Re: malicious code
From: Crispin Cowan (crispin@wirex.com)
Date: 01/28/03
- Previous message: Jeff Williams: "Re: malicious code"
- In reply to: Jeff Williams: "Re: malicious code"
- Next in thread: lists@notatla.demon.co.uk: "Re: malicious code"
Date: Mon, 27 Jan 2003 21:31:59 -0800
From: Crispin Cowan <crispin@wirex.com>
To: Jeff Williams <jsquared@erols.com>
Jeff Williams wrote:
>I'm not looking for technology. It is going to be a very long time before
>software can even find unintentional security errors. I was hoping that
>someone had done some research on how human code review can find malicious
>logic. Is the problem exactly the same as searching for inadvertent
>security flaws, or are there specialized techniques for searching out
>malicious logic?
>
Given that a would-be attacker who wants to embed a back door in a
program can do so by embedding code that looks *exactly* like an
inadvertent security flaw, then I'd say yes, looking for malicious code
is exactly like a security audit for inadvertent flaws. Overt back doors
are just easier to see.
What better way to leave a back door in code than to deposit a half
dozen subtle buffer overflows?
Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX http://wirex.com/~crispin/
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
Just say ".Nyet"
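An added example, not part of Crispin's message, of the kind of one-character flaw he describes: the two copy routines below differ only in a bounds comparison, and nothing in the code tells a reviewer whether the `>` was a slip or a deposit. The harness that catches it (a canary byte placed right after the buffer, so the probe stays within defined behaviour) is the same check an audit for inadvertent flaws would run. Function names, the buffer size and the input strings are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 8  /* size of the caller's buffer (constructed value) */

/* Bounds check uses '>' instead of '>=': an input of exactly dst_size
 * bytes passes the check and the terminating NUL lands one byte past
 * the buffer. Accident or back door, the code reads the same. */
int copy_name_flawed(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (n > dst_size)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Corrected check: leave room for the terminator. */
int copy_name_fixed(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Review harness: a canary byte sits directly after an NAME_LEN-byte
 * buffer inside one larger array, so writing it is still defined
 * behaviour. Returns 1 if the copy routine left the canary untouched. */
int canary_intact_after(int (*copy)(char *, size_t, const char *),
                        const char *src)
{
    unsigned char storage[NAME_LEN + 1];
    memset(storage, 0xAA, sizeof storage);
    copy((char *)storage, NAME_LEN, src);
    return storage[NAME_LEN] == 0xAA;
}

int main(void)
{
    const char *exact = "12345678";   /* constructed input: exactly NAME_LEN bytes */
    printf("flawed copy keeps canary: %d\n", canary_intact_after(copy_name_flawed, exact));
    printf("fixed copy keeps canary:  %d\n", canary_intact_after(copy_name_fixed, exact));
    return 0;
}
```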
- Next message: Ed Carp: "safe strcpy()?"