Dailydave mailing list archives

Re: The value of knowing reverse engineering


From: Matt Hargett <matt () use net>
Date: Wed, 22 Feb 2006 20:41:49 +0000

Chad Loder wrote:
On Wed, Feb 22, 2006 at 07:43:35AM +0000, Matt Hargett wrote:
Alexander Sotirov wrote:
halvar () gmx de wrote:
now with all the discussion about GCC's security features, I can quip in
a bit more than one line. Rolf and I are having long discussions after
having had crazy problems with GCC's code generation over the time --
Rolf really wants to get rid of GCC for our products, and I can't blame
him. The amusing thing is that I think that reverse engineers and
developers are an almost disjoint set, because apparently developers
just 'live' with broken code generation, and many RE's don't develop enough
to notice broken compilers.
I've been following GCC development for a while, and I have the impression that
they are pretty good about fixing wrong code generation bugs. From the
discussions on the GCC mailing list it seems that these bugs usually get
assigned highest priority and are resolved quickly.
This is my experience also -- I really like the way Mark Mitchell has been managing things so far given the resource and time constraints.

Oh come on!

gcc devotes 99% of its time figuring out how to eat invalid and nonstandard
code.

WTF does that have to do with them dealing with *code generation* bugs in a timely fashion?

Also, what in the world would warrant you making such an overtly aggressive response?


So developers continue to write garbage code, and gcc continues to do its
magic, and nobody really knows or cares what gets emitted.

Apparently Halvar does ;>


Oh...and don't even get me started on buggy builtins, which IMHO remains
a big unexplored security risk.

So forgive me for being totally underwhelmed by the new security features
which are being layered on top of this hopelessly bloated thing that gets
bigger and nastier with every release.

You are, of course, entitled to that opinion. I personally think TreeSSA is really cool and the inter-procedural tracking in 4.1 is also pretty nifty. Has anyone looked at the API to see how it would accommodate a simple statistical static checker and put Coverity and Fortify out of business?

