Re: [SQU] Code audit? (long post)

From: Alex Rousskov <rousskov@dont-contact.us>
Date: Wed, 25 Oct 2000 10:53:21 -0600 (MDT)

On Wed, 25 Oct 2000, Pete Philips wrote:

> I was wondering if there has ever been a security code audit
> performed on Squid to guard against potential exploits such
> as buffer overflows, string format vulnerabilities etc?

I do not think that there was a formal security code audit.
 
> I'm no expert in code security but a quick grep of the
> 2.4.DEVEL4 code base reveals:
>
> % pwd
> /tmp/squid-2.4.DEVEL4
> % find . -name "*.c" -exec egrep strcat\|strcpy {} \; | wc
> 161 416 5101
>
> As I said, I'm not an expert, so I ran ITS4 (the C code
> auditor from http://www.cigital.com/its4 ) on the src
> directory:
>
> % pwd
> /tmp/squid-2.4.DEVEL4/src
> % its4 *.c
>
> The (rather long) output is included at the end of this mail.
>
> I'd be interested to hear people's feedback.

I am not familiar with its4, but it looks like it is using an approach
that is similar to your "find ./ -name "*.c" -exec egrep strcat",
except some C language constructs are also recognized. In most cases
such a search will show wrong warnings for Squid. For example, there
is nothing wrong with the code that uses strcat or strcpy if
boundaries are checked first. Also, many warnings are printed for
external programs that are not a part of the Squid daemon (e.g. cache
manager).

tmf> find apache_1.3.3/src -name "*.c" -exec egrep strcat\|strcpy {} \; | wc -l
     330

tmf> find polygraph-2.6/src -name "*.cc" -exec egrep strcat\|strcpy {} \; | wc -l
       2

I bet similar results will be reported by its4.

While Polygraph code is "larger" than Apache's, the "find strcat"
approach shows that Polygraph is much more secure just because
Polygraph does not use strcat a lot. I am sure that Apache is much
more secure than Polygraph (I would not be surprised if Apache had a
few security audits in the past).

AFAIK, there are no known security exploits in the recent Squid code.
Squid developers fix whatever security holes they are informed of.
However, there are probably some holes left unnoticed. If you would
like to organize a formal security code audit, I bet every developer
would thank you for doing that.

$0.02,

Alex.
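As an added illustration of the point Alex makes above (not code from the thread or from Squid), the following C program shows why a lexical scan for strcpy/strcat says little about safety. It contains a strcpy() call that is guarded by a length check, plus a small counter that does what "egrep strcpy" or a pattern-based scanner does: it counts call sites of the name without looking at the surrounding checks. The sample_source string is constructed for the example; the function names and the 8-byte buffer size are arbitrary choices.

```c
#include <stdio.h>
#include <string.h>

/* Bounds-checked strcpy: refuses copies that would not fit, so the
   strcpy() call itself can never overflow dst. Returns 0 on success,
   -1 if src (plus its terminator) is too long for dst. */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0 || strlen(src) >= dst_size)
        return -1;
    strcpy(dst, src); /* safe: length verified above, yet a grep still flags it */
    return 0;
}

/* Try to copy src into a small fixed-size buffer (8 bytes, an arbitrary
   size for this example); returns copy_checked's result. */
int try_copy_into_small_buffer(const char *src)
{
    char buf[8];
    return copy_checked(buf, sizeof buf, src);
}

/* Count call sites of a function name in source text, i.e. occurrences
   of "name(". This is the lexical test that "egrep strcpy" or a
   pattern-based scanner performs; it cannot see whether a check
   precedes the call, so checked and unchecked calls count the same. */
int count_calls(const char *source, const char *name)
{
    int n = 0;
    size_t len = strlen(name);
    const char *p = source;

    while ((p = strstr(p, name)) != NULL) {
        if (p[len] == '(')
            n++;
        p += len;
    }
    return n;
}

/* Constructed sample source (not from Squid): one unchecked copy and one
   copy guarded by a length check. Both contain the token "strcpy(". */
static const char sample_source[] =
    "void a(char *d, const char *s) { strcpy(d, s); }\n"
    "void b(char *d, size_t n, const char *s) {\n"
    "    if (strlen(s) < n) strcpy(d, s);\n"
    "}\n";

int main(void)
{
    printf("strcpy call sites in sample: %d\n",
           count_calls(sample_source, "strcpy"));
    printf("strcat call sites in sample: %d\n",
           count_calls(sample_source, "strcat"));
    printf("copy \"hello\" into 8 bytes: %d\n",
           try_copy_into_small_buffer("hello"));
    printf("copy a 19-byte string into 8 bytes: %d\n",
           try_copy_into_small_buffer("definitely too long"));
    return 0;
}
```

The counter reports two strcpy call sites in the sample, although only the first one is unguarded; a reviewer has to read the lines before each call to tell them apart, which is the work a grep or ITS4-style report leaves undone.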

Received on Wed Oct 25 2000 - 10:56:31 MDT