Hey fellows, >> I have always found it worrying that there appears to be a quality gap >> between academics working on tough problems (e.g. Eros/Coyote and secure >> operating systems, processor hacking, crypto, etc.) and those working on >> what we face on a daily basis. Why?
before this gets too far: - It's rather arrogant to criticize (all) academics for lacking abilities even only very few and select individuals throughout security industry have. And btw. no curriculum I ever saw includes security skills, that matter. I don't think it's the job of academia though. Too few companies cooperate with universities. Too few of them really could. """ Our future work focuses on scaling to larger and more programs, to more types of exploits, and to other relevant problem settings. There is plenty still to do. """ (http://security.ece.cmu.edu/aeg/) Taken from Sean's thesis (http://seanhn.files.wordpress.com/2009/09/thesis1.pdf) a while ago: "To build a completely automated and general tool for exploit generation is not, in our opinion, a realistic goal." [...] "There are many tasks that are common to almost all exploits that make research into the field both necessary and valuable. In terms of tool development though a system that is a hybrid of automated analysis techniques with human intuition and judgement would seem to be an attractive option." (page 74) I'd like to mention that they seem (no implementation given jet) utilize KLEE. Therefore they will have source-access. Sean focused on DBI. Reading between the lines of course, I assume people mixed that up a little. Thanks for reading, -- Marius crazylazy.info
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Dailydave mailing list [email protected] https://lists.immunityinc.com/mailman/listinfo/dailydave
