On Tues, 22 Aug 2006 00:51
Bill Royds wrote:
>
> ASN.1 is a formal language to describe data structures for
> use of a number of protocols. One would expect that
> protocols that use ASN.1 as their structure grammar should be
> quite secure.
> But there have probably been more vulnerabilities in ASN.1
> based protocols than any other. SO even a formal grammar is
> probably not good enough to define "correct" input.


Using formal specification does not imply correct implementation...

Following is a nice paper about a british software company using formal method
all the way from specification to implementation:
http://www.spectrum.ieee.org/sep05/1454
Just two excerpts:
"average of less than one error in every 10 000 lines of delivered code"
"[this company] fix for free any problem that came up in the first year of
operation"

JDG

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards