On Wed, Sep 17, 2014 at 10:40 AM, Pedro Lino <[email protected]> wrote:
> Hi Rob
>
>
>> Our main focus for finding latent security flaws has been via
>> "document fuzzing."  It is more complicated to set up than just
>> running a static analysis tool but since it involves probing the
>> actual running code it is more effective in many ways.  Historically
>> this is one of the primary ways that editors like OpenOffice are
>> exploited.    Also, when security researchers report security flaws to
>> us, they are often flaws found from fuzzing.   I don't recall ever
>> seeing a report that was derived from static analysis.
>>
>
> You are focusing on security and exploits (which is obviously a very
> important area). But I was thinking more in terms of program stability
> *during* usage. I assume that Coverity's "project's defect density" would
> reflect this?
>

The correlation is not clear.  I'd note, for example, that the Swiss
Supreme Court gave a presentation recently where they said they prefer
Apache OpenOffice over LibreOffice because of the greater stability of
AOO.

If I had to guess, what is probably true is that defect density in
newly written code is correlated to real-world quality, as seen by
users.   But 10-year-old code?   Over a long period of time serious
bugs of this kind -- crash bugs and other instability issues -- tend
to be identified by users and are either fixed or at least well-known.
We're unlikely to find new serious instabilities by examining ancient
code.

The other factor is the source of bugs.   Research has shown (general
academic research, not AOO specifically) that a large percentage of
bugs in software are introduced when fixing other bugs.  Whenever you
touch the code there is an opportunity for adding a new bug.   So I'm
not a big fan of changing thousands of lines of code based on static
analysis.  It can very well make the code less stable, not more.
Where we've used Coverity results it has been in a much more focused
way, looking for specific defects with impact.

>
>
>> If you want to read more about what we're doing with fuzzing you can
>> see my presentation from ApacheCon:
>> http://www.robweir.com/blog/publications/AOOFuzzing.pdf
>>
>> Also, if you are really interested in this area I can help you set up
>> a fuzzing environment.  It works best if you have a machine (or a VM)
>> you can dedicate to it for a couple of weeks.
>>
>
> Very interesting stuff. Actually the few times I had any problem with AOO
> usage was not while opening files. They happen during regular work sessions
> where Calc/Writer/Impress would freeze completely and leave no other choice
> other than killing soffice (with consequent data loss)
>
> So I would be more interested in running a debug build that could log these
> occasional crashes (if they are not occasional and I can replicate them, I
> create a regular Issuezilla bug report).
>

What OS are you running on?

Regards,

-Rob

> Regards,
> Pedro
