>Nevertheless, with Red Hat having invested so much into SELinux is there also >considerable thought put into developing a Coverity-like project to get to those >lingering security threats first? I periodically go through open source code with FlexeLint. It finds the same bugs that Coverity does, but also provides many false positives. So, going from the report to fixing bugs is a fair amount of work. I have also experimented with smatch. It seemed to be on the right track, but is a patch to a now ancient compiler. I think if open source wanted a Coverity-like tool, this project should be revived. At the moment, I think the tack taken is to improve gcc's reporting of bugs. Very few programs do: -Wall -W -Wformat-string -Wfloating-point. When looking for bugs, I try to increase the output from gcc since it does a decent job of finding some of the same bugs Coverity does. They just hide as signed-unsigned comparisons. Also note that gcc has be improved by adding a propolice-like extension that many programs are compiled with; relro has been added to most network facing or setuid programs (as well as PIE flags); and Fortify Source has been improved by extending it to many other functions. In my opinion, these enhancements help the overall security of Fedora/RHEL beyond just what SE Linux does. I don't think we should be complacent either, but its not as dire as it was 2 years ago when I was doing many code audits and finding real problems. (I also plan to start a new round of audits in a month or two when some of the LSPP tasks are finally whipped.) Have you tried out smatch? The project seems dead, but probably the best starting point. -Steve __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
