
Update and place to start



Hi,

The source for 2.4.0 has been put into CVS on sourceforge. It will be
updated to 2.4.1 soon. I have run some of the tools against the code and
am putting the generated output in the "reports" module in CVS.
its4.report is there currently. ITS4 has a database of known
vulnerabilities and scans the code for them. It points out risky code, but
that doesn't necessarily mean that the code is buggy or vulnerable.
Nevertheless, it points out good places to begin auditing, so if you are
considering auditing some code and are looking for a good place to start,
pick a file that has an area marked "Urgent" or "Very Risky".

cccc is also an interesting tool, but I am not sure how much use it will
be. (As an aside, it has been running for 18 hours and has not yet
completely analyzed the kernel source.) It does output intermediate
results, and so far it says that McCabe's Cyclomatic Number is 37470. I
found a document that says that anything over 50 is considered extremely
risky and untestable, so I tried running cccc against some other source.
Of the code that I tested, Dan Bernstein's publicfile has the lowest value
at 385. Postfix has a value of 6612. Bind is 4427. Bernstein's djbdns is
3029. Interestingly enough, Postfix has more than one comment per line of
code, while Bernstein's code has about 50 lines of code per comment. So
while it is a fun tool, do you have any insight on how exactly to use this
tool to help audit the source? (All of these other runs completed within a
few seconds.)

I will upload parts of the cccc output when the tool has completed its
run.

Happy auditing,

E.

E. Ratliff
ratliff@polaris.net


Kernel-audit:  discussion list for security and the linux kernel
Archive:       http://mail.nl.linux.org/kernel-audit/
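
Added example (not part of the original post, and not code from cccc or the kernel-audit project): one way to turn a complexity figure into an audit order is to score each function separately and read the highest-scoring functions first. The script approximates McCabe's number as 1 plus the decision points in each function body; the sample C source, the function names and the regex-based parsing are constructed for illustration, ignore most preprocessor tricks, and do not reproduce how cccc counts.

```python
import re

# Constructed sample input (not kernel code), embedded so the script runs offline.
SAMPLE_C = r"""
struct req { int len; char *buf; };
static int check_len(int len) { return len > 0 ? len : -1; }
int parse_req(struct req *r, const char *in, int n)
{
    int i;
    if (!r || !in) return -1;
    for (i = 0; i < n && in[i]; i++) {
        switch (in[i]) {
        case ' ': continue;
        case '\n': return i;
        default: if (i >= r->len) return -2;
        }
        r->buf[i] = in[i];
    }
    while (i < r->len) r->buf[i++] = 0;  /* if this comment were counted, the score would be off */
    return i;
}
"""

# Comments, string/char literals and preprocessor lines must not contribute decision points.
NOISE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|^[ \t]*#[^\n]*', re.S | re.M)
DECISION = re.compile(r'\b(?:if|for|while|case)\b|&&|\|\||\?')
HEADER = re.compile(r'(\w+)\s*\([^;{}]*\)\s*$')  # "name(args)" right before a top-level "{"

def per_function_complexity(src):
    """Approximate McCabe number per function: 1 + decision points in its body."""
    src = NOISE.sub(' ', src)
    scores, depth, name, start, last_end = {}, 0, None, 0, 0
    for i, ch in enumerate(src):
        if ch == '{':
            if depth == 0:  # top-level brace: a function body, or a struct/initializer
                m = HEADER.search(src[last_end:i])
                name, start = (m.group(1) if m else None), i
            depth += 1
        elif ch == '}':
            depth -= 1
            if depth == 0:
                if name:  # only blocks preceded by "name(args)" are functions
                    scores[name] = 1 + len(DECISION.findall(src[start:i]))
                last_end = i + 1
    return scores

def audit_order(src, threshold=50):  # 50 is the per-unit limit quoted in the post
    scores = per_function_complexity(src)
    return [(n, c, c > threshold) for n, c in sorted(scores.items(), key=lambda kv: -kv[1])]

if __name__ == "__main__": print(audit_order(SAMPLE_C, threshold=5))
```

The demo run uses a threshold of 5 only because the constructed sample is tiny; summing the per-function scores gives the kind of whole-tree total that a project summary reports.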