Format String Vulnerability Study at Auburn University

Science of Security SSE at auburn.edu
Tue Jul 17 09:42:42 PDT 2012


Dear Sir/Madam,
We are two graduate students from Auburn University, working with Professor Munawar Hafiz.  We are working on an empirical study project to understand the software engineering practices that go in companies that produce secure software; in particular, we are concentrating on how developers write code to prevent buffer overflow and integer overflow vulnerabilities. We are interested in the software development process: how you develop software, how you test and analyze programs to detect vulnerabilities, and what processes you follow to remove bugs. In particular, we are interested about automated tools that software developers use. We are expecting that there is a common insight in the security engineering process that can be reusable.
We request your assistance by participating in this research study.  We would greatly appreciate it if you would share with us your experience by answering the questions at the end of this email. Please send the answers to SSE at auburn.edu
You can reply back with the answers, or send a text/doc/pdf attachment. We may send some follow up questions based on your response in future. Your response(s) will be kept confidential, and will only be aggregated with those of other reporters. Please let us know if you have any questions/concerns regarding the study.
Thanks in advance for your support.
X. Li and Y. Rawajfih
Software Analysis, Transformations and Security Group
Auburn University

Working under the supervision of:
Dr. Munawar Hafiz
Assistant Professor
Dept. of Computer Science and Software Engineering
Auburn University
Auburn, AL
http://munawarhafiz.com/








Questions:
 (There are twelve questions.)
There was a vulnerability reported in SecurityFocus vulnerability list: [BID: 53150]: “X.Org Input Device Format String Vulnerability ”.
For questions 3-10, please try to refer to the development practices before the vulnerability was reported? Also, please refer to any changes in the corresponding practices as a result of the reported vulnerability.
1. How long have you been a software developer? How long have you been affiliated with this software?

2. What is the size of the current code base?

3. Do you follow a coding standard? Is it a standard determined by your group?

4. What do you do manage and correct bugs in your software?

5. Do you use any automated tools to detect buffer overflow or integer overflow or any other bugs? Describe the tools. Are these static or dynamic analysis tools?

6. Do you use fuzzing? Which tools do you use?

7. Do you have a test suite? Unit Tests? What about regression tests?

8. Do you have a beta testing or alpha testing phase? How many people (approximately) were involved?

9. Buffer overflows often result from the use of unsafe function, such as strcpy. Do your software use those? Which string library do you use?

10. Did you use any compiler options to detect integer overflow vulnerabilities?

11. Did you have specific phases during development when you concentrated on fixing security issues?

12. Were you part of the original development team? How big was the core team? How big is it now?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.x.org/archives/xorg-devel/attachments/20120717/0bac09de/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: InformationLetter.pdf
Type: application/pdf
Size: 786659 bytes
Desc: InformationLetter.pdf
URL: <http://lists.x.org/archives/xorg-devel/attachments/20120717/0bac09de/attachment-0001.pdf>


More information about the xorg-devel mailing list