develooper Front page | perl.perl5.porters | Postings from May 2014

Re: Mayhem heads up

From: Reini Urban
Date: May 5, 2014 14:33
Subject: Re: Mayhem heads up
Message ID: CAHiT=DGAxOmos=QBaM7OozXBOmBYpaD91Xj5iNkTU8VpNJGyxw@mail.gmail.com
On Tue, Apr 29, 2014 at 7:44 AM, Tony Cook <tony@develop-help.com> wrote:
> On Tue, Apr 29, 2014 at 08:17:03AM -0400, David Steinbrunner wrote:
>> On 6/28/13, 8:52 AM, "Reini Urban" <rurban@x-ray.at> wrote:
>>
>> >See http://lists.debian.org/debian-devel/2013/06/msg00720.html
>> >
>> >Those perl packages are currently affected:
>> >eperl, perl-byacc, perl5i
>> >See http://forallsecure.com/reports/dd-list.txt
>> >
>> >This is not really impressive, compared to the number of found asan bugs.
>> >
>> >But the mayhem paper at
>> >http://users.ece.cmu.edu/~arebert/papers/mayhem-oakland-12.pdf says:
>> >In this paper we present MAYHEM, a new system for automatically finding
>> >exploitable bugs in binary (i.e., executable) programs. Every bug
>> >reported by MAYHEM is accompanied by a working shell-spawning exploit.
>> >The working
>> >exploits ensure soundness and that each bug report is security
>> >critical and actionable....
>> >
>> >Most found bugs are stack overflows and format strings exploitations.
>> >Looks like a better valgrind/memcheck to me, with the "advantage" to
>> >create reproducers.
>>
>> With all the Coverity action going on it made me think of the MAYHEM
>> notice above that did not seem to get any attention on p5p beyond the
>> notice.  Did these issues just get silently taken care of?
>
> None of the MAYHEM bugs reported are in perl itself, that I could see.

Mayhem tested only small tested binaries, not libraries.
Such symbolic verifiers taint input state (cmdline, stdin, file input)
and check them throughout the program for overflows.

Coverity is not comparable to that. Coverity is just a simple static verifier.

Mayhem is still closed source because it's too dangerous. But now
similar FLOSS tools are catching up. I'm keeping my eye open.

Currently perl or chromium are still too big to be properly
analyzable, but I do not trust that, as solvers are getting better and
the verifiers are getting better rapidly.

With klee you can taint any state within the program and create easier
and faster cases. Many pcre errors were caught this way.

-- 
Reini Urban
http://cpanel.net/   http://www.perl-compiler.org/
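As an added example (not code from the thread, from KLEE, or from Mayhem's authors): a small C record parser with a KLEE-style harness showing what "taint any state" looks like in practice. The wire format ([len:1][name:len]), the sample bytes and the function names are constructed for this illustration; `klee_make_symbolic()` and the `klee/klee.h` header are KLEE's real API. Built normally it runs the constructed samples through the bounded parser; built with -DUSE_KLEE and run under KLEE, every byte of the record is symbolic, so KLEE explores the length-check branches itself and reports the path on which the unchecked parser writes past its destination buffer, while the bounded version has no such path.

```c
/* Added example, not from the thread: a KLEE-style harness around a small
 * record parser. Build normally to run the constructed samples; build with
 * -DUSE_KLEE and run under KLEE to make the whole record symbolic.
 * The wire format ([len:1][name:len]) and all sample bytes are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef USE_KLEE
#include <klee/klee.h>   /* real KLEE header: provides klee_make_symbolic() */
#endif

#define RECORD_MAX 32    /* largest record the harness feeds in */
#define NAME_MAX    8    /* fixed destination buffer, including the NUL */

/* Trusts the length byte from the record. It checks that the name is present
 * in the record, but not that it fits in out[NAME_MAX]; with a symbolic
 * record KLEE reaches a path where len >= NAME_MAX and flags the
 * out-of-bounds write, the kind of bug Mayhem's reports are built from. */
int parse_record_unchecked(const uint8_t *rec, size_t rec_len, char *out)
{
    if (rec_len < 1)
        return -1;
    size_t len = rec[0];
    if (len > rec_len - 1)          /* name bytes must be present in the record */
        return -1;
    memcpy(out, rec + 1, len);      /* no check against the destination size */
    out[len] = '\0';
    return (int)len;
}

/* Hardened version: the same parser with the destination bound enforced. */
int parse_record_checked(const uint8_t *rec, size_t rec_len, char *out, size_t out_len)
{
    if (rec_len < 1 || out_len == 0)
        return -1;
    size_t len = rec[0];
    if (len > rec_len - 1)          /* truncated record */
        return -1;
    if (len >= out_len)             /* would overflow out or leave no room for the NUL */
        return -1;
    memcpy(out, rec + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample records (not real data). */
static const uint8_t SAMPLE_OK[]    = { 5, 'a', 'l', 'i', 'c', 'e' };
static const uint8_t SAMPLE_LONG[]  = { 12, 'a','b','c','d','e','f','g','h','i','j','k','l' };
static const uint8_t SAMPLE_TRUNC[] = { 9, 'a', 'b' };   /* claims 9 bytes, only 2 present */

/* Runs the bounded parser on one record and returns its result. */
int run_checked(const uint8_t *rec, size_t rec_len)
{
    char name[NAME_MAX];
    return parse_record_checked(rec, rec_len, name, sizeof name);
}

/* Runs the unchecked parser; only safe for names shorter than NAME_MAX,
 * which is exactly the assumption the symbolic run shows to be unenforced. */
int run_unchecked(const uint8_t *rec, size_t rec_len)
{
    char name[NAME_MAX];
    return parse_record_unchecked(rec, rec_len, name);
}

int main(void)
{
#ifdef USE_KLEE
    /* Symbolic harness: every byte, including the length byte, is
     * unconstrained, so KLEE drives the length-check branches itself. */
    uint8_t rec[RECORD_MAX];
    char name[NAME_MAX];
    klee_make_symbolic(rec, sizeof rec, "rec");
    parse_record_unchecked(rec, sizeof rec, name);              /* KLEE reports the overflow path */
    parse_record_checked(rec, sizeof rec, name, sizeof name);   /* no error path exists */
    return 0;
#else
    printf("ok:    %d\n", run_checked(SAMPLE_OK, sizeof SAMPLE_OK));       /* 5 */
    printf("long:  %d\n", run_checked(SAMPLE_LONG, sizeof SAMPLE_LONG));   /* -1 */
    printf("trunc: %d\n", run_checked(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC)); /* -1 */
    return 0;
#endif
}
```

The harness marks a buffer the program already owns as symbolic, which is the "any state within the program" point in the post; KLEE's own --sym-stdin and --sym-args options do the same for stdin and argv, the input sources Mayhem treats as tainted. A run that reaches the unchecked memcpy with len >= NAME_MAX yields a concrete record that reproduces the write, which is the reproducer-generating behaviour the thread contrasts with Coverity's static checking.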
