Happy Auditing

Contributed by jose on 2002-12-13 from the many-trained-eyes-make-robust-code dept.

"Another semester over here, and this time something remotely useful came of it. As part of an independant study I put together a short paper on practical auditing for security vulnerabilities. It's not entirely polished and I'd like to add more binary auditing examples, but it can be found at
http://www.daemonkitty.net/lurene/papers/Audit.pdf
Comments, corrections, etc are always welcome."

Lurene's paper is pretty cool, I looked at some early drafts. I think that people who are interested in getting into auditing are going to want to look at this and add it to their library.

(Comments are closed)

Comments

By Christopher M. Paul () chris.paul@teamrci.com on 2002-12-13 05:30 http://www.teamrci.com

It's like this. ONe night you set up your own PF firewall (took this novice about an hour - frikin thing is rock frikin solid ever since).

Then college students are helping your consulting business with its chances for 2003.

I LOVE THIS OS!!!

I just want to cover my office with fishy posters

Anyone ever hear the band from new orleans, the Radiators?
Comments
1. By W () on 2002-12-13 09:07
  
  Me too! Let's start a club!
2. By W () on 2002-12-13 10:44
  
  Me too! Let's start a club!
3. By metoo () on 2002-12-16 22:07
  
  metoo!!11
By zil0g () on 2002-12-13 06:43

Yeah, good work on the paper, it's nice to have "the errors of our ways" all sumoned up in one place, now I want more of it, more details, more examples, more quotable material like "... Any usage of gets should be an immediate clue that our program is vulnerable, not only at that point, but probably many others. It should be quickly replaced with a sane buffered and checked input loop, or exploited, depending on your purpose."
hahaha :)
By Anonymous Coward () on 2002-12-13 06:46

section 4: Heap Overflows and Free Bugs. There's a few grammar problems with the first sentence.
Comments
1. By Rob Sessink () rob_ses@web.de on 2002-12-13 07:55 mailto:rob_ses@web.de
  
  Yeah so, mail the writer don't complain here
  Comments
  1. By Anonymous Coward () on 2002-12-13 21:08
    
    "Comments, corrections, etc are always welcome."
    
    Guess what? Considering you can reply(post comments) to the story makes this forum more than appropriate to make "comments", and suggest "corrections".
2. By Anonymous Coward () on 2002-12-13 08:01
  
  There's a few grammar problems with the first sentence.
  
  There are a few grammar problems in the first sentence.
  
  Dumbass.
  Comments
  1. By W () on 2002-12-13 09:06
    
    HEH HEH HEH HEH HEH. :-)
    
    It's always funny when someone who badmouths others grammar have bad grammar themselfes. And english is my second language, so I get these kinds of remarks all the time.
    
    Comments
    
    By Anonymous Coward () on 2002-12-13 15:49
    
    THEMSELVES!
    
    By Anonymous Coward () on 2002-12-13 21:33
    
    Don't believe everything you read. :)
  2. By Anonymous Coward () on 2002-12-13 21:31
    
    You've failed, miserably.
    
    I'm incorrect according to your environment? How about according to the Oxford dictionary? :)
    
    "is" and "are" have the same meaning.
    Dumbass.
    
    "in" and "with" are both prepositions with similar meanings. Which makes either words appropriate in their use.
    Dumbass.
    
    Last, and of most importance. You've commited the commonly known informal fallacy of 'ad hominem' abusive. You've ignored my statement, and have verbally abused me. Doing so does not prove my statement invalid.
    
    Stating that there is no grammar problems with the paper would have been of more use than trying to attack the person making the statement.
    
    Hopefully, you're bird brain will lead you in the right direction instead of backwards, next time.
    
    Comments
    
    By jolan () on 2002-12-14 02:51
    
    Hopefully, you're bird brain will lead you in the right direction instead of backwards, next time.
    
    Don't you mean "your bird brain"?
    
    Dumbass.
    
    By Anonymous Coward () on 2002-12-14 07:21
    
    I feel no pain when I deflate the obviously engorged ego of such cretins as yourself. In other words-- I don't feel a damned bit of guilt for what I'm about to do, largely because you suffer from some sort of severe mental deficiency.
    
    Let's begin, shall we?
    
    "Is" and "are" are both conjugations of the verb "be". "Is" is the third person singular present indicative form of "be". "Are" is the second person singular and plural and first and third person plural present indicative form of "be". The two words are derived from the same verb, but serve very different purposes.
    
    As the two words refer to different quantities of objects (since, in this case, we are concerned solely with the issue of singular vs. plural, rather than the considerably more tricky issue of first vs. second vs. third person), the words are grammatically distinct.
    
    A failure to properly recognize the quantity of objects being referred to by the verb (in this case, mistakes) indicates an incomplete mastery of English grammar.
    
    Dumbass.
    
    Your obviously unresearched statement that "in" and "with" have similar meanings is laughable. Both "in" and "with" have multiple definitions, leading to a variety of potential uses for both words. However, the words are by no means completely interchangeable.
    
    The first definition of the word "in" is "within the limits, bounds, or area of". The mistakes which we previously discussed were clearly contained within the bounds of the first sentence of the fourth section of the linked paper.
    
    Let us, for the sake of contrast, examine the use of the word "with" in the same context. The word "with" generally indicates a distinction between subject and object of the sentence. This can be clearly seen in the common usages of the word "with" (for instance: "accompanying", "next to", or "alongside of").
    
    Dumb bitch.
    
    I'd also like to take the chance to point out that our motivations are similar. You were attempting to improve the grammar of Ms. Lurene Grenier, perhaps hoping that improved grammar on her part would result in greater acceptance of her ideas. I attempted to improve the grammar of an anonymous coward, hoping that improved grammar on his (or her) part would result in greater acceptance of his (or her) ideas.
    
    Calling you a dumbass was simply my way of bringing to your attention the fact that you are woefully lacking in credentials as a grammar instructor. Even your response to my original comment is positively *riddled* with grammatical errors. I am unimpressed with your moral outrage, and I haven't the patience, time, or masochistic tendencies required to correct the errors in the comment to which I am currently responding.
    
    If you wish to learn more about grammar, I suggest taking an American seventh grade English class. Such courses usually lay a strong foundation of grammar skills upon which you may build an understanding of my criticisms.
    
    Cretinous dumbass.
    
    Comments
    
    By Libby () on 2002-12-14 15:58
    
    One note - not all 7th grade grammar classes excel at bringing their students to an appropriate level of Enlish competency. This leads to people like myself and my good friend Lurene who can't use grammar, to use the colloquialism, "for shit." I am sure our teachers attempted to impart this knowledge, but amidst the chaos of the students the lessons were sorely lacking.
    
    However, the grammatical capabilities, or lack thereof, of Lurene really don't affect the content of her paper, except to anal retentive bastards who think they know everything.
    
    anal retentive cretinous dumbass.
    
    Comments
    
    By Anonymous Coward () on 2002-12-14 18:34
    
    I didn't think that the (few) grammatical errors in Lurene's paper affected the content. The paper was insightful, intelligent, and well-written. I have NOT, at any point, criticized Lurene's paper, largely because I could care less about a few grammatical errors in a paper.
    
    What I *did* take time to criticize were the errors made by the original poster. If such an obviously incapable person feels himself to be skilled enough to dictate grammar to Ms. Grenier, then he should certainly be humble enough to accept similar instruction from a person with a greater mastery of the English language than his.
    
    Maybe calling him a dumbass was out of line. However, being truthful was always more important to me than being polite.
    
    Comments
    
    By Libby () on 2002-12-15 04:15
    
    I didn't mean that *you* are a dumbass, sorry. I meant the original poster was, for implying that the few errors nullified the content of the paper. I completely agree with you. And I am aware that there are gramatical errors in the paper - I even pointed some of them out to lurene. She decided the content was more important to focus on. And I agree. (mostly)
    and yes, calling him a dumbass probably was a little harsh at first... until his second post.
    
    Comments
    
    By Dr. Spike () on 2002-12-15 22:36
    
    ... and that hits the nail on the head.
    
    If you look about two posts down you'll see a good example of constructive criticism... I just wish more posts were along those lines :-/
    
    I'm just happy that somebody took the time to write this paper, and more happy that they decided to share it with the rest of us. Obviously there will be a few rough edges - this is a draft after all!
  3. By Dr. Spike () on 2002-12-15 22:28
    
    lol
By pixel fairy () yes, sometimes on 2002-12-13 09:59 mailto:yes, sometimes

that logo is really cool!
By W () on 2002-12-14 00:47

Geekgirls are cool.
By pravus () on 2002-12-13 14:52

overall, not bad. a few grammar/spelling mistakes, but that's probably last on the list.

also, the example in 7.1 seems wrong. she writes:

if((fd = open(tmpfile, O_WRONLY)) == NULL)

but this should be

if((fd = open(tmpfile, O_WRONLY)) == -1)

since open returns -1 on error. NULL (typically 0) could be a valid file descriptor. she's probably thinking about fopen() which returns a (FILE *).

all-in-all, not bad. there are definately quite a few helpful tips.
Comments
1. By vincent () vincent at igc ethz ch on 2002-12-14 17:20 mailto:vincent at igc ethz ch
  
  it's spelled
  "definItely"
  
  ;-)
  
  take care,
  v.
By Anonymous Coward () on 2002-12-13 15:24

Not intending to take anything away from the normal day to day news. But this is perhaps one of the most useful stories linked in a long time.
Comments
1. By Anonymous Coward () on 2002-12-13 21:36
  
  Indeed. Something to learn from is always welcome.
By daemonkitty fanboi () on 2002-12-13 18:47

So she posts nude pictures of herself, has pictures of her kissing another extremely cute chick, writes device drivers and contributes to ports for OpenBSD *AND* she writes very decent technical papers on auditing? Lurene, you officially rule.

Please note, that list was not necessarily done in order of importance.
Comments
1. By Anonymous Coward () on 2002-12-14 17:56
  
  I don't get it.
  
  She's a dyke. She's not interested in men. That includes you and me. How could this possibly turn you on?
  Comments
  1. By daemonkitty fanboi () on 2002-12-14 20:15
    
    Just because there's no credible chance that she'd 'm sever fuck me (being a lesbian is entirely aside from that point mind you) doesn't mean I can't appreciate her for being attractive and a talented geek girl. I pity the fact that you only choose to see women as attractive if there's a chance (however remote) of you having sex with them.
    
    Comments
    
    By argol () tom@argol.org on 2002-12-14 22:05 http://www.argol.org
    
    You're Lurene, unfortunately it happens that young males are confused concerning the exact location of their brain ; above or below their belt...
    
    By argol () tom@argol.org on 2002-12-14 22:07 http://www.argol.org
    
    s/You're Lurene/You're right Lurene/
    
    Comments
    
    By daemonkitty fanboi () on 2002-12-15 08:15
    
    I love the fact that you think I'm her. Sorry chief, I'm definitely male.
    
    By Lurene () lurene@daemonkitty.net on 2002-12-15 16:38 http://www.daemonkitty.net/lurene/
    
    Don't worry Tom, he's not me. How 'bout them chocolates? :)
    
    Comments
    
    By argol () tom@argol.org on 2002-12-15 17:40 http://www.argol.org
    
    I'll ship the chocolates tomorrow,
    You'll taste the best chocolates ever (-:
  2. By some guy () on 2002-12-15 20:16
    
    Chicks who dig OpenBSD (or anything *nix related, heck, anything computer-related) are cute. What their sexual preference is, is completely irrelevant.
    And why would it be weird that a guy may get attracted to a lesbian? She won't be interested, indeed, but that's not the point.
    What you're saying is the same as saying it's ridiculous for a (regular) guy to feel attracted to a beautiful photo model, which will almost certainly never show any interest in him either.
    Or do you just have a problem with dykes?
    
    (now let's quit this off-topic crap)
By tase () tanase@alioth.net on 2002-12-13 21:27 mailto:tanase@alioth.net

from now on i'll get an erection everytime i see C.
By Anonymous Coward () on 2002-12-14 01:55

Anyone interested in this sort of thing should probably also check out David Wheeler's Secure
Programming docs. I found it quite comprehensive.
By Anonymous Coward () on 2002-12-14 03:24

http://www.daemonkitty.net/lurene/lurene-pics/dykeheadshot.jpg

hot? are you losers completely demented?
Comments
1. By Anonymous Coward () on 2002-12-14 20:21
  
  Well, they're not as hot as your mom, but this was especially compelling:
  
  http://www.daemonkitty.net/lurene/lurene-pics/beautifulkiss.jpg
2. By Anonymous Coward () on 2002-12-17 16:34
  
  hot? are you losers completely demented?
  
  As a male who likes females, I think they're a couple of cuties and wish them all the happiness they can handle.
  
  You obviously don't know what "hot" is.
  
  I hope you enjoy fucking your fist, because that's all you deserve.

Latest Articles

Thu, Apr 18
- 05:05 Coming soon to a -current system near you: parallel raw IP input (0)
Wed, Apr 17
- 05:33 In -current, default write format for tar(1) changed to "pax" (10)
Wed, Apr 10
- 18:50 OpenSMTPD 7.5.0p0 Released (2)
Tue, Apr 09
- 04:49 20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09) (13)
Fri, Apr 05
- 06:16 OpenBSD 7.5 released (3)
Thu, Mar 28
- 18:18 LibreSSL 3.8.4 and 3.9.1 released (0)
Tue, Mar 12
- 06:53 OpenSSH 9.7/9.7p1 released! (0)
Mon, Mar 11
- 11:28 Game of Trees 0.97 released (0)
Sun, Mar 10
- 09:06 LibreSSL versions 3.8.3 and 3.9.0 released (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]