply utilizing a 3rd party library will have saved you time and money.
I think I have a hard time with commitment (as in platforms, OSs, and 3rd party libraries), and that's probably to do with the number of platforms I've been involved with over the years, and the number that are now dead and gone. If you are the type to embrace and commit (like "I love Microsoft and I love C# and I'm going to jump in with both feet and that will be my universe") then sure, go ahead and use as many 3rd party libraries as you can. If you hope to have any kind of future portability of your code (as in compiling versions for Windows, iOS, OSX, Android, Linux) then you are entirely at the mercy of those 3rd party libraries and what they will or won't support down the road. I mainly write code for myself (my own products I market), thus I consider the code I write as an investment. That is why I primarily use C++, because it is the only language I can create native applications in for all the platforms I just named (and more), and also why I look for public domain code or libraries with licensing and source code availability so I will know my future using that library is assured (I can build for other platforms, even if that means doing some work porting the code a bit).
I know that's not really answering your question ("How can I know if I can trust a 3rd party library"), and is more an answer to the question "Should I be using 3rd party libraries in the first place?"
Better known as 318230.
Two tools that I use regularly to check Java artifacts: FindBugs: http://findbugs.sourceforge.ne... OWASP Dependency Check: https://www.owasp.org/index.ph...
You don't use only one tool. Look at id Software for example (when Carmack worked there): they used three (3!) different static code analysis tools on their code, besides the compiler itself. That's quality, and that's something which attracts customers who are looking for quality.
Sorry for the radical answer, but if you don't have the source code you should assume it's unsafe and backdoored.
If the function is anything but trivial and not open source, have low-level devs write it and get it approved by a higher-up. Then you know exactly what, how, and why. It gives you independence and you can fix problems on your schedule, and not have to work around 3rd party flaws found in the future. Especially important for DB calls, etc. May seem like re-inventing the wheel, but it will pay off in the long run. But if you only do quick and dirty programming I can see why you would think this is a bad idea.
Wow, just wow. I know the left is always on the attack and completely braindead, but....this is reaching new levels.
For example, Microsoft used to have something called FxCop, but it hasn't been updated for current versions of the .NET framework
FxCop is still under active development and ships with Visual Studio 2010, 2012, and 2013. They merely changed the name to "Code Analysis"
http://blogs.msdn.com/b/visual...
In my day job I work for Fortify. You can contact the developers of this library and request that they use a static analysis product on their software, or request a security review from a 3rd party. We would for sure catch those SQL injections and more. But we would need the original source code. You can probe for things from the binary, but the results don't come back in a way that is very actionable for the developers. As for your predicament: I think you would be better off writing your own library, rather than putting the insecure one to work.
Easy: use open source libraries.
Yes, having the source code to a library is very important. However open source is not the only way to go. Source code can come with proprietary libraries. Some commercial vendors of proprietary libraries offer binary-only licenses and more expensive source code licenses. I've had more than one reluctant manager come to realize that the extra expense of the source license was absolutely worth it. We fixed some bugs that affected our project, gave the fixes back to the vendor and found our fixes incorporated into their source code.
Maybe he is a bot. That is actually a good topic to discuss but isn't what's being discussed here.
Don't expect .NET decompilers to faithfully reproduce statements as they were in the original code. What you get is functionally equivalent to the original source but it will have been munged by two tools along the way. It isn't necessarily indicative of bad coding practices. Higher level deficiencies like the SQL processing cited will still be obvious and the tools won't impact poor design decisions.
I am becoming gerund, destroyer of verbs.
In situations like this I usually recommend arson.
Reverse engineering is legal in the US. If you only gain knowledge of internal workings and don't reproduce copyrighted or patented code then there are no damages a vendor can pin on you, even if it violates a restrictive license. The worst they can do is revoke the license and force your management to select a better vendor.
I am becoming gerund, destroyer of verbs.
And haven't found any that are terribly impressive in their abilities. They'll catch certain kinds of problems, but tend to lose their way pretty fast in more complicated code. Anyway, this list might help start you out in the right direction:
http://en.wikipedia.org/wiki/L...
Let's not stir that bag of worms...
Good security comes from a lot of people's testing and input. If you investigate a product, you will only be able to categorize it into two categories: "utterly craptastic" and "probably utterly craptastic". The only way to be assured of good quality is to use libraries that a lot of people use and have had success with. Don't bother looking at the binary; look at the reputation.
"Slashdot ... tools for analyzing .NET and Java"
I am partial to "rm"; I have a couple of friends who prefer "unlink", and one friend who prefers "cp /dev/null ".
Seriously, why do you think *anyone* other than "security consultants" analyzes binary libraries? Why do you think FXCop hasn't been updated?
Why would you think "the left" is always on the attack and completely brain-dead when it's right-wing media that exists to keep idiots clueless, outraged, and hateful toward intelligent people?
"the left" you decry is just normal people from outside the ignorant right-wing bubble.
This is not a security analyzer, but ILSpy is the .NET decompiler that I currently use. Red Gate .NET Reflector went commercial only, so this is what's left.
everybody says they do it, but none of us really do.
TFA author knows how to decompile .NET, and executing the subject of this message decompiles Java, so just do that. If you really care about the quality of a library, then you can use eyeballs or any number of analysis tools.
More important than perceived code quality in my view is ability to get problems fixed with whatever library you select. It really sucks to release product and field bugs you are in no position to do anything about.
One thing that the OP said that I found to be kind of disconcerting: FxCop was a pretty crappy tool. It could spot some odd code patterns in syntax, but it cannot detect 'good' code. I could implement a bubble sort function that FxCop would give a giant gold star to. Weird syntax might be worth looking at to see if there are underlying problems, but that is about it.
HA! I just wasted some of your bandwidth with a frivolous sig!
i'm an idiot...not a bot...just an idiot
gotta be an all-time "did not read past the headline" situation for me...TFA is about...um software libraries
gah...sorry
Thank you Dave Raggett
Here's the thing.
I think nothing of reverse engineering, decompiling, deobfuscating, or deconstructing someone else's code, animation, pictures, music, etc. I don't care if it's legal or not, but I'm not going to redistribute what I learn from doing so. All is fair when learning (including piracy and license violations), but when you decide to make money from it, you either write your own clean implementation, or you find someone who wrote something that works for you.
For example: zlib and gzip/pigz are open source, and easily used without reverse engineering. Many JavaScript libraries are obfuscated, but I can still figure them out, and would never pay money for the sloppy things. So when it comes to libraries and frameworks that just wrap existing functionality, throw away the framework and write your own. In some cases there's a better performance tradeoff for doing so.
In respect to Java and C# .NET, please quit using these languages if you need to rely on wrappers and libraries outside of their core libraries. There is a substantial difference between "I think this library is insecure" and "I think this library just does things in a way I wouldn't do", in the former case, if it's not open source, then quit using it and write your own. In the latter, quit complaining and write your own.
The worst code I encounter is straight C code linked by another library, that does little more than return(x);
Doesn't matter. Whatever you do on your own computer to software on your own computer supersedes whatever the license says. Now if that software has to inter-operate with a server (as in the client-server relationship of an MMORPG) then you should think carefully about what you learn; it will come back to bite you very hard. It doesn't matter if the data you learn about is in the clear (e.g. text files, XML); the fact that you know about it and communicate to others about it violates the license.
On the other hand, Red Gate's Reflector decompiles the code into C#, VB.NET, F#, IL, or MC++. You can then look for malicious code. I mainly look for code accessing classes in the System.IO namespace, System.Web, System.Net, or similar namespaces, because these are the ones that are likely to either mess with existing files or connect to the Internet.
You can use the ILDASM (Intermediate Language Dis-assembler) program that comes with the .NET Framework, but it only decompiles into intermediate language (IL). This is enough to find the calls, but most people are not adept at reading IL.
Reflector is worth every penny. Besides looking for security problems, I use it all the time to figure out what the Framework is really doing, fix bugs in other people's libraries, sign code that wasn't signed originally, translate VB.NET code to C#, etc. (To translate code, compile it in one language and decompile it with Reflector into the other.)
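Following on from the ildasm point in that post: most of what the commenter does by eye (find the calls into System.IO, System.Net or SQL, spot a query built by concatenation) can be done by grepping the IL dump before reading any method in detail. The script below is an added example, not code from the thread or from any of the tools it names. It assumes you have already produced a text dump with `ildasm /text Vendor.dll > Vendor.il` (monodis or ilspycmd output in the same `IL_xxxx:  opcode  operand` layout also works); since no vendor assembly is available here, a constructed sample dump is embedded in place of one. Run it with bash.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): triage an ildasm text dump for calls into
# namespaces that touch the filesystem, network or SQL, and flag SqlCommand
# objects fed by string concatenation. Assumes an `ildasm /text` style dump.

# Namespaces worth a second look in a black-box library (an assumption; extend to taste).
SENSITIVE_NAMESPACES='System\.IO\.|System\.Net\.|System\.Web\.|System\.Data\.SqlClient\.|System\.Reflection\.Emit\.|System\.Runtime\.InteropServices\.'

# Every call/callvirt/newobj instruction whose operand references a sensitive namespace.
sensitive_calls() {
    grep -E '^[[:space:]]*IL_[0-9a-fA-F]+:[[:space:]]+(call|callvirt|newobj)[[:space:]]' "$1" \
        | grep -E "$SENSITIVE_NAMESPACES"
}

count_sensitive_calls() {
    sensitive_calls "$1" | wc -l | tr -d ' '
}

# Heuristic for injectable SQL: a String::Concat/Format result consumed within three
# instructions by a SqlCommand constructor or CommandText setter. Prints the offset of
# the consuming instruction; empty output means nothing was flagged.
sql_concat_sites() {
    awk '
        /String::(Concat|Format)\(/ { pending = NR }
        /SqlCommand::\.ctor\(|SqlCommand::set_CommandText\(/ {
            if (pending && NR - pending <= 3) {
                off = $1; sub(/:$/, "", off)
                print "possible SQL concatenation at " off
            }
            pending = 0
        }
    ' "$1"
}

# Constructed sample dump standing in for a real vendor assembly; written to a temp file.
write_sample_il() {
    local f
    f=$(mktemp)
    cat >"$f" <<'EOF'
.method public hidebysig instance class [System.Data]System.Data.SqlClient.SqlDataReader
        FindUser(string name) cil managed
{
  IL_0000:  ldstr      "SELECT * FROM Users WHERE Name = '"
  IL_0005:  ldarg.1
  IL_0006:  ldstr      "'"
  IL_000b:  call       string [mscorlib]System.String::Concat(string, string, string)
  IL_0010:  ldarg.0
  IL_0011:  ldfld      class [System.Data]System.Data.SqlClient.SqlConnection Vendor.Repo::conn
  IL_0016:  newobj     instance void [System.Data]System.Data.SqlClient.SqlCommand::.ctor(string, class [System.Data]System.Data.SqlClient.SqlConnection)
  IL_001b:  callvirt   instance class [System.Data]System.Data.SqlClient.SqlDataReader [System.Data]System.Data.SqlClient.SqlCommand::ExecuteReader()
  IL_0020:  ret
}
.method private hidebysig instance void PhoneHome() cil managed
{
  IL_0000:  ldstr      "http://telemetry.example.invalid/ping"
  IL_0005:  call       class [System]System.Net.WebRequest [System]System.Net.WebRequest::Create(string)
  IL_000a:  callvirt   instance class [System]System.Net.WebResponse [System]System.Net.WebRequest::GetResponse()
  IL_000f:  pop
  IL_0010:  ret
}
.method private hidebysig instance void Log(string msg) cil managed
{
  IL_0000:  ldstr      "C:\\Temp\\vendor.log"
  IL_0005:  ldarg.1
  IL_0006:  call       void [mscorlib]System.IO.File::AppendAllText(string, string)
  IL_000b:  ret
}
EOF
    printf '%s\n' "$f"
}

# Demo run against the sample dump.
SAMPLE_IL=$(write_sample_il)
echo "== sensitive calls ($(count_sensitive_calls "$SAMPLE_IL")) =="
sensitive_calls "$SAMPLE_IL"
echo "== SQL built by concatenation =="
sql_concat_sites "$SAMPLE_IL"
```

On the sample this reports five calls into System.Data.SqlClient, System.Net and System.IO and flags the SqlCommand at IL_0016 as fed by a String::Concat result. The concatenation check is deliberately a cheap heuristic: a query assembled in a StringBuilder or passed through a helper method will not trip it, so treat its output as a list of places to open in Reflector or ILSpy, not as a verdict.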
I use FindBugs also, and then run it through HP Fortify once everything looks clean.
http://www8.hp.com/ca/en/software-solutions/software.html?compURI=1338812
Don't waste your time, just delete them. The probability that they don't have security problems is nearly nil.
You are being MICROattacked, from various angles, in a SOFT manner.
FxCop is now built into Visual Studio. It's called Static Analysis and it can be invoked against a .NET assembly using the command line interface or directly against source code in Visual Studio. Another (extremely expensive) option is HP Fortify.
The point being that you paid extra to get the source and *then* they give you nothing back for improving their product. I'm hoping they weren't that ungrateful.
We paid for a library that was useful and saved us time. We paid extra to not be dependent. We contributed back our fixes to help other users of the library and to simplify things when we got an update. In those updates, some bugs were fixed by the developer of the library, others were fixed by other customers.
Did you think that one user can only help another user in the FOSS world? One user can help another as long as they have access to source, and such access does not require FOSS.
.NET, closed source library.. (munching popcorn).. you poor thing. what did you expect was going to happen ?
Okay, but what were the unexpected things you found?
Table-ized A.I.
For .NET libraries I use .NET Reflector, and it can integrate into real-time debugging with Visual Studio. FxCop is no longer needed as it's built into Visual Studio; run the Code Analysis option. For analyzing Java libraries I like the free tool jd2gui. For native libraries on Windows I like IDA Pro/OllyDbg/WinDbg/AppVerifier and the Windows App Certification Kit in the Windows 8.1 SDK.
I'm with perpenso on this one. If you can have this kind of cordial relationship with a vendor and you can all work to benefit yourselves and others, why wouldn't you?
Just because it's "proprietary" software (libraries or whatnot) doesn't mean there can't be a two-way contribution between those involved. In this case the vendor is "nice enough" to provide access to their source code, as not all vendors do, and they seem to have the procedures in place to accept modifications coming from the customers' side. Whether the customers' contributions (perpenso's in this case) are acknowledged or not will depend on whatever licensing scheme or agreement they had working beforehand. If it was me, I would have given a discount on future purchases or a (partial) refund on the price paid for access to the code as a thank-you for their help... maybe they did too.
FOSS already has built-in mechanisms to do this sort of thing, and it's encouraged far, far more than in the "proprietary" world, but that doesn't mean *everybody* does it. In fact, I remember seeing a talk given at Google by a Linux kernel developer who's employed at Red Hat (IIRC) where he mentioned (around the 22 minute mark) that Canonical was one of the companies that gave the least back to the Community in terms of code, and I'm willing to accept Canonical was still acting within the licenses for the code they were using.
http://www8.hp.com/in/en/softw... This product scans your own and third party libraries for security problems. It doesn't scan for standards or performance. For performance you can use Red Gate ANTS, but there isn't anything for standards.
You mention "tools"; did you mean "software tools"? And you have to use a decompiler.
I think "reviewing", in this case, means more like guidelines and I.T. (rules) policies.
Things you may want to consider:
* Does the library provide source code? (No source code: preferably avoided.) If you have to pay extra for the source code, then either choose no library, or pay for the source code, but don't buy proprietary libraries without source code or support.
* Is the library for a particular programming language or programming environment, or several?
If it's for several programming languages, make sure it can be compiled, loaded, or integrated into other languages.
* Does the library provide documentation, both as files and on the web?
I have dealt with several libraries which lack one or the other. Don't trust a library that doesn't have files independent of the web. There are many great software libraries that only have web documentation. When a winter storm arrives, say "good bye" to the Internet, and say "good bye" to the documentation. The same goes if a hacker or virus attacks the documentation server, or there is a technical malfunction at the network or server.
Web documentation is good, because sometimes it's updated regularly. But don't count on having it available all the time. Some developers just take the comments in the source code and generate both web pages and local files. And sometimes this is helpful.
* Does the third party library provide support?
The answer is similar to the previous answer. Open and Free Software can be great, but sometimes it lacks this, because many developers cannot provide full-time support (unless paid by companies or groups like Apache or Google).
* Does the third party library provide an A.P.I., or is it structured?
Good software can be difficult to integrate with other software if it's not structured by classes, modules, or functions.
Just my [spartan] 2 silver cents [coins].
It just shows how retarded you and your company are.
Paying extra for source? Well, I guess, but it is stupid. The source should come at the normal price; it is not like it costs them any more money.
You guys being able to fix the problem. Yay? Welcome to the FLOSS world.
Giving the fixes back to the company you paid? Absolutely retarded.
They are nice enough to charge extra for it.
If you are doing work that benefits a for-profit company and you aren't getting paid you are pants-on-head retarded.
Wrong corporate whore