* Automated vulnerability detection
@ 2022-11-07 12:28 Stephan Lipp
2022-11-08 12:47 ` Nick Clifton
0 siblings, 1 reply; 3+ messages in thread
From: Stephan Lipp @ 2022-11-07 12:28 UTC (permalink / raw)
To: binutils
Cc: Marcel Böhme, Thorsten Holz, Pretschner, Alexander, Hassler,
Keno, Philipp Görz
Dear all,
Do you use static analysis tools or fuzzers to test Binutils (2.29)?
Together with Dr. Marcel Böhme (MPI-SP), Prof. Thorsten Holz (CISPA),
Prof. Alexander Pretschner (TUM), Keno Hassler, and Philipp Görz (both
also with CISPA), we are currently analyzing the strengths and
weaknesses of automated static and dynamic testing techniques in finding
vulnerabilities.
We are happy to share any insights from our analysis which might be also
helpful to you. Thank you very much in advance!
Best regards,
Stephan
* Re: Automated vulnerability detection
From: Nick Clifton @ 2022-11-08 12:47 UTC (permalink / raw)
To: Stephan Lipp
Cc: Marcel Böhme, Thorsten Holz, Pretschner, Alexander, Hassler,
Keno, Philipp Görz, Binutils
Hi Stephan,
> Do you use static analysis tools or fuzzers to test Binutils (2.29)?
Yes and no. We - the GNU Binutils project - do not use static analysers
or fuzzers directly. But there are quite a few groups out there who do
use these tools to analyse the binutils sources and report problems that
they find. We are always pleased to receive these reports and investigate
the issues that they find.
Aside - I assume that referring to version "2.29" in your email is a typo
and that you meant 2.39. Version 2.29 is quite old now.
> We are happy to share any insights from our analysis which might be also helpful to you. Thank you very much in advance!
If you do find bugs in the binutils sources we are always happy to receive
them. If you can, it really helps us if you are able to file bug reports
via the bug reporting system found here:
https://sourceware.org/bugzilla/enter_bug.cgi?product=binutils
Cheers
Nick
* Re: Automated vulnerability detection
From: Stephan Lipp @ 2022-11-09 11:13 UTC (permalink / raw)
To: Nick Clifton
Cc: Marcel Böhme, Thorsten Holz, Pretschner, Alexander, Hassler,
Keno, Philipp Görz, Binutils
Hi Nick,
Thank you very much for your response!
We are currently using an older version of Binutils to see how well
these tools detect known vulnerabilities (CVEs). Thank you for pointing
us to this reporting system. I think it also makes sense to see what was
reported there for the version we use in our study.
In case we find a new vulnerability, we will of course report it through
your bug tracking system.
Best regards,
Stephan
On 08.11.22 13:47, Nick Clifton wrote:
> Hi Stephan,
>
>> Do you use static analysis tools or fuzzers to test Binutils (2.29)?
>
> Yes and no. We - the GNU Binutils project - do not use static analysers
> or fuzzers directly. But there are quite a few groups out there who do
> use these tools to analyse the binutils sources and report problems that
> they find. We are always pleased to receive these reports and
> investigate
> the issues that they find.
>
> Aside - I assume that referring to version "2.29" in your email is a typo
> and that you meant 2.39. Version 2.29 is quite old now.
>
>
>> We are happy to share any insights from our analysis which might be
>> also helpful to you. Thank you very much in advance!
>
> If you do find bugs in the binutils sources we are always happy to
> receive
> them. If you can, it really helps us if you are able to file bug reports
> via the bug reporting system found here:
>
> https://sourceware.org/bugzilla/enter_bug.cgi?product=binutils
>
> Cheers
> Nick
>