So, I’ve been spending some time looking at security stuff the last few days. I’ve let my knowledge slip a bit over the ages. Started looking at it again after discovering the Toronto Area Security Klatch. So, I printed off a copy of Smashing the Stack for Fun and Profit, which is a really interesting read, and have been heading on from there.
Spent some time puttering around shellcode.org, which has some pretty good info, and read through some of the shellcode community postings on LiveJournal.
It brings up some interesting-sounding programs and possibilities. The one that caught my eye was a source code scanner to find bad format string usage in programs (can’t remember the name or URL at the moment). It would be an interesting exercise to extend that concept, except write a full-on C compiler. After you get the code into your abstract syntax tree, start the analysis from there. You can keep track of what is the dirty data and how it’s used, and probably do other bounds checks and that kinda thing. Not sure how well it would work, but it seems like an interesting idea at least.
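Here is an added example of the "track the dirty data" idea in the paragraph above; it is not code from the post or from the scanner it mentions. It is a deliberately small Python pass over C source that uses regexes and a token scanner instead of a real parser or AST, so it only follows taint through simple assignments and libc copy calls. The sample program, the taint source/sink tables, the verdict names and every function in it are constructed for this illustration.

```python
import re
# Constructed C sample for this example (not from the original post); the format-string bugs are deliberate.
SAMPLE_C = r'''
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv)
{
    char line[256], copy[256];
    char *home = getenv("HOME");
    const char *fmt = argc > 2 ? "%s\n" : "%s";
    fgets(line, sizeof line, stdin);
    strcpy(copy, line);                 /* taint flows line -> copy */
    printf("you said: %s\n", line);     /* literal format: fine */
    printf(line);                       /* attacker-controlled format string */
    fprintf(stderr, copy);              /* same bug, one copy later */
    syslog(LOG_INFO, argv[1]);          /* argv straight into a format sink */
    snprintf(copy, sizeof copy, home);  /* getenv() result used as the format */
    printf(fmt, line);                  /* non-literal format, but not attacker data */
    printf("%s", home);                 /* fine: the data is an argument, not the format */
    return 0;
}
'''

# Hypothetical taint model, deliberately small: where dirty data enters, how it moves, where it must not land.
TAINTED_NAMES = {'argv'}                                   # dirty on entry to main()
TAINT_RETURNING = {'getenv', 'gets'}                       # return value is dirty
TAINT_ARG = {'fgets': 0, 'gets': 0, 'read': 1, 'recv': 1}  # call dirties this argument
COPY_FUNCS = {'strcpy': (0, 1), 'strncpy': (0, 1), 'strcat': (0, 1), 'sprintf': (0, 1), 'snprintf': (0, 2)}
SINKS = {'printf': 0, 'fprintf': 1, 'sprintf': 1, 'snprintf': 2, 'syslog': 1}  # index of the format argument
IDENT_RE = re.compile(r'\b([A-Za-z_]\w*)\b')
CALL_RE = re.compile(r'\b([A-Za-z_]\w*)\s*\(')
STR_RE = re.compile(r'"(?:\\.|[^"\\])*"')
TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|[(),]|[^"(),]+')  # string literals become single tokens
ASSIGN_RE = re.compile(r'^(?:(?:const\s+)?[A-Za-z_]\w*\s+\**)?([A-Za-z_]\w*)\s*=\s*([^=].*?);\s*$')

def call_args(stmt, start):
    """Arguments of the call whose '(' is at `start`, split on top-level commas only."""
    args, cur, depth = [], '', 0
    for tok in TOKEN_RE.findall(stmt[start:]):
        if tok == '(':
            depth += 1
            if depth == 1:
                continue                  # the call's own opening paren
        elif tok == ')':
            depth -= 1
            if depth == 0:
                break
        elif tok == ',' and depth == 1:
            args.append(cur.strip())
            cur = ''
            continue
        cur += tok
    if cur.strip():
        args.append(cur.strip())
    return args

def find_calls(stmt):  # every `name(` in the statement, paired with its argument list
    return [(m.group(1), call_args(stmt, m.end() - 1)) for m in CALL_RE.finditer(stmt)]

def base_ident(expr):  # reduce `argv[1]`, `*p`, `&buf[0]`, `(line)` to the variable being read
    m = re.match(r'[\s*&(]*([A-Za-z_]\w*)', expr)
    return m.group(1) if m else ''

def expr_tainted(expr, tainted):  # dirty if it reads a dirty variable or calls a dirty-returning function
    names = IDENT_RE.findall(STR_RE.sub('""', expr))   # ignore identifiers that sit inside string literals
    return any(n in tainted or n in TAINT_RETURNING for n in names)

def analyze(src):
    """One top-to-bottom pass; returns (line, sink, format expr, verdict) for every format-sink call."""
    src = re.sub(r'/\*.*?\*/', '', src, flags=re.S)   # drop block comments; single-line ones keep numbering
    tainted, findings = set(TAINTED_NAMES), []
    for lineno, raw in enumerate(src.splitlines(), 1):
        stmt = raw.strip()
        for name, args in find_calls(stmt):
            if name in TAINT_ARG and len(args) > TAINT_ARG[name]:
                tainted.add(base_ident(args[TAINT_ARG[name]]))
            if name in COPY_FUNCS:
                dst, src0 = COPY_FUNCS[name]
                if len(args) > src0 and any(expr_tainted(a, tainted) for a in args[src0:]):
                    tainted.add(base_ident(args[dst]))
            if name in SINKS and len(args) > SINKS[name]:
                fmt = args[SINKS[name]]
                if fmt.startswith('"'):
                    verdict = 'ok'        # compile-time constant format
                elif expr_tainted(fmt, tainted):
                    verdict = 'VULN'      # dirty data reaches the format argument
                else:
                    verdict = 'warn'      # non-literal format the pass cannot prove dirty
                findings.append((lineno, name, fmt, verdict))
        m = ASSIGN_RE.match(stmt)         # plain assignment: the lhs becomes as dirty as the rhs
        if m and expr_tainted(m.group(2), tainted):
            tainted.add(m.group(1))
        elif m:
            tainted.discard(m.group(1))
    return findings

if __name__ == '__main__':
    print(*(f'{v:4} line {n:2}: {s}(... {f} ...)' for n, s, f, v in analyze(SAMPLE_C)), sep='\n')
```

Run it and the four calls that hand `line`, `copy`, `argv[1]` or `home` to a format argument come back `VULN`, `printf(fmt, line)` comes back `warn` because `fmt` is a variable the pass cannot prove attacker-controlled, and the two literal-format calls pass. The pass is knowingly sloppy in the ways a line-oriented heuristic has to be: it treats `sizeof line` as dirty because it mentions `line`, it does not see across function boundaries or branches, and it ignores pointer aliasing. Those are exactly the pieces a real AST-level analysis would give you. The C-side fix is the same in every case: `printf("%s", buf)` rather than `printf(buf)`.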
Anyway, more to look at and more to read. If you’ve got some interesting links, send ’em my way. Articles, URLs, tools, whatever.