[Cryptography] Buffer Overflows & Spectre

Natanael natanael.l at gmail.com
Wed Nov 21 10:01:10 EST 2018

Den ons 21 nov. 2018 04:07 skrev Jon Callas <jon at callas.org>:

> [...] Moreover, there are no direct analogues of such a problem to
> automotive technologies. (Note that I didn’t call it a bug; it’s not a bug,
> it is an emergent consequence of design.

Here's how I see it:

There's things designed to an exact intent, and those who are not.

Of those that are designed to an exact intent, there are those who follow
it as expected (bug free) and those who don't (buggy).

(Things without an exact intent can still be buggy, but when there's no
expectation to compare to it's not easy to define what's buggy or not.)

The bug can be in code that don't follow the specification. The bug can be
in a design / specification / architecture that don't follow the intent.
The bug can be in unexpected interactions with other systems in the typical
environment, or in a false assumption about how the user will behave.

All of those are bugs, because those are properties about the thing we
built which can be changed such that it no longer behaves in violation of
the intent during typical use. This means it previously *did something
wrong*, given that the intent behind the thing must take typical use into
consideration. Doing something wrong is a bug.

As soon as you advertise a computer as safe for usage for things like
encryption, then you have advertised an intent where every property of the
computer that violates this security is a bug.

As a sidenote: The bug can also be in your expectation. If you the correct
answer to your question isn't what you expected, your expectation was

Sometimes the unexpected or unwanted behavior also comes down to
fundamental physics, in which case it's not a bug because you *can't*
change it. In this case, it's once again the expectation of impossible
behavior that was wrong.

TL;DR: Whenever your expected behavior is possible to achieve, unexpected
behavior is a bug.

> <http://www.metzdowd.com/mailman/listinfo/cryptography>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20181121/5bd6cb68/attachment.html>

More information about the cryptography mailing list