Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20190615205947.56f2315d@computer>
Date: Sat, 15 Jun 2019 20:59:47 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: Thousands of vulnerabilities, almost no CVEs:
 OSS-Fuzz

Hi Alex,

I think what you're describing has been going on for a while, even
before oss-fuzz.
A combination of compiler sanitizers and better fuzzing techniques has
scaled up bug finding and fixing to a level we haven't had before.

For distributions that promise to backport all security fixes that
creates a situation where it's almost impossible to keep that promise,
they just don't have the manpower to scale up at the same speed as
people find bugs.
Maybe the main takeaway here is to just recognize that, and maybe
distros should be more honest here and be clear what they can and can't
do. And if you run a parser in a high risk environment you may not want
to rely on the outdated version shipping in some LTS distribution.


But I also think it's good to keep some perspective of the bugs we're
talking about.
Many of the bugs oss-fuzz finds are of bug classes where it's quite
unlikely that they directly lead to a security issue (e.g. out of
bounds memory reads - which asan controversially calls "overflows").
Even for the scarier looking vulns like write buffer overflows and use
after free the situation is that these are usually not straightforward
to exploit. All modern distributions have a combination of stack
canaries, ASLR and nonexecutable memory. It's my understanding that
while it's often possible to bypass those, doing so in non-scripting
scenarios (e.g. in an image parser) is really hard and often impossible.

I guess therefore it's still an overall win. While there's a number of
bugs unfixed with public information, in the long term we'll get more
robust code and the number of bugs present should be in steep decline.


-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.