Gary McGraw wrote:
Though I don't quite understand computer science theory in the same way that
Crispin does, I do think it is worth pointing out that there are two major
kinds of security defects in software: bugs at the implementation level, and
flaws at the design/spec level. I think
So - aren't a lot of the Internet security issues errors or omissions in the
IETF standards - leaving things unspecified which get implemented in
different ways - some of which can be exploited due to implementation flaws
(due to specification flaws)?
Mike H.
-
Michael
On Mon, 11 Jun 2007, Crispin Cowan wrote:
Gary McGraw wrote:
Though I don't quite understand computer science theory in the same way
that Crispin does, I do think it is worth pointing out that there are two
major kinds of security defects in software: bugs at the implementation
Steven M. Christey wrote:
On Mon, 11 Jun 2007, Crispin Cowan wrote:
Kind of. I'm saying that specification and implementation are
relative to each other: at one level, a spec can say put an iterative
loop here and implementation of a bunch of x86 instructions.
I agree with this
I agree with Ryan, at the top skill levels anyway. Binary reverse
engineering seems to have evolved to the point where I refer to binary as
source-equivalent, and I was told by some well-known applied researcher
that some vulns are easier to find in binary than source.
But the bulk of public
Crispin Cowan wrote:
Do you suppose it is because of the different techniques researchers use
to detect vulnerabilities in source code vs. binary-only code? Or is
that a bad assumption because the hax0rs have Microsoft's source code
anyway? :-)
I'm in the process of hiring an outside firm for
On Tue, 12 Jun 2007, Michael S Hines wrote:
So - aren't a lot of the Internet security issues errors or omissions in the
IETF standards - leaving things unspecified which get implemented in
different ways - some of which can be exploited due to implementation flaws
(due to specification