Elsewhere

Links to writings of mine published elsewhere.

vendorcheck: the simplest Go static analysis tool

github.com/FiloSottile/vendorcheck is a small tool that will make sure all your Go dependencies are properly vendored. It's so simple that it serves well as a static analysis tool skeleton, so I wrote a code-along that explains how to load and play with Go packages: Building the simplest…

"LuckyMinus20": Yet Another Padding Oracle in OpenSSL CBC Cipher Suites

Early this week, a new OpenSSL error code padding oracle dropped. Padding oracles are one of the most fun crypto vulnerabilities, so I gave this one the full treatment: a ten lines PoC and CLI test, obviously based on a patched Go crypto/tls https://github.com/FiloSottile/CVE-2016-2107 an…

Coverage for end-to-end tests of Go programs

Getting coverage of Go unit tests (the ones in _test.go files) is easy, but there's no documented way to get coverage of tests run externally, against a running "main" binary, like integration tests. I wrote about a hack I used to solve this on the CloudFlare Blog.…

Creative foot-shooting with Go RWMutex

Hi, I'm Filippo and today I fucked up. I introduced (and caught in staging) a deadlock in RRDNS which didn't show up in tests. Unreleased RLock won't blow up until you call Lock. Read about it on the CloudFlare blog. Creative foot-shooting with Go RWMutex | CloudFlare Blog (archive)…

DNS parser, meet Go fuzzer

I ran go-fuzz against github.com/miekg/dns and found some interesting crashers. I documented the whole process on the CloudFlare blog. There's a bonus: fuzzing is not only for crashes! DNS parser, meet Go fuzzer | CloudFlare Blog (archive)…