OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?
Dag-Erling Smørgrav
des at des.no
Fri Apr 25 17:14:24 UTC 2014
Ben Laurie <benl at freebsd.org> writes:
> Dag-Erling Smørgrav <des at des.no> writes:
> > https://en.wikipedia.org/wiki/Halting_problem
> Curious what the halting problem can tell us about finding/fixing bugs?
Some participants in this thread claim that there is no such thing as a
false positive from a static analyzer. A corollary of the halting
problem is that it is impossible to write a program capable to proving
or disproving the correctness of all programs. Hence, static analysis
must perforce produce both false positive and false negative results.
The purpose of static analysis in a compiler is to identify possible
optimizations; therefore it must be conservative, because a false
negative may result in incorrect code; therefore it will produce many
false positives.
DES
--
Dag-Erling Smørgrav - des at des.no
More information about the freebsd-security
mailing list