Pantek Library

RE: Dynamically Debugging for Security Bugs -- a useful tool ?

From: Bill Roe <broe(at)tcshealthcare.com>
Date: Tue Mar 11 2003 - 17:54:25 EST


SGI Irix has the Case-Vision debugger 'cvd' that will step backward, or at least it did a few years ago.

It also had the ability to reset the instruction point, or jump to another block of code. This was useful for debugging inetd apps where we could put an infinite while loop ( while (1) {}; ) and then attach to the process after inetd created it and jump out of the loop and debug the application. FYI I worked with the case vision debugger in 1993-1995, and am only now seeing other tools come close to it.

There were many times when I was tired and accidentally stepped over something, and was able to step back in cvd and try things over.

There is an open source debugger wildebeest "wdb" that might give you a base project to work from.

http://www.sgi.com/developers/devtools/irix_tools.html

One of the debuggers listed is probably the grandchild of the debugger I used to use.

Best regards!

William H. Roe, Jr.
Software Architect, CISSP
TCS Healthcare Technologies
500 Wall Street
Auburn, California 95603
broe@tcshealthcare.com

-----Original Message-----
From: P. S. [mailto:p.s@campus.ie]
Sent: Tuesday, March 11, 2003 1:17 PM
To: secprog@securityfocus.com
Cc: sectools@securityfocus.com
Subject: Dynamically Debugging for Security Bugs -- a useful tool ?

Hello All,

    I am doing research in the software visualisation field, and would like to know if a project idea I have would be useful to the security community. As well as that, I am looking for any features/techniques/ideas that you think should be taken into account, or any unforeseen difficulties etc. Or if in fact, this project would not benefit programmers at all in their search for security bugs ?

   Since this post is on the long side, you can skip PART 1 if you are already familiar with the software visualisation field. PART 2 is related work and describes some tools that demonstrate useful techniques. PART 3 describes my proposal, this can be read on its own if you do not wish to read the other sections :)

PART 1 :: INTRODUCTION


   In case anyone is unfamiliar with the software visualisation field, a definition of program visualization can be defined as follows:

"the program is specified in the conventional, textual manner, and the graphics is used to illustrate some aspects of the program or its run-time execution." [Myers 1986].

The goal of all visualisations can be identified as:

"transforming information into a meaningful, useful visual representation from which a human observer can gain understanding"
[Stasko, Domingue, Brown, Price 1998]

If you would like more information on the above references or more detailed information about the software visualisation field, please email me and I will be happy to send on the information.

PART 2 :: RELATED WORK


    In 1991, [Agrawal et al 1991] discussed a technique called program "slicing". Given a variable and a program location, it is possible to determine the statements that affect the value of that variable for the test case. Restoration of the program state is also supported by backtracing.

    The ability to debug backwards and forwards is demonstrated in the tool: ZStep95 [ZStep 95a] and [ZStep 95b], http://web.media.mit.edu/~lieber/Lieberary/ZStep/ZStep.html . This was a prototype tool for debugging LISP. It has VCR-like controls that let the programmer go backwards/forwards during debugging, the results of which can be seen on screen. There is a QuickTime demonstration here: http://web.media.mit.edu/~lieber/Lieberary/ZStep/ZStep.mov .

PART 3 :: PROPOSAL


    The areas of computer security and visualisation are being used successfully together, to make large log files more readable and visible on screen, without having to grep them manually etc. However, there seems to be little if any work done in helping programmers debug a program for security bugs using software visualisation. If anybody knows of such debuggers, I am very keen to find out about them, so please let me know.

    I propose to implement a dynamic graphical debugger, to aid programmers in the search for security bugs. It would employ the techniques described in PART 2, as its core. For example, the ability to step backwards in the program and see the various variable values previous to now, the ability to choose a variable and see all the statements that affect its value, the ability to identify user controlled variables (e.g. $HOME etc.) and the ability to automatically run the program with different combinations of input for these user controlled variables e.g. a very long $HOME or a $HOME that contains control characters etc.

    Also, a representation of stack sizes should be available to the programmer on-screen. These can be seen to grow and shrink as you step through your program.

    What I would like to know is, would such a tool be useful in the search for security bugs ? What other features would you see as essential or nice to have ? Also what IDE would you see this benefitting, KDevelop (C++), Eclipse (Java), NetBeans (Java), etc etc ? Obviously, Eclipse and NetBeans may be limited as they are for Java programming and security bugs are more rampant in C++, C etc. Any comments or criticisms you may have are very welcome.

Thank you very much for your time,
SP.

REFERENCES



[Agrawal et al 1991] Agrawal, H., DeMillo, R.A., Spafford, E.H., "An Execution-Backtracing Approach to Debugging", IEEE Software, Vol. 8, No. 3, pp. 21-26, May 1991.

[ZStep 95a] Lieberman, H., Fry, C., "Bridging the Gap Between Code and Behavior in Programming", ACM Conference on Computers and Human Interface (CHI-95), Denver, April 1995.

[ZStep 95b] Lieberman, H., Fry, C., "ZStep 95, A Reversible, Animated Source Code Stepper", in Software Visualization: Programming as a Multimedia Experience, John Stasko, John Domingue, Blaine Price, Marc Brown, eds., MIT Press, 1997.

Received on Tue Mar 11 19:36:24 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:46 EDT
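
The automated input variation proposed in PART 3 (a very long $HOME, a $HOME containing control characters), as an added example that is not part of the original thread: a harness that runs a target once per test value and records whether it exited, hung, or died on a signal. The stand-in target, the set of test values and all function names are assumptions constructed for illustration.

```python
import os
import signal
import subprocess
import sys

# Constructed stand-in for the program under test: it aborts (SIGABRT) when
# $HOME exceeds 255 bytes, imitating a fixed-size buffer check that trips.
STAND_IN_TARGET = [
    sys.executable, "-I", "-c",
    "import os, sys\n"
    "home = os.environ.get('HOME', '')\n"
    "os.abort() if len(home) > 255 else sys.exit(0)\n",
]

def home_test_values():
    """Unusual but legal values for one user-controlled variable (constructed)."""
    return {
        "baseline": "/home/user",
        "empty": "",
        "very_long": "/" + "A" * 4096,
        "control_chars": "/home/\x1b[2J\r\n\x07user",
        "format_tokens": "/home/%s%n%x",
        "traversal": "/home/user/../../etc",
    }

def run_case(target, value, timeout=5):
    """Run target with HOME=value; return (verdict, detail)."""
    env = dict(os.environ, HOME=value)
    try:
        proc = subprocess.run(target, env=env, timeout=timeout,
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        return ("hang", f"no exit within {timeout}s")
    if proc.returncode < 0:  # POSIX: negative means killed by a signal
        return ("crash", signal.Signals(-proc.returncode).name)
    return ("ok", f"exit {proc.returncode}")

def sweep(target):
    """Map each test-case name to its verdict so failures can be triaged."""
    return {name: run_case(target, value)
            for name, value in home_test_values().items()}

if __name__ == "__main__":
    for name, (verdict, detail) in sweep(STAND_IN_TARGET).items():
        print(f"{name:14} {verdict:6} {detail}")
```

A case reported as a crash or hang is the point at which a developer would rerun the same input under a debugger and step through, or back from, the failure.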

