Slashdot Mirror


Security Review Summary of NIST SHA-3 Round 1

FormOfActionBanana writes "The security firm Fortify Software has undertaken an automated code review of the NIST SHA-3 round 1 contestants (previously Slashdotted) reference implementations. After a followup audit, the team is now reporting summary results. According to the blog entry, 'This just emphasizes what we already knew about C, even the most careful, security conscious developer messes up memory management.' Of particular interest, Professor Ron Rivest's (the "R" in RSA) MD6 team has already corrected a buffer overflow pointed out by the Fortify review. Bruce Schneier's Skein, also previously Slashdotted, came through defect-free."

3 of 146 comments

  1. The reason is in the summary... by pathological+liar · Score: 5, Insightful

    ... because implementation is where people screw up.

  2. Re:ANSI C by Anonymous Coward · Score: 5, Insightful

    What did they get? You realize this is just an ad for Fortify, right? Out of 42 projects, they found 5 with memory management issues using their tool. Maybe instead of switching to SPARK, the 5 teams that fucked up could ask the 37 that didn't for some tips on how to write correct C.

  3. Who's this Bruce Shneieier guy? by Anonymous Coward · Score: 5, Funny

    "... because implementation is where people screw up."
    "Bruce Schneier's Skein, ... came through defect-free."

    So by deductive logic, Bruce is a robot. Also previously slashdotted.