Secure Coding mailing list archives
Dark Reading - Discovery and management - Security Startups Make Debut - Security News Analysis
From: mouse at Rodents.Montreal.QC.CA (der Mouse)
Date: Thu, 25 Jan 2007 15:45:15 -0500 (EST)
Opinions on binary vs. source code (and design!) analysis, anyone?
Analyzing source code is independent of machine architecture.
Only if the code is (supposed to be) architecture-independent. If the code is deliberately architecture-dependent, static analysis needs to know that, and know which the salient properties of its target architecture(s) is(are), in order to do a proper job.
Efforts which merely change attacker behavior are a waste of time.
I disagree. It depends on the effort required to provoke the change, the change in attacker behaviour, and the tradeoffs involved in the threat model. To pick a historic example, fixing the "rlogin -l -froot" bug "merely" changed attacker behaviour to password guessing, but in most environments it was nevertheless a win.

/~\ The ASCII                  der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse at rodents.montreal.qc.ca
/ \ Email!           7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
