Security assessment techniques for Go projects | Trail of Bits Blog


15 bookmarks. First posted by cji 6 days ago.


Security assessment techniques for Go projects
from twitter
7 hours ago by blackthorne
RT : Security assessment techniques for Go projects ()
from twitter
5 days ago by ripienaar
1. Static analysis
2. Dynamic analysis - Fuzzing, Property testing
* Diverging from more traditional fuzzing approaches, Go’s testing package (typically used for unit and integration testing) provides the testing/quick sub-package for “black box testing” of Go functions. In other terms, it is a basic primitive for property testing. Given a function and generator, the package can be used to build a harness to test for potential property violations given the range of the input generator.
3. Fault injection - Fault injection has been surprisingly effective when attacking Go systems. The most common mistakes we found using this method involve the handling of the error type.
4. Compiler tricks
* Subverting the type system - exposing non-exported functions without mass renaming
* Compiler-generated coverage maps
* Type-width safety - test against both 32-bit and 64-bit platform builds to identify platform-specific problems
5. Dependencies
go-lang  vulnerability-research 
5 days ago by ENOTTY