[netCDF #BDF-181549]: security vulnerability checking



Hi Robert,

We have made internal checks for buffer overflows in the netCDF
C library, using our extensive test suite and tools such as
Electric Fence, dbx "check access" tools, and the libumem library
on Solaris.  Most tools that are good for finding memory leaks
can also check for buffer overflows and other memory access violations
that can be exploited.

We don't believe there are remaining buffer overflows in our code, but
would like better tools for detecting these and other security
problems.

NOAA has a license for a commercial tool that scans C, C++, and Java
code for possible security problems.  They have run this on netCDF,
but so far won't share the results with us.  The tool costs about
$15k, and we couldn't justify purchasing it without knowing whether
it could find any actual problems.

Our latest approach has been to request a scan of our code from
Coverity

  http://scan.coverity.com/about.html

who donates analysis of Open Source projects to the developers to help
improve the security of Open Source software.  We initially requested
a scan in January 2008, but got no response, so I have just requested
analysis of a smaller subset of our software by Coverity.  You might
try the same approach after reading the FAQ on the web site above.

--Russ

Russ Rew                                         UCAR Unidata Program
russ@xxxxxxxxxxxxxxxx                     http://www.unidata.ucar.edu



Ticket Details
===================
Ticket ID: BDF-181549
Department: Support netCDF
Priority: Normal
Status: Closed

