On Mon, Oct 12, 2009 at 9:55 AM, Gunnar Peterson wrote:
> It's been a while since there was a bugs vs flaws debate, so here is a snippet
> from Jaron Lanier
> A: No, no, they're not. What's the difference between a bug and a variation
> or an imperfection? If you think about it, if you make a small change to a
> program, it can result in an enormous change in what the program does. If
> nature worked that way, the universe would crash all the time. Certainly
> there wouldn't be any evolution or life. There's something about the way
> complexity builds up in nature so that if you have a small change, it
> results in sufficiently small results; it's possible to have incremental
> evolution. Right now, we have a little bit -- not total -- but a little bit
> of linearity in the connection between genotype and phenotype, if you want
> to speak in those terms. But in software, there's a chaotic relationship
> between the source code (the "genotype") and the observed effects of
> programs -- what you might call the "phenotype" of a program.

Is this really true though? A small change in libc doesn't change the
whole look and feel of a word processing program. It looks exactly
the same, but maybe behaves very slightly differently over a small
range of inputs, etc.

And, while not being an expert in biology, I'm quite certain that
there are very minor mutations in certain key places that result in
complete system failure or almost entirely fatal diseases, conditions,
etc.

Is the complexity and expression of it really the key piece here? Or
is it general resilience against failure, complexity spread out so
that the common enemies (transcription errors in one place) aren't
fatal? The system is designed against different threat models.

--
Andy Steingruebl
stein...@gmail.com
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___