Conversation

university of minnesota today coming out with groundbreaking research that the best C programmers in the world can't tell if you're giving them bad C maybe C is bad

634

eevee

@eevee

Apr 21, 2021

"actually c is fine if you just never make any mistakes" Actually chris the developers of the god damn linux kernel are not even this superhuman so i seriously doubt you are

259

eevee

@eevee

Apr 21, 2021

but also to be clear, deliberately trying to sneak vulnerabilities into someone else's software without their knowledge is pretty fucked up, what

225

Replying to

I feel like I would have been tricked by this regardless of the programming language literally just on the basis of the authority of "affiliated with the university of minnesota"

Ridley @ WATCH LYCORECO

Replying to

and

yeah this is mostly that they sent a bunch of patches claiming to be fixing issues found by static analysis tools, implying that they knew what they were doing, and coming from a reasonably trustworthy source --> the patches got fairly little review

Replying to

and

I've glanced through their paper and I don't see them accounting for or even mentioning the bias that would exist when you submit patches from a university Vs say, an individual account.

Replying to

They didn't submit them that way. You're confusing the good faith patches that are being reverted from the university with the ones submitted from sockpuppet email addresses for the experiment using Gmail.

Replying to

Are you sure? This patch doesn't seem to be very "good faith" (though it's possible I'm missing something here?). lore.kernel.org/linux-nfs/YH5%

Replying to

They've been regularly involved in submitting fixes based on static analysis. Not all of those patches are correct. Tools have many false positives and the students make mistakes. Do you have any evidence that this has to do with the study, which seemed to use gmail addresses?

1:10 PM · Apr 22, 2021Twitter Web App

Replying to

You could look through lots of other fixes submitted to fix issues uncovered by static analysis from many other sources and find the same thing. Many of those patches are not fixing real issues. Some attempt to fix real issues incorrectly. Others attempt to fix non-issues.

Replying to

Static analysis does uncover real issues, but most of the issues are usually false positives. It's then up to the programmer to make a proper fix. They're often unfamiliar with the code, and the issues are often quite subtle. It's C, so many tiny mistakes lead to code exec bugs.

Replying to

I based my original reply in this thread, here someone claims that the patch set I linked above (from a uni email) is part of the paper : lore.kernel.org/linux-nfs/YH+z You're right that they may be innocent patches, I've read a few threads about that since leaving my comment here...

Replying to

in this case the patch doesn't line up with the description at all. It's hard to believe it's a good faith patch.

Show replies