Re: Integrating two solutions (related to the Calif. bill thread)

From: Ronald Crane <voting_at_lastland_dot_net>
Date: Thu Jan 22 2009 - 13:11:17 CST

Arthur Keller wrote:
> At 8:03 PM -0800 1/21/09, Ronald Crane wrote:
>> 4. Please see the "Limitations of Many Eyes" thread here, begun by
>> Brian Behlendorf on 5/19/08, about a study by David Wagner & Ping
>> Lee, showing code review's unexpectedly-limited efficacy in finding
>> intentionally-placed security flaws. Presumably review is even less
>> efficacious in the functionally-obscure, often highly-concurrent, and
>> lower-level-language environments that usually characterize firmware.
> I'm wondering whether the approach in would have
> made a difference in the Wagner, et al., study.
I'm not exactly sure what that site proposes, but it mentions "100% path
coverage analysis". That's practical only for relatively small projects
with limited concurrency. I'm not sure where the site is going with the
concordance idea, since a crafty attacker would certainly avoid using
any give-away terms in her attack code, and if she had to use them,
she'd obscure them by encrypting them, then using a constant key to
decrypt and display them at runtime.
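To make the point about the "concordance" idea concrete, here is an added example (not from the thread or any project it mentions): a plain give-away-term scan run beside a second heuristic that queues opaque byte-array constants for human review. The file names, the term list, and the sample source lines are all constructed for the example; the opaque blob is an arbitrary constructed byte sequence standing in for a constant that is only turned into text at run time, and the short table is there to show the size cut-off keeping ordinary lookup tables out of the queue.

```python
"""Added example (not code from the thread): keyword concordance scan
beside an opaque-literal heuristic, from a reviewer's point of view."""
import re
from dataclasses import dataclass

# Assumed give-away vocabulary for the concordance scan (constructed).
GIVEAWAY_TERMS = ("cheat", "flip_votes", "backdoor")

# Constructed sample source lines, not real firmware: one file carries a
# give-away term in the clear, one carries an opaque byte blob (arbitrary
# constructed values), one is ordinary code with a small lookup table.
SAMPLE_SOURCE = {
    "plain.c": 'const char *mode = "flip_votes";',
    "hidden.c": ('static const unsigned char blob[] = {0xd5, 0xe3, 0xf0, 0x9a, '
                 '0xc2, 0xee, 0x81, 0xb7, 0xa4, 0xd9};'),
    "normal.c": ('const char *title = "Ballot summary"; '
                 'static const unsigned char crc_tab[] = {0x00, 0x07, 0x0e, 0x09};'),
}

TERM_RE = re.compile("|".join(re.escape(t) for t in GIVEAWAY_TERMS), re.IGNORECASE)
BYTE_ARRAY_RE = re.compile(r"\{\s*((?:0x[0-9a-fA-F]{2}\s*,?\s*)+)\}")
BYTE_RE = re.compile(r"0x([0-9a-fA-F]{2})")


@dataclass
class Finding:
    path: str
    kind: str    # "term" or "opaque-literal"
    detail: str


def concordance_scan(sources):
    """The concordance idea as stated: match give-away words in the clear.
    It only ever sees text that the author left readable."""
    return [Finding(path, "term", m.group(0))
            for path, text in sources.items()
            for m in TERM_RE.finditer(text)]


def opaque_literal_scan(sources, min_len=8, max_printable=0.5):
    """Companion heuristic: byte-array initializers of at least min_len
    bytes in which fewer than max_printable of the bytes are printable
    ASCII. A hit is not evidence of anything by itself (tables and keys
    look like this too); it is a prompt for a human to ask what the
    constant is for and where it is decoded."""
    findings = []
    for path, text in sources.items():
        for m in BYTE_ARRAY_RE.finditer(text):
            values = [int(v, 16) for v in BYTE_RE.findall(m.group(1))]
            if len(values) < min_len:
                continue  # short tables are routine; skip them
            printable = sum(0x20 <= v < 0x7f for v in values) / len(values)
            if printable < max_printable:
                findings.append(Finding(path, "opaque-literal",
                                        f"{len(values)} bytes, {printable:.0%} printable"))
    return findings


def review_queue(sources):
    """Everything a reviewer should look at, from both scans."""
    return concordance_scan(sources) + opaque_literal_scan(sources)


if __name__ == "__main__":
    for f in review_queue(SAMPLE_SOURCE):
        print(f"{f.path}: {f.kind}: {f.detail}")
```

Run as written, the term scan reports only `plain.c`, while `hidden.c` is surfaced solely by the opaque-literal heuristic and `normal.c` by neither; that gap is exactly the weakness the message describes, and the second scan narrows it without claiming to close it, since the reviewer still has to trace where the flagged constant is consumed.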


OVC-discuss mailing list
By sending email to the OVC-discuss list, you thereby agree to release the content of your posts to the Public Domain--with the exception of copyrighted material quoted according to fair use, including publicly archiving at
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Thu Jan 7 00:09:49 2010

This archive was generated by hypermail 2.1.8 : Thu Jan 07 2010 - 00:09:57 CST