Gary McGraw wrote:
Hi all (especially david),
The story you repeated about ITS4 finding a vulnerability
> "that can't happen" is wrong.
The tool FIST (a fault injection tool for security) which we decribed
> in an Oakland paper from 1998 was what you were thinking of.
> (FIST was also produced at cigital...the paper was by anup ghosh,
> tom o'connor, and myself.). FIST found a vulnerbility that we could not
> figure out how to exploit. Some 6 months later, a security researcher
> figured out how and published the sploit.
Ah! That explains why I couldn't find it. Right basic story, and right
company... but wrong tool. Thanks for the correction.
I think it's a very good cautionary tale, and not everyone's
heard it. Could you post a little more information about that
here, with citations (URLs where possible)? I believe a preprint
of the FIST paper you mean is here, correct?:
http://www.cigital.com/papers/download/ieees_p98_2col.pdf
--- David A. Wheeler
_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php