Tool kills hidden Linux bugs, vulnerabilities (SC Magazine)
[Posted November 22, 2011 by ris]
SC Magazine looks at a tool for finding security holes in Linux packages by spotting source code that has been copied between them. "It identifies similar source files based on file names and content to identify relationships between source packages. Fuzzy hashing using ssdeep produces hashes that can be used to determine similar packages. Graph Theory is used to perform the analysis."
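The fuzzy hashing the article refers to is context-triggered piecewise hashing: a rolling hash over the last few bytes decides where each piece ends, each piece is reduced to one character, and two files whose pieces mostly agree get a high score even if one of them was edited. The following is an added illustration written for this page, not the tool's or ssdeep's own code; the rolling-hash shape follows ssdeep, while the scoring uses Python's difflib sequence ratio in place of ssdeep's weighted edit distance, and the three "source files" are constructed here.

```python
"""ssdeep-style context-triggered piecewise hashing (CTPH), written from
scratch for this page: similar files get similar signatures, so a vendored
copy of a library source file still matches upstream after small edits."""
import difflib

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7        # rolling-hash window length, as in ssdeep
MIN_BLOCK = 3     # smallest trigger block size
SIG_LEN = 64      # block size doubles until a signature of about this length fits
MASK32 = 0xFFFFFFFF
FNV_INIT, FNV_PRIME = 0x811C9DC5, 0x01000193


class RollingHash:
    """Hash of the last WINDOW bytes only: piece boundaries therefore move with
    the content, not with the byte offset, so an insertion shifts nothing."""

    def __init__(self):
        self.win = [0] * WINDOW
        self.n = 0
        self.h1 = self.h2 = self.h3 = 0

    def update(self, b: int) -> int:
        old = self.win[self.n % WINDOW]
        self.h2 = (self.h2 - self.h1 + WINDOW * b) & MASK32   # weighted sum of the window
        self.h1 = (self.h1 + b - old) & MASK32                # plain sum of the window
        self.h3 = ((self.h3 << 5) ^ b) & MASK32               # shift/xor mix, ages out after 7 bytes
        self.win[self.n % WINDOW] = b
        self.n += 1
        return (self.h1 + self.h2 + self.h3) & MASK32


def piecewise_hash(data: bytes, block: int) -> str:
    """One base64 character per piece; a piece ends wherever the rolling hash
    hits a value that occurs roughly once every `block` bytes."""
    rh, fnv, out = RollingHash(), FNV_INIT, []
    for b in data:
        fnv = ((fnv ^ b) * FNV_PRIME) & MASK32     # FNV-1a over the current piece
        if rh.update(b) % block == block - 1:
            out.append(B64[fnv & 63])
            fnv = FNV_INIT
    if fnv != FNV_INIT:                             # flush the unfinished last piece
        out.append(B64[fnv & 63])
    return "".join(out)


def block_size(length: int) -> int:
    bs = MIN_BLOCK
    while bs * SIG_LEN < length:
        bs *= 2
    return bs


def fuzzy_hash(data: bytes) -> str:
    """Signature 'blocksize:hash_at_bs:hash_at_2bs', the shape ssdeep prints."""
    bs = block_size(len(data))
    return f"{bs}:{piecewise_hash(data, bs)}:{piecewise_hash(data, 2 * bs)}"


def compare(sig_a: str, sig_b: str) -> int:
    """0..100 similarity. Signatures are only comparable at a shared block size;
    difflib's ratio stands in for ssdeep's weighted edit distance here."""
    def score(x: str, y: str) -> int:
        return round(100 * difflib.SequenceMatcher(None, x, y).ratio())
    bs_a, a1, a2 = sig_a.split(":")
    bs_b, b1, b2 = sig_b.split(":")
    bs_a, bs_b = int(bs_a), int(bs_b)
    if bs_a == bs_b:
        return max(score(a1, b1), score(a2, b2))
    if bs_a == 2 * bs_b:
        return score(a1, b2)
    if bs_b == 2 * bs_a:
        return score(a2, b1)
    return 0


# Constructed sample "source files"; nothing here comes from a real package.
ORIGINAL = "".join(f"int f{i}(int x) {{ return x * {i} + {i * 7}; }}\n" for i in range(60)).encode()
# The same file with one function inserted near the top, as a vendored-then-patched copy would be.
PATCHED = ORIGINAL.replace(b"int f5(", b"int patched(int x) { return x; }\nint f5(", 1)
UNRELATED = "".join(f"def g{i}(y):\n    return y - {i * 3}\n" for i in range(60)).encode()


def similarity_report() -> dict:
    orig = fuzzy_hash(ORIGINAL)
    return {"self": compare(orig, orig),
            "patched": compare(orig, fuzzy_hash(PATCHED)),
            "unrelated": compare(orig, fuzzy_hash(UNRELATED))}


if __name__ == "__main__":
    print(fuzzy_hash(ORIGINAL))
    print(similarity_report())
```

The patched copy scores high against the original because only the pieces overlapping the inserted function change; every later piece boundary is decided by a seven-byte window of unchanged content, so the rest of the signature lines up again. A signature is only meaningful against signatures computed at the same (or adjacent) block size, which is why the block size is carried in the signature.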
Tool kills hidden Linux bugs, vulnerabilities (SC Magazine)
Posted Nov 22, 2011 21:11 UTC (Tue) by nix (subscriber, #2304)
ssdeep is potentially useful for all sorts of other fuzzy matching stuff, too, even though its authors were focused on vulnerability scanning. (I'm planning to reuse the algorithm in a deduplicating backup system, if and when I ever actually write it rather than just tossing designs about.)
Tool kills hidden Linux bugs, vulnerabilities (SC Magazine)
Posted Nov 23, 2011 21:06 UTC (Wed) by martinfick (subscriber, #4455)
Have you looked into BUP? It already does inner file level deduplication in backups.
Tool kills hidden Linux bugs, vulnerabilities (SC Magazine)
Posted Nov 25, 2011 18:35 UTC (Fri) by nix (subscriber, #2304)
Yep, I'm stealing ideas from bup as well. However, git's packfile delta-detection mechanism doesn't scale well when asked to look at very large files, and if you chop it into chunks you have the problem that an insertion near the start of the file throws off all the chunk boundaries. These problems *are* soluble, but you can't keep using git if you do that...
Tool kills hidden Linux bugs, vulnerabilities (SC Magazine)
Posted Nov 25, 2011 22:18 UTC (Fri) by jrn (subscriber, #64214)
> However, git's packfile delta-detection mechanism doesn't scale well when asked to look at very large files, and if you chop it into chunks you have the problem that an insertion near the start of the file throws off all the chunk boundaries.
... which is why bup uses a rolling hash to decide where to cut.
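The difference the two comments above describe, as an added example written for this page (not bup's code, and not git's): fixed-size chunks versus chunks cut where a rolling hash over the preceding bytes hits a chosen value. The rolling hash used is a gear-table hash rather than bup's rolling checksum, the data is constructed pseudo-random bytes, and the splitter is left unbounded (a production splitter would add minimum and maximum chunk sizes).

```python
"""Fixed-size vs content-defined chunking under an insertion near the start.
Added illustration for this page; not bup's or git's implementation."""
import hashlib
import random

CHUNK_BITS = 12                 # target average chunk of 2**12 = 4 KiB
MASK = (1 << CHUNK_BITS) - 1
FIXED = 1 << CHUNK_BITS

# Gear table: one pseudo-random 32-bit value per byte value (fixed seed so runs agree).
_table_rng = random.Random(0xC0FFEE)
GEAR = [_table_rng.getrandbits(32) for _ in range(256)]


def fixed_chunks(data: bytes) -> list:
    """Cut every FIXED bytes: a boundary is a function of the offset alone."""
    return [data[i:i + FIXED] for i in range(0, len(data), FIXED)]


def cdc_chunks(data: bytes) -> list:
    """Cut wherever the rolling hash's low CHUNK_BITS bits are all zero.
    The gear hash shifts one bit per byte, so a boundary depends only on the
    last few dozen bytes, never on the absolute offset."""
    chunks, start, h = [], 0, 0
    for i, b in enumerate(data):
        h = ((h << 1) + GEAR[b]) & 0xFFFFFFFF
        if h & MASK == 0:
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        chunks.append(data[start:])
    return chunks


def shared(a: list, b: list) -> int:
    """Number of chunks of `a` whose content hash also occurs in `b`:
    what a deduplicating store would not need to write again."""
    seen = {hashlib.sha256(c).digest() for c in b}
    return sum(1 for c in a if hashlib.sha256(c).digest() in seen)


def make_sample(size: int = 128 * 1024, seed: int = 7) -> bytes:
    """Constructed pseudo-random 'file' content, deterministic for a given seed."""
    return random.Random(seed).getrandbits(8 * size).to_bytes(size, "big")


def demo() -> dict:
    original = make_sample()
    modified = original[:500] + b"\xab" * 100 + original[500:]   # 100 bytes inserted near the start
    f_orig, f_mod = fixed_chunks(original), fixed_chunks(modified)
    c_orig, c_mod = cdc_chunks(original), cdc_chunks(modified)
    return {
        "fixed_total": len(f_orig), "fixed_shared": shared(f_orig, f_mod),
        "cdc_total": len(c_orig), "cdc_shared": shared(c_orig, c_mod),
    }


if __name__ == "__main__":
    print(demo())
```

With fixed-size chunks the insertion shifts every later boundary by 100 bytes, so no chunk of the original survives in the modified file. With content-defined chunks only the chunk containing the insertion (and at most the one whose boundary fell inside the hash window at the splice point) is lost; every chunk after that is cut at the same content and hashes to the same value.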
Tool kills hidden Linux bugs, vulnerabilities (SC Magazine)
Posted Nov 23, 2011 21:27 UTC (Wed) by khc (subscriber, #45209)
I haven't looked into the details of ssdeep, but from the abstract of the linked publication (http://www.sciencedirect.com/science/article/pii/S1742287...) it looks like something that I am familiar with, which definitely predates the publication date. Using the algorithm as the basis of a deduplication backup system is a good idea, but I think if/when you implement it you will find that making it perform well may be harder than it seems.
(I work on a deduplication storage product)
Tool kills hidden Linux bugs, vulnerabilities (SC Magazine)
Posted Nov 25, 2011 18:36 UTC (Fri) by nix (subscriber, #2304)
Yeah, figuring out an algorithm that has acceptable performance has been fun.
Tool detects library bundling?
Posted Nov 22, 2011 22:55 UTC (Tue) by dmarti (subscriber, #11625)
"Mozilla Firefox had embedded libpng and was vulnerable for more than three months after the flaw was discovered."
Posted Nov 23, 2011 8:31 UTC (Wed) by renox (subscriber, #23785)
Well, not really: "dancing pigs" is about users' behaviour; here it is the developers who chose to fork a library for APNG support and don't monitor the source library closely, which is a shame.
I think that we can safely say that 99% of users don't care about APNG and have never even heard of APNG.
Tool detects library bundling?
Posted Nov 23, 2011 9:42 UTC (Wed) by tialaramex (subscriber, #21167)
Sure, but you can see why it's hard to avoid the joke, right? I mean, APNG is exactly suitable for displaying dancing pigs. And dancing pigs are closely associated with bad decisions made in favour of features no-one really needed over security.
Developers and dancing pigs
Posted Nov 23, 2011 18:10 UTC (Wed) by dmarti (subscriber, #11625)
Yes, the original dancing pigs rule was about end users, but you can apply it to developers, too. "Given a choice between coding for security and dancing pigs, developers will implement the dancing pigs every time."
Tool detects library bundling?
Posted Nov 23, 2011 13:37 UTC (Wed) by sammythesnake (guest, #17693)
What happened to MNG? I thought that was going to be the animated PNG equivalent, and I'm sure I heard of that many years ago (8+?)
Posted Nov 23, 2011 14:15 UTC (Wed) by mathstuf (subscriber, #69389)
AFAIK, APNG is just a string of png files with a delay and a loop chunk (there's probably more, but the point is that it's simple). MNG is not and instead has loops, logic and other constructs.
Posted Nov 24, 2011 3:31 UTC (Thu) by CChittleborough (subscriber, #60775)
MNG is a full-featured 2D raster graphics system. It allows you to create sprites, which can be static images or animations (sequences of images), then make them move around the viewport, with layer-based compositing. It uses two image formats in addition to good old PNG: Delta-PNG for compressing a sequence of PNG images, and "JNG" (JPEG Network Graphics), for JPEG compressed images in a PNG-style chunk format with an optional alpha channel. It has "commands to move, copy and paste images (rather than replicate them as in GIF)", plus "nested loops for complex animations" (quoting from www.libpng.org/pub/mng/).
In short, MNG has pretty much everything you could ask for in a raster-based 2D animation system. But it lacks something important: artist-friendly MNG-oriented editing software. (There are popular video editors that can output MNG, but they have their own native format. There are tools for creating/editing MNG content, but none of them ever became popular.) The result is a marked shortage of MNG content of interest to the wider populace. As a result, there is not much demand for MNG-viewers ... and the vicious cycle goes on.
Another factor is that SVG+javascript can do everything MNG can do (except JPG+alpha images) and a lot more besides, and all you need is a text editor. (It may be called Scalable Vector Graphics, but it is good for raster images as well.) For non-programmers, SVG has purely declarative animations that are as powerful as MNG (AFAIK), but IE and Webkit don't support SVG Animations (yet?). (MNG does have one advantage: one file contains the whole thing, whereas SVG practically requires the raster images to be delivered separately.)
So those of us who liked MNG are going to be disappointed. Sigh.
Tool detects library bundling?
Posted Nov 23, 2011 13:39 UTC (Wed) by clugstj (subscriber, #4020)
Well, no. There was never a "need" for APNG. They chose to fork libpng (instead of using MNG), so they are responsible for the fallout from this choice.
Tool detects library bundling?
Posted Nov 24, 2011 9:55 UTC (Thu) by MaxSt (guest, #70509)
Mozilla never suffered any fallout, and you'd be surprised how many people downloaded the APNG plugin for Chrome.
I think APNG was a good move
Posted Nov 24, 2011 12:15 UTC (Thu) by CChittleborough (subscriber, #60775)
As I understand it, APNG was a quick-and-somewhat-dirty hack to solve an aesthetic problem: Mozilla used animated GIFs for their throbbers, but GIFs don't support transparency. (If you accept that Mozilla "needs" to compete with IE/Safari/etc on appearance, you could even say that Mozilla needed an animation format that supported transparency.)
Mozilla could have brought libmng back, but the 5 reasons they gave for dropping it in 2003 (see the first comment here) are all still valid, plus there are security risks in supporting a large library which reads and interprets complicated files from the web. I think that they were wise to design a no-frills variant of PNG and hack support for it into libpng, and that they were also wise to support APNG images in web content, not just in chrome. OTOH, I'm glad the PNG guys did not accept APNG into the PNG standard, because it is fairly crude. YMMV.
Here's hoping Mozilla does a better job of following any future bug fixes to libpng.
I think APNG was a good move
Posted Nov 24, 2011 15:44 UTC (Thu) by MaxSt (guest, #70509)
PNG is an extensible format; it allows third parties to create PNG extensions by inventing their own chunks. So who can blame Mozilla for creating "acTL", "fcTL" and "fdAT" chunks... But it makes little sense to try to include every possible extension in the PNG standard and libpng. Mozilla should have asked the libpng developers to provide easy-to-use callback interfaces for handling third-party chunks outside of libpng.
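The chunk mechanism the two comments above rely on (mathstuf's "string of png files with a delay and a loop chunk" and the acTL/fcTL/fdAT chunks named here) can be handled entirely outside the image decoder, which is the point about callback interfaces. The following is an added illustration for this page, not libpng, Mozilla or Chrome code: it walks the chunk list, verifies each CRC, refuses length fields that overrun the file, reads the case bits that tell a decoder how to treat an unknown chunk, and cross-checks the frame controls against the canvas and the declared frame count. The two-frame sample file is constructed in the block.

```python
"""Walk a PNG's chunk list, verify every CRC, and pull out APNG's acTL/fcTL/fdAT
chunks without touching the image decoder. Added example for this page; not
libpng or Mozilla code."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK = 0x7FFFFFFF      # PNG caps a chunk's data length at 2**31 - 1


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: 4-byte length, 4-byte type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def chunk_flags(ctype: bytes) -> dict:
    """Bit 5 of each type byte tells a decoder how to treat a chunk it does not know."""
    return {"ancillary": bool(ctype[0] & 0x20),      # may be skipped if unknown
            "private": bool(ctype[1] & 0x20),        # not registered in the PNG spec
            "safe_to_copy": bool(ctype[3] & 0x20)}   # may be kept when IDAT is rewritten


def iter_chunks(png: bytes):
    """Yield (type, data) per chunk; raise ValueError rather than trust a length
    field that points past the end of the file."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while True:
        if len(png) - pos < 12:
            raise ValueError(f"truncated at offset {pos}: no room for a chunk")
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        if length > MAX_CHUNK:
            raise ValueError(f"chunk {ctype!r}: length {length} exceeds the PNG limit")
        if not ctype.isalpha() or not chr(ctype[2]).isupper():   # third byte is reserved
            raise ValueError(f"invalid chunk type {ctype!r}")
        end = pos + 8 + length
        if end + 4 > len(png):
            raise ValueError(f"chunk {ctype!r} claims {length} bytes, only {len(png) - pos - 12} remain")
        data = png[pos + 8:end]
        crc, = struct.unpack(">I", png[end:end + 4])
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise ValueError(f"CRC mismatch on chunk {ctype!r}")
        yield ctype, data
        pos = end + 4
        if ctype == b"IEND":
            return


def parse_apng(png: bytes) -> dict:
    """Collect APNG frame controls and check them against the IHDR canvas
    and the frame count that acTL declares."""
    width = height = declared = None
    frames = []
    for ctype, data in iter_chunks(png):
        if width is None and ctype != b"IHDR":
            raise ValueError("IHDR must be the first chunk")
        if ctype == b"IHDR":
            width, height = struct.unpack(">II", data[:8])
        elif ctype == b"acTL":
            declared, _plays = struct.unpack(">II", data)
        elif ctype == b"fcTL":
            seq, w, h, x, y, dn, dd, _dispose, _blend = struct.unpack(">IIIIIHHBB", data)
            if x + w > width or y + h > height:   # APNG: frame must lie inside the canvas
                raise ValueError(f"frame {seq}: {w}x{h} at ({x},{y}) exceeds {width}x{height} canvas")
            frames.append({"seq": seq, "size": (w, h), "delay": (dn, dd), "bytes": 0})
        elif ctype == b"fdAT":
            if not frames:
                raise ValueError("fdAT before any fcTL")
            frames[-1]["bytes"] += len(data) - 4   # 4-byte sequence number precedes the data
        elif ctype == b"IDAT" and frames:
            frames[-1]["bytes"] += len(data)       # default image doubles as the first frame
    if declared is not None and declared != len(frames):
        raise ValueError(f"acTL declares {declared} frames but {len(frames)} fcTL chunks present")
    return {"animated": declared is not None, "frames": frames}


def is_well_formed(png: bytes) -> bool:
    try:
        parse_apng(png)
        return True
    except (ValueError, struct.error):
        return False


def build_sample() -> bytes:
    """Constructed two-frame 1x1 greyscale APNG; not a real-world file."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit grey, no interlace
    def fctl(seq):  # full-canvas frame, 1/10 s delay, dispose and blend op 0
        return struct.pack(">IIIIIHHBB", seq, 1, 1, 0, 0, 1, 10, 0, 0)
    frame0 = zlib.compress(b"\x00\x00")    # filter byte 0 + one black pixel
    frame1 = zlib.compress(b"\x00\xff")    # filter byte 0 + one white pixel
    return (PNG_SIG
            + chunk(b"IHDR", ihdr)
            + chunk(b"acTL", struct.pack(">II", 2, 0))           # 2 frames, loop forever
            + chunk(b"fcTL", fctl(0)) + chunk(b"IDAT", frame0)    # default image is frame 0
            + chunk(b"fcTL", fctl(1)) + chunk(b"fdAT", struct.pack(">I", 2) + frame1)
            + chunk(b"IEND", b""))


if __name__ == "__main__":
    print(parse_apng(build_sample()))
```

Note what the case bits say about the Mozilla chunks: acTL, fcTL and fdAT are all ancillary and private (lowercase first and second letters), so a conforming decoder that does not know them is entitled to skip them, which is exactly what lets a plain PNG viewer show the default image. The checks that matter from a security standpoint are the ones done before any decoding: the declared length against the bytes actually present, and the frame rectangle against the canvas.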
Tool detects library bundling?
Posted Nov 23, 2011 23:22 UTC (Wed) by Lennie (subscriber, #49641)
"This is why you shouldn't bundle libraries, isn't it?"
Tell that to the Chromium/Chrome guys, they bundle everything.
Tool detects library bundling?
Posted Nov 29, 2011 1:17 UTC (Tue) by cmccabe (guest, #60281)
Most of Chrome's userbase is running Microsoft Windows or Apple iOS. These operating systems don't have dependency management. Google had to build their own updater from scratch and bundle copies of all of their own libraries. In a lot of ways, what they created is similar to an OS within the OS.
They could have done things a lot differently on Linux, but it was easier just to reuse the same code on all three operating systems.
Tool kills hidden Linux bugs, vulnerabilities (SC Magazine)
Posted Nov 22, 2011 23:06 UTC (Tue) by pabs (subscriber, #43278)
As someone who has been helping maintain Debian's massive embedded-code-copies file, using this tool would be a major step up from existing practices.
We're already checking packages and binary files for a limited number of different embedded code/data situations, but using this ssdeep-based tool would be a much-welcome complement to these efforts.
As a result I've mailed the Debian security team and also the researcher to see if we can get his work ported to Debian and run over the archive on a regular basis.
Tool kills hidden Linux bugs, vulnerabilities (SC Magazine)
Posted Nov 23, 2011 6:41 UTC (Wed) by linusw (subscriber, #40300)
This thing seems to be a static code analysis tool similar to Coverity, which indeed also helps to fix a few bugs out there. But - and this is the crucial question - do these static analysis tool companies pool their knowledge or are they all doing proprietary secret sauce in their code repositories and fuzzy databases? Imagine what they could do with an open community exchanging ideas.
It feels to me like right now doing tools like this seems like a pretty easy way to attract venture capital.
Is there some independent scientific scrutiny on the effectiveness of each tool of this type? Such as if a researcher would input a corpus of code with known bugs and see which tools identified which bugs? With such "benchmarks" they could gain a higher level of trust.
Tool kills hidden Linux bugs, vulnerabilities (SC Magazine)
Posted Nov 23, 2011 19:57 UTC (Wed) by gmaxwell (subscriber, #30048)
It's just fuzzy source code matching, nothing as advanced as coverity/clang-scan-build. The idea is that the same vulnerabilities get copied into lots of code, so if you find it once you can fuzzy search to find it other places.
There is an academic paper on the site where you can download the code. No secret sauce here.
Tool kills hidden Linux bugs, vulnerabilities (SC Magazine)
Posted Nov 25, 2011 14:15 UTC (Fri) by michaeljt (subscriber, #39183)
> There is an academic paper on the site where you can download the code. No secret sauce here.
Is the hash/signature database that he is matching against also available somewhere? I couldn't seem to find a link.