Dailydave mailing list archives

Re: Passport, Magazines of Failure.


From: <halvar () gmx de>
Date: Sat, 1 Jan 2005 02:01:56 -0800

Hey all,

source/binary analysis products and how amazingly nothing they all have to show for it. You KNOW that if any of them actually had a product that could produce any kind of results, it would be "Samba bug of the day" month.

There's another interesting thing about automated code analysers: we all underestimate the sheer number of existing but totally irrelevant bugs. From tons of overflows in some ASN.1 encoding code, to negative array indexing (which does not write and can't be made to write, just to accept characters not otherwise acceptable) in popular mail servers, to critical network-facing components that routinely allow you to write 1 byte into a malloc()'ed buffer of 0 bytes size (but with the malloc( 0 ) code actually doing a malloc( 1 )), we have loads and loads of bugs which are of little to no relevance security-wise. A (good) code analysis tool will turn up 99% of them, with the result that the analyst is swamped by results and has no means of properly classifying them.

Cheers,
Halvar
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave