Tool Kills Hidden Linux Bugs, Vulnerabilities
mask.of.sanity writes with this excerpt from SC Magazine:
"Australian researcher Silvio Cesare has released a tool capable of automatically detecting bugs and vulnerabilities in embedded Linux libraries. The script correlates vulnerability advisory CVEs for third-party libraries to determine if holes have carried over to Linux platforms or have not been patched. Such holes often escape the eye of developers because the libraries may not be kept updated with sources. This is further compounded because vulnerabilities in cross distributed packages can leave Linux platforms vulnerable."
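The summary describes the correlation step in general terms: find copies of third-party libraries embedded in Linux packages, then check their versions against vulnerability advisories for those libraries. The sketch below is an added example written for this page, not Cesare's tool and not code from SC Magazine. It assumes a scanner has already extracted "path: library version" strings from binaries; the advisory table, identifiers and sample strings are all constructed, and the "every version before the fix is affected" rule is a simplification of real advisories' version ranges.

```python
"""Correlate embedded third-party library versions against a table of advisories.

Added example for the Slashdot summary above; not the tool described there.
"""
import re
from typing import Dict, List, Tuple

# Constructed advisory table with placeholder identifiers (not real CVEs).
# "fixed_in" is the first version carrying the fix; earlier versions are treated
# as affected, which is a simplification of real advisories' version ranges.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "EXAMPLE-ADV-0001", "library": "libfoo", "fixed_in": "1.2.5"},
    {"id": "EXAMPLE-ADV-0002", "library": "libfoo", "fixed_in": "1.3.0"},
    {"id": "EXAMPLE-ADV-0003", "library": "zlibish", "fixed_in": "2.0.1"},
]

# Constructed sample: version strings a scanner might pull out of binaries in a
# package tree, one "path: matched string" per line. Note the bundled copy of
# libfoo inside /opt/vendor/bin/app, which a package-manager check would miss.
SAMPLE_STRINGS = """\
/usr/lib/libfoo.so.1: libfoo version 1.2.3 (bundled)
/opt/vendor/bin/app: libfoo/1.3.1
/usr/lib/libzlibish.so: zlibish 2.0.0
/usr/lib/libbar.so: libbar 0.9
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def find_embedded_libraries(strings: str, libraries: List[str]) -> List[Tuple[str, str, str]]:
    """Return (path, library, version) for each known library name followed by a version."""
    names = "|".join(re.escape(name) for name in libraries)
    # Accepts "libfoo 1.2.3", "libfoo version 1.2.3", "libfoo/1.2.3" and "libfoo v1.2.3".
    pattern = re.compile(rf"\b({names})[ /](?:version )?v?(\d+(?:\.\d+)*)")
    findings = []
    for line in strings.splitlines():
        path, _, rest = line.partition(": ")
        match = pattern.search(rest)
        if match:
            findings.append((path, match.group(1), match.group(2)))
    return findings


def correlate(findings: List[Tuple[str, str, str]], advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag every embedded copy whose version predates an advisory's fixed version."""
    hits = []
    for path, library, version in findings:
        for adv in advisories:
            if adv["library"] == library and parse_version(version) < parse_version(adv["fixed_in"]):
                hits.append({"path": path, "library": library, "version": version, "advisory": adv["id"]})
    return hits


def scan(strings: str = SAMPLE_STRINGS, advisories: List[Dict[str, str]] = ADVISORIES) -> List[Dict[str, str]]:
    """Run the whole pipeline: extract embedded versions, then correlate with advisories."""
    libraries = sorted({adv["library"] for adv in advisories})
    return correlate(find_embedded_libraries(strings, libraries), advisories)


if __name__ == "__main__":
    for hit in scan():
        print(f"{hit['path']}: {hit['library']} {hit['version']} predates the fix for {hit['advisory']}")
```

Running it on the constructed sample reports the two advisories against the old libfoo copy and one against zlibish, and stays quiet about the libfoo 1.3.1 copy and the unknown libbar. The version-only comparison is also where the noise the comments below argue about comes from: distributions routinely backport fixes without bumping the upstream version string, so a hit from this kind of check is a lead to confirm against the package changelog, not a confirmed vulnerability.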
And they're going to call the tool... (Score:2, Insightful)
"Regression Testing"
Automatically detect bugs and vulnerabilities??? (Score:2, Insightful)
Re:Automatically detect bugs and vulnerabilities?? (Score:5, Insightful)
You probably already know this, but Rice's Theorem etc. only apply to supposed decision procedures. It's quite possible to write a program which will often recognize that other programs have some nontrivial semantic property (halting, having a particular kind of bug, etc.) and will decide correctly on a broad class of real-world programs. You just can't write one which will always give you a yes or no answer in finite time and always be right.
Re:90% false positives?! (Score:3, Insightful)
I think what the grandparent meant is that a tool which reports 90% noise is a tool that people don't use.