Date: Wed, 25 Mar 2015 09:38:12 +0300
From: Alexander Cherepanov <ch3root@...nwall.com>
To: john-dev@...ts.openwall.com
Subject: Re: Ideas for the robustness gsoc task

On 2015-03-25 01:07, Alexander Cherepanov wrote:

Some additions.

> General cleaning
> ~~~~~~~~~~~~~~~~
>
> - Figure out which C standard we want (discuss on john-dev), document
> it, convert to it.
>
> - Figure out which coding style we want (discuss on john-dev), document
> it, convert to it.
> (character encoding for various files, indent(1) options)
>
> - Unify function names (get_salt -> salt etc.). This makes
> grepping/refactoring easier.
>
> - Get rid of unused global symbols (see
> http://www.openwall.com/lists/john-dev/2013/05/11/5 ,
> http://www.openwall.com/lists/john-dev/2013/05/11/6 ).
>
> - Get rid of unused macros (see
> http://www.openwall.com/lists/john-dev/2013/05/18/2 ,
> http://www.openwall.com/lists/john-dev/2013/05/19/4 ).
>
> - Look for strncmp with n==1 (see
> http://www.openwall.com/lists/john-dev/2013/05/12/18 ).
>
> - Identify embedded copies of other software.
>
> Misc
> ~~~~
>
> - Hardened build
>
> - Constification and format interface clarification (see
> http://www.openwall.com/lists/john-dev/2013/05/07/33 ).
>
> Cleaning hashes loading

Replace by: Fixing input data handling

> ~~~~~~~~~~~~~~~~~~~~~~~

- List sources of input data and classify its trustworthiness (discuss
in john-dev). Preliminary, from untrusted to less untrusted:
-- hashes
-- wordlists
-- rules
-- chr
-- config files (non-rules parts)
-- command line options
-- environment variables

> - Review loader.c (see
> http://www.openwall.com/lists/john-dev/2015/03/23/3 ).
>
> - Revamp valid(), salt() etc. in all(?) formats:

Replace by:

- Review and revamp valid(), salt() etc. in all(?) formats:

> -- sync cpu/opencl/cuda formats (see
> http://www.openwall.com/lists/john-dev/2015/03/22/1 );
>
> -- get rid of strtok() (because it requires making a copy of the input
> string);
>
> -- get rid of atoi() and other functions exhibiting undefined behavior;
>
> -- ...probably by switching to generic parsing functions (to be written).

- Review wordlist loading and rules application

- Review handling of other input data

- Review other parts of the code

> Static analysis
> ~~~~~~~~~~~~~~~
>
> - gcc with various options
>
> - compile as C++ ?
>
> - clang with various options
>
> - Clang Static Analyzer
>
> - cppcheck
>
> - splint?
>
> - ...
>
> Dynamic analysis
> ~~~~~~~~~~~~~~~~
>
> - Valgrind
>
> - AddressSanitizer
>
> - Undefined Behavior Sanitizer
>
> - MemorySanitizer?
>
> - ThreadSanitizer?
>
> Fuzzing
> ~~~~~~~
>
> - Custom fuzzer (see
> http://www.openwall.com/lists/john-dev/2015/03/07/10 ,
> http://www.openwall.com/lists/john-dev/2015/03/07/15 ).
>
> - AFL
>
> - fuzz 2john tools
>
> - fuzz command-line options
>
> - fuzz environment variables
>
> - fuzz config files

- fuzz chr files

- (Dynamic analysis and Fuzzing) Build for different platforms: at least
32-bit, ideally big-endian

- Test with increased LINE_BUFFER_SIZE

-- 
Alexander Cherepanov
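
The strtok() and atoi() items in the message above, worked as an added example (not part of the original message and not John the Ripper code): fields are located without copying or modifying the input, and numbers are parsed with an explicit bound. The names `get_field`, `field_to_uint`, `example_valid` and the `example$iterations$salt` layout are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* A field is a view into the caller's string: nothing is copied or modified. */
struct field { const char *p; size_t len; };

/* Locate field idx (0-based) of s split on sep; return 0 if it does not exist.
 * Unlike strtok(), the input stays const and empty fields are not skipped. */
int get_field(const char *s, char sep, size_t idx, struct field *out)
{
    for (;;) {
        const char *end = strchr(s, sep);
        size_t len = end ? (size_t)(end - s) : strlen(s);
        if (idx == 0) { out->p = s; out->len = len; return 1; }
        if (!end) return 0;
        s = end + 1;
        idx--;
    }
}

/* Parse a decimal field into *val. Rejects empty input, any non-digit and
 * values above max, so no arithmetic ever overflows (atoi() checks none). */
int field_to_uint(const struct field *f, unsigned int max, unsigned int *val)
{
    unsigned int v = 0;
    size_t i;
    if (f->len == 0) return 0;
    for (i = 0; i < f->len; i++) {
        unsigned int d;
        if (f->p[i] < '0' || f->p[i] > '9') return 0;
        d = (unsigned int)(f->p[i] - '0');
        if (d > max || v > (max - d) / 10) return 0; /* v*10+d would exceed max */
        v = v * 10 + d;
    }
    *val = v;
    return 1;
}

/* Hypothetical valid()-style check for a constructed "example$iterations$salt"
 * layout: tag must match, iterations <= 1000000, salt 1..16 bytes, no 4th field. */
int example_valid(const char *c, unsigned int *iterations)
{
    struct field f;
    return get_field(c, '$', 0, &f) && f.len == 7 && !memcmp(f.p, "example", 7)
        && get_field(c, '$', 1, &f) && field_to_uint(&f, 1000000, iterations)
        && get_field(c, '$', 2, &f) && f.len > 0 && f.len <= 16
        && !get_field(c, '$', 3, &f);
}
```
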