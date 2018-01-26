Software: libvpx 1.7.0, GNU Binutils, Prometheus, Fuzzing
Libvpx 1.7.0 Released With AVX Optimizations & More
Google's WebM folks quietly released libvpx 1.7.0 earlier this week as the latest version of their VP8/VP9 encoder/decoder library.
FSF Binutils release 2.30 now available
GNU Binutils 2.30 Released
Binutils 2.30 was released this weekend as the latest version of the GNU collection of binary utilities (the assembler, linker, objdump and friends) that the open-source toolchain depends on.
Monitoring with Prometheus 2.0
Prometheus is a monitoring tool built from scratch by SoundCloud in 2012. It works by pulling metrics from monitored services and storing them in a time series database (TSDB). It has a powerful query language to inspect that database, create alerts, and plot basic graphs. Those graphs can then be used to detect anomalies or trends for (possibly automated) resource provisioning. Prometheus also has extensive service discovery features and supports high availability configurations. That's what the brochure says, anyway; let's see how it works in the hands of an old grumpy system administrator. I'll be drawing comparisons with Munin and Nagios frequently because those are the tools I have used for over a decade in monitoring Unix clusters.
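The pull-and-store model described above, in miniature. This is an added example and not Prometheus code: a parser for the text exposition format a target serves on /metrics, an in-memory time-series store, and an invented alert rule (`HighErrorRate`, more than one 5xx response per second over 60 s) evaluated against two constructed scrapes. Real Prometheus fetches the payload over HTTP on a schedule and expresses rules in PromQL; the `rate()` here keeps PromQL's counter-reset handling but not its extrapolation to the window edges.

```python
"""The Prometheus pull model in miniature (constructed example, not Prometheus code)."""
import re
from collections import defaultdict

# One sample line: metric_name{label="value",...} value [timestamp_ms]
SAMPLE_RE = re.compile(r'^([a-zA-Z_:][a-zA-Z0-9_:]*)(?:\{([^}]*)\})?\s+(\S+)(?:\s+\d+)?$')
LABEL_RE = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')

def _unescape(value: str) -> str:
    """Undo the three escapes the exposition format allows in label values."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", '"': '"', "\\": "\\"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def parse_exposition(text: str):
    """Parse a /metrics payload into ((name, sorted_labels), value) pairs.
    '# HELP' and '# TYPE' lines are metadata and are skipped. Assumption for
    brevity: no label value contains a literal '}'."""
    samples = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SAMPLE_RE.match(line)
        if not m:
            raise ValueError(f"malformed sample line: {raw!r}")
        name, labelstr, value = m.groups()
        labels = tuple(sorted((k, _unescape(v)) for k, v in LABEL_RE.findall(labelstr or "")))
        samples.append(((name, labels), float(value)))  # float() accepts NaN, +Inf, -Inf
    return samples

class TSDB:
    """Append-only store: one list of (timestamp, value) per series."""

    def __init__(self):
        self.series = defaultdict(list)

    def scrape(self, payload: str, ts: float) -> int:
        """Ingest one scrape of a target; the scraper, not the target, sets the timestamp."""
        samples = parse_exposition(payload)
        for key, value in samples:
            self.series[key].append((ts, value))
        return len(samples)

    def rate(self, name: str, labels: dict, window: float, now: float) -> float:
        """Per-second increase of a counter over the last `window` seconds,
        tolerating one counter reset; no extrapolation to the window edges."""
        key = (name, tuple(sorted(labels.items())))
        pts = [(t, v) for t, v in self.series.get(key, []) if now - window <= t <= now]
        if len(pts) < 2:
            return 0.0
        (t0, v0), (t1, v1) = pts[0], pts[-1]
        increase = v1 - v0 if v1 >= v0 else v1  # reset: the counter restarted from zero
        return increase / (t1 - t0)

def evaluate_alert(db: TSDB, now: float):
    """Invented rule 'HighErrorRate': fire for every instance whose 5xx
    request rate over the last 60 s exceeds 1 request/s."""
    firing = []
    for name, labels in list(db.series):
        lab = dict(labels)
        if name == "http_requests_total" and lab.get("code", "").startswith("5"):
            r = db.rate(name, lab, window=60, now=now)
            if r > 1.0:
                firing.append({"alert": "HighErrorRate", "rate": r, **lab})
    return firing

# Two constructed scrapes of the same target, 60 s apart.
SCRAPE_T0 = """\
# HELP http_requests_total Total HTTP requests served.
# TYPE http_requests_total counter
http_requests_total{instance="web-1:9100",code="200"} 1000
http_requests_total{instance="web-1:9100",code="500"} 10
http_requests_total{instance="web-2:9100",code="200"} 900
http_requests_total{instance="web-2:9100",code="500"} 4
process_resident_memory_bytes{instance="web-1:9100"} 1.5e+07
"""
SCRAPE_T60 = """\
http_requests_total{instance="web-1:9100",code="200"} 1600
http_requests_total{instance="web-1:9100",code="500"} 130
http_requests_total{instance="web-2:9100",code="200"} 1500
http_requests_total{instance="web-2:9100",code="500"} 34
process_resident_memory_bytes{instance="web-1:9100"} 1.6e+07
app_build_info{version="2.0.1",note="a \\"quoted\\" value"} 1
"""

def build_demo_store() -> TSDB:
    """Simulate two scrape cycles and return the populated store."""
    db = TSDB()
    db.scrape(SCRAPE_T0, ts=0)
    db.scrape(SCRAPE_T60, ts=60)
    return db
```

With these two scrapes, `evaluate_alert(build_demo_store(), 60)` fires for `web-1:9100` only: its 5xx counter rose by 120 in 60 s (2.0/s), while `web-2:9100` rose by 30 (0.5/s). The same check against a shorter window that contains only one sample returns a rate of 0, which is why rule windows are chosen to span several scrape intervals.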
A survey of some free fuzzing tools
Many techniques in software security are complicated and require a deep understanding of the internal workings of the computer and the software under test. Some techniques, though, are conceptually simple and do not rely on knowledge of the underlying software. Fuzzing is a useful example: running a program with a wide variety of junk input and seeing if it does anything abnormal or interesting, like crashing. Though it might seem unsophisticated, fuzzing is extremely helpful in finding the parsing and input processing problems that are often the beginning of a security vulnerability.
Many common types of security vulnerabilities occur when something goes wrong while processing input — for example, the classic buffer overflow. These are interesting in that they tend to manifest first as instability: when input too long for the buffer is read, the program will probably misbehave and simply crash. With careful design of the too-long input, it might be possible to turn this crash into arbitrary code execution. The goal of fuzzing is to find any situations where a program crashes due to unusual input. While fixing these bugs makes the software more stable, it also closes the door on any security issues that could result from them.
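The process the two paragraphs above describe, as an added example that is not from the article or any of the tools it surveys: a mutation-based fuzzer run against a toy record parser that trusts the length field in its input, beside a hardened version of the same parser. The wire format, the parser, the seed input and the mutation operators are all constructed for this example. Python raises IndexError where the same copy loop in C would silently overwrite memory, so the "crash" is visible and safe to reproduce, and the fuzzer treats the hardened parser's ValueError as a deliberate rejection rather than a crash, which is the distinction a real harness has to make.

```python
"""Mutation-based fuzzing of a toy record parser (constructed example)."""
import random
import struct
import traceback

# Constructed wire format: records of [tag:1][length:1][payload:length].
# Tag 0x01 is a name copied into a 16-slot buffer, tag 0x02 a 4-byte
# big-endian count; other tags are skipped.
BUF_SIZE = 16

def parse_records_buggy(data: bytes) -> dict:
    """Trusts the declared lengths: an over-long name overruns the buffer
    (IndexError here, silent memory corruption in C) and a count record cut
    short by truncation reaches struct.unpack with too few bytes."""
    buf = bytearray(BUF_SIZE)
    out, i = {}, 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        payload = data[i + 2:i + 2 + length]
        if tag == 0x01:
            for k, b in enumerate(payload):  # no bounds check on k
                buf[k] = b
            out["name"] = bytes(buf[:len(payload)])
        elif tag == 0x02 and length == 4:
            out["count"] = struct.unpack(">I", payload)[0]  # payload may be short
        i += 2 + length
    return out

def parse_records_fixed(data: bytes) -> dict:
    """Same format; every length is checked against the buffer and against the
    bytes actually present, and bad input is rejected with ValueError."""
    buf = bytearray(BUF_SIZE)
    out, i = {}, 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        if i + 2 + length > len(data):
            raise ValueError("truncated record")
        payload = data[i + 2:i + 2 + length]
        if tag == 0x01:
            if length > BUF_SIZE:
                raise ValueError("name too long")
            buf[:length] = payload
            out["name"] = bytes(buf[:length])
        elif tag == 0x02:
            if length != 4:
                raise ValueError("bad count length")
            out["count"] = struct.unpack(">I", payload)[0]
        i += 2 + length
    return out

# Valid seed (constructed): a name, a count, and a 20-byte record of an unknown
# tag, which gives a corrupted name length real bytes to overrun with.
SEEDS = [bytes([0x01, 5]) + b"alice" + bytes([0x02, 4]) + struct.pack(">I", 7)
         + bytes([0x03, 20]) + b"x" * 20]
BOUNDARY_VALUES = [0x00, 0x01, 0x0F, 0x10, 0x11, 0x7F, 0x80, 0xFF]

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply 1-4 random mutations: overwrite a byte, plant a boundary value
    (around BUF_SIZE and the byte range), insert junk, or truncate."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(4)
        if op == 0 and data:
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif op == 1 and data:
            data[rng.randrange(len(data))] = rng.choice(BOUNDARY_VALUES)
        elif op == 2:
            pos = rng.randrange(len(data) + 1)
            data[pos:pos] = bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
        elif data:
            del data[rng.randrange(len(data)):]
    return bytes(data)

def reproduce(parser, case: bytes):
    """Run one input and return a crash signature, or None for a clean run.
    ValueError is the parser's documented rejection, so it does not count."""
    try:
        parser(case)
    except ValueError:
        pass
    except Exception as exc:  # anything else is an unexpected crash
        frame = traceback.extract_tb(exc.__traceback__)[-1]
        return f"{type(exc).__name__}@{frame.name}:{frame.lineno}"
    return None

def fuzz(parser, seeds=SEEDS, iterations=3000, seed=1):
    """Return one reproducer per distinct crash signature (exception + location)."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        sig = reproduce(parser, case)
        if sig is not None:
            crashes.setdefault(sig, case)  # keep the first input per signature
    return crashes
```

`fuzz(parse_records_buggy)` turns up the over-long name as an `IndexError` inside the copy loop within a few thousand iterations, and usually the truncated count record as a `struct.error` too; `fuzz(parse_records_fixed)` finds nothing, because every bad input is rejected with ValueError before any copy happens. Keying the results by exception type and location is how a harness avoids reporting the same bug thousands of times, and saving the first input per signature gives the developer a reproducer to attach to the bug.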
