On Tue, Oct 13, 2009 at 1:59 PM, Gideon N. Guillen <[email protected]> wrote:
>> How will source code review catch buffer overrun?
>
> For C code (what the AES machine made by Smartmatic probably uses since it is
> Linux based and is an embedded machine) there are several basic things to
> check to catch vulnerabilities. The use of some functions that don't check
> the bounds of a buffer (for example: gets(), scanf(), strcpy() ) should
> raise a red flag.
>
Are these the first functions we learn in C? Assuming AES is in C, which I don't know. In general, to induce overruns we try to overload the system. In the case of AES, one can hardly overload the system because the input comes from a scanner, which is slow in itself. So, I doubt that in the case of AES you arrive at a situation where we have buffer overruns.

>> If my test will not catch it then there is this probability it will not
>> occur.
>
> That's what the maker of the AES machine with the vulnerable image processing
> library said.
>
> _________________________________________________
> Philippine Linux Users' Group (PLUG) Mailing List
> http://lists.linux.org.ph/mailman/listinfo/plug
> Searchable Archives: http://archives.free.net.ph
> _________________________________________________
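As an added illustration of the review point in the quoted message (not code from the thread, from Smartmatic or from the AES machine), the C below shows the unbounded copy a reviewer would flag, the bounded replacement a reviewer would ask for, and a crude line check for the three functions named above; all names and sample source lines are constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The pattern a source review flags: a fixed 16-byte destination and a
 * strcpy() that never checks the source length. Input longer than 15
 * bytes (plus the NUL) writes past dst. Shown only so the check below
 * has something to report; constructed for this example. */
void copy_unchecked(char dst[16], const char *src) {
    strcpy(dst, src);   /* no bounds check */
}

/* Bounded replacement: refuses over-long input instead of truncating
 * silently. Returns 0 on success, -1 when src (with its NUL) does not fit. */
int copy_bounded(char *dst, size_t dst_len, const char *src) {
    size_t n = 0;
    while (n < dst_len && src[n] != '\0')
        n++;
    if (n == dst_len) {              /* no NUL within dst_len bytes: too long */
        if (dst_len) dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);         /* n + 1 <= dst_len, NUL included */
    return 0;
}

/* Review aid: does this source line call gets(), strcpy() or scanf()?
 * Returns the matched name or NULL. Matches that are the tail of a longer
 * identifier (fgets(, sscanf() are skipped. A real review would use a
 * proper linter; this is a constructed, grep-level check. */
const char *unsafe_call_in_line(const char *line) {
    static const char *const flagged[] = { "gets(", "strcpy(", "scanf(", NULL };
    for (int i = 0; flagged[i]; i++) {
        const char *p = strstr(line, flagged[i]);
        while (p && p != line && (isalnum((unsigned char)p[-1]) || p[-1] == '_'))
            p = strstr(p + 1, flagged[i]);
        if (p) return flagged[i];
    }
    return NULL;
}

int main(void) {
    /* Constructed source lines a reviewer might be reading. */
    const char *lines[] = { "    strcpy(dst, src);", "    fgets(buf, sizeof buf, stdin);",
                            "    if (sscanf(line, \"%d\", &n) != 1)", "    gets(buf);" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        const char *hit = unsafe_call_in_line(lines[i]);
        printf("%-45s %s\n", lines[i], hit ? hit : "ok");
    }
    return 0;
}
```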

