Secure Coding mailing list archives

RE: Theoretical question about vulnerabilities

From: "David Crocker" <dcrocker () eschertech com>
Date: Mon, 18 Apr 2005 00:09:29 +0100

Crispin wrote:

Proving that all array accesses are within bounds would seem to be
Turing undecidable. Either you are not proving what you way you are
proving, or your programs are not full Turing machines.

Proof: <insert diagonalization argument here :>

Issue: Some people may regard diagonalized programs are a contrivance,
and are only interested in correctness proofs for real programs (for
some value of "real").
<<

The diagonalization argument shows quite nicely they you cannot write a program
that, for any arbitrary input program, can say whether or not it has any array
bounds problem. Which is why we haven't wasted our time trying to write such a
program. Instead, we have produced a tool-supported method that lets us produce
programs (including programs that solve complex problems) that are proven -
subject to correctness of tool chain and processor - not to have array bounds
problems (or many other sorts of problem), for arbitrary inputs.

Crispin's rebuttal: Suppose I want to prove that your program checker
does not have any illegal array references ...
<<

I don't see what you are getting at here. Our proof engine is large and complex;
but because of the way we have built it, the proofs that array indices are in
bounds are not particularly difficult. Of course, you would need to use a
different proof engine - or at least an independent proof checker - to produce
reasonable "proof" of the correctness of the prover itself. Despite this,
running the tool on itself does provide a lot of value, because proof failures
have shown up a number of problems with the tool. Some of these problems would
be very hard to detect by testing. The input space for a program of this type is
so large so that testing can only exercise a small fraction of that space
(actually, an infinitesimal fraction).

David Crocker, Escher Technologies Ltd.
Consultancy, contracting and tools for dependable software development
www.eschertech.com

Current thread:

Re: Theoretical question about vulnerabilities, (continued)
- Re: Theoretical question about vulnerabilities Crispin Cowan (Apr 10)
- RE: Theoretical question about vulnerabilities David Crocker (Apr 11)
  - Re: Theoretical question about vulnerabilities Crispin Cowan (Apr 12)
  - Re: Theoretical question about vulnerabilities der Mouse (Apr 12)
    - RE: Theoretical question about vulnerabilities David Crocker (Apr 12)
    - Re: Theoretical question about vulnerabilities der Mouse (Apr 12)
    - RE: Theoretical question about vulnerabilities David Crocker (Apr 13)
    - Re: Theoretical question about vulnerabilities Crispin Cowan (Apr 13)
    - RE: Theoretical question about vulnerabilities David Crocker (Apr 14)
    - Re: Theoretical question about vulnerabilities Crispin Cowan (Apr 15)
    - RE: Theoretical question about vulnerabilities David Crocker (Apr 17)
- Re: Theoretical question about vulnerabilities Nash (Apr 11)
  - Re: Theoretical question about vulnerabilities Crispin Cowan (Apr 12)
- RE: Theoretical question about vulnerabilities Peter Amey (Apr 12)
- Re: Theoretical question about vulnerabilities karger (Apr 12)
- RE: Theoretical question about vulnerabilities Peter Amey (Apr 13)
  - Re: Theoretical question about vulnerabilities der Mouse (Apr 13)
    - Re: Theoretical question about vulnerabilities Nash (Apr 13)
    - RE: Theoretical question about vulnerabilities David Crocker (Apr 13)
    - Re: Theoretical question about vulnerabilities Crispin Cowan (Apr 13)
    - RE: Theoretical question about vulnerabilities David Crocker (Apr 14)

(Thread continues...)