Thou shalt have no other gods before the ANSI C standard 1423

Hank Oredson

But look at the supposedly-malicious input suggestions from alt.folklore.computers participants: inputs that are arbitrary files, or all ones, all zeros, or composed of arbitrary line numbers. Those are examples of mere error and mischance. An intelligent attacker can look at the specific file format, then design and test inputs to find cases the programmers missed.

This is *not* just theoretical. Naive buffer-overflow mistakes abound, but those are rarely the ones significant enough to make news. Most of the newsworthy buffer-overflow exploits are far subtler than someone using gets() or not bothering to check lengths. Decoding modern formats is far trickier than most people realize. As I wrote in a previous post:

Audio-video codecs are excruciatingly complex. They're real-time, computationally-intensive programs, and they need low-level access to certain hardware. We all know to check the validity of data on input, but that alone is nowhere near secure. AV streams are encoded and decoded in multiple layers. Adversaries might feed in valid encodings of valid encodings of cleverly engineered invalid encodings.

That post drew no responses. People are happy to go on talking about the simple errors they can catch, or would not have made, but no one has solved the real problem facing us today.

Spec'ing security is easy, and no where near sufficient. I recently asked for literature citations that describe truly adversarial testing. Beyond a joke, there was nothing from the clbuttic literature.

-- --Bryan