Are the old days of code injection over? [closed] - security

As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
I was wondering, since all updated operating systems guard against stack and heap type overflows via ASLR, canary checks, and other such methods, are memory corruption exploits still prevalent? Given that the administrator of the system is competent and protects the system from brute force or libc attacks, I honestly can't see many other ways. The only thing that I can possibly imagine for someone to attack a system is to overwrite function pointers on the stack, but that's about it. Maybe if someone found a clever way of predicting random numbers, the schemes that rely on random results could be defeated; however, it seems unlikely. It seems the only way to exploit someone else's system nowadays is to trick root or the admin into installing your software. Are the old days of code injection over? I'm coming at this from the perspective of breaking updated, protected systems.

You do not need to trick the admin into installing your software if vulnerable software is already installed.
It is much easier to use higher-level constructs to have an OS command injected.
E.g.: a web application allowing a file to be uploaded to an arbitrary location, or a web application using user-controllable input to build an OS command.
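
Added example, not part of the original answer: the two weaknesses named above shown next to a hardened form of each, in Python. The upload directory, the `ping` helper and all function names are hypothetical, and the hostile input is constructed for illustration.

```python
import os
import re
import shlex

# Hypothetical upload directory for this example.
UPLOAD_ROOT = os.path.realpath("/srv/app/uploads")
# Allow-list: must start with a letter or digit, so it can never look like an option.
HOSTNAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def unsafe_ping_command(host):
    """Vulnerable pattern: user input concatenated into a shell command line."""
    return "ping -c 1 " + host


def shell_tokens(command_line):
    """Approximate how a POSIX shell splits the string, operators included."""
    return list(shlex.shlex(command_line, posix=True, punctuation_chars=True))


def safe_ping_argv(host):
    """Hardened form: validate the value and build an argv list (no shell)."""
    if not HOSTNAME.fullmatch(host):
        raise ValueError("host contains characters outside the allow-list")
    return ["ping", "-c", "1", "--", host]  # for subprocess.run(argv), shell=False


def resolve_upload(filename):
    """Hardened form: confine an upload's destination to UPLOAD_ROOT."""
    target = os.path.realpath(os.path.join(UPLOAD_ROOT, filename))
    if os.path.commonpath([UPLOAD_ROOT, target]) != UPLOAD_ROOT:
        raise ValueError("destination escapes the upload directory")
    return target


if __name__ == "__main__":
    constructed = "127.0.0.1; id"  # constructed hostile input
    # The shell sees ';' as a command separator, so a second command appears.
    print(shell_tokens(unsafe_ping_command(constructed)))
    for value in ("127.0.0.1", constructed):
        try:
            print(safe_ping_argv(value))
        except ValueError as exc:
            print("rejected:", exc)
    for name in ("report.pdf", "../../etc/cron.d/job", "/etc/passwd"):
        try:
            print(resolve_upload(name))
        except ValueError as exc:
            print("rejected:", name, "-", exc)
```
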

Related

Does making software open source make it vulnerable? [closed]

Closed 9 years ago.
This is more a philosophical question, but it's one I've been pondering for some time now.
I don't know anything about computer security or how computers are broken into. I thought hackers used disassembling software on executable software to create malware and other things.
My question is would making some software open source make it vulnerable to hackers or do I have reverse engineering confused with hacking?
Making something open source does not inherently make it more vulnerable. Trying to hide what you are doing is known as Security Through Obscurity, and it doesn't work very well.
Making something open source makes things easier for casual hackers, since they can see how your app works more easily. On the other hand, making it open source also lets anyone who is interested look through your code and report security vulnerabilities. They're two sides of the same coin.
For the most advanced threats, they'll get through regardless of whether your code is open source or not. On the other hand, honest volunteers are much less likely to bother trying to find and fix bugs in a closed source product.
So basically, it depends. In general, you're better off open sourcing things if you think people are actually going to be interested in the project.

Alternatives to googling Linux log messages? [closed]

Closed 9 years ago.
I am an intermediate Linux user who has basic knowledge of programming (c, perl, js ...) and some system troubleshooting (strace, SystemTap, lsof ...) and I am tired of Googling the messages which come to Linux logs (/var/log/messages). I would like to improve my Linux kernel knowledge. Since Linux (and its utilities like ssh etc.) is open source, there is source code available somewhere. So my question is: How can I troubleshoot/debug Linux problems at the source code level? Is this even possible for an intermediate Linux user? Where to begin and how to improve my programming skills and Linux kernel knowledge this way?
Honestly, Google will always be your best bet for specific requests.
But if you want theoretical knowledge, read books (or the ebook equivalent that you can find ... on Google). Best of luck.
The Linux kernel cross reference might be helpful. You can browse the source by clicking links.
Try it here (there are other URLs, but I find this one most reliable from my location):
http://lxr.free-electrons.com/
Use a git clone of the Linux source's stable tree.
git clone git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git
Your version will be tagged; run git tag in the directory. Check out that version, for example git checkout v3.4.45. Then you may run git grep *log message*. You may get no hits, so you can trim the string until you do. For instance, numbers, driver and module names are often in a format string.
Kernel messages will usually have printk, dev_err, BUG, etc. in the source. Often you will be able to tell from lsmod whether a module is present in your system or not. The module names and source files usually match. So you get a clue as to whether the code is present in your system.
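
Added example, not part of the original answer: the trimming step described above, automated in Python. It strips the syslog prefix, splits the message at parts that usually come from format specifiers, and returns the literal fragments to try with `git grep`. The log line and driver name are constructed, and the function names and heuristics are assumptions of this example.

```python
import re

# Syslog header, "kernel:" tag and "[ 1234.567890]" timestamp, all optional.
PREFIX = re.compile(
    r"^(?:\w{3}\s+\d+\s[\d:]+\s\S+\s)?(?:kernel:\s*)?(?:\[\s*\d+\.\d+\]\s*)?")
# Parts that usually come from %x/%d/%s in the format string:
# hex values, bare numbers, device names such as eth0 or sda1.
VARIABLE = re.compile(r"0x[0-9a-fA-F]+|\b\d+\b|\b[a-z]+\d+\b")


def grep_candidates(log_line, min_len=8):
    """Return literal fragments of a log line, longest first."""
    body = PREFIX.sub("", log_line.strip(), count=1)
    fragments = (f.strip(" :,") for f in VARIABLE.split(body))
    return sorted((f for f in fragments if len(f) >= min_len),
                  key=len, reverse=True)


def git_grep_argv(fragment):
    """argv for a fixed-string search, run inside the kernel source checkout."""
    return ["git", "grep", "-n", "-F", "-e", fragment]


# Constructed sample line; "exampledrv" is a made-up driver name.
SAMPLE = ("May 12 10:01:22 host1 kernel: [ 1234.567890] "
          "exampledrv: eth0 NIC Link is Up 1000 Mbps Full Duplex")

if __name__ == "__main__":
    # Try the candidates in order until one of them produces hits.
    for fragment in grep_candidates(SAMPLE):
        print(" ".join(git_grep_argv(fragment)[:-1]), repr(fragment))
```
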

Why is Node.js's version so low? [closed]

Closed 9 years ago.
I've been watching the development of Node.js and frameworks like Express for a while. I finally found some time to play around and am enjoying it.
Does anyone know why Node's current version is only 0.10.0? I know it doesn't really matter but it makes it seem like an extremely new and unstable project when in fact it seems that it's being used quite a bit and even by some big players.
Well, it is new, it's only been around since 2009.
That may seem old to you whippersnappers but I primarily program in a language from the '70s and sometimes on machines that have been around since the '60s.
But seriously, it probably has more to do with the numbering scheme than any actual immaturity. As you can see here, there have actually been quite a few releases.
If you wait a little while, the release plan calls for a 0.12 (code cleanup mostly) to be followed by 1.0 which, based on comments, will be the "final" product (though there will still be more versions since predictions aren't perfect). Many projects start with a (crappy) 1.0 and improve that. The philosophy for node.js seems to have been to approach 1.0 as the fully-polished end product.

Kernel development [closed]

Closed 11 years ago.
Is it still possible for someone to learn and start contributing to the Linux kernel? It looks like the contributor list is dominated by paid employees from large companies. Is there still a chance that one can get their patches or bugs in the kernel, or is it sort of saturated with great developers? I'm thinking of focussing on the networking subsystem. Sorry if all this sounds too noobish, but any opinions on all this? Is it even worth it to start on this route? I plan to spend my evenings and weekends for however long it takes, assuming I will be able to make some contribution.
Thanks.
Yes. Example: Con Kolivas (of course you could also cite that in order to give arguments against hobbyist development). See also this survey (original source):
For the evaluation period, almost 19% of changes were reportedly contributed by unaffiliated hobbyists.
Write something interesting and relevant, head over to the mailing list (or vice versa: Ask if something is interesting at the mailing lists, then head over to development). Not even the head of development Linus Torvalds is looking at your professional status.

I want to contribute to the Linux kernel [closed]

Closed 9 years ago.
I want to work with the Linux kernel, but I have no idea where to start. Is there a sort of ticketing system somewhere where bugs and such are distributed? Where can I get ideas for potentially useful contributions?
EDIT: Yes I know what I'm doing. I've been writing my own modifications for a good while now, and I'm doing an independent project under one of the operating systems researchers at my university next semester.
The reason I ask is I'd like to contribute my expertise to the dev process, and I don't know where to start in terms of organization. In terms of technical matters, I'm just about there.
Start with these: Kernel Bugs involving typo.
(Search every day until you find something promising).
Search that bug database with keywords like "comment", "typo", "documentation", "minor bug", etc.
Also, search under the category Documentation here.
Learn the process first. Then, attempt to contribute something significant.
Pick a subsystem and subscribe to the relevant mailing list. Spend some time studying the subsystem. Start small and fix simple bugs then gradually do work of higher significance. You may want to look at the TODO files in the kernel source directory, especially for drivers in staging.
Get a GIT tutorial. You may also watch this
