[15929] in bugtraq


Re: StackGuard with ... Re: [Paper] Format bugs.

daemon@ATHENA.MIT.EDU (Theo de Raadt)
Mon Jul 24 14:11:54 2000

Message-ID:  <200007232056.e6NKuxi03776@cvs.openbsd.org>
Date:         Sun, 23 Jul 2000 14:56:59 -0600
Reply-To: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
From: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
X-To:         Alan DeKok <aland@STRIKER.OTTAWA.ON.CA>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Your message of "Sat, 22 Jul 2000 11:43:26 EDT." 
              <200007221543.LAA04529@cpu1751.adsl.bellglobal.com>

> Theo de Raadt <deraadt@cvs.openbsd.org> wrote:
> > Automated tools do not help because you still have to check for the
> > last category by hand, so you might as well read everything.
>
>   That's like saying "'Make' doesn't help, because you can always fall
> back to 'ls -l' and 'cc ...'"
>
>   Automated tools HELP.  They are not ENOUGH.  I tried to make this
> clear in the documentation for my scanner.  An automated scanner can
> help to protect you against the obvious security bloopers.

But I insist; for me, as a source code auditor, tools like yours do
not help.

They are crutches.  I bet that most people will use your tool, and
then get a nice happy feeling thinking they are safe.

A complete source code read is needed.

I have deleted your comments on changing stdarg, since any changes
like that are not ever going to happen.
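Added here as an illustration of the point the two posters are arguing over, and not code from the thread, from Alan DeKok's scanner, or from OpenBSD: a toy format-string scanner run over a constructed C fragment. The sink table, the sample source and the hypothetical `log_msg` wrapper are all assumptions made for this example. The first pass reports what a grep-class tool reports; the second pass follows parameters into wrapper functions and surfaces a caller-side bug the first pass never mentions.

```python
import re

# Constructed sample C source (not from the thread): an obvious blooper,
# a safe call, and a call whose format sink is hidden behind a wrapper.
SAMPLE_C = r'''
#include <stdio.h>
#include <stdarg.h>
#include <syslog.h>

void log_msg(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsyslog(LOG_INFO, fmt, ap);     /* legitimate pass-through */
    va_end(ap);
}

int main(int argc, char **argv)
{
    char buf[256];
    snprintf(buf, sizeof buf, "%s", argv[1]);
    printf(buf);                    /* obvious: user data as format */
    printf("%s", buf);              /* safe: literal format */
    log_msg(buf);                   /* the bug a grep-style tool misses */
    return 0;
}
'''

# Known format sinks and the index of their format argument (assumed table).
FORMAT_SINKS = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2,
                "vprintf": 0, "vfprintf": 1, "syslog": 1, "vsyslog": 1}

CALL_RE = re.compile(r'\b(\w+)\s*\(([^;{}]*)\)\s*;')
DEF_RE = re.compile(r'\b(\w+)\s*\(([^;{}()]*)\)\s*\{(.*?)\}', re.S)


def strip_comments(src):
    return re.sub(r'/\*.*?\*/', '', src, flags=re.S)


def split_args(text):
    """Split a C argument list on top-level commas only."""
    args, cur, depth, in_str, prev = [], [], 0, False, ''
    for ch in text:
        if ch == '"' and prev != '\\':
            in_str = not in_str
        elif not in_str:
            if ch in '([':
                depth += 1
            elif ch in ')]':
                depth -= 1
            elif ch == ',' and depth == 0:
                args.append(''.join(cur).strip())
                cur = []
                prev = ch
                continue
        cur.append(ch)
        prev = ch
    if ''.join(cur).strip():
        args.append(''.join(cur).strip())
    return args


def find_format_sinks(src, sinks):
    """(func, format_arg) for each sink call whose format is not a literal."""
    findings = []
    for m in CALL_RE.finditer(strip_comments(src)):
        func, args = m.group(1), split_args(m.group(2))
        idx = sinks.get(func)
        if idx is not None and len(args) > idx and not args[idx].startswith('"'):
            findings.append((func, args[idx]))
    return findings


def infer_wrappers(src, sinks):
    """Mark a function as a sink when it forwards a parameter as a format."""
    sinks, src = dict(sinks), strip_comments(src)
    changed = True
    while changed:
        changed = False
        for name, params, body in DEF_RE.findall(src):
            pnames = [p.split()[-1].lstrip('*') for p in split_args(params)]
            for _, fmt in find_format_sinks(body, sinks):
                if fmt in pnames and name not in sinks:
                    sinks[name] = pnames.index(fmt)
                    changed = True
    return sinks


def audit(src):
    """Return (naive findings, wrapper-aware findings, inferred wrappers)."""
    naive = find_format_sinks(src, FORMAT_SINKS)
    sinks = infer_wrappers(src, FORMAT_SINKS)
    return naive, find_format_sinks(src, sinks), sorted(set(sinks) - set(FORMAT_SINKS))


if __name__ == "__main__":
    naive, aware, wrappers = audit(SAMPLE_C)
    print("naive scan:   ", naive)
    print("wrapper-aware:", aware, "via", wrappers)
```

Run as a script it prints both result lists. The naive scan flags `printf(buf)` and the pass-through inside `log_msg`, but says nothing about `log_msg(buf)`, which is where the user-controlled string actually reaches a format sink; only after the wrapper is inferred does that call appear. Even the second pass stops at what a regex can see (no function pointers, no formats assembled in another translation unit), and that remainder is the category that still has to be read by hand.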
