Trang web này sẽ có chức năng hạn chế trong khi chúng tôi trải qua bảo trì để cải thiện trải nghiệm của bạn. Nếu một bài viết không giải quyết được vấn đề của bạn và bạn muốn đặt câu hỏi, chúng tôi có cộng đồng hỗ trợ của chúng tôi đang chờ để giúp bạn tại @FirefoxSupport trên Twitter và /r/firefox trên Reddit.

Tìm kiếm hỗ trợ

Tránh các lừa đảo về hỗ trợ. Chúng tôi sẽ không bao giờ yêu cầu bạn gọi hoặc nhắn tin đến số điện thoại hoặc chia sẻ thông tin cá nhân. Vui lòng báo cáo hoạt động đáng ngờ bằng cách sử dụng tùy chọn "Báo cáo lạm dụng".

Tìm hiểu thêm

Could I please get help from Mozilla Firefox developers with regard to my buffer/integer overflow vulnerability study?

  • 2 trả lời
  • 1 gặp vấn đề này
  • 1 lượt xem
  • Trả lời mới nhất được viết bởi sse.auburn.edu

more options

Dear Sir/Madam, I am a graduate student at Auburn University, working with Dr. Munawar Hafiz. We are working on an empirical study project to understand the software engineering practices used in companies that produce secure software. In particular, we are concentrating on how developers write code to prevent buffer overflow and integer overflow vulnerabilities. We are interested in the software development process: how you develop software, how you test and analyze programs to detect vulnerabilities, and what processes you follow to remove bugs. We are looking into automated tools that software developers use, and are expecting that there is a common insight in the security engineering process that can be reusable.

We request your assistance by participating in this research study. We would greatly appreciate it if you would share your experience with us by answering the questions at the end of this email. You can reply back with the answers, or send a text/doc/pdf attachment. We may send some follow up questions based on your response in future. Your response(s) will be kept confidential, and will only be aggregated with those of other reporters. Please let us know if you have any questions or concerns regarding the study. Thanks in advance for your support.

Y. Rawajfih Software Analysis, Transformations and Security Group Auburn University

Working under the supervision of: Dr. Munawar Hafiz Assistant Professor Dept. of Computer Science and Software Engineering Auburn University Auburn, AL http://munawarhafiz.com/

Questions: (There are eleven questions.) 1. How long have you been a software developer?

2. How long have you been affiliated with Mozilla? Were you part of the original development team for this software?

3. What is the size of the current code base?

4. Did you follow a coding standard when developing this software? Is it a standard determined by your group?

5. What did you use to manage bug reports in your software? Does it satisfy your requirements? Are there other software options that you would consider switching to?

6. Did you use any compiler options to detect integer overflow vulnerabilities? Do you think that they are useful?

7. Did you use any automated (static or dynamic analysis) tools to detect buffer overflows, integer overflows, or any other bugs? Which tools did you use? Why these tools?

8. Did you use fuzzing? Which tools did you use and why? If you wrote your own fuzzer, why did you write it yourself? Was it written from scratch or by extending some other fuzzing tools?

9. Did you have specific phases during development where you concentrated on fixing security issues? Did you have a test suite, unit tests, or regression tests?

10. Buffer overflows often result from the use of unsafe functions, such as strcpy. Does your software use those? If you use a different string library, why is it used? Is it an in-house library or an off-the-shelf library? Did you migrate your code to use the string library?

11. The following vulnerability was reported in the SecurityFocus vulnerability list: [53225]: “Mozilla Firefox, SeaMonkey, and Thunderbird CVE-2012-0470 Heap Buffer Overflow Vulnerability”. Were any changes made to your development process /practices as a result of the reported vulnerability? If so, please specify.

Dear Sir/Madam, I am a graduate student at Auburn University, working with Dr. Munawar Hafiz. We are working on an empirical study project to understand the software engineering practices used in companies that produce secure software. In particular, we are concentrating on how developers write code to prevent buffer overflow and integer overflow vulnerabilities. We are interested in the software development process: how you develop software, how you test and analyze programs to detect vulnerabilities, and what processes you follow to remove bugs. We are looking into automated tools that software developers use, and are expecting that there is a common insight in the security engineering process that can be reusable. We request your assistance by participating in this research study. We would greatly appreciate it if you would share your experience with us by answering the questions at the end of this email. You can reply back with the answers, or send a text/doc/pdf attachment. We may send some follow up questions based on your response in future. Your response(s) will be kept confidential, and will only be aggregated with those of other reporters. Please let us know if you have any questions or concerns regarding the study. Thanks in advance for your support. Y. Rawajfih Software Analysis, Transformations and Security Group Auburn University Working under the supervision of: Dr. Munawar Hafiz Assistant Professor Dept. of Computer Science and Software Engineering Auburn University Auburn, AL http://munawarhafiz.com/ Questions: (There are eleven questions.) 1. How long have you been a software developer? 2. How long have you been affiliated with Mozilla? Were you part of the original development team for this software? 3. What is the size of the current code base? 4. Did you follow a coding standard when developing this software? Is it a standard determined by your group? 5. What did you use to manage bug reports in your software? Does it satisfy your requirements? Are there other software options that you would consider switching to? 6. Did you use any compiler options to detect integer overflow vulnerabilities? Do you think that they are useful? 7. Did you use any automated (static or dynamic analysis) tools to detect buffer overflows, integer overflows, or any other bugs? Which tools did you use? Why these tools? 8. Did you use fuzzing? Which tools did you use and why? If you wrote your own fuzzer, why did you write it yourself? Was it written from scratch or by extending some other fuzzing tools? 9. Did you have specific phases during development where you concentrated on fixing security issues? Did you have a test suite, unit tests, or regression tests? 10. Buffer overflows often result from the use of unsafe functions, such as strcpy. Does your software use those? If you use a different string library, why is it used? Is it an in-house library or an off-the-shelf library? Did you migrate your code to use the string library? 11. The following vulnerability was reported in the SecurityFocus vulnerability list: [53225]: “Mozilla Firefox, SeaMonkey, and Thunderbird CVE-2012-0470 Heap Buffer Overflow Vulnerability”. Were any changes made to your development process /practices as a result of the reported vulnerability? If so, please specify.

Giải pháp được chọn

The Firefox developers are unlikely to see your post here. You could try the mozilla.dev.security newsgroup and see whether anyone there is interested in participating. You also could check the archives there and of course past Security Advisories for further discussion of the particular CVE you mentioned.

http://www.mozilla.org/security/

https://groups.google.com/forum/?fromgroups#!forum/mozilla.dev.security

Bug 734288 – ASAN: Heap-buffer-overflow WRITE of size 1 at nsSVGFEDiffuseLightingElement::LightPixel

Đọc câu trả lời này trong ngữ cảnh 👍 1

Tất cả các câu trả lời (2)

more options

Giải pháp được chọn

The Firefox developers are unlikely to see your post here. You could try the mozilla.dev.security newsgroup and see whether anyone there is interested in participating. You also could check the archives there and of course past Security Advisories for further discussion of the particular CVE you mentioned.

http://www.mozilla.org/security/

https://groups.google.com/forum/?fromgroups#!forum/mozilla.dev.security

Bug 734288 – ASAN: Heap-buffer-overflow WRITE of size 1 at nsSVGFEDiffuseLightingElement::LightPixel

more options

Ok, I'll try that. Thank's a lot!