Login at Kodi Home

lord_voldemort · 2020-03-15, 18:21

Hi, I am Harish and was looking at the project "Automatic add-on checker for binary add-ons" for GSoC 2020.
I was wondering how different it would be from the python add-on checker and for "check for potentially malicious code", do you intend to use some static analysis tool. Because afaik static analysis provides very limited information to detect malicious code and static verification is a ongoing research and there might not be many off-the shelf tools available for this.
Thanks

**Razze** · 2020-03-16, 12:55

There are parts, that would be similar on both and static analysis is just one tool that we could use to get the ecosystem a bit nicer.

lord_voldemort · 2020-03-16, 13:00

(2020-03-16, 12:55)Razze Wrote: There are parts, that would be similar on both and static analysis is just one tool that we could use to get the ecosystem a bit nicer.

Could you suggest something that you have in mind regarding detecting malicious code? What I understood is that static analysis might help in some aspects of code like 'resources leaks', 'concurrency issues', etc. and this is what is being called as 'malicious code' in the project.

**Razze** · 2020-03-21, 21:19

(2020-03-16, 13:00)lord_voldemort Wrote:
(2020-03-16, 12:55)Razze Wrote: There are parts, that would be similar on both and static analysis is just one tool that we could use to get the ecosystem a bit nicer.

Could you suggest something that you have in mind regarding detecting malicious code? What I understood is that static analysis might help in some aspects of code like 'resources leaks', 'concurrency issues', etc. and this is what is being called as 'malicious code' in the project.

Yeah, that's fine for a start. We might also want to blacklist certain api's from C++ I guess. But just searching for those and filtering is probably fine. It's supposed to be helpful for reviewers, not trying to replace them for now.

lord_voldemort · 2020-03-27, 15:07

(2020-03-21, 21:19)Razze Wrote:
(2020-03-16, 13:00)lord_voldemort Wrote:
(2020-03-16, 12:55)Razze Wrote: There are parts, that would be similar on both and static analysis is just one tool that we could use to get the ecosystem a bit nicer.

Could you suggest something that you have in mind regarding detecting malicious code? What I understood is that static analysis might help in some aspects of code like 'resources leaks', 'concurrency issues', etc. and this is what is being called as 'malicious code' in the project.
Yeah, that's fine for a start. We might also want to blacklist certain api's from C++ I guess. But just searching for those and filtering is probably fine. It's supposed to be helpful for reviewers, not trying to replace them for now.

Can we include https://github.com/xbmc/xbmc/issues/17514 into the project. Because it seems that given python add-on checker is already in place and additional work required to do essentially same work for binary add-ons shouldn't take too long. And this will definitely improve ecosystem of binary add-ons.
If you have any other relevant issue in mind, can you please reply here?