[Cryptography] I don't get it.

ianG iang at iang.org
Thu Apr 17 07:06:12 EDT 2014


On 16/04/2014 11:30 am, ianG wrote:
> On 15/04/2014 21:46 pm, Peter Fairbrother wrote:

> ...
>> I am no expert in bugs, but it seems to me that about 99% of the
>> reported security bugs and holes and so-on could be solved by having a
>> secure checking compiler. Which checked for most of the known holes, or
>> perhaps just even the top five.
> 
> 
> Yes, possibly.  But that still leaves 1%.  Now look at how many kloc
> we're dealing with.  I'd guess OpenSSL is O(100kloc) so that still
> leaves many bugs.


Just spotted, some more on the statistical nature of things:


=====
http://blog.sei.cmu.edu/post.cfm/secure-coding-for-the-android-platform
...
Software programmers produce more than 100 billion new lines of code for
commercially available software put into operation each year, according
to a recent article published in Defense Systems. Meanwhile, programming
errors happen at an estimated rate of 15 to 50 errors per 1,000 lines of
code. Even with the advent of automated testing tools, the article
states that “numerous studies and a substantial amount of research
suggest that approximately one error per every 10,000 lines of
production code still exists after testing. That would equate to
10,000,000 errors in the code produced each year.”
=====

Now, how many lines in OpenSSL?  Plug it in and get an estimate of bugs
left...

The existence of bugs is statistical;  the exploitation is not.

iang


ps: statistical here means "follows the law of big numbers" but it
doesn't read so well.

