Like, the one you linked to is basically "a bunch of people wrote a ton of new protocol parsing code in C++ and shipped it to billions of people. It crashed when we fuzzed for a little while." They promise some "lessons" in part 5, but seriously we already know the lessons.
-
-
Replying to @johnregehr @pcwalton
sometimes I think the existence of research into C vulnerabilities has major negative externalities
0 replies 0 retweets 6 likes -
Replying to @johnregehr @pcwalton
Sure, some research on this stuff is necessary. But I feel like fuzzing and static analysis and smart security researchers is substituting for realizing that shipping desktop apps written in unsafe languages is malpractice.
1 reply 0 retweets 7 likes -
Replying to @johnregehr @pcwalton
Java, JavaScript, Python are all used for a lot of things. And basically none of them have the kind of bugs that the PZ blog post described. An analogy: electrical wiring has gotten a lot safer even though electricity is still dangerous.
1 reply 0 retweets 3 likes
Related: Are you ready for a few years of finding exploitable vulns in the giant ball of C code that is AV1? I know I am :)
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.