Hi,

A few people have asked about work they can do on OpenSSH that stands the chance of winning them a bug bounty from Google's program to reward open source security[1].

Some big things that we are missing relate to our test suite. Right now we don't have any automated way to run valgrind or AddressSanitizer and get good coverage. Some of the developers do this manually, and we do have some automatic detection of certain classes of memory faults when the regression suite is run on OpenBSD, but we really want more tools looking at the code with better coverage and on more platforms.

So, if you want a project to work on you could:

1) Make a test suite (or modify our regression test suite) that runs the OpenSSH tools under valgrind, with good code/feature coverage and produces a useful summary report for each tool.

2) Same for AddressSanitizer.

3) Port AddressSanitizer to OpenBSD so we can add it to the regress suite there. While this isn't OpenSSH directly, LLVM is now covered[2] by the bug bounty program and I'd be happy to make a statement of how this work has contributed to OpenSSH's security :)

IMO any of these would make quite a difference to our proactive efforts to find bugs, particularly in the portable version.

-d

[1] http://googleonlinesecurity.blogspot.com.au/2013/10/going-beyond-vulnerability-rewards.html
[2] http://googleonlinesecurity.blogspot.com.au/2013/11/even-more-patch-rewards.html
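Added example, not code from the OpenSSH project or from the message above: a POSIX shell sketch of the two harness pieces items 1 and 2 ask for, namely a wrapper that runs a tool under valgrind or an ASan-instrumented build with one log file per process, and a summariser that turns a directory of those logs into a per-tool report. The tool names (ssh, sshd), the log directory layout and the `.vg` suffix are assumptions made for the example; the log line formats it parses are valgrind's `ERROR SUMMARY` / `definitely lost` lines and ASan's `SUMMARY: AddressSanitizer:` line.

```shell
#!/bin/sh
# Added example (hypothetical helper, not OpenSSH's regress code).
# Wrap a tool invocation so every process leaves a memcheck or ASan log
# behind, then summarise a directory of such logs per tool.

# vg_run NAME LOGDIR CMD [ARGS...]
# One log per process (%p) so forked children (e.g. sshd's privsep
# children, followed via --trace-children) each get their own file.
# --error-exitcode is deliberately not set: CMD's own exit status is
# passed through, so the regress test's pass/fail logic is unchanged.
vg_run() {
    name=$1 logdir=$2; shift 2
    mkdir -p "$logdir"
    valgrind --tool=memcheck --leak-check=full --trace-children=yes \
        --log-file="$logdir/$name.%p.vg" "$@"
}

# asan_run NAME LOGDIR CMD [ARGS...]
# For a build compiled with -fsanitize=address: ASan appends ".<pid>" to
# log_path, and only creates the file when it actually reports something.
asan_run() {
    name=$1 logdir=$2; shift 2
    mkdir -p "$logdir"
    ASAN_OPTIONS="${ASAN_OPTIONS:+$ASAN_OPTIONS:}log_path=$logdir/$name" "$@"
}

# vg_summary LOGDIR
# Prints one line per tool: "<tool> errors=<n> definitely_lost=<bytes>",
# summed over all of that tool's processes. A log without an ERROR SUMMARY
# line (process killed before exit) counts as 0 rather than breaking the run.
vg_summary() {
    for f in "$1"/*.vg; do
        [ -f "$f" ] || continue
        tool=${f##*/}; tool=${tool%%.*}          # "sshd.202.vg" -> "sshd"
        # "==PID== ERROR SUMMARY: N errors from M contexts (suppressed: ...)"
        errs=$(sed -n 's/^==[0-9]*== ERROR SUMMARY: \([0-9]*\) errors.*/\1/p' "$f")
        # "==PID==    definitely lost: 1,024 bytes in 3 blocks" (note the comma)
        lost=$(sed -n 's/^==[0-9]*== *definitely lost: \([0-9,]*\) bytes.*/\1/p' "$f" | tr -d ,)
        printf '%s %s %s\n' "$tool" "${errs:-0}" "${lost:-0}"
    done | awk '{ e[$1] += $2; l[$1] += $3 }
        END { for (t in e) printf "%s errors=%d definitely_lost=%d\n", t, e[t], l[t] }' |
        LC_ALL=C sort
}

# asan_summary LOGDIR
# Prints one line per tool and bug class: "<tool> <class> <count>".
# Leak reports have no class word ("SUMMARY: AddressSanitizer: 16 byte(s)
# leaked ..."), so a numeric class is renamed "leak".
asan_summary() {
    for f in "$1"/*; do
        case $f in *.vg) continue ;; esac          # skip valgrind logs
        [ -f "$f" ] || continue
        tool=${f##*/}; tool=${tool%%.*}
        # "SUMMARY: AddressSanitizer: heap-buffer-overflow file.c:42 in func"
        sed -n 's/^SUMMARY: AddressSanitizer: \([^ ]*\).*/\1/p' "$f" |
            sed 's/^[0-9][0-9]*$/leak/' | sed "s/^/$tool /"
    done | LC_ALL=C sort | uniq -c | awk '{ printf "%s %s %d\n", $2, $3, $1 }'
}
```

Usage, from a test script: `vg_run ssh /tmp/vglogs ssh -V` (or `asan_run sshd /tmp/asanlogs ./sshd -t -f sshd_config` against an instrumented build) for each invocation the regress suite makes, then `vg_summary /tmp/vglogs` and `asan_summary /tmp/asanlogs` at the end. The summaries are keyed on the name passed to the wrapper, not on the binary, so the same report works whether the suite runs an installed tool or a build-tree one.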