Joined: 23 Nov 2008
|Posted: Tue Mar 21, 2017 11:36 am Post subject: New hobby of PVS-Studio team: fixing potential vulnerabiliti
Quite unexpectedly our team started a new interesting direction: to find and fix those bugs in open source projects, that are related to CWE.Why do we do this? It's just something we enjoy.
The topic of vulnerabilities detected in various open source projects is extremely popular nowadays.The news about that can be found on different sites (example: Adobe fixes 8 Security Vulnerabilities in Adobe Flash Player & Shockwave Player). However, it is of no use to discuss these vulnerabilities (CVE) from a programmers' point of view. It is more important to prevent these vulnerabilities at the stage of writing the code, rather than worry that some leak was found again. Therefore, the Common Weakness Enumeration list (CWE) is of greater interest to the developers.
This list (CWE) presents systematized errors that may cause vulnerabilities. There are different factors that influence the fact, if an error turns into a vulnerability or not. In other words, a defect sometimes can be exploited, and sometimes not, depending on luck.
What is significant, is that by eliminating the errors, given in CWE, a programmer protects the code from a great number of potential vulnerabilities in advance. Static analyzers can be great assistants in this case.
PVS-Studio has always been able to detect a large number of various weaknesses (potential vulnerabilities) in the program code. However, historically, we positioned PVS-Studio as a tool to search for errors. As I've already said, there is a trend in the software development to look for vulnerabilities in the code, although it's just the same. We started rebranding of our tool. Common Weakness Enumeration (CWE) was the first thing we looked at and wrote an article where provided a draft of a table, presenting the comparison of PVS-Studio diagnostics and CWE. We also demonstrated a couple of potential vulnerabilities in Apache HTTP Server.
That was not the end. We got interested in fixing potential vulnerabilities in various projects. Of course, it is also useful from the marketing point of view for us. However, we wouldn't do this if it wasn't fun, because in terms of promotion, the efficiency of such actions is very low.
Moreover, we decided to compile these small actions on making the world a better place, into small weekly reports. The first one covered the defects in C# projects (CoreFX, MSBuild).
The second would be interesting for the community of C and C++ programmers. It is about errors in such projects as FreeBSD, GCC, Clang.
In some cases we send a patch to the developers, in other cases we create a new issue in bugtracker with the description of the bug found. The corresponding links are given to every incorrect code fragment.
Some may say that nor every project requires testing for the potential vulnerabilities from the CWE point of view. I agree. But it's useful to find bugs and fix them in any case. Plus it demonstrates that PVS-Studio can be used to look for security issues.
Thank you for your attention. For those who are willing to follow these news, I suggest subscribing to our RSS channel or just visit our blog on Fridays when we post our regular reports about the corrected errors.