Dailydave mailing list archives

Re: The value of knowing reverse engineering


From: Alexander Sotirov <asotirov () determina com>
Date: Tue, 21 Feb 2006 17:03:45 -0800

halvar () gmx de wrote:
> now with all the discussion about GCC's security features, I can quip in
> a bit more than one line. Rolf and I are having long discussions after
> having had crazy problems with GCC's code generation over time --
> Rolf really wants to get rid of GCC for our products, and I can't blame
> him. The amusing thing is that I think that reverse engineers and
> developers are an almost disjoint set, because apparently developers
> just 'live' with broken code generation, and many REs don't develop enough
> to notice broken compilers.

Hey Halvar,

I've been following GCC development for a while, and I have the impression that
they are pretty good about fixing wrong code generation bugs. From the
discussions on the GCC mailing list it seems that these bugs usually get
assigned highest priority and are resolved quickly.

While developers are generally pretty clueless about assembly, I doubt that this
applies to compiler developers. It takes a really good understanding of the
architecture to write a good instruction scheduler or a peephole optimization pass.

Can you give some examples of GCC bugs that you've encountered?

Your observation about the value of development experience for a security
researcher is very true. I would also add system administration and IT support
experience to the list, especially if you are working on network security or
penetration testing. It is much easier to break something when you know how you
are supposed to use it first.

Alex

