Conversation
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Wednesday, 22-May-2024 14:16:19 JST
@ariadne Also things like improving static analyzers, it's nice to have the C and security knowledge, but applying it over thousands of lines of code doesn't really work (plus software is pretty good at not missing/forgetting things, especially over multiple branches).
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Wednesday, 22-May-2024 20:58:31 JST
@kornel Nah, flawfinder for example is nicely exhaustive (CWE-wise), but lacks the ability to check context/branches like LLVM/Clang's analyzer (which is comparatively incomplete) does, which makes flawfinder too prone to what would be a false positive in other software.
Kornel (kornel@mastodon.social)'s status on Wednesday, 22-May-2024 20:58:32 JST
@lanodan C needs new type system extensions or annotations to improve static analysis further.
Current tools hit dead-ends due to problems like pointer aliasing, mutable `const`, and lack of information about thread safety.
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Wednesday, 22-May-2024 22:23:12 JST
@kornel flawfinder matches on function names, but not only.
For example, if you pass any kind of variable as the formatting argument to the printf family of functions, it's going to trigger, because users able to pass an arbitrary string can end up being a flaw.
Meanwhile a much more useful static analyzer would check if a buffer ends up set to said variable.
Similarly, checks against known TOCTOU flaws can be done much better with flow checks than by labelling some functions as footguns.
And while I guess something like flawfinder, which is eager to label footguns, can be useful for audits, it's way too noisy as a regular tool.
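As an added illustration of the printf point above (example code, not from anyone in the thread): `greet` passes a non-literal format that a name-based matcher flags even though its only possible value is a fixed string, while `echo_safe` is the form untrusted text should take, with the user string as data rather than format. The function and constant names are mine.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example. A name-based checker reports any printf-family call
 * whose format argument is a variable; a flow-aware check would instead ask
 * what values that variable can actually carry. */

/* Case 1: non-literal format, but the program controls it. `fmt` can only
 * ever hold kGreeting, so this is the kind of report flawfinder raises that
 * a flow-sensitive analyzer would recognise as benign. */
static const char *const kGreeting = "hello, %s\n";

int greet(char *out, size_t n, const char *name)
{
    const char *fmt = kGreeting;          /* flagged by name matching, harmless */
    return snprintf(out, n, fmt, name);
}

/* Case 2: the form a flow check is really looking for, shown only as a
 * comment so this file compiles cleanly:
 *
 *     snprintf(out, n, user);   // user-controlled string used as the format
 *
 * Here any '%' directives in `user` are interpreted, which is the flaw. */

/* Case 3: hardened form. `user` is passed as data, so '%' sequences in it
 * are copied literally and never interpreted. Returns the number of
 * characters that would have been written, as snprintf does. */
int echo_safe(char *out, size_t n, const char *user)
{
    return snprintf(out, n, "%s", user);
}

int main(void)
{
    char buf[64];
    greet(buf, sizeof buf, "world");
    fputs(buf, stdout);                   /* hello, world */
    echo_safe(buf, sizeof buf, "progress: 100% %s done");
    puts(buf);                            /* printed verbatim, directives untouched */
    return 0;
}
```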
Kornel (kornel@mastodon.social)'s status on Wednesday, 22-May-2024 22:23:13 JST
@lanodan Well yeah, these are the reasons why you have checkers with false positives and mostly only basic local reasoning.
From what I see, flawfinder is pattern matching well-known footguns by function name, rather than understanding these kinds of bugs semantically.
It can of course still be super useful given how common these footguns are, but it's not analyzing C deeply. Clang analyzer does a lot of sophisticated analysis, but it is limited by the flexibility/vagueness of C's semantics.
Kornel (kornel@mastodon.social)'s status on Wednesday, 22-May-2024 22:23:13 JST
@lanodan For example, it can't tell you "hey, you need a mutex here".
Rust can, during normal compilation, not even as a separate analyzer. And not only in function-local obvious patterns, but across many levels of indirection, even callbacks spanning third-party libraries. And it's not approximating it, but guarantees it won't miss a case.