From mboxrd@z Thu Jan 1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Auburn Study
Newsgroups: gmane.linux.lib.musl.general
Subject: Buffer Overflow Study at Auburn University - musl libc developers I would really appreciate your help!
Date: Sun, 14 Oct 2012 02:35:19 -0500
Reply-To: musl@lists.openwall.com
To: musl@lists.openwall.com
Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm
Precedence: bulk
Xref: news.gmane.org gmane.linux.lib.musl.general:2100
Hi All,

I am a graduate student at Auburn University, working with Dr. Munawar Hafiz on an empirical study project to understand the software engineering practices used in companies that produce secure software. In particular, we are concentrating on how developers write code to prevent buffer overflow and integer overflow vulnerabilities. We are interested in the software development process: how you develop software, how you test and analyze programs to detect vulnerabilities, and what processes you follow to remove bugs. We are looking into automated tools that software developers use, and are expecting that there is a common insight in the security engineering process that can be reusable.

We request your assistance by participating in this research study. We would greatly appreciate it if you would share your experience with us by answering the questions at the end of this email. We may send some follow-up questions based on your response in the future. Your response(s) will be kept confidential, and will only be aggregated with those of other reporters. Please let us know if you have any questions or concerns regarding the study. Thanks in advance for your support.

Yasmeen Rawajfih
Software Analysis, Transformations and Security Group
Auburn University

Working under the supervision of:
Dr. Munawar Hafiz
Assistant Professor
Dept. of Computer Science and Software Engineering
Auburn University
Auburn, AL
http://munawarhafiz.com/

Questions: (There are ten questions.)

1. How long have you been a software developer?

2. How long have you been affiliated with musl libc? Were you part of the original development team for this software?

3. What is the size of the current code base?

4. Did you follow a coding standard when developing this software? Is it a standard determined by your group?

5. What did you use to manage bug reports in your software? Does it satisfy your requirements? Are there other software options that you would consider switching to?

6. Did you use any compiler options to detect integer overflow vulnerabilities? Do you think that they are useful?

7. Did you use any automated (static or dynamic analysis) tools to detect buffer overflows, integer overflows, or any other bugs? Which tools did you use? Why these tools?

8. Did you use fuzzing? Which tools did you use and why? If you wrote your own fuzzer, why did you write it yourself? Was it written from scratch or by extending some other fuzzing tools?

9. Did you have specific phases during development where you concentrated on fixing security issues? Did you have a test suite, unit tests, or regression tests?

10. Buffer overflows often result from the use of unsafe functions, such as strcpy. Does your software use those? If you use a different string library, why is it used? Is it an in-house library or an off-the-shelf library? Did you migrate your code to use the string library?