OpenBSD Journal

Redundant code = security errors?

Contributed by jose on from the error-checking dept.

orcman writes:
"" Slashdot has a blurb about two Stanford researchers, Dawson Engler and Yichen Xie have written a paper (pdf) that looks at redundant code, dead code, etc. which might suggest errors in the kernel (and possibly security holes?) An interesting read, but it raises the question -- how much, if any, redundant code is in the OpenBSD kernel?"
Englar and Xie has written some interesting software analysis tools which they periodically turn loose on OpenBSD, Linux, and other large projects. They find real bugs all the time, but like any analysis engine they also get false positives. This paper (PS) is a comparison of operating system errors broken down by subtypes and reveals some interesting large scale facets about Linux and OpenBSD. Give these papers (and in fact all of their papers in this vein) a good read.

(Comments are closed)

  1. By Chad Loder () on

    It's interesting to note how many different implementations of the DES algorithm OpenBSD has in its source code. Does anyone know how many?

    How about sha1 (it's at least 3 -- the BSD version, the Apache version, and the OpenSSH version. There may be others).

    What are other good examples of stuff that gets duplicated all over the place?

  2. By fansipans () on

    one of the worst things i've encountered/learned in my last two years of full-time programming has to be cut+paste code. in no way should you blindly cut and paste code. try updating it later, try searching for an error and remembering to fix it in 2,3,7 places. i'd have to say duplicated/cut+paste code is one of the top five warning signs of no/horrible system design... which if you're lucky will only result in security issues

  3. By zil0g () on

    Too bad it didn't have more OpenBSD coverage, would have been interesting to see just where the bad code were, was it all in the sysV compat? etc

    it did sound a tad unfair towards OpenBSD tho, to "warn" the Linux hackers at 2.3.99 so they could fix some 100 bugs before comparing it to OBSD 2.8 -- but that's just me of course :-|


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]