PLEX86  x86- Virtual Machine (VM) Program



Thou shalt have no other gods before the ANSI C standard 1580
David Wagner I don't disbelieve that you read that but maybe a little reading in between the lines? 2-5 keypunching errors in the "grammar check" compile perhaps? (little low in...

Thou shalt have no other gods before the ANSI C standard 1581
On Thu, 24 Feb 2005 23:16:08 -0500 in alt.folklore.computers, rpl The in band return code is a...

Thou shalt have no other gods before the ANSI C standard 1582
David Wagner Historical note: Check out the post-WWII development methodology called "Massive Engineering". I think it was first formalized by Lockheed. It is the technique of using, say, 5,000 engineers...

Thou shalt have no other gods before the ANSI C standard 1583
Trevor L. Jackson, III That would be great, of course. I don't doubt that great staff make a big difference, but I am...

Thou shalt have no other gods before the ANSI C standard 1584
On Thu, 24 Feb 2005 20:40:08 +0000 (UTC) in alt.folklore.computers, IIRC some base data came from TRW and USAF, some results published as: Software Engineering Economics...

Thou shalt have no other gods before the ANSI C standard 1585
David Wagner The figures I quoted are mine. They are derived from my own studies...

Thou shalt have no other gods before the ANSI C standard 1586
I haven't found it yet, but I did remember parts of it. The students who took a huge amount of time to complete the task, and thus represented a...

Thou shalt have no other gods before the ANSI C standard 1587
says... I suspect today the results would be governed primarily by the length of the...

Thou shalt have no other gods before the ANSI C standard 1588
Trevor L. Jackson, III I believe there are huge variations in capabilities between the top 5% and...

Thou shalt have no other gods before the ANSI C standard 1589
David Wagner Those are not as common in the literature. I suspect that is due to the expense of gathering the raw data and the fact that the managers at every level want to claim...

Thou shalt have no other gods before the ANSI C standard 1590
says... I don't know. In the early days, the company was too small to have a bureaucracy to convince one way or the other. Later, I suspect that a track record of making...

Thou shalt have no other gods before the ANSI C standard 1591
On Sat, 26 Feb 2005 22:14:21 -0500 in alt.folklore.computers, keith I'm a software type (love programming) and this has happened to me with hardware. Bought a...

Thou shalt have no other gods before the ANSI C standard 1592
Brian Inglis I took a brief look at it, and my initial reaction is that it looks like it misses opportunities to do a better job. I would have a hard time endorsing this...

Thou shalt have no other gods before the ANSI C standard 1593
David Wagner You haven't gone far enough. Your proposal involves exposing the makeup of struct buf, without which the user can't access the size, and...

Thou shalt have no other gods before the ANSI C standard 1594
Tom Linden If you mean elaborate in terms of your PL-I point, I'm not sure. I'll try, but don't take my opinions too...

Thou shalt have no other gods before the ANSI C standard 1595
David Wagner I don't dispute that. I can point to a candidate, but I don't know if it fits your definition of large. Is 25-30 KLOC large by your estimate? I tend...

Thou shalt have no other gods before the ANSI C standard 1596
Trevor L. Jackson, III I tend to think of that as medium, too, but sure, it is a fine place to...

Thou shalt have no other gods before the ANSI C standard 1597
David Wagner Sorry, it was quite proprietary. I'm certain it is no longer in use...

Thou shalt have no other gods before the ANSI C standard 1598
Trevor L. Jackson, III Nothing really significant. I know of a few examples of exploits based upon errant reads, but...

Thou shalt have no other gods before the ANSI C standard 1599
David Wagner Even if errant reads are a real problem, focusing on errant writes is probably not a mistake. I failed to mention that the NCHECK code should be written by someone...

Thou shalt have no other gods before the ANSI C standard 1600
Trevor L. Jackson, III Yes, I think this is exactly it. I find this a...

Thou shalt have no other gods before the ANSI C standard 1601
David Wagner ... snip ... But this is precisely what is already feasible (and done) in Pascal and Ada, where it is possible to declare sub-range types. As ever, the programmer...

Thou shalt have no other gods before the ANSI C standard 1602
On Mon, 28 Feb 2005 15:30:23 GMT in alt.folklore.computers, CBFalconer Most other HLLs are only available on a few platforms, unless their implementation is written in portable C, and that...

Thou shalt have no other gods before the ANSI C standard 1603
On 1 Mar 2005 08:23:49 -0800 in alt.folklore.computers, Never seen much use of data abstractions in ForTran programs. Your (or his...

Thou shalt have no other gods before the ANSI C standard 1604
Trevor L. Jackson, III One potential challenge with run-time analysis is ensuring sufficient coverage. It might be very easy to miss bugs that are triggered only...

Thou shalt have no other gods before the ANSI C standard 1605
Jean-Marc Bourguet Usually I use source-line usage counters, as in the following Makefile target which exploits "ctrace": $(PCFILES): $(HFILES) $(CFILES) $(OBJS) $(TEST).o # $(CFILES) is overkill o=`basename $$c .c...

Thou shalt have no other gods before the ANSI C standard 1606
Douglas A. Gwyn How does that work again? I don't see how you can deduce path coverage...

Thou shalt have no other gods before the ANSI C standard 1607
Trevor L. Jackson, III Agreed. Why do we need to know whether our development methodology...

Thou shalt have no other gods before the ANSI C standard 1608
Trevor L. Jackson, III extremely high. Would you write any of these in a memory-safe language? These are not the common case. Generally, operating system components tend not...

Thou shalt have no other gods before the ANSI C standard 1609
I want to modify that assertion a little before accepting it. CORE operating system components...

Thou shalt have no other gods before the ANSI C standard 1610
On Mon, 28 Feb 2005 05:19:39 -0800 in alt.folklore.computers, "Tom One problem is that C is also an...

Thou shalt have no other gods before the ANSI C standard 1611
Trevor L. Jackson, III Well, I only wish we had people like you managing more of our security-critical software projects, and I wish we had an industry that made it possible to...

Thou shalt have no other gods before the ANSI C standard 1612
On Thu, 24 Feb 2005 21:09:50 +0000 (UTC) in alt.folklore.computers, You might find this reference interesting, from Risks Digest quoted below: "Re: Component Architecture (Blaak, RISKS-23.74) Wed, 23 Feb 2005 21:35:30 -0000...

Thou shalt have no other gods before the ANSI C standard 1613
David Wagner We do have such an industry, but it is tiny precisely because it is not well rewarded. Perhaps we are facing the same kind of challenge Detroit faced in...

Thou shalt have no other gods before the ANSI C standard 1614
If you could set aside the condescending attitude which you seem to enjoy so much, you might see that nobody is saying the naive things you're attributing...

Thou shalt have no other gods before the ANSI C standard 1615
Charlie Gibbs Well, no, that's not all he's saying. As I read the posts, he offered and defended these tests as non-trivial examples of resisting adversaries. I'd go so far as to say they...

Thou shalt have no other gods before the ANSI C standard 1616
Hank Oredson Agreed! This is a much better formulation of the problem. I like this much better. It makes clear what the goal...

Thou shalt have no other gods before the ANSI C standard 1617
My personal preference, on either side of the issue, starts with scenario analysis. The "what might someone (attacker, defender) try and do" questions. For a very early e-commerce web...

Thou shalt have no other gods before the ANSI C standard 1618
I'm one of those a.f.c. posters, and have never suggested such a thing. Your point is exactly correct though, and should be part of the test plan. i.e. a good definition of "malicious...

Thou shalt have no other gods before the ANSI C standard 1619
Trevor L. Jackson, III Actually, no, that's not what I had in mind. What I had in...

Thou shalt have no other gods before the ANSI C standard 1620
David Wagner I suspect that is false. Detecting exploitable conditions often involves simulating the actual operation or exercising the real software in a lab setting. Once the actual...

Thou shalt have no other gods before the ANSI C standard 1621
Trevor L. Jackson, III Occasionally, black-box end is indeed quite useful during a security review. But most of the time, I find that the majority of the time, work, and value of a security...

Thou shalt have no other gods before the ANSI C standard 1622
David Wagner snip IME there is a difference. Checking invariants requires a run-time evaluation of an expression, typically a predicate, and that evaluation typically requires some non-shippable scaffolding -- a testing harness. Certifying...

Thou shalt have no other gods before the ANSI C standard 1623
Trevor L. Jackson, III Naah, actual end is neither necessary nor sufficient. It is not necessary: Hoare logic...

Thou shalt have no other gods before the ANSI C standard 1624
Trevor L. Jackson, III Afterthought: I neglected to pay enough attention to the term security review. IME this can mean one...

Adversarial Testing, was Thou shalt have no 1625
Douglas A. Gwyn I disagree. The value of the model is precisely the fact that a single instance of the game does not have a dominant strategy. As...

Adversarial Testing, was Thou shalt have no 1626
Trevor L. Jackson, III No, it is that both will apply the same process of reasoning. And since...

Adversarial Testing, was Thou shalt have no 1627
the ww1 trench cooperation ... if i don't shoot at you, you don't shoot at me ... there is some quid-pro-quo. the disk engineering have extremely detailed error tracking over period of years ... if the...

Adversarial Testing, was Thou shalt have no 1628
It is easy to prove that you can get free energy from nothing, if you are not careful how you draw a box around "the system under consideration." Most of the perpetual motion machines...

Adversarial Testing, was Thou shalt have no 1629
Bryan Olson It's an interesting idea. No, I haven't seen it tried out in practice. There is a more limited version of this...

Thou shalt have no other gods before the ANSI C standard 1630
There weren't too many females on the manufacturing floor, and most of them were used to her by the time...

Thou shalt have no other gods before the ANSI C standar
Tedious explanation (without spoilers): "Bratsche" really is the German word for viola (i.e., the alto-sized member of the violin family). "Bratsche" in fact (no joke) derives from the Italian...

Thou shalt have no other gods before the ANSI C standard 1632
Be very careful... very, very careful. Alcohol and readnews are a dangerous mix. One New Years Eve in '92 or 93...

Thou shalt have no other gods before the ANSI C standard 1633
Douglas A. Gwyn Those are the contexts, but the book you recommended does not address the intersection of the topics: systematic methodology as applied to security. And BTW several other authorities, notably Yourdon, have strong disagreements...

Thou shalt have no other gods before the ANSI C standard 1634
Trevor L. Jackson, III There is nothing special brought to the table with regard to "security" when it comes to avoiding buffer overrun bugs. It is a matter of software...

Thou shalt have no other gods before the ANSI C standard 1635
Don't know if I'm up to a long ramble on this one, let's try. A large project (1M lines of code...

Thou shalt have no other gods before the ANSI C standard 1636
I *know* I am going to regret this, but a few items that jump out very quickly... years...




Alt Folklore Computers from Newsgroups
