[Cryptography] I don't get it.

Bowness, Piers piers.bowness at rsa.com
Tue Apr 15 18:19:20 EDT 2014


On Tue, Apr 15, 2014 at 11:46 PM, Peter Fairbrother <zenadsl6186 at zen.co.uk> wrote:
> I am no expert in bugs, but it seems to me that about 99% of the
> reported security bugs and holes and so on could be solved by having a
> secure checking compiler. Which checked for most of the known holes, or
> perhaps just even the top five.

The ability to detect these types of issues is beyond a typical compiler's job; it cannot
infer intent from the code being converted from language to machine code.

Static analysis tools, OTOH, probably would have pointed out the problem that a field
retrieved directly from the network was used to allocate storage without being compared
or filtered. These tools can only do so by looking at the entire code structure (across call
boundaries) and exercising data path analysis from 'source' to 'sink'. 
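
The source-to-sink data path analysis described in the message above, as an added illustration that is not part of the original post and not taken from any real tool. The mini-IR, the function names and the sample programs are constructed; it assumes straight-line code, an acyclic call graph, and that any bound comparison clears taint.

```python
# Toy interprocedural taint analysis over a constructed mini-IR (hypothetical,
# not any real tool's format). Each function is (params, [statements]):
#   ("source", dst)             dst = value read from the network
#   ("assign", dst, [srcs])     dst computed from srcs
#   ("check", var)              var compared against a bound, taint cleared
#   ("call", dst, func, [args]) dst = func(args)
#   ("sink", what, var)         var used as a size, e.g. for an allocation
#   ("return", var)

def analyze(program, func, tainted_args=(), path=()):
    """Return (return_value_is_tainted, findings) for one call of func."""
    params, body = program[func]
    tainted = {p for p, t in zip(params, tainted_args) if t}
    findings, ret, path = [], False, path + (func,)
    def mark(var, is_tainted):
        (tainted.add if is_tainted else tainted.discard)(var)

    for stmt in body:
        op = stmt[0]
        if op == "source":
            mark(stmt[1], True)
        elif op == "assign":
            mark(stmt[1], any(s in tainted for s in stmt[2]))
        elif op == "check":
            mark(stmt[1], False)
        elif op == "call":
            _, dst, callee, args = stmt
            # Follow the data across the call boundary with the caller's taint.
            r, sub = analyze(program, callee, [a in tainted for a in args], path)
            findings += sub
            mark(dst, r)
        elif op == "sink" and stmt[2] in tainted:
            findings.append((stmt[1], stmt[2], " -> ".join(path)))
        elif op == "return":
            ret = stmt[1] in tainted
    return ret, findings

# Constructed sample: a network length reaches an allocation in another function.
UNCHECKED = {
    "read_len": ([], [("source", "n"), ("return", "n")]),
    "reply": (["size"], [("sink", "alloc", "size")]),
    "handle": ([], [("call", "len", "read_len", []), ("call", "_", "reply", ["len"])]),
}
# Same program, but the length is compared against a bound before use.
CHECKED = dict(UNCHECKED, handle=([], [("call", "len", "read_len", []),
    ("check", "len"), ("call", "_", "reply", ["len"])]))

if __name__ == "__main__":
    print(analyze(UNCHECKED, "handle")[1], analyze(CHECKED, "handle")[1])
```

Neither `read_len` nor `reply` is reportable when examined alone; the finding only appears once taint is carried through `handle` into the callee.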




