Something I used to tell my troops when I was in the Army ... Don't sit back in your area and bitch about something. Anyone can bitch. If you bring a problem to light, bring a potential solution as well...
I don't mean that as harsh as it sounds when I read it back. I just mean to say that all of you smart folks who identify these problems can surely posit a solution to them.... Ferg -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Marius Sent: Saturday, December 11, 2010 12:48 PM To: [email protected] Subject: Re: [Dailydave] Automatic Exploitation Paper Peer Review Hey fellows, >> I have always found it worrying that there appears to be a quality >> gap between academics working on tough problems (e.g. Eros/Coyote and >> secure operating systems, processor hacking, crypto, etc.) and those >> working on what we face on a daily basis. Why? before this gets too far: - It's rather arrogant to criticize (all) academics for lacking abilities even only very few and select individuals throughout security industry have. And btw. no curriculum I ever saw includes security skills, that matter. I don't think it's the job of academia though. Too few companies cooperate with universities. Too few of them really could. """ Our future work focuses on scaling to larger and more programs, to more types of exploits, and to other relevant problem settings. There is plenty still to do. """ (http://security.ece.cmu.edu/aeg/) Taken from Sean's thesis (http://seanhn.files.wordpress.com/2009/09/thesis1.pdf) a while ago: "To build a completely automated and general tool for exploit generation is not, in our opinion, a realistic goal." [...] "There are many tasks that are common to almost all exploits that make research into the field both necessary and valuable. In terms of tool development though a system that is a hybrid of automated analysis techniques with human intuition and judgement would seem to be an attractive option." (page 74) I'd like to mention that they seem (no implementation given jet) utilize KLEE. Therefore they will have source-access. Sean focused on DBI. Reading between the lines of course, I assume people mixed that up a little. Thanks for reading, -- Marius crazylazy.info _______________________________________________ Dailydave mailing list [email protected] https://lists.immunityinc.com/mailman/listinfo/dailydave
