[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [CD] CD Proposal: SF-LOC (Software flaws in different lines of code)

* Steven M. Christey (coley@LINUS.MITRE.ORG) [000613 04:12]:
> *3) If it can be proven that the trigger code for P1 is the same as the
>     trigger code for P2, then P1 and P2 must be MERGED, even if the
>     method of exploitation may be different.

You have to be careful here. What is 'tigger code'.  You can trigger
most buffer overflow with a long enough string of As. Does that mean
all buffer overflows in the same library are the same? No.  It is very
common for someone to find an overflow this way but not bother to
write a specific shellcode exploit.

Elias Levy
Si vis pacem, para bellum

Page Last Updated or Reviewed: May 22, 2007