* Perry E. Metzger:

> Marcos el Ruptor <[EMAIL PROTECTED]> writes:

>> Nonsense. Total nonsense. A half-decent reverse engineer does not
>> need the source code and can easily determine the exact operation of
>> all the security-related components from the compiled executables,
>> extracted ROM/EPROM code or reversed FPGA/ASIC layout
> I'm glad to know that you have managed to disprove Rice's
> Theorem.

Call me a speciest, but it's not clear if Rice's Theorem applies to

While Marcos' approach is somewhat off the mark ("source-code
equivalent that works for me" vs. "conformance of potentially
malicious code to a harmless spec"), keep in mind that object code
validation has been performed for safety-critical code for quite a
while.  The idea is that code for which some soundness property cannot
be shown simply fails validation.  It doesn't matter if the validator
is not clever enough, or if the code is actually bogus.

(And for most (all?) non-trivial software, source code acquisition
costs are way below validiation costs, so public availability of
source code is indeed a red herring.)

Florian Weimer                <[EMAIL PROTECTED]>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to