Thou shalt have no other gods before the ANSI C standard 1575

On Wed, 23 Feb 2005 02:25:31 +0000 (UTC) in alt.folklore.computers,

AFAICS these are just some of the baseline regressions to check the program is functional when junk is chucked at it, and I was thinking more of feeding streams of zeros, ones, etc., from saydev-zero or yes(1), overnight to see if the program holds up, exits, or exhibits any "interesting" behaviours after a period of time. These kinds of simple tests should be able to demonstrate whether there are any simple defects, like buffer overflows, lurking somewhere in the infrastructure. Such simple approaches may not get far, if the code is written defensively to handle or ignore such inputs, and more subtly crafted input may need to be devised to allow end to proceed to the point where testing may be able to demonstrate the (non-)existence of buffer overflow defects. The code I've seen with buffer overflow defects just seem to be examples of normal non-defensive programming, and the patches I've seen to fix them don't do anything other than add appropriate length checking, so it should be fairly easy to demonstrate by testing whether such checks are or are not done at appropriate points within a body of code. If you can fairly easily test for, demonstrate, and eliminate buffer overflow defects, one need not worry about not having ABC, exploits of buffer overflows, or other extraordinary measures to mitigate the impact of exploits.

-- Thanks. Take care, Brian Inglis Calgary, Alberta, Canada

fake address use address above to reply