[ntp:security] Re: Concerning a possible bug in the 'ntp' package

David Wagner daw at cs.berkeley.edu
Fri Sep 2 02:46:54 UTC 2005

> Are the tools you used generally available?  If so (and if they are not
> too hard to use) I'd like to consider using them to "vet" our code before
> it is released.

Yes.  However, you might find it disappointing, as it is a research
prototype.  I don't want to over-sell what it provides.  

Basically, MOPS is a model checker that allows you to check fairly general
properties about the order in which actions are taken along paths
through the code.  We have expressed a few security bugs as properties of
this form.  The property related to the bug report we sent talks about
temporary file handling.  However, our ruleset of security properties
is very small and covers only a small fraction of the possible security
issues you might see in the real world.  A commercial-grade tool would
have a much bigger ruleset, and indeed there are several startups out
there building such tools, but we can't compete with them.

The best open-source competitor out there is RATS.  RATS has a much more
extensive ruleset, and is a pretty decent tool to help with security
audits and code reviews.  However, RATS also has a much higher rate
of false positives (warnings that aren't real bugs), because RATS is
essentially a fancy grep that doesn't reason about code paths.  Thus the
motivation for our research project.  MOPS was built as a research platform
to evaluate new techniques, but not as a complete solution.

If you're feeling particularly adventurous, and don't mind that the
value of using MOPS to you folks is going to be pretty limited, here is
how to use it to vet your code.

The MOPS tool is available from Sourceforge:
You'll want the latest version in CVS.

You can apply it to the ntp code via something like this:
  mkdir /tmp/mops-out
  mkdir /tmp/mops-tmp
  cd ntp-VERSION
  make clean
  mops -m /PATH/TO/mops/properties/tempfile-properties.mfsa \
    -o /tmp/mops-out -t /tmp/mops-tmp -- make
If the /tmp/mops-out/HTMLtrace directory is empty, then MOPS did not
produce any warnings.  Otherwise, you can view them with
  firefox /tmp/mops-out/HTMLtrace/index.html

I just tried it on ntp-dev-4.2.0b-20050827, and MOPS reports no
warnings.  I'm still investigating whether that is because the latest
version is free of vulnerabilities, or because MOPS missed a real bug.

One more note: MOPS works by instrumenting the calls to gcc that occur
during the build process, after preprocessing.  Thus, it will only
check the code that is compiled for the platform that you build it on;
everything else that has been #ifdef'd away is ignored by MOPS.
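
The contrast the message draws between a pattern matcher and a checker that reasons about code paths, shown as an added illustration (not part of the original message, and not MOPS or RATS code). The property, the action names and the hand-built control-flow graphs are simplified, constructed assumptions.

```python
import re

# Constructed, simplified property (NOT MOPS's tempfile-properties.mfsa):
# a name from tmpnam() must not reach open() without O_EXCL on any path.
PROPERTY = {
    ("start", "tmpnam"): "named",
    ("named", "open_plain"): "ERROR",
    ("named", "open_excl"): "start",
}

def grep_check(source):
    """Pattern matching only: flag every line that mentions a risky call."""
    return [ln for ln in source.splitlines()
            if re.search(r"\b(tmpnam|mktemp)\s*\(", ln)]

def path_check(cfg, entry=0):
    """Search the product of CFG nodes and property states. Returns the
    actions along a violating path, or None if ERROR is unreachable."""
    seen, stack = set(), [(entry, "start", [])]
    while stack:
        node, state, trace = stack.pop()
        action, successors = cfg[node]
        state = PROPERTY.get((state, action), state)
        trace = trace + [action]
        if state == "ERROR":
            return trace
        if (node, state) not in seen:  # revisit guard, so loops terminate
            seen.add((node, state))
            stack.extend((nxt, state, trace) for nxt in successors)
    return None

# Constructed inputs: C source for the grep-style scan, and a hand-built
# control-flow graph {node: (action, [successor nodes])} for the path check.
SAFE_SRC = "n = tmpnam(NULL);\nfd = open(n, O_CREAT|O_EXCL|O_RDWR, 0600);\n"
SAFE_CFG = {0: ("tmpnam", [1]), 1: ("open_excl", [2]), 2: ("other", [])}

UNSAFE_SRC = ("n = tmpnam(NULL);\n"
              "if (quick) fd = open(n, O_CREAT|O_RDWR, 0600);\n"
              "else fd = open(n, O_CREAT|O_EXCL|O_RDWR, 0600);\n")
UNSAFE_CFG = {0: ("tmpnam", [1]), 1: ("other", [2, 3]),
              2: ("open_excl", [4]), 3: ("open_plain", [4]), 4: ("other", [])}

if __name__ == "__main__":
    for name, src, cfg in [("safe", SAFE_SRC, SAFE_CFG),
                           ("unsafe", UNSAFE_SRC, UNSAFE_CFG)]:
        print(name, "grep hits:", len(grep_check(src)),
              "violating path:", path_check(cfg))
```

The pattern matcher reports one hit for each sample, while the path search reports only the sample in which some branch reaches the plain open().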
