Looking for strcpy() and sprintf() is near to worthless for security auditing of software other than simple programs, written by beginners -- I have a lot of strcpy() in my programs, and there were only two cases of buffer overflows, both didn't involve either, and were caused by sloppy manipulations with pointers on my part with no "help" from libc whatsoever. There would be no way in hell finding them in the binary except by "human-assisted decompilation" of large piece of code or "brute-force" feeding all kinds of weird input (not just long strings -- in those cases simple long string wouldn't do anything). This gives cracker an advantage -- whoever by some accident, patience or extreme curiosity about an unremarkable piece of binary code would find a bug first, would know it, and would know that it's unlikely that many people know it -- after that if that person would want to fix it, he wiould notify author, author would fix it and done with it (in the case when author would actually listen), but if instead that person would exploit the overflow, even on the large scale, it would be very hard to identify unless with another large amount of luck. With Open Source cracker has no such advantage -- a piece of code that manipulates pointers in some unobvious manner is likely to attract attention very soon, so even if cracker will find an exploit soon, he won't have much time to use it. And since most of people who mess with sources of open source software are not crackers, it's more likely that the first person who will find a bug will fix it, making it worthless for crackers.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/19/1421#1421