This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.



Re: Signed int overflow behaviour in the security context


> Yes, absolutely.  There is a difference between well-defined and
> understood semantics on one hand, and undefined and probably dangerous
> behaviour on the other hand.  It's the difference between security
> audits of C software being hard and completely hopeless.

I disagree.  Code written with security in mind should not cause overflows.
The audit should check for absence of overflows.  What would happen if
the overflow were to occur seems irrelevant to me from an audit perspective.

> To be more precise, the LIA-1 definition is the one people have burned
> deeply into their neurons.  It's the one that should be used by default.

Perhaps.  Perhaps not.  But when one is writing security- or safety-critical
software, one usually uses a subset of the language and it would seem to
be that the subset used should certainly forbid overflows.  In that
case, this doesn't matter.
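The position taken above, that audited code should never reach a signed overflow regardless of what the compiler would do with one, is easiest to check when every arithmetic step that could overflow is guarded before it executes. The following is an added example written for this page (it is not code from the thread or from GCC); the helper names `checked_add_int` and `checked_mul_int` are invented here. Both functions reject the operation on the operands themselves, so the undefined-behaviour case is never evaluated and the result does not depend on LIA-1, wrapping, trapping, or any other overflow semantics the compiler might choose.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Checked signed addition.  Returns true and stores a + b in *out when the
 * sum is representable as an int; returns false and leaves *out untouched
 * otherwise.  The comparison is made on the operands before the addition
 * is performed, so the undefined signed overflow never happens. */
bool checked_add_int(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) ||
        (b < 0 && a < INT_MIN - b)) {
        return false;
    }
    *out = a + b;
    return true;
}

/* Checked signed multiplication, same contract as checked_add_int.
 * The special cases for 0 and -1 are peeled off first so that none of
 * the divisions below can itself overflow (INT_MIN / -1 would). */
bool checked_mul_int(int a, int b, int *out)
{
    if (a == 0 || b == 0) {
        *out = 0;
        return true;
    }
    if (a == -1) {
        if (b == INT_MIN) return false;   /* -INT_MIN is not representable */
        *out = -b;
        return true;
    }
    if (b == -1) {
        if (a == INT_MIN) return false;
        *out = -a;
        return true;
    }
    /* C division truncates toward zero, which gives exactly the bound we
     * need in each sign combination. */
    if (a > 0) {
        if (b > 0) { if (a > INT_MAX / b) return false; }
        else       { if (b < INT_MIN / a) return false; }
    } else {
        if (b > 0) { if (a < INT_MIN / b) return false; }
        else       { if (a < INT_MAX / b) return false; }
    }
    *out = a * b;
    return true;
}

/* Stand-alone demonstration with constructed inputs. */
int main(void)
{
    int r;
    struct { int a, b; } add_cases[] = { {INT_MAX, 1}, {INT_MIN, -1}, {INT_MAX, -1} };
    struct { int a, b; } mul_cases[] = { {INT_MIN, -1}, {INT_MAX, 2}, {INT_MAX / 2, 2} };

    for (size_t i = 0; i < sizeof add_cases / sizeof add_cases[0]; i++) {
        if (checked_add_int(add_cases[i].a, add_cases[i].b, &r))
            printf("%d + %d = %d\n", add_cases[i].a, add_cases[i].b, r);
        else
            printf("%d + %d would overflow: rejected\n", add_cases[i].a, add_cases[i].b);
    }
    for (size_t i = 0; i < sizeof mul_cases / sizeof mul_cases[0]; i++) {
        if (checked_mul_int(mul_cases[i].a, mul_cases[i].b, &r))
            printf("%d * %d = %d\n", mul_cases[i].a, mul_cases[i].b, r);
        else
            printf("%d * %d would overflow: rejected\n", mul_cases[i].a, mul_cases[i].b);
    }
    return 0;
}
```

The precheck style above is portable C90/C99. On GCC 5 and later (and Clang) the same contract is available as `__builtin_add_overflow(a, b, &r)` and `__builtin_mul_overflow(a, b, &r)`, which return true on overflow and compute the result in full precision; either form gives an auditor a single, greppable place where the absence of overflow is established.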

