public inbox for binutils@sourceware.org
* Automated vulnerability detection
@ 2022-11-07 12:28 Stephan Lipp
  2022-11-08 12:47 ` Nick Clifton
  0 siblings, 1 reply; 3+ messages in thread
From: Stephan Lipp @ 2022-11-07 12:28 UTC
  To: binutils
  Cc: Marcel Böhme, Thorsten Holz, Pretschner, Alexander, Hassler,
	Keno, Philipp Görz

Dear all,

Do you use static analysis tools or fuzzers to test Binutils (2.29)? 
Together with Dr. Marcel Böhme (MPI-SP), Prof. Thorsten Holz (CISPA), 
Prof. Alexander Pretschner (TUM), Keno Hassler, and Philipp Görz (both 
also with CISPA), we are currently analyzing the strengths and 
weaknesses of automated static and dynamic testing techniques in finding 
vulnerabilities.

We are happy to share any insights from our analysis which might be also 
helpful to you. Thank you very much in advance!

Best regards,
Stephan



* Re: Automated vulnerability detection
  2022-11-07 12:28 Automated vulnerability detection Stephan Lipp
@ 2022-11-08 12:47 ` Nick Clifton
  2022-11-09 11:13   ` Stephan Lipp
  0 siblings, 1 reply; 3+ messages in thread
From: Nick Clifton @ 2022-11-08 12:47 UTC
  To: Stephan Lipp
  Cc: Marcel Böhme, Thorsten Holz, Pretschner, Alexander, Hassler,
	Keno, Philipp Görz, Binutils

Hi Stephan,

> Do you use static analysis tools or fuzzers to test Binutils (2.29)?

Yes and no.  We - the GNU Binutils project - do not use static analysers
or fuzzers directly.  But there are quite a few groups out there who do
use these tools to analyse the binutils sources and report problems that
they find.  We are always pleased to receive these reports and investigate
the issues that they find.

Aside - I assume that referring to version "2.29" in your email is a typo
and that you meant 2.39.  Version 2.29 is quite old now.


> We are happy to share any insights from our analysis which might be also helpful to you. Thank you very much in advance!

If you do find bugs in the binutils sources we are always happy to receive
them.  If you can, it really helps us if you are able to file bug reports
via the bug reporting system found here:

   https://sourceware.org/bugzilla/enter_bug.cgi?product=binutils

Cheers
   Nick



* Re: Automated vulnerability detection
  2022-11-08 12:47 ` Nick Clifton
@ 2022-11-09 11:13   ` Stephan Lipp
  0 siblings, 0 replies; 3+ messages in thread
From: Stephan Lipp @ 2022-11-09 11:13 UTC
  To: Nick Clifton
  Cc: Marcel Böhme, Thorsten Holz, Pretschner, Alexander, Hassler,
	Keno, Philipp Görz, Binutils

Hi Nick,

Thank you very much for your response!

We are currently using an older version of Binutils to see how well 
these tools detect known vulnerabilities (CVEs). Thank you for pointing 
us to this reporting system. I think it also makes sense to see what was 
reported there for the version we use in our study.

In case we find a new vulnerability, we will of course report it through 
your bug tracking system.

Best regards,

Stephan

On 08.11.22 13:47, Nick Clifton wrote:
> Hi Stephan,
>
>> Do you use static analysis tools or fuzzers to test Binutils (2.29)?
>
> Yes and no.  We - the GNU Binutils project - do not use static analysers
> or fuzzers directly.  But there are quite a few groups out there who do
> use these tools to analyse the binutils sources and report problems that
> they find.  We are always pleased to receive these reports and 
> investigate
> the issues that they find.
>
> Aside - I assume that referring to version "2.29" in your email is a typo
> and that you meant 2.39.  Version 2.29 is quite old now.
>
>
>> We are happy to share any insights from our analysis which might be 
>> also helpful to you. Thank you very much in advance!
>
> If you do find bugs in the binutils sources we are always happy to 
> receive
> them.  If you can, it really helps us if you are able to file bug reports
> via the bug reporting system found here:
>
>   https://sourceware.org/bugzilla/enter_bug.cgi?product=binutils
>
> Cheers
>   Nick
>
