[OTR-dev] Buffer Overflow Study at Auburn University - OTR developers I would really appreciate your help!

Auburn Study sse.auburn.study at gmail.com
Thu Nov 8 11:38:14 EST 2012


Hi All,

I am a graduate student at Auburn University, working with Dr. Munawar
Hafiz. We are working on an empirical study project to understand the
software engineering practices used in companies that produce secure
software. In particular, we are concentrating on how developers write
code to prevent buffer overflow and integer overflow vulnerabilities.
We are interested in the software development process: how you develop
software, how you test and analyze programs to detect vulnerabilities,
and what processes you follow to remove bugs. We are looking into
automated tools that software developers use, and are expecting that
there is a common insight in the security engineering process that can
be reusable.

We request your assistance by participating in this research study.
We would greatly appreciate it if you would share your experience with
us by answering the questions at the end of this email. We may send
some follow-up questions based on your response in the future. Your
response(s) will be kept confidential, and will only be aggregated
with those of other responders. Please let us know if you have any
questions or concerns regarding the study. Thanks in advance for your
support.

Yasmeen Rawajfih
Software Analysis, Transformations and Security Group
Auburn University

Working under the supervision of:
Dr. Munawar Hafiz
Assistant Professor
Dept. of Computer Science and Software Engineering
Auburn University
Auburn, AL
http://munawarhafiz.com/


Questions: (There are ten questions.)

1. How long have you been a software developer?

2. How long have you been affiliated with OTR? Were you part of
the original development team for this software?

3. What is the size of the current code base?

4. Did you follow a coding standard when developing this
software? Is it a standard determined by your group?

5. What did you use to manage bug reports in your software? Does
it satisfy your requirements? Are there other software options that
you would consider switching to?

6. Did you use any compiler options to detect integer overflow
vulnerabilities? Do you think that they are useful?

7. Did you use any automated (static or dynamic analysis) tools
to detect buffer overflows, integer overflows, or any other bugs?
Which tools did you use? Why these tools?

8. Did you use fuzzing? Which tools did you use and why? If you
wrote your own fuzzer, why did you write it yourself? Was it written
from scratch or by extending some other fuzzing tools?

9. Did you have specific phases during development where you
concentrated on fixing security issues? Did you have a test suite,
unit tests, or regression tests?

10. Buffer overflows often result from the use of unsafe functions,
such as strcpy. Does your software use those? If you use a different
string library, why is it used? Is it an in-house library or an
off-the-shelf library? Did you migrate your code to use the string
library?


