Fortify Source: A Deeper Dive into Function Hardening on Linux and OS X

Source fortification is a powerful tool in modern compilers. When enabled, the compiler will inspect the code and attempt to automatically replace risky functions with safer, better-bounded versions. Of course, the compiler can only do that if it can figure out what those bounds should be, which isn't always easy. The developer does not get much feedback as to the success rate of this process, though. The developer knows that they may have enabled source code fortification (-D_FORTIFY_SOURCE), but they do not get a readout on how many of their memcpy instances are now replaced with the safer __memcpy_chk function, for example. This is important to the consumer because just looking to see that a good software build practice was intended does not reveal whether the practice actually improved the safety in the resulting application. That made us really curious to dig into the data on source fortification and its efficacy.


Software Application Risks on the OSX Continuum

In our previous post about the score histograms for Windows, Linux, and OSX, we promised deeper dives to come. We also noted interesting things about each continuum and reminded people that the real value is being able to compare the risk present in various software within a single continuum. Now we will take our first look at where some applications of interest live on the score continuum for OSX. We'll look at three categories of software here: browsers, office suites, and update software.
