Application error codes are positive numbers. Win32 error codes are negative numbers.
...the people (whoever they are) who are actually evaluating the algorithms themselves.
I figured out who they are.
One reply deep in comment 26951319 I demonstrate that typing the "3" instead of "2" improperly accesses memory space that may or may not be allocated. This type of out-of-bounds access is mismanaging memory.
Yes, it was yours. Thank you very much for the inspiration. I'm glad to help in what little way I can.
I'm really in awe of the people (whoever they are) who are actually evaluating the algorithms themselves.
drinkypoo the math is as easy as 3 >= 3. See here:
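// deal with the length update first
bcount = ss.sourceDataLength; // previous length
ss.sourceDataLength = bcount + databitlen; // new length
if (ss.sourceDataLength < (bcount | databitlen)) // overflow
    if (++ss.sourceDataLength2[0] == 0) // increment higher order count
        if (++ss.sourceDataLength2[1] == 0) // and the next higher order
            ++ss.sourceDataLength2[3]; // and the next one, etc.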
And the problem (in Blender.c:1808) is because of here, in the array's declaration:
DataLength sourceDataLength2[3]; // high order parts of data length
// note: the array size determines the maximum length supported
In C, the array blah[3] has three elements: blah[0], blah[1] and blah[2]. Accessing blah[3] is just random memory and might actually be in use for something else.
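The carry chain quoted above, rewritten so the index is bounded by the array's own declaration; this is an added example, not code from the Blender submission or from the commenter. The names `LengthState`, `add_length` and `HIGH_WORDS`, the 64-bit width of `DataLength` and the `canary` field are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef uint64_t DataLength;   /* assumed width; the page does not give the typedef */

typedef struct {
    DataLength sourceDataLength;       /* low-order bit count */
    DataLength sourceDataLength2[3];   /* high-order parts: valid indices are 0, 1, 2 */
    DataLength canary;                 /* constructed neighbour, stands in for whatever follows */
} LengthState;                         /* hypothetical struct name */

/* Element count taken from the declaration, so loop bound and array size cannot drift apart. */
#define HIGH_WORDS(s) (sizeof((s)->sourceDataLength2) / sizeof((s)->sourceDataLength2[0]))

/* Add databitlen to the running count and carry into the high-order words.
 * Returns 0 on success, -1 when the carry runs past the last word, i.e. the
 * message is longer than the array size supports. Never indexes past [2]. */
int add_length(LengthState *ss, DataLength databitlen)
{
    DataLength bcount = ss->sourceDataLength;           /* previous length */
    ss->sourceDataLength = bcount + databitlen;         /* new length */
    if (ss->sourceDataLength >= (bcount | databitlen))  /* same overflow test as the page, inverted */
        return 0;
    for (size_t i = 0; i < HIGH_WORDS(ss); i++)
        if (++ss->sourceDataLength2[i] != 0)            /* carry absorbed in this word */
            return 0;
    return -1;                                          /* carry out of the top word */
}

int main(void)
{
    /* Constructed state: every word below [2] is about to wrap. */
    LengthState s = { UINT64_MAX, { UINT64_MAX, UINT64_MAX, 0 }, 0xC0FFEE };
    int rc = add_length(&s, 1);
    printf("rc=%d high[2]=%llu canary intact=%d\n", rc,
           (unsigned long long)s.sourceDataLength2[2], s.canary == 0xC0FFEE);
    return 0;
}
```

With the original `[3]` index, the same input would leave `sourceDataLength2[2]` at zero and increment whatever lies after the array, which the `canary` field models here.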
Yeah, both very good points.
People do make mistakes. Even geniuses, when they're trying really hard to be careful. Personally, I see recognizing that as a validation for code review (including the automated code review that I do).
I want the winning entry for this competition to be flawless to the extent that's feasible. Right now, my job includes finding SHA-1 for cryptographic key generation, and telling people to replace that with something better. I don't want to be pulling out SHA-3 in a couple years, too.
Oh, interesting. VALGRIND looks like dynamic analysis. The results in the article are from static analysis. Each is really useful, but they tend to find different sorts of problems.
If you'd like to download the five problematic submissions and run VALGRIND against them, please email me the results. I'd be interested to see what is actually detected.
I should add that I work for Fortify and that I initiated the SHA-3 review in my spare time as a private project. The Slashdot article on December 21 caught my interest.
I'll add another plug in the parade of shameless plugs.
My employer is Fortify Software; we make a static analyzer that performs good quality cross tier analysis of popular languages like Java, JavaScript and PHP.
In addition to the static analysis, we also have a QA assistance tool that uses Java bytecode instrumentation to follow taints dynamically through the application and correlate with the static findings.
Doug
Cars, please! I understand it in cars.
Neocons don't like unionised labour. Democrats love them.
Democrats like gay people, and neocons hate them.
Other than that, they're the same.
The prevailing theory is that there isn't enough Martian gravity and magnetic field to hold a heavier atmosphere than it has now. The solar wind would keep whisking away the gas.
translation: mod off-topic or troll.
Funny, but everyone contributed to the software vulnerabilities that are putting us most at risk today: 1) poor data validation and 2) buffer overflows.
Microsoft has stepped up and fixed their BOs in the kernel. If you work around computers you must have noticed there's no more BSODs these days.
Further, Microsoft has REALLY stepped up when it comes to formalizing defensive design, threat modeling and then implementing an anti-XSS/etc wrapper in the .NET Framework. It doesn't do 100% of the job but it patches a big hole.
Funny joke, but a lot of vulnerability is in external and internal web applications implemented with SQL injection/XSS/httprs vulnerabilities, or with frameworks with these vulnerabilities baked in.
Between those (poor data validation), and the difficulty in implementing device drivers in C without buffer overflows, we have a pretty big potential problem long before the lusers' bad behaviour even comes into the picture.
There is a weird problem with cybercrime and software security... that nobody wants to believe there is a problem! It would be great if at least Slashdot would recognize this, but just look at the posts/moderation here. Geez.
Clearly there's enough information to make an educated guess.
1a) The NSA has been operating for ?? years, and what do you think they're doing? Hardening Linux and open sourcing the results? Yes. Improving encryption algorithms? Yes. They probably are up to some activities they don't talk about. What do you suppose those are?
1b) The USAF has come out and said (as much; search slashdot) they are working on defense as well as offense.
3. Certainly if the participants are disciplined and know what they're doing (do you have ANY reason to believe otherwise??) the victims have NO idea they are being violated.
Good security consultants are billing $1000-$2000 per day because so few smart software engineers know what a big problem security is becoming.
This is not an escalation constrained to intelligence organizations.
There are more than two goals. In addition to information disclosure and DOS there are the threats/goals of faking identity, tampering, repudiation and elevation of privilege.
The STRIDE model is one of the accepted ways of categorizing threats in electronic crime/warfare.
http://msdn.microsoft.com/en-us/library/ms954176.aspx
Really, the sensible solution is to continue to rely upon the insurance system for added policing. If cell phone driving is as bad as I think it is, people who carry on with this behavior will simply have more accidents and higher premiums.
The fact that it's a law now will mean only pompous idiots will continue phone driving.
Pointers make routes into one big array of destinations.
Then let them figure out how to drive.
Repeating research that's been done before is one way of sanity checking the latest findings. It may be a little wasteful of mice and resources, but the alternative is we get carried away with our beliefs and assumptions.
There must be many areas of research where the results tell A, then B, then A and B again. It would seem to me like a sign that we're not testing what we think we're testing. Other times I suppose there is fraud involved.
I think what is so cool about science is that nothing is strongly assumed; we humans always take the position that we don't really know the answer so we try to find out. My field was Mathematics, which has the opposite dynamic (declaring what's true, given some starting points and rules to work off of).
I use cheese, you insensitive clod!
Disclaimer: my blood pressure is rising reading these comments, and I haven't read TFA.
So brian0918, I guess I'm going at you twice now. I think research goes in this order:
1. Survey people about what they eat/do and how sick they get.
2. Correlate away. You have to guess at the parameters.
3. Publish your findings. CowboyNeal and kdawson write a misleading article summary that pisses you off. STEPS 1 2 AND 3 ARE ENTIRELY OPTIONAL.
4. Based on a) thorough examination from 1&2 b) sloppy partial examination from 1&2, c) sponsor's suggestion d) wild-ass guess or religious zeal, you set up a controlled experiment.
5. Treat some mice nice, and change ONE parameter for the other mice. See who gets sick.
6. Publish the results. "If mice hold an ohmmeter while I hurt their feelings, more of them have heart attacks." Or maybe the result is just "no change".
My point is you seem to volunteer that step 3 pisses you off. Well, me too sometimes. But I think by the time you get to step 6, EVEN if step 4 is based on NO GOOD reason at all, we still know something at the end of step 6. We either know something, or we know something ain't so. It doesn't seem like "dangerous misinformation" to me.
Everything Neuronaut says below, and also:
Don't you think contrasting different kinds of fats and nutrients would be the logical NEXT controlled mouse experiment?
I don't think we're ready as a species to start caging up humans and prescribing them diets just to confirm theories about eating and health. The current system: developing hunches based on observational correlation and then doing controlled experiments on little mice -- works out pretty well for now.