De Raadt + FBSD + OpenSSH + hole?
Ronald F. Guilmette
rfg at tristatelogic.com
Mon Apr 21 21:49:52 UTC 2014
In message <alpine.BSF.2.00.1404212324520.32719 at pohjola.cksoft.de>,
Christian Kratzer <ck-lists at cksoft.de> wrote:
>On Mon, 21 Apr 2014, Ronald F. Guilmette wrote:
>>
>> In message <53546795.9050304 at quietfountain.com>,
>> "hcoin" <hcoin at quietfountain.com> wrote:
>>
>>> ... It is for the community to decide whether it is 'worth it'
>>> on a case by case basis given there is no way to prove a program
>>> 'correct' from a security perspective.
>>
>> I guess that I was sick that day in software school.
>>
>> Did I just hear you tell me that I can't prove the following program
>> is "secure"?
>>
>>
>> int
>> main (void)
>> {
>> return 0;
>> }
>
>in an ideal world you could propably. The difficulty ist that even
>above seemingly trival snippet of code is run after initialization of
>the c runtime library and some pre processing of argc, argv.
>
>It gets more complex with c++ contstructors run before main.
>
>If gets even more complex the more software components interact in
>wierd and wonderfull ways.
At the risk of stating the obvious...
Complexity != Impossibility
I think that we need better tools.
But then again, I have always thought that, and undoubtedly always will.
Regards,
rfg
More information about the freebsd-security
mailing list