Dailydave mailing list archives
Re: Passport, Magazines of Failure.
From: <halvar () gmx de>
Date: Sat, 1 Jan 2005 02:01:56 -0800
Hey all,
source/binary analysis products and how amazingly nothing they all have to show for it. You KNOW that if any of them actually had a product that could produce any kind of results, it would be "Samba bug of the day" month.
There's another interesting thing about automated code analysers: We all underestimate the sheer number of existing but totally irrelevant bugs. From tons of overflows in some ASN.1 encoding code, to negative array indexing (which does not write and can't be made to write, just to accept characters not otherwise acceptable) in popular mail servers, to critical network-facing components that routinely allow you to write 1 byte into a malloc()'ed buffer of 0 bytes size (but the malloc( 0 ) code doing a malloc( 1 )), we have loads and loads of bugs which are of little to no relevance security-wise.
A (good) code analysis tool will turn up 99% of them, with the result of the analyst being swamped by results and with no means of properly classifying them.
Cheers,
Halvar
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com https://lists.immunitysec.com/mailman/listinfo/dailydave