README for BFBTester 2.0-BETA
Copyright 2000 Mike Heffner <mheffner@vt.edu>
http://bfbtester.sourceforge.net

-> I N T R O <-

BFBTester is great for doing quick, proactive security checks of
binary programs. BFBTester will perform checks of single and multiple
argument command line overflows and environment variable
overflows. Versions 2.0-BETA and higher can also watch for tempfile
creation activity to alert the user of any programs using unsafe
tempfile names. While BFBTester cannot test all overflows in
software, it is useful for detecting initial mistakes that can red
flag dangerous software.

-> U S A G E <-

The basic syntax for running BFBTester is:

bfbtester [-htv] [-d level ] [-r rejects] [-o out-file]
          [-x max-execs] -asme file [file2 file3 ...]
Must specify one or more of the following tests:
    -s            Single Argument Test
    -m            Multiple Argument Test
    -e            Environment Variable Test
    -a            Selects all tests
Options:
    -h            Print this message
    -t            Enable tempfile monitoring
    -v            Print version string
    -d level      Set debug level (default = 0, max = 2)
    -r rejects    Comma separated list of binaries to skip
    -o out-file   Output to out-file rather than stdout
    -x max-execs  Set maximum executables to run in parallel (default = 250)
file              Specific binary or a directory of binaries to test


You must specify at least one test to run and you must specify either
a binary or a directory.

Executable selection is now done in one of several ways:

If the executable filename is specified with a leading
slash (an absolute path), no selection is used and the
supplied absolute filename is used.

If there is no leading slash in the filename the selection
is made in one of two ways (in this order):
    1) Prepend file name with $PWD and test accessibility
    2) Search through $PATH and find first accessible executable
The first one to succeed is the executable chosen.

If the filename found is a directory, we walk the directory (one
level deep) looking for executable binaries.

Symbolic links are followed.


You can specify binaries to skip (useful when loading a whole
directory) by using the -r option.

Examples:

bfbtester -s /usr/bin

    Run the single argument test on all binaries in folder /usr/bin.

bfbtester -ta patch traceroute

    Run all tests against patch and traceroute and run the tempfile
    monitor.

bfbtester -a ./bfbtester

    Tests bfbtester (provided it's in the same directory). Hope it works :)

bfbtester -r kill /usr/bin/kill

    Does nothing.


-> N O T E S <-

The following is a crash report:

*** Crash </usr/bin/patch> ***
 args:          -D [05120]
 envs:          (null)
 Signal:        11 ( Segmentation fault )
 Core?          Yes

This means "/usr/bin/patch" crashed when fed with an "-D" and a word
5,120 characters long:

$ /usr/bin/patch -D AAA...5,120 characters...AAA

(Numbers in brackets mean replace with a word that many characters
long)

ALSO: BFBTester is very CPU intensive, and will open many files, so
you probably don't want to run it on a production machine during its
busiest period. Just a warning...


-> K N O W N   B U G S <-

 [6/04/2000] - Been known to blow up on OpenBSD (pthread related).
               Workaround is to define LINUX in src/config.h.

-> T O D O <-



-> T H A N K S <-

To...
  o Thomas Stromberg <tstromberg@rtci.com> for developing
    SmashWidgets, from where I got the idea for BFBTester
  o Compaq for their great TestDrive servers at:
    http://www.testdrive.compaq.com/
  o David Wheeler <dwheeler@ida.org> for suggesting I should put
    together some type of license and for listing BFBTester in the "Secure
    Programming for Linux and Unix HOWTO" available at:
    http://www.dwheeler.com/secure-programs/
  o Bill Marquette <wlmarque@hewitt.com> for testing on Solaris and
    contributing patches
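
Added example, not part of the original README or of BFBTester's own code: a Python sketch that parses crash reports in the format shown under NOTES and expands each bracketed number into a word of that length, giving the argument vector to use when triaging the crash. The function names, the fill character, the handling of "(null)" in the args field and the exact whitespace of the sample are assumptions.

```python
import re

# Constructed sample: the crash report shown under NOTES (whitespace assumed).
SAMPLE_REPORT = """\
*** Crash </usr/bin/patch> ***
 args:          -D [05120]
 envs:          (null)
 Signal:        11 ( Segmentation fault )
 Core?          Yes
"""

HEADER = re.compile(r"^\*\*\* Crash <(.+)> \*\*\*\s*$")
FIELD = re.compile(r"^\s*(args:|envs:|Signal:|Core\?)\s*(.*?)\s*$")
PLACEHOLDER = re.compile(r"^\[(\d+)\]$")

def parse_reports(text):
    """Return one dict per '*** Crash <binary> ***' block found in text."""
    reports, current = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = {"binary": header.group(1), "args": [],
                       "envs": None, "signal": None, "core": None}
            reports.append(current)
            continue
        field = FIELD.match(line)
        if current is None or not field:
            continue  # ignore text outside a report and unknown lines
        key, value = field.groups()
        if key == "args:":
            # "(null)" for args is an assumption; the README shows it only for envs.
            current["args"] = [] if value == "(null)" else value.split()
        elif key == "envs:":
            current["envs"] = None if value == "(null)" else value  # kept raw
        elif key == "Signal:":
            number = re.match(r"\d+", value)
            current["signal"] = int(number.group()) if number else None
        else:  # "Core?"
            current["core"] = value == "Yes"
    return reports

def reproduction_argv(report, fill="A"):
    """Expand [NNNNN] words into fill * NNNNN; the fill character is an assumption."""
    argv = [report["binary"]]
    for word in report["args"]:
        m = PLACEHOLDER.match(word)
        argv.append(fill * int(m.group(1)) if m else word)
    return argv
```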