Don't have the chops to vet the paper myself; those of you who do deep CS want to comment? @LeaKissner @yonatanzunger @FioraAeterna and all my other friends.https://twitter.com/polytomous/status/1025869511004577792 …
That's certainly not the case for OpenSSH, even though it's written in C. Software where vulns are rare and effectively finite is possible. The problem is nobody wants to spend resources on doing that rather than on superlinearly ballooning features and bug-surface.
-
-
It might be nice for something less-examined than OpenSSH that runs on the command line.... if the chaff bugs were indistinguishable to automated analysis and not too expensive to inject.
-
The injection would be in the revision history (or the binary if just binary level) and therefore anyone looking to find/fix real bugs would just build with them removed.
-
I think this principle actually applies to proprietary binaryware too - a smart attacker will review not just the latest revision but do advanced analysis of change history, and could identify all the chaff relatively easily.
End of conversation
New conversation -
-
-
There's a classic paper on bugs (reported) in OpenBSD over time. https://www.usenix.org/legacy/events/sec06/tech/full_papers/ozment/ozment.pdf …
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.