Dailydave mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Automatic Exploitation Paper Peer Review

From: Julien Vanegue <julien.vanegue () gmail com>
Date: Sun, 12 Dec 2010 10:58:41 -0800
I guess many will get the joke on the (undecidable) halting problem -- still, hackish or partial solutions can be 
attempted and will answer sometimes.

Coming back on the main topic: industry vs academia

Being myself a mid-product, neither fully academic nor practical mind, i have a mitigated opinion. 

In the case of AEG, we are in presence of high quality formal research for a security problem. I understand why Sean is 
annoyed by a couple of disturbing claims that everyone already identified. Exploitation is much more than 
input-of-death generation (else we could say a fuzzer is almost a AEG system, which clearly it is not)

Now, let me ask you: are the best security industry experts capable of such a formal development? Wouldn't their 
attempt be comparable to the (inverse) attempts of Brumley & al at stepping into the exploit world, in terms of 
short-comings and clumsy claims?

I don't think the folks at CMU wanted to fool anyone, they were simply under-educated in the area of exploitation. 
Still I find the article they wrote very valuable (just as Sean's thesis is -- maybe more comparison with his work 
would have been welcome, both works are more academic than anything else after all). I do not see a reason to trash 
academia or even the authors themselves for having over-estimated the impact of their practical contribution.

If industry or a academia is seeking for more respect or collaboration potential from the other side, we should all 
avoid giving head butts to each other and educate / be educated on what the other is better at. 

My 2c,
Julien





On Dec 11, 2010, at 19:00, Chris Eagle <cse.lists () gmail com> wrote:


On 12/11/2010 1:22 PM, Fergie wrote:

Something I used to tell my troops when I was in the Army ...  Don't sit
back in your area and bitch about something.  Anyone can bitch.  If you
bring a problem to light, bring a potential solution as well...

I don't mean that as harsh as it sounds when I read it back.  I just mean to
say that all of you smart folks who identify these problems can surely posit
a solution to them....


So, there's this little problem I have where given a program to analyze,
all I want to know is whether it ever exits.  Now having brought the
problem to light, I am afraid I have no solution, perhaps you can help?

Sometimes the "solution" is to point out that there is no solution, or
that any potential solution is orders of magnitude more difficult than
one might expect.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
Previous By Date Next
Previous By Thread Next

Current thread: