How will source code review catch a buffer overrun? If my test will not catch it, then there is this probability it will not occur.
On Tue, Oct 13, 2009 at 1:17 PM, Gideon N. Guillen <[email protected]> wrote:

>> I'm talking in the context of checking the Automated Election System, as to,
>
> Alright, let's use the buffer overrun vulnerabilities in the context of AES,
> because it happened before in an AES system used by a state in the US. The AES
> machine proposed in our country is using an optical scanner to count votes
> from a ballot. Over the years, several buffer overrun vulnerabilities have
> been discovered in image processing libraries. An existing AES from another
> country shipped with image processing libraries with these kinds of
> vulnerabilities. And someone found out a way to create an input (on paper to
> be scanned) that will exploit these buffer overrun vulnerabilities to execute
> any kind of instruction. Those instructions can be a "dada-g-bawas" routine.
>
> There's no way in the world you can catch that using "outcome based" only
> tests.
>
> _________________________________________________
> Philippine Linux Users' Group (PLUG) Mailing List
> http://lists.linux.org.ph/mailman/listinfo/plug
> Searchable Archives: http://archives.free.net.ph
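As an added example (not code from this thread, and not from any real election system or image library), the class of defect Gideon describes, written in C: a toy scan decoder that trusts the width field in the image header, beside a version that checks it. Both return the same mark count on a well-formed ballot, which is exactly why an outcome-only test passes on both; reading the copy against its buffer size, or feeding a malformed header, is what shows the difference. The scan format, the constants and the sample bytes are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy ballot-scan format: a 4-byte header (width, height as
 * big-endian uint16) followed by width*height 8-bit grey pixels. A pixel
 * counts as a voter's mark when it is darker than MARK_THRESHOLD. */
#define MARK_THRESHOLD 64
#define MAX_ROW_PIXELS 32          /* widest row the decoder was designed for */

enum scan_status { SCAN_OK = 0, SCAN_ERR_SHORT = 1,
                   SCAN_ERR_TOO_WIDE = 2, SCAN_ERR_TRUNCATED = 3 };

static uint16_t read_u16be(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable decoder: copies each row into a fixed stack buffer using the
 * width taken from the header, without comparing it to MAX_ROW_PIXELS.
 * A well-formed ballot decodes correctly, so an outcome-based test passes.
 * A header claiming a width above MAX_ROW_PIXELS makes memcpy write past
 * row[] (a stack buffer overrun); a source review spots the missing bound
 * immediately, a test that only feeds valid ballots never will. */
static int count_marks_unchecked(const uint8_t *img, size_t len)
{
    uint8_t row[MAX_ROW_PIXELS];
    if (len < 4) return -SCAN_ERR_SHORT;
    uint16_t w = read_u16be(img), h = read_u16be(img + 2);
    int marks = 0;
    for (size_t y = 0; y < h; y++) {
        memcpy(row, img + 4 + y * w, w);        /* no bound on w: the defect */
        for (size_t x = 0; x < w; x++) marks += row[x] < MARK_THRESHOLD;
    }
    return marks;
}

/* Hardened decoder: validates the header against both the fixed buffer and
 * the real input length before any byte is copied. */
static int count_marks_checked(const uint8_t *img, size_t len)
{
    uint8_t row[MAX_ROW_PIXELS];
    if (len < 4) return -SCAN_ERR_SHORT;
    uint16_t w = read_u16be(img), h = read_u16be(img + 2);
    if (w > MAX_ROW_PIXELS) return -SCAN_ERR_TOO_WIDE;
    if ((size_t)w * h > len - 4) return -SCAN_ERR_TRUNCATED;
    int marks = 0;
    for (size_t y = 0; y < h; y++) {
        memcpy(row, img + 4 + y * w, w);        /* w <= sizeof row, data present */
        for (size_t x = 0; x < w; x++) marks += row[x] < MARK_THRESHOLD;
    }
    return marks;
}

/* Constructed well-formed ballot: 8x2 pixels with three dark marks. */
static const uint8_t valid_ballot[] = {
    0x00, 0x08, 0x00, 0x02,
    0xFF, 0x10, 0xFF, 0xFF, 0xFF, 0x20, 0xFF, 0xFF,
    0xFF, 0xFF, 0xFF, 0x05, 0xFF, 0xFF, 0xFF, 0xFF,
};

/* Constructed malformed scan: header claims width 1000 but carries 8 pixels. */
static const uint8_t hostile_header[] = {
    0x03, 0xE8, 0x00, 0x01,
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
};

int main(void)
{
    /* Outcome-based check: both decoders agree on the well-formed ballot. */
    printf("valid ballot: unchecked=%d checked=%d\n",
           count_marks_unchecked(valid_ballot, sizeof valid_ballot),
           count_marks_checked(valid_ballot, sizeof valid_ballot));
    /* The hardened decoder rejects the oversized header instead of copying
     * 1000 bytes into a 32-byte buffer. count_marks_unchecked is deliberately
     * not called on this input: it would overrun row[]. */
    printf("hostile header: checked=%d (SCAN_ERR_TOO_WIDE is %d)\n",
           count_marks_checked(hostile_header, sizeof hostile_header),
           -SCAN_ERR_TOO_WIDE);
    return 0;
}
```

The two decoders differ by two `if` lines, and a test suite built only from real ballots cannot tell them apart; that is the gap a code review (or a fuzzer that mutates the header) is there to close.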

