Firewall Wizards mailing list archives
Re: Penetration testing via shrinkware
From: "tqbf" <ashland () pobox com>
Date: Mon, 21 Sep 1998 18:30:02 -0400 (EDT)
If you go over the code in the IP stack for fragment handling, and you know for certain how fragments should be handled, then you can probably get a high assurance that they're handled correctly. If you throw lots of fragments for lots of protocols at it, and your test doesn't encompass overlapping fragments, your level of assurance is lower.
Unless you are formally verifying the code, you can't really perform one type of testing (code review) without the other (black-box testing). Code designed to handle overlapping fragments has been shown to be broken in non-obvious ways before, and this occurred because someone took the time to throw bizarrely overlapping fragments at the code. This is an obvious point, I just wanted to make sure it was clear.

-----------------------------------------------------------------------------
Thomas H. Ptacek                     Network Security Research Team, NAI
-----------------------------------------------------------------------------
"If you're so special, why aren't you dead?"
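Added example, not part of the original message: an in-memory model of the coverage point made above. Two hypothetical reassembly policies (newest copy wins, first copy wins) give identical results on every test case without overlap and differ on every case with it. All names and sample data are constructed for illustration, and no packets are sent.

```python
import itertools

def reassemble(frags, newest_wins):
    """Rebuild a payload from (offset, data) fragments in arrival order.

    Overlapping bytes follow one of two policies: newest_wins=True lets a
    later fragment overwrite earlier bytes, False keeps the first copy seen.
    Returns None if the datagram still has a hole.
    """
    buf = {}
    for off, data in frags:
        for i, b in enumerate(data):
            if newest_wins or off + i not in buf:
                buf[off + i] = b
    size = max(buf) + 1 if buf else 0
    if len(buf) != size:
        return None
    return bytes(buf[i] for i in range(size))

def has_overlap(frags):
    """True if any fragment covers a byte an earlier fragment already covered."""
    seen = set()
    for off, data in frags:
        span = set(range(off, off + len(data)))
        if seen & span:
            return True
        seen |= span
    return False

def split(payload, size):
    """Cut payload into non-overlapping (offset, data) fragments."""
    return [(i, payload[i:i + size]) for i in range(0, len(payload), size)]

def disagreements(corpus):
    """Test cases on which the two overlap policies give different output."""
    return [f for f in corpus if reassemble(f, True) != reassemble(f, False)]

PAYLOAD = b"ABCDEFGHIJKLMNOP"  # constructed sample data
EXTRA = (2, b"xxxx")           # constructed fragment overlapping bytes 2..5

# Corpus 1: all 24 arrival orders of four clean 4-byte fragments.
CLEAN = [list(p) for p in itertools.permutations(split(PAYLOAD, 4))]
# Corpus 2: the same orders with the overlapping fragment arriving last or first.
OVERLAP = [c + [EXTRA] for c in CLEAN] + [[EXTRA] + c for c in CLEAN]

if __name__ == "__main__":
    for name, corpus in (("clean", CLEAN), ("overlap", OVERLAP)):
        hits = sum(has_overlap(f) for f in corpus)
        print(f"{name}: {len(corpus)} cases, {hits} exercise overlap, "
              f"{len(disagreements(corpus))} tell the policies apart")
```

Running has_overlap over an existing fragment test corpus is a quick way to see whether it exercises the overlap path at all.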