Who Watches Over Coverity?

Steve G linux_4ever at yahoo.com
Mon Aug 14 11:59:31 UTC 2006


>Nevertheless, with Red Hat having invested so much into SELinux is there also
>considerable thought put into developing a Coverity-like project to get to those
>lingering security threats first?

I periodically go through open source code with FlexeLint. It finds the same bugs
that Coverity does, but also provides many false positives. So, going from the
report to fixing bugs is a fair amount of work.

I have also experimented with smatch. It seemed to be on the right track, but is
a patch to a now ancient compiler. I think if open source wanted a Coverity-like
tool, this project should be revived.

At the moment, I think the tack taken is to improve gcc's reporting of bugs. Very
few programs do: -Wall -W -Wformat-string -Wfloating-point. When looking for
bugs, I try to increase the output from gcc since it does a decent job of finding
some of the same bugs Coverity does. They just hide as signed-unsigned
comparisons.

Also note that gcc has been improved by adding a propolice-like extension that many
programs are compiled with; relro has been added to most network facing or setuid
programs (as well as PIE flags); and Fortify Source has been improved by
extending it to many other functions.

In my opinion, these enhancements help the overall security of Fedora/RHEL beyond
just what SE Linux does. I don't think we should be complacent either, but it's
not as dire as it was 2 years ago when I was doing many code audits and finding
real problems. (I also plan to start a new round of audits in a month or two when
some of the LSPP tasks are finally whipped.)

Have you tried out smatch? The project seems dead, but probably the best starting
point.

-Steve
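An added example, not part of Steve's post: the kind of signed/unsigned length bug he
says "hides" behind gcc warnings, shown as a vulnerable length check next to a hardened
one, plus the compile line that turns on the warnings and the hardening he lists
(stack protector, relro, PIE, FORTIFY_SOURCE). The 4-byte big-endian length header,
the packets and the function names are constructed for illustration. The vulnerable
variant deliberately does not perform the copy; it returns the byte count that would
reach memcpy so the defect is visible without corrupting memory.

```c
/* Build with the warnings and hardening discussed in the thread, e.g.:
 *   gcc -std=c99 -Wall -Wextra -Wconversion -O2 -D_FORTIFY_SOURCE=2 \
 *       -fstack-protector-all -fPIE -pie -Wl,-z,relro,-z,now lencheck.c
 * -Wconversion (which implies -Wsign-conversion in C) flags the implicit
 * int -> size_t conversion in vuln_accepted_len; the (int) cast in its
 * bound check is exactly how the -Wsign-compare warning usually gets
 * silenced instead of fixed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RECORD_MAX 64   /* assumed fixed-size record buffer */

/* Constructed wire format: 4-byte big-endian length, then payload.
 * The field is treated as signed, as many older protocol parsers did.
 * The uint32 -> int32 cast wraps modulo 2^32 on gcc (implementation-defined
 * before C23), so 0xFFFFFFFF reads back as -1. */
static int32_t read_len_be32(const unsigned char *p)
{
    uint32_t u = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    return (int32_t)u;
}

/* VULNERABLE pattern: the bound check is done in the signed domain, so a
 * negative length passes it and would become a huge size_t at memcpy().
 * Returns the count memcpy() would receive, or 0 if the packet is too
 * short to hold a header. */
size_t vuln_accepted_len(const unsigned char *pkt, size_t pktlen)
{
    if (pktlen < 4)
        return 0;
    int len = read_len_be32(pkt);
    if (len > (int)RECORD_MAX)       /* cast hides the sign problem */
        return 0;                    /* len == -1 is NOT rejected here */
    /* memcpy(buf, pkt + 4, len);   <- (size_t)-1 bytes: stack smash */
    return (size_t)len;
}

/* HARDENED: reject negatives before widening, compare as size_t, and also
 * bound by the bytes actually present in the packet (no over-read).
 * Returns bytes copied, or -1 on rejection. */
long safe_copy_record(unsigned char *dst, size_t dstcap,
                      const unsigned char *pkt, size_t pktlen)
{
    if (pktlen < 4)
        return -1;
    int32_t len = read_len_be32(pkt);
    if (len < 0)
        return -1;                   /* negative length: refuse */
    size_t ulen = (size_t)len;       /* now provably non-negative */
    if (ulen > dstcap || ulen > pktlen - 4)
        return -1;                   /* too big for buffer or for packet */
    memcpy(dst, pkt + 4, ulen);
    return (long)ulen;
}

/* Constructed sample packets. */
static const unsigned char pkt_ok[]        = {0x00,0x00,0x00,0x05,'h','e','l','l','o'};
static const unsigned char pkt_negative[]  = {0xFF,0xFF,0xFF,0xFF,'A','B','C','D'};
static const unsigned char pkt_oversized[] = {0x00,0x00,0x01,0x00};          /* len 256 */
static const unsigned char pkt_truncated[] = {0x00,0x00,0x00,0x09,'a'};      /* len 9, 1 byte */

int main(void)
{
    unsigned char buf[RECORD_MAX];
    printf("vuln  negative -> %zu bytes would be copied\n",
           vuln_accepted_len(pkt_negative, sizeof pkt_negative));
    printf("safe  negative -> %ld\n",
           safe_copy_record(buf, sizeof buf, pkt_negative, sizeof pkt_negative));
    printf("vuln  truncated -> %zu (over-read)\n",
           vuln_accepted_len(pkt_truncated, sizeof pkt_truncated));
    printf("safe  ok -> %ld bytes\n",
           safe_copy_record(buf, sizeof buf, pkt_ok, sizeof pkt_ok));
    return 0;
}
```

The negative-length case is the one a plain `-Wall` build never mentions: the
comparison is int against int after the cast, so only the later implicit widening
at `memcpy()` is suspicious, and that needs `-Wconversion` (or `-Wsign-conversion`)
to surface.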





More information about the fedora-selinux-list mailing list