Open source apps get DHS fix-up
- By Joab Jackson
- Jan 10, 2008
Eleven open source programs have passed a major milestone in a vulnerability remediation program funded by the Homeland Security Department.
Under DHS' Open Source Code Hardening Project, widely used open source programs are scanned for bugs and potential vulnerabilities. The results are then given to the volunteer developers who maintain these programs. The applications whose flagged defects have been fixed are being moved to the next level of testing. They are:
- Amanda, a backup and recovery program
- Network Time Protocol, a protocol for synchronizing time over the Internet
- OpenPAM, a set of pluggable authentication modules
- OpenVPN, virtual private networking software
- Overdose, an instant messaging client
- Perl, a programming language
- PHP, Web programming language
- Postfix, an e-mail administration program
- Python, a scripting language
- Samba, network file sharing software for Microsoft Windows networks
- TCL, a scripting language
San Francisco-based Coverity completed the scans using a Web-hosted version of its commercial static analysis software, called Prevent. Each night, Coverity retrieved the latest version of each program's code base and scanned it, then posted the results. Developers could log in and examine the potential bugs.
Static analysis, usually done when the program is compiled, differs from conventional testing in that the approach looks for vulnerabilities in the code itself, and then "figures out whether there is any way to reach this line of code with [a range of] variables and paths," said David Maxwell, open source strategist for Coverity.
For the first rounds of testing, Coverity looked for 12 types of defects, such as "dead code" (portions of the code unreachable by normal execution) and resource leaks (memory allocated but no longer used by the program).
Although Coverity is actively scanning more than 40 open source programs, only the 11 programs listed above have corrected all the bugs found in the latest round of testing.
Each of these programs will move to Coverity's "Rung 2" level of scanning, which uses a newer version of Prevent. This new version, version 3, will feature a new set of vulnerability tests, a new graphical environment, additional checks to reduce false positives and better categorization tools.
Eventually, Rung 2 will also offer a new type of scan, called a Boolean Satisfiability Test.
"Instead of just doing data flow analysis, it does value-based analysis. It looks at all the conditions required to reach certain parts of the code and sees whether they are satisfiable or not," Maxwell said.
Maxwell noted that this particular test will not be available immediately, as most of the developers are not quite ready to work with the new crop of vulnerabilities it might expose.
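The difference Maxwell describes between plain data flow analysis and value-based path analysis can be shown with a toy checker. The following is an added illustration, not Coverity's Prevent or any of the scanned projects' code: each target line is modelled as the list of integer comparisons that must all hold to reach it, the checker intersects the resulting intervals per variable, and an empty interval means no input can ever satisfy the path, so the line is dead code. It assumes every condition compares one variable with a constant; relations between variables would need a real constraint solver.

```python
"""Toy path-feasibility checker (constructed example, not a real analyzer).

A path is a list of (variable, operator, constant) conditions that must all
be true to reach a target line. Intersecting the integer intervals they
imply, per variable, tells us whether any concrete input reaches that line.
"""
from typing import Dict, List, Tuple

INF = float("inf")
Condition = Tuple[str, str, int]
Interval = Tuple[float, float]


def narrow(lo: float, hi: float, op: str, c: int) -> Interval:
    """Narrow the integer interval [lo, hi] by the constraint `var op c`."""
    if op == "<":
        hi = min(hi, c - 1)
    elif op == "<=":
        hi = min(hi, c)
    elif op == ">":
        lo = max(lo, c + 1)
    elif op == ">=":
        lo = max(lo, c)
    elif op == "==":
        lo, hi = max(lo, c), min(hi, c)
    else:
        raise ValueError(f"unsupported operator {op!r}")
    return lo, hi


def path_feasible(conditions: List[Condition]) -> Tuple[bool, Dict[str, Interval]]:
    """Return (satisfiable?, per-variable ranges) for one path's conditions."""
    ranges: Dict[str, Interval] = {}
    for var, op, c in conditions:
        lo, hi = narrow(*ranges.get(var, (-INF, INF)), op, c)
        ranges[var] = (lo, hi)
        if lo > hi:            # empty interval: no value of `var` fits
            return False, ranges
    return True, ranges


def find_dead_code(paths: Dict[int, List[Condition]]) -> List[int]:
    """Return the target lines that no input can reach."""
    return sorted(line for line, conds in paths.items()
                  if not path_feasible(conds)[0])


# Constructed program, written as conditions guarding three target lines:
#   if (len > 0) { if (len < 0) { <line 12> }  <line 14> }
#   if (mode == 2 && mode >= 3) { <line 20> }
SAMPLE_PATHS: Dict[int, List[Condition]] = {
    12: [("len", ">", 0), ("len", "<", 0)],
    14: [("len", ">", 0)],
    20: [("mode", "==", 2), ("mode", ">=", 3)],
}

if __name__ == "__main__":
    print("dead lines:", find_dead_code(SAMPLE_PATHS))  # dead lines: [12, 20]
```

A pure data flow pass would see `len` and `mode` flowing into all three branches and report nothing; only reasoning about the values the conditions permit shows that lines 12 and 20 can never execute.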
The scanning is one part of the $1.2 million, three-year DHS program, which Coverity is carrying out along with Stanford University, which looks for new ways to analyze software for defects, and Symantec Corp., which provides feedback on the success of the vulnerability analysis.
Joab Jackson is the senior technology editor for Government Computer News.