[LEGO <luis.ontanon@xxxxxxxxx>]

On 2/15/06, Ulf Lamping <ulf.lamping@xxxxxx> wrote:
> ronnie sahlberg wrote:
> > Eventhough it appears the fuzztesting and the value_string termination
> > audit and the str...() replacement tasks seems to have been very
> > successful
> > (i feel a major decrease in number of vulnerabilities and issues
> > compared to 6 months ago)
> > it would not hurt to add more.
> While looking at the bugs fixed over the last months, I really think
> there are a lot more not yet found :-(

Bugs are like radioactivity, you can make them a fraction of what they
were on time, but there's always going to be another bug!

> Using canary indicates a problem, but sometimes makes it really hard to
> find the cause of such a problem. Using SEGV takes you directly to the
> problem ...

Which I think is good, it eases debugging, it avoids danger.

> > I think that when a canary is found to be corrupted this is evidence
> > of memory corruption and then it is perfectly valid to abort immediately.
> That's just a matter of personal opinion to abort or try to continue ...

My personal opinion:
Why to go ahead? to crash way after the bug happened so that it
becomes hard to find?

Nothing personal :)

--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan