Subject: Re: [boost] [beast] Security
From: Marshall Clow (mclow.lists_at_[hidden])
Date: 2017-12-13 04:57:55

On Tue, Dec 12, 2017 at 7:26 PM, Vinnie Falco via Boost <
boost_at_[hidden]> wrote:

> On Mon, Jul 3, 2017 at 9:42 AM, Phil Endecott via Boost
> <boost_at_[hidden]> wrote:
> > To what extent do we think that Beast should be "secure"? I am
> > thinking mostly about handling malicious input.
> >
> > Has it been reviewed by anyone with specific experience of how
> > HTTP can be attacked? Has it been "fuzzed"?
>
> We now have the answer to this question:
> <
> 20Hybrid%20Application%20Assessment%202017%20-%20Assessment%20Report%20-%
> 2020171114.pdf>
> Linked from
> <
> html/beast/reports.html#beast.reports.security_review_bishop_fox>
> Bishop Fox did find one serious vulnerability in the processing of
> compressed websocket frames. This flaw was fixed in time for Boost
> 1.66.0.

I can heartily recommend the project OSS-Fuzz.

You figure out how to apply a byte stream to a call in your library, and
they fuzz it. Over and over. Forever.

I have hooked up several of the calls in libc++ (sorting, heap operations,
regex parsers) and it has found a few bugs (all in the regex stuff).

I'm glad to show people how to get started with this.

-- Marshall
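
An added illustration of "apply a byte stream to a call in your library" (not part of the original message and not libc++'s own fuzz targets): a libFuzzer-style entry point, the interface OSS-Fuzz drives, that feeds the bytes to `std::sort` and the heap algorithms and aborts when a property fails. The helper names `sort_holds` and `heap_holds` and the file name in the build comment are hypothetical.

```cpp
// Added example: a fuzz target that checks properties of std::sort and the heap algorithms.
// Build for fuzzing (file name assumed): clang++ -g -fsanitize=fuzzer,address target.cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <vector>

// std::sort must produce an ordered sequence holding exactly the input bytes.
// Returns false on a violation so the check can be tested without aborting.
bool sort_holds(const uint8_t *data, size_t size) {
    std::vector<uint8_t> sorted(data, data + size);
    std::sort(sorted.begin(), sorted.end());
    size_t before[256] = {0}, after[256] = {0};
    for (size_t i = 0; i < size; ++i) {
        ++before[data[i]];    // histogram of the raw input
        ++after[sorted[i]];   // histogram of the sorted output
    }
    return std::is_sorted(sorted.begin(), sorted.end()) &&
           std::equal(before, before + 256, after);
}

// make_heap must establish the heap property, every pop_heap must preserve it
// on the shrinking prefix, and popping everything must leave ascending order.
bool heap_holds(const uint8_t *data, size_t size) {
    std::vector<uint8_t> heap(data, data + size);
    std::make_heap(heap.begin(), heap.end());
    if (!std::is_heap(heap.begin(), heap.end())) return false;
    for (auto end = heap.end(); end != heap.begin(); --end) {
        std::pop_heap(heap.begin(), end);  // largest element moves to end - 1
        if (!std::is_heap(heap.begin(), end - 1)) return false;
    }
    return std::is_sorted(heap.begin(), heap.end());
}

// Entry point the fuzzing engine calls with each generated input.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    if (!sort_holds(data, size) || !heap_holds(data, size))
        std::abort();  // the engine saves the offending input as a crash
    return 0;
}
```

Memory errors inside the library calls are caught by the sanitizer rather than by these property checks, which is why the build line enables AddressSanitizer alongside the fuzzer.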
