[Cryptography] Heartbleed and fundamental crypto programming practices
John Kemp
john at jkemp.net
Thu Apr 17 12:52:00 EDT 2014
On 04/16/2014 11:05 PM, dan at geer.org wrote:
>
>
> W.r.t. programmatic code analysis, false positives, and so forth
Which have a dependency on languages (where protocols and APIs are
languages too).
>
> Heartbleed and Static Analysis
> http://blog.regehr.org/archives/1125
>
> A New Development for Coverity and Heartbleed
> http://blog.regehr.org/archives/1128
>
> both due to John Regehr, Univ of Utah
These sorts of things have been suggested for a while:
http://langsec.org/insecurity-theory-28c3.pdf
Write a parser for the input language (protocol) accepted by your
program. That parser should have a preferably regular or deterministic
context-free grammar.
"Stay away from the halting problem".
- johnk
>
>
> --dan
>
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
>
More information about the cryptography
mailing list