Re: malicious code

From: Crispin Cowan (crispinat_private)
Date: Mon Jan 27 2003 - 21:31:59 PST

    Jeff Williams wrote:
    
    >I'm not looking for technology.  It is going to be a very long time before
    >software can even find unintentional security errors. I was hoping that
    >someone had done some research on how human code review can find malicious
    >logic. Is the problem exactly the same as searching for inadvertent
    >security flaws, or are there specialized techniques for searching out
    >malicious logic?
    >
    Given that a would-be attacker who wants to embed a back door in a 
    program can do so by embedding code that looks *exactly* like an 
    inadvertent security flaw, then I'd say yes, looking for malicious code 
    is exactly like a security audit for inadvertent flaws. Overt back doors 
    are just easier to see.
    
    What better way to leave a back door in code than to deposit a half 
    dozen subtle buffer overflows?
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX                      http://wirex.com/~crispin/
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    			    Just say ".Nyet"
    
    
    
    


