[JOB OFFER] System administrator
Disclaimer: I am not affiliated with this company. I was asked by a friend to pass this along. All the CVs/inquiries should be sent directly to the contact listed in the forwarded message. -- Forwarded Message -- Hi-tech Company is looking for a seasoned Linux / Communications/ Data Security Sys Admin with at least 5 years of experience in a medium /large multinational company (minimum 500 PC/servers). Required skills ·Linux Red Hat and/ or other flavors ·Communications – TCP/IP, MPLS, Cisco Routers, Switches and IPT. ·Data Security – good knowledge of Checkpoint FW1, Juniper SSL-VPN, Symantec SEP Endpoint, eSafe and/or Fortinet application firewalls ·Oracle DB ·Storage – NetApp ·Backup CA BrightStore ·Windows XP / Windows 2003 Server – advantage · Great Inter-personal skills. · Willing to travel abroad · Willing to work at unusual hours. CVs to: ta...@oasis-tech.net --- ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Runtime security/memory checks for gcc/gdb
Elazar Leibovich wrote: IIRC the problem was using a different library, and tracing which problems are yours and which are of the library. See for instance this rant http://www.mega-nerd.com/erikd/Blog/CodeHacking/house_of_cards.html I haven't really got into this, so maybe the suprresion files does allow you to quickly fix it. The way I see it, a problem in a library you use is still a problem in your product. This is not really a false positive. It's more complex than that. The code currently work on the embedded device. This is a mission critical device, so we cannot make changes to the runtime code without testing it throughly first. I try therefor to fix the problem in the emulation level without touching the actual code. (for instance, overriding a certain problematic function which used an uninitialized variable, and got away with it in the embedded device, but not in the desktop, or, replace the macro which stores a specific memory address (hex number) which is used by a the code, and is obviously relevant only for the embedded device) I'll repeat it again, and then stop, as I don't want it to become a war. The fact it is mission critical is another reason to fix all warnings, not a reason to ignore them. Shachar -- Shachar Shemesh Lingnu Open Source Consulting Ltd. http://www.lingnu.com ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Runtime security/memory checks for gcc/gdb
if you are running on windows - you can use purify - it's a commercial tool, it costs money, but it is worth every cent. it used to have a 2-weeks free evaluation version - so you could check that it works well with your product before you ask management for money. of-course, if you are running on windows - you are asking this question on the wrong forum ;) regarding false positives - from my experience, it's a price worth paying - once you manage to clean them out, you have much easier debugging later on. --guy Elazar Leibovich wrote: I tried using valgrind in a different project. The main problems I've had with valgrind are speed (which is not a problem here) and false positives. Getting gdb to report that during runtime has its advantages. Anyhow, I was hoping to hear about products/valgrind add-ons etc I do not know. The main practical problem with it, is convincing management that getting a linux box or VM and build the code on it is worth our while... On Tue, Jan 12, 2010 at 12:27 AM, guy keren c...@actcom.co.il mailto:c...@actcom.co.il wrote: valgrind will tell you whenever you are using an un-ninitialized variable. it'll do so using runtime analysis. have you tried using valgrind at all? --guy Elazar Leibovich wrote: Just a remark, as some people asked me about it privately. I'm not interested in static analysis (which gcc gives for uninitialized variables). But with runtime analysis of where the uninitialized variable have been actually used when the code was run. This is useful in many situations (for instance, when having 3000 (literally) static warnings, some of similar spirit, and no time to check them all) I didn't find anything parallel to that for gcc. On Mon, Jan 11, 2010 at 11:54 PM, Elazar Leibovich elaz...@gmail.com mailto:elaz...@gmail.com mailto:elaz...@gmail.com mailto:elaz...@gmail.com wrote: We have a big legacy embedded code we need to maintain. Often, we wish to run some functions of the code on the PC with injected input, to test them or to test changes we've done to them without loading the code to the device it should run on. The code is written with C. Obviously, this is not an easy task, it is more difficult because, the code is bug ridden, and many times it works by accident (for example, a NULL pointer added a constant and then derefeced, this worked because the memory address was legal). Since the code is big, our strategy is: compile just the parts you need, debug it enough so that it would run on the PC, and keep the changes. Hopefully, after enough time, all (or most) of the code would be runnable on a PC. We use gcc+gdb to compile and debug the code. In Visual Studio's cl.exe there are some security checks http://msdn.microsoft.com/en-us/library/aa289171(VS.71).aspx at run time. This can really assist debugging. For example knowing when an unintialized variable was used can save you alot of frustration when trying to figure out why you're getting a wrong numberic results. My questions are: 1) Are there parallel (or better) runtime security checks for gcc/gdb? I found the -fstack-protection stack canary switch, but are there more of this type? 2) What other tools are there which offer similar protection? Valgrind of course is the first thing that comes to my mind, but I'll be glad to hear any more ideas. For example, I would love to be able to get a warning whenever a pointer is dereferenced twice, where the first time the pointer points at the memory address of variable x, and the second time it points to variable y. That way I'll get a warning for the following bug: int x[3] = {1,2,3};int y[3] = {4,5,6}; int *p = x; for (int i=0;i=3;i++,p++) (*p) = (*p)++; // note the = 3) We use win32 for regular development, so if anyone knows what is the support for such tests in cygwin/mingw, I'll be glad to hear about it. Thanks Elazar Leibovich ___ Linux-il mailing list Linux-il@cs.huji.ac.il mailto:Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Runtime security/memory checks for gcc/gdb
Elazar Leibovich wrote: On Tue, Jan 12, 2010 at 8:02 AM, Shachar Shemesh shac...@shemesh.biz mailto:shac...@shemesh.biz wrote: Elazar Leibovich wrote: I tried using valgrind in a different project. The main problems I've had with valgrind are speed Yes, that is known. and false positives. That one is new to me. Can you elaborate? IIRC the problem was using a different library, and tracing which problems are yours and which are of the library. See for instance this rant http://www.mega-nerd.com/erikd/Blog/CodeHacking/house_of_cards.html I haven't really got into this, so maybe the suprresion files does allow you to quickly fix it. suppressions are very easy to generate (after you learn to spell the word ;) - you run valgrind with the flag --gen-suppressions - and every time it hits a problem - it will ask you whether to generage a suppression. if you say yes, it'll print the suppression info on screen. you copy this to a file, edit it a little to your liking (to make it a bit more general - i.e. not depend on the specific part in your code that invoked the problematic 3rd-part library), and it works. by the way - we had real false-positives in valgrind, that were fixed in a later valgrind version. so you will have to check this as well. --guy ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Runtime security/memory checks for gcc/gdb
2010/1/12 Elazar Leibovich elaz...@gmail.com: On Tue, Jan 12, 2010 at 8:02 AM, Shachar Shemesh shac...@shemesh.biz wrote: Elazar Leibovich wrote: I tried using valgrind in a different project. The main problems I've had with valgrind are speed Yes, that is known. and false positives. That one is new to me. Can you elaborate? IIRC the problem was using a different library, and tracing which problems are yours and which are of the library. See for instance this rant http://www.mega-nerd.com/erikd/Blog/CodeHacking/house_of_cards.html I haven't really got into this, so maybe the suprresion files does allow you to quickly fix it. Suppressions are exactly for this. And since valgrind has the option to write suppression file excerpts, it is very convenient. However, you should be careful about those, as you may be tempted to suppress errors which seem to come from the library (I often have to suppress compiler-library bugs), but are actually your own bugs, manifested in a line inside the library. I missed the system that you do use, but if you are using powerPC with Linux or AIX, there are strong free-as-in-beer tools from IBM ( http://haifux.org/lectures/199/, the slides contain a summary of several FOSS tools, too ). On Alpha there is the third tool which is very strong. Getting gdb to report that during runtime has its advantages. Anyhow, I was hoping to hear about products/valgrind add-ons etc I do not know. The main practical problem with it, is convincing management that getting a linux box or VM and build the code on it is worth our while... Personally, I think that you should start with gcc. Just because it spews out thousands of warnings does not mean they are not all relevant. Compiler warnings are the easiest to fix, easiest to find, and are often written off for no justifiable reason. It's more complex than that. The code currently work on the embedded device. This is a mission critical device, so we cannot make changes to the runtime code without testing it throughly first. I try therefor to fix the problem in the emulation level without touching the actual code. (for instance, overriding a certain problematic function which used an uninitialized variable, and got away with it in the embedded device, but not in the desktop, or, replace the macro which stores a specific memory address (hex number) which is used by a the code, and is obviously relevant only for the embedded device) Having a good runtime error checks (such as valgrind) will help me with recognizing this anomalities. I'm not sure at which version this started, but gcc 4.4.2 with -Wextra catches your second example (array bounds problem). That surprising, more complex instances could be reducable to the halting problem (number of times we advance p might depend on any complex function). Didn't work for me. (Does it check that during runtime? perhaps it doesn't work with mingw). le...@leibo-pc ~ $ cat tmp.c int main(int argc,char **argv) { int x[10],y[10],i=0; int *p = x; for (;i=13;i++,p++) *p = (*p)++; return 0; } le...@leibo-pc ~ $ /cygdrive/c/MinGW/bin/gcc.exe --version gcc.exe (TDM-2 mingw32) 4.4.1 Copyright (C) 2009 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. le...@leibo-pc ~ $ /cygdrive/c/MinGW/bin/gcc.exe -Wextra -Wall tmp.c tmp.c: In function 'main': tmp.c:2: warning: unused variable 'y' tmp.c:1: warning: unused parameter 'argc' tmp.c:1: warning: unused parameter 'argv' Shachar -- Shachar Shemesh Lingnu Open Source Consulting Ltd. http://www.lingnu.com ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Runtime security/memory checks for gcc/gdb
2010/1/13 guy keren c...@actcom.co.il: if you are running on windows - you can use purify - it's a commercial tool, Why the condition of Windows? Purify is available for Linux as well. --Amos ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il