Dailydave mailing list archives
Re: The value of knowing reverse engineering
From: Matt Hargett <matt () use net>
Date: Wed, 22 Feb 2006 20:41:49 +0000
Chad Loder wrote:
> On Wed, Feb 22, 2006 at 07:43:35AM +0000, Matt Hargett wrote:
>> Alexander Sotirov wrote:
>>> halvar () gmx de wrote:
>>>> now with all the discussion about GCC's security features, I can quip in a bit more than one line. Rolf and me are having long discussions after having had crazy problems with GCC's code generation over the time -- Rolf really wants to get rid of GCC for our products, and I can't blame him. The amusing thing is that I think that reverse engineers and developers are an almost disjoint set, because apparently developers just 'live' with broken code generation, and many RE's don't develop enough to notice broken compilers.
>>>
>>> I've been following GCC development for a while, and I have the impression that they are pretty good about fixing wrong code generation bugs. From the discussions on the GCC mailing list it seems that these bugs usually get assigned highest priority and are resolved quickly.
>>
>> This is my experience also -- I really like the way Mark Mitchell has been managing things so far given the resource and time constraints.
>
> Oh come on! gcc devotes 99% of its time figuring out how to eat invalid and nonstandard code.

WTF does that have to do with them dealing with *code generation* bugs in a timely fashion?

Also, what in the world would warrant you making such an overtly aggressive response?

> So developers continue to write garbage code, and gcc continues to do its magic, and nobody really knows or cares what gets emitted.

Apparently Halvar does ;>

> Oh...and don't even get me started on buggy builtins, which IMHO remains a big unexplored security risk. So forgive me for being totally underwhelmed by the new security features which are being layered on top of this hopelessly bloated thing that gets bigger and nastier with every release.

You are, of course, entitled to that opinion. I personally think TreeSSA is really cool and the inter-procedural tracking in 4.1 is also pretty nifty. Has anyone looked at the API to see how it would accommodate a simple statistical static checker and put Coverity and Fortify out of business?