On Wed, 21 Mar 2007, Manoj Srivastava wrote:
> Buffer overflows are _still_ being exploited, decades after it is
> known that unchecked user input fed to memory allocated on the
> stack. And it does not take a rocket scientist to spot a buffer
> overflow.
Some buffer overflows are easy to spot, but others are quite difficult.
I'd like to think that the people who have reviewed openbsd's network
stack are at least passingly familiar with buffer overflows, and even
they've missed them.

> I think that evil hacker dudes are not quite so devilishly clever;
> there are broad swathes of exploits that stem from very few, well
> known classes of programming errors.

The classes are well known, but the implementations of those errors can
be wildly inventive.

> And you do not need to be up to snuff in the latest kiddie exploit
> to do so.

To find low hanging fruit, sure, but to actually be able to say that
you've properly reviewed the code requires knowing a great deal about
all of the classes of exploits, not just the common ones.

> Nothing is ever enough. There is no last bug, security or otherwise.
> But perfection is not the enemy of the good -- and stopping efforts
> to improve security or decrease the bug density because one cannot
> reach perfection is .... weak.

No one is arguing that code shouldn't be reviewed. The argument that is
being made is that we should acknowledge that some code in the archive
is not or cannot be properly reviewed, and from that position act to
minimize the damage such code can cause.


Don Armstrong

-- 
I'm wrong to criticize the valour of your brave men. It's important
to die for one's country when it means being the subject of a king
who wears a ruffled collar or a pleated one.
 -- Cyrano de Bergerac

http://www.donarmstrong.com              http://rzlab.ucr.edu

