Science of Security
2012-Jul-17 16:39 UTC
[Nut-upsdev] Buffer Overflow Vulnerability Study at Auburn University
Dear Sir/Madam,

We are two graduate students from Auburn University, working with Professor Munawar Hafiz. We are working on an empirical study project to understand the software engineering practices that go on in companies that produce secure software; in particular, we are concentrating on how developers write code to prevent buffer overflow and integer overflow vulnerabilities. We are interested in the software development process: how you develop software, how you test and analyze programs to detect vulnerabilities, and what processes you follow to remove bugs. In particular, we are interested in the automated tools that software developers use. We are expecting that there is a common insight in the security engineering process that can be reusable.

We request your assistance by participating in this research study. We would greatly appreciate it if you would share with us your experience by answering the questions at the end of this email. Please send the answers to SSE at auburn.edu. You can reply back with the answers, or send a text/doc/pdf attachment. We may send some follow-up questions based on your response in future. Your response(s) will be kept confidential, and will only be aggregated with those of other reporters.

Please let us know if you have any questions/concerns regarding the study. Thanks in advance for your support.

X. Li and Y. Rawajfih
Software Analysis, Transformations and Security Group
Auburn University

Working under the supervision of:
Dr. Munawar Hafiz
Assistant Professor
Dept. of Computer Science and Software Engineering
Auburn University
Auburn, AL
http://munawarhafiz.com/

Questions: (There are twelve questions.)

There was a vulnerability reported in the SecurityFocus vulnerability list: [BID: 53743]: "Network UPS Tools (NUT) 'addchar()' Function Buffer Overflow Vulnerability". For questions 3-10, please try to refer to the development practices before the vulnerability was reported. Also, please refer to any changes in the corresponding practices as a result of the reported vulnerability.

1. How long have you been a software developer? How long have you been affiliated with this software?
2. What is the size of the current code base?
3. Do you follow a coding standard? Is it a standard determined by your group?
4. What do you do to manage and correct bugs in your software?
5. Do you use any automated tools to detect buffer overflow or integer overflow or any other bugs? Describe the tools. Are these static or dynamic analysis tools?
6. Do you use fuzzing? Which tools do you use?
7. Do you have a test suite? Unit tests? What about regression tests?
8. Do you have a beta testing or alpha testing phase? How many people (approximately) were involved?
9. Buffer overflows often result from the use of unsafe functions, such as strcpy. Does your software use those? Which string library do you use?
10. Did you use any compiler options to detect integer overflow vulnerabilities?
11. Did you have specific phases during development when you concentrated on fixing security issues?
12. Were you part of the original development team? How big was the core team? How big is it now?