Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 11 Nov 2014 16:47:09 +0000
From: Nicholas Clifton <nickc@...hat.com>
To: Alexander Cherepanov <cherepan@...me.ru>, oss-security@...ts.openwall.com
CC: binutils@...rceware.org
Subject: Re: Re: Fuzzing objdump (PR 17512) and readelf (PR
 17531)

Hi Guys,

>>> I was just curious how well
>>> this works for real world tasks like objdump crashes.
>>
>> Back to real world deduping. IMHO it's not ideal but works quite well,
>
> Ah, I forgot to add that to really know the quality of the results of
> this approach we have to ask Nick Clifton which actually worked with the
> resulted crashers.

Many of the problems uncovered by Alexander and Hanno stem from the fact 
that the BFD library was never written with security in mind,  It was 
intended to be portable and functional, but handling corrupt files was 
never a priority.  Of course that is no excuse and so that is why I am 
trying to make up for lost time and fix these problems as fast as they 
are reported.

Another problem is that the file formats themselves (PE, COFF, ELF, etc) 
are designed with efficiency in mind, rather than security.  So a lot of 
extra work needs to be done when decoding them in order to make sure 
that out of bounds reads and writes do not occur.

My gut feeling at the moment is that readelf is probably pretty good 
now.  It has a lot of range checking in place and it should be fairly 
robust.  If you are looking for places to check though I would look at 
dynamic symbol tables and unwind tables for various different architectures.

The BFD library is probably less robust than readelf.  Especially when 
it comes to non-ELF file formats.  Resource sections for PE files for 
example could be a fertile area to explore.  Oh, and archives (or 
libraries if you prefer), probably need to be tested as well.

Cheers
   Nick



Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ