Thou shalt have no other gods before the ANSI C standard 1423
But look at the supposedly-malicious input suggestions from alt.folklore.computers participants: inputs that are arbitrary files, or all ones, all zeros, or composed of arbitrary line numbers. Those are examples of mere error and mischance. An intelligent attacker can look at the specific file format, then design and test inputs to find cases the programmers missed.
This is *not* just theoretical. Naive buffer-overflow mistakes abound, but those are rarely the ones significant enough to make news. Most of the newsworthy buffer-overflow exploits are far subtler than someone using gets() or not bothering to check lengths. Decoding modern formats is far trickier than most people realize. As I wrote in a previous post:
Audio-video codecs are excruciatingly complex. They're real-time, computationally-intensive programs, and they need low-level access to certain hardware. We all know to check the validity of data on input, but that alone is nowhere near secure. AV streams are encoded and decoded in multiple layers. Adversaries might feed in valid encodings of valid encodings of cleverly engineered invalid encodings.
That post drew no responses. People are happy to go on talking about the simple errors they can catch, or would not have made, but no one has solved the real problem facing us today.
Thou shalt have no other gods before the ANSI C standard 1424
JMFBAH Not necessarily. It depends on the system. Keeping a system up is about availability. Ensuring that your data is not corrupted or tampered with...
Spec'ing security is easy, and no where near sufficient. I recently asked for literature citations that describe truly adversarial testing. Beyond a joke, there was nothing from the clbuttic literature.
Thou shalt have no other gods before the ANSI C standard 1425
Agree. For some period of years I was a "working manager", i.e. I ran a smallish product development group (including budget, hire-fire, etc...
Thou shalt have no other gods before the ANSI C standard 1426
I've been "stuck" in management-like positions a couple of times, but have avoided (so far, anyway) not also actively...
Alt Folklore Computers Newsgroups