Valgrind coming to Mac

September 19th, 2007

Apple employee Greg Parker has ported Valgrind to Mac, and plans to release his work soon after Leopard is released in October. He's been working on it for quite a while.

I'm excited about being able to use Valgrind on Mac. Valgrind's "Memcheck" is much better at catching dangling-pointer bugs and heap buffer-overflow bugs than simply watching for crashes (even with MallocScribble enabled). Running a fuzzer with Memcheck can reveal exploitable memory safety bugs that would not have triggered crashes otherwise.
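As an added example (my code, not from this post or from Valgrind), here is the check a fuzzing harness needs before Memcheck can pay off: a run counts as a finding when Memcheck reported invalid accesses, not only when the process died. The transcript is constructed to match Memcheck's report format, and exit status 77 is a harness choice passed through `--error-exitcode`, not a Valgrind default.

```python
"""Decide whether a fuzz run is a finding by reading Memcheck's report as well
as the exit status, so heap overflows and use-after-free reads count even when
the target exited normally.  Added example for this page, not Valgrind's code;
the Memcheck transcript below is constructed to match the report format."""
import re
import subprocess
from typing import Dict, List

# Exit status the harness asks Valgrind to use when Memcheck saw errors
# (passed as --error-exitcode=77).  Chosen here; it is not a Valgrind default.
MEMCHECK_EXIT = 77

_ERROR_KIND = re.compile(
    r"^==\d+== (Invalid (?:read|write) of size \d+"
    r"|Conditional jump or move depends on uninitialised value\(s\)"
    r"|Use of uninitialised value of size \d+)$"
)
_HEAP_CONTEXT = re.compile(
    r"^==\d+==\s+Address 0x[0-9a-fA-F]+ is "
    r"(\d+ bytes (?:inside|after|before) a block of size \d+ (?:alloc'd|free'd))$"
)
_SUMMARY = re.compile(r"^==\d+== ERROR SUMMARY: (\d+) errors from (\d+) contexts")


def classify_run(returncode: int, stderr: str) -> Dict[str, object]:
    """Return a verdict of 'crash', 'memcheck' or 'clean' plus what a triager
    wants next: the error kinds and where each bad address sits relative to
    the heap block Memcheck associated with it."""
    kinds: List[str] = []
    contexts: List[str] = []
    errors = 0
    for line in stderr.splitlines():
        m = _ERROR_KIND.match(line)
        if m:
            kinds.append(m.group(1))
            continue
        m = _HEAP_CONTEXT.match(line)
        if m:
            contexts.append(m.group(1))
            continue
        m = _SUMMARY.match(line)
        if m:
            errors = int(m.group(1))
    if returncode < 0:
        verdict = "crash"          # killed by a signal (POSIX subprocess convention)
    elif errors > 0 or returncode == MEMCHECK_EXIT:
        verdict = "memcheck"       # exited normally, but Memcheck saw invalid accesses
    else:
        verdict = "clean"
    return {"verdict": verdict, "signal": -returncode if returncode < 0 else None,
            "errors": errors, "kinds": kinds, "heap_context": contexts}


def run_under_memcheck(argv: List[str], timeout: float = 300.0) -> Dict[str, object]:
    """Run argv under Memcheck and classify it.  Needs a valgrind binary, so the
    sample below does not call it.  With -q the ERROR SUMMARY line is not
    printed, which is why the exit code is checked as well as the transcript."""
    proc = subprocess.run(
        ["valgrind", "-q", f"--error-exitcode={MEMCHECK_EXIT}"] + argv,
        capture_output=True, text=True, timeout=timeout)
    return classify_run(proc.returncode, proc.stderr)


# Constructed sample in Memcheck's report format: a one-byte heap overflow and a
# read of freed memory, neither of which crashed the target (it exited 0).
OVERFLOW_AND_UAF_LOG = """\
==4242== Memcheck, a memory error detector
==4242== Invalid write of size 1
==4242==    at 0x1001E4: fill (target.c:12)
==4242==    by 0x100210: main (target.c:20)
==4242==  Address 0x4a2c04f is 0 bytes after a block of size 15 alloc'd
==4242==    at 0x4840A56: malloc (vg_replace_malloc.c:381)
==4242==    by 0x1001D0: fill (target.c:10)
==4242==
==4242== Invalid read of size 4
==4242==    at 0x100230: main (target.c:24)
==4242==  Address 0x4a2c0a0 is 0 bytes inside a block of size 16 free'd
==4242==    at 0x484317B: free (vg_replace_malloc.c:872)
==4242==    by 0x100225: main (target.c:23)
==4242==
==4242== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
"""

if __name__ == "__main__":
    print(classify_run(0, OVERFLOW_AND_UAF_LOG))
```

A crash-only oracle would have filed this run as a pass: the exit status is 0. The "0 bytes after a block of size 15" and "inside a block of size 16 free'd" contexts are what turn a Memcheck line into a heap overflow or use-after-free bug report.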

Update 2008-09-29: Greg Parker has released his port as a patch.

Update 2009-02-06: Valgrind developer Nicholas Nethercote has imported Greg's patch into a branch of Valgrind's SVN repository.

Update 2009-06-02: Valgrind trunk now supports Mac.

Introducing Lithium, a testcase reduction tool

September 15th, 2007

I wrote a tool called Lithium that automatically reduces large testcases, such as real-world web pages or testcases produced by jsfunfuzz. It can usually reduce a 3000-line jsfunfuzz crash testcase to 3-10 lines in several minutes, considerably faster than I can reduce by hand. Perhaps more importantly, I can do something else while it reduces the testcase.

There are two (related) reasons I'm not calling it "Lithium 1.0" yet. First, I'm hoping to improve the way "interestingness tests" are written. Currently, they're separate programs that communicate to Lithium using their exit code, which limits error handling and might slow Lithium down. I'd like to make the interestingness tests be Python files, but I'm not sure what the best way to do that is. (Should Lithium __import__ the interestingness test? Or should the interestingness test import Lithium and be renamed to e.g. "reduce_crash.py"?)

Second, it would be useful to be able to pass extra arguments to the program being tested. For example, it would be useful to be able to pass a profile name to Firefox, or to pass a Firefox path to Valgrind. One possibility is to put the program being tested last on the command line, so extra positional arguments become options to that program. This solution would only work for interestingness tests that launch a single program (so it wouldn't work for a "renders differently in these two Firefox builds" test, for example), but maybe that's okay. Another possibility is to require the use of a config file for passing arguments to programs being tested (so you don't end up typing all of ".../firefox-bin -P foo" on Lithium's command line).
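An added illustration of the reduction loop the two paragraphs above describe (my own code, written for this page, not Lithium's): chunks of lines are deleted while an interestingness oracle still accepts the testcase, and the chunk size halves when a whole pass removes nothing. The oracle here is a Python function, the shape the post is considering; `oracle_from_command` adapts an external test using the exit-code protocol, and its "exit 0 means interesting" convention is an assumption of this example. The testcase is constructed.

```python
"""Line-based testcase reduction: delete chunks of lines, keep each deletion only
while the testcase stays "interesting", shrink the chunk size when nothing more
can go.  Added example written for this page, not Lithium's own code; the oracle
below stands in for running a real program, and the exit-status convention in
oracle_from_command is an assumption."""
import os
import subprocess
import tempfile
from typing import Callable, List

Oracle = Callable[[List[str]], bool]


def reduce_lines(lines: List[str], interesting: Oracle) -> List[str]:
    """Return a 1-minimal subsequence of `lines` that `interesting` still accepts.

    Chunk size starts at the largest power of two not exceeding len(lines).
    A pass tries to delete each chunk in turn; after a successful deletion the
    index stays put (the next chunk has slid into place).  When a whole pass
    deletes nothing the chunk size halves; a fruitless pass at size 1 ends it.
    """
    if not interesting(lines):
        raise ValueError("initial testcase is not interesting; nothing to reduce")
    chunk = 1 << (max(len(lines), 1).bit_length() - 1)
    while chunk >= 1:
        removed_any = False
        i = 0
        while i < len(lines):
            candidate = lines[:i] + lines[i + chunk:]
            if interesting(candidate):
                lines = candidate
                removed_any = True
            else:
                i += chunk
        if not removed_any:
            chunk //= 2
    return lines


def counting(oracle: Oracle):
    """Wrap an oracle so the harness can report how many runs the reduction cost."""
    calls = {"n": 0}

    def wrapped(lines: List[str]) -> bool:
        calls["n"] += 1
        return oracle(lines)
    return wrapped, calls


def oracle_from_command(argv: List[str], suffix: str = ".js", timeout: float = 60.0) -> Oracle:
    """Adapt an external interestingness test (the exit-code protocol).  The
    candidate goes to a temp file whose path is appended after the test's own
    arguments, so argv can carry options such as a profile name; exit status 0
    is taken to mean "interesting" (assumed convention for this example)."""
    def oracle(lines: List[str]) -> bool:
        fd, path = tempfile.mkstemp(suffix=suffix)
        try:
            with os.fdopen(fd, "w") as f:
                f.write("\n".join(lines) + "\n")
            try:
                return subprocess.run(argv + [path], timeout=timeout).returncode == 0
            except subprocess.TimeoutExpired:
                return False          # a hang is not the bug being reduced toward
        finally:
            os.unlink(path)
    return oracle


# Constructed stand-in for a fuzzer-generated testcase: only the two marked
# lines matter, and only in this order.
CONSTRUCTED_TESTCASE = [
    "var a = 1;",
    "function f() { return a; }",
    "x = [];",                            # needed
    "for (var i = 0; i < 10; i++) a += i;",
    "var s = 'hello';",
    "f(); f();",
    "x.foo();",                           # needed, and only after the line above
    "print(s.length);",
    "var o = {p: 1};",
    "delete o.p;",
]


def fake_crash_oracle(lines: List[str]) -> bool:
    """Stand-in for running the target: 'crashes' iff "x = [];" precedes "x.foo();"."""
    try:
        return lines.index("x = [];") < lines.index("x.foo();")
    except ValueError:
        return False


def demo():
    oracle, calls = counting(fake_crash_oracle)
    return reduce_lines(CONSTRUCTED_TESTCASE, oracle), calls["n"]


if __name__ == "__main__":
    result, runs = demo()
    print("\n".join(result))
    print(f"# {len(CONSTRUCTED_TESTCASE)} -> {len(result)} lines in {runs} oracle runs")
```

Treating a timeout as "not interesting" is deliberate: without it a reducer chasing a crash can drift toward a hang that the oracle never gets to judge. The initial sanity check matters for the same reason, since reducing an uninteresting testcase only ever returns an empty file.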

I'll probably use the MIT license for Lithium (but not for timed_run.py, which was mostly written by Chris Cooper and Bob Clary).

3000 boogs

September 6th, 2007

I filed my 3000th bug today. It looks like I've passed Gemal, but I'm still trailing Seth and timeless.

Schrep on honest software schedules

September 5th, 2007

Schedule Chicken is a game that nobody wins.

-- Mike Schroepfer, at this morning's Gecko status meeting.

Conflict of interest

August 20th, 2007

Consumer Reports "State of the Net" (via johnath):

In the past six months, [spyware] infections prompted 850,000 U.S. households to replace their computers.

I imagine that most of the new machines run Windows. Microsoft's near-monopoly position may mean that the company brings in more revenue by allowing spyware to thrive. Never mind that, because the costs of insecure software fall on users rather than on the vendor (an externality), the expense of designing secure code and safe user interfaces would eat into any company's profits. Hampering spyware could hurt Microsoft's revenue.

Jakob Nielsen on unethical advertising

August 20th, 2007

Users rarely look at display advertisements on websites. Of the four design elements that do attract a few ad fixations, one is unethical.

Can you guess which eye-attracting ad design element Jakob Nielsen considers unethical?

  1. Plain text
  2. Faces
  3. Cleavage and other "private" body parts
  4. Similarity in design to page content

(Read Jakob's article for the answer.)

Script restrictions for mitigating XSS vulnerabilities

August 5th, 2007

It looks like Robert Sayre is implementing Gerv's Content Restrictions proposal. This will give web sites a way to specify where in the page scripts are allowed to appear. The idea is that if a site using Content Restrictions has an XSS hole (e.g. due to incorrectly escaped text or incorrectly sanitized user HTML), it won't be exploitable in browsers that support Content Restrictions.

I'd rather see anti-XSS effort focused on improving server-side libraries. For example, if web applications were written in terms of "constructing an HTML DOM tree" or "pushing and popping HTML elements", much less code would have to be audited for "remembering to escape output" (I hate that phrase). But it's hard to argue against something that seems like it will help mitigate holes in existing web applications.
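An added illustration of that point (my code, not from this post or any project it names): the same fragment built by string concatenation, where every call site must be audited for escaping, and by a small element builder that escapes text and attribute values by construction, leaving explicit `Raw()` insertions as the only thing to audit. The payloads are constructed.

```python
"""String-concatenation templating beside a build-the-tree API that escapes by
construction.  Added example, not code from the post or from any project it
names; the payloads are constructed."""
import html
import re
from typing import Dict, Optional, Union

_NAME = re.compile(r"[a-zA-Z][a-zA-Z0-9-]*")
_URL_ATTRS = {"href", "src", "action", "formaction"}
_SAFE_SCHEMES = ("http:", "https:", "mailto:")


def comment_box_unsafe(author: str, body: str) -> str:
    """Output is a string; escaping is the caller's job, and here it was forgotten."""
    return '<div class="comment" data-author="' + author + '"><p>' + body + '</p></div>'


class Raw:
    """Pre-rendered markup the caller vouches for.  The only route for unescaped
    text into the tree, so searching for Raw( is the whole audit."""
    def __init__(self, markup: str):
        self.markup = markup

    def render(self) -> str:
        return self.markup


Node = Union["Element", Raw, str]


def _check_url(value: str) -> None:
    """Escaping cannot make href="javascript:..." safe, so URL-valued attributes
    get a scheme allowlist instead; relative URLs (no scheme) pass."""
    head = value.strip().lower().split("/", 1)[0]
    if ":" in head and not head.startswith(_SAFE_SCHEMES):
        raise ValueError(f"refusing URL with unexpected scheme: {value!r}")


class Element:
    def __init__(self, tag: str, attrs: Optional[Dict[str, str]] = None, *children: Node):
        if not _NAME.fullmatch(tag):
            raise ValueError(f"bad tag name: {tag!r}")
        self.tag = tag
        self.attrs: Dict[str, str] = {}
        for name, value in (attrs or {}).items():
            if not _NAME.fullmatch(name):
                raise ValueError(f"bad attribute name: {name!r}")
            if name.lower() in _URL_ATTRS:
                _check_url(value)
            self.attrs[name] = value
        self.children = list(children)

    def render(self) -> str:
        # Attribute values and text children are escaped here, once, for everyone.
        attrs = "".join(f' {k}="{html.escape(v, quote=True)}"' for k, v in self.attrs.items())
        inner = "".join(
            c.render() if isinstance(c, (Element, Raw)) else html.escape(c, quote=True)
            for c in self.children)
        return f"<{self.tag}{attrs}>{inner}</{self.tag}>"


def comment_box_safe(author: str, body: str) -> str:
    """Same fragment; user data can only enter as text, never as markup."""
    return Element("div", {"class": "comment", "data-author": author},
                   Element("p", None, body)).render()


# Constructed payloads: one aimed at text context, one at an attribute value.
PAYLOAD_TEXT = "<script>alert(1)</script>"
PAYLOAD_ATTR = '" onmouseover="alert(1)'

if __name__ == "__main__":
    print(comment_box_unsafe(PAYLOAD_ATTR, PAYLOAD_TEXT))
    print(comment_box_safe(PAYLOAD_ATTR, PAYLOAD_TEXT))
```

The builder does not make every context safe on its own: data placed inside a `<script>` body or a `style` attribute still needs context-specific handling, which is why the example refuses untrusted data in URL attributes rather than pretending escaping covers it.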

Readers who found this interesting might also enjoy Mozilla's metabug for anti-XSS proposals (dependency tree).

Opera is finding jsfunfuzz useful

August 4th, 2007

Opera has posted a build with fixes for several crashes found by jsfunfuzz. Cool!

Opera community members posted dozens of comments about it, and I replied to several.