I submitted this with a different title from the web page to get more attention to the issue. Not many people care about FreeRADIUS. I suspect there will be more interest in the underlying issues.
We run FreeRADIUS through four different static analysis tools, and have hundreds of regression tests. After the OpenVPM issues recently, I asked Guido Vranken to look into FreeRADIUS.
In short, fuzzing and address sanitization found about as many security issues as were found by all other techniques in the last 10 years.
Everyone: Please use fuzzers and address sanitizers on your C code. It will find things.
1 comment
[ 5.0 ms ] story [ 10.5 ms ] threadWe run FreeRADIUS through four different static analysis tools, and have hundreds of regression tests. After the OpenVPM issues recently, I asked Guido Vranken to look into FreeRADIUS.
In short, fuzzing and address sanitization found about as many security issues as were found by all other techniques in the last 10 years.
Everyone: Please use fuzzers and address sanitizers on your C code. It will find things.