Vulnerability Development mailing list archives
Re: Behavior analysis vs. Integrity analysis [was: Binary Bruteforcing]
From: Lincoln Yeoh <lyeoh () pop jaring my>
Date: Fri, 29 Mar 2002 10:49:06 +0800
Going through all the input and possible states and all that can be impossible, but when so many programs are so fragile you don't have to - they blow up at the first bend.
Thing is, C is such an unfriendly environment we can say an automated program can practically spot 95% of the bugs because 95% of the bugs could have been automatically avoided in the first place - either by some special program, or by using a different language.
Don't have to exploit those 5% high-level bugs when you can be root with the 95%, right?
That said, many of the web sites out there have the "pass raw cgi parameters to the db" problem. Give a programmer a low level tool and blahblahblah, give a programmer a high level tool and blahblahblah :).
Cheerio,
Link.
At 11:42 AM 28-03-2002 -0500, Michal Zalewski wrote:
To tell how the process is to behave in certain conditions, you have to be able to predict this behavior, or actually run / go thru the program and see what happens. And you have to know it for all possible input parameters. Both approaches, without making significant sacrifices, are not very feasible for a typical real-life project (say, Sendmail), where