David A. Wheeler's Blog

Mon, 01 Feb 2016

Using open source software to help technology transition of research

If you’re doing software research and development (especially on how to improve computer security), and are thinking about using an open source software (OSS) approach but don’t know a lot about it, here’s something that may help: Using an Open Source Software Approach for Cybersecurity Technology Transition (IDA paper P-5279, aka the “PI guide”). If you’re an old hand at developing Free/ libre/ open source software (FLOSS or OSS), you probably know most of this information. However, I’ve found that a lot of people could use a hand. Here’s that helping hand.

path: /oss | Current Weblog | permanent link to this entry

Address Sanitizer on an entire Linux distribution!

Big news in computer security: Hanno Boeck has recently managed to get Address Sanitizer running on an entire Linux distribution (Gentoo) as an experimental edition. For those who don’t know, Address Sanitizer is an amazing compile-time option that detects a huge range of memory errors in memory-unsafe languages (in particular C and C++). These kinds of errors often lead to disastrous security vulnerabilities, such as Heartbleed.

This kind of distribution option is absolutely not for everyone. Address Sanitizer on average increases processing time by about 73%, and memory usage by 340%. What’s more, this work is currently very experimental, and you have to disable some other security mechanisms to make it work. That said, this effort has already borne a lot of valuable fruit. Turning on these mechanisms across an entire Linux distribution has revealed a large number of memory errors that are getting fixed. I can easily imagine this being directly useful in the future, too. Computers are very fast and have lots of memory, even when compared to computers of just a few years earlier. There are definitely situations where it’s okay to effectively halve performance and reduce useful memory, and in exchange, significantly increase the system’s resistance to novel attack. My congrats!!

path: /security | Current Weblog | permanent link to this entry