[e-lang] An attack on a mint

David Wagner daw at cs.berkeley.edu
Tue Mar 4 18:29:01 EST 2008


Raoul Duke writes:
>might a test-driven approach help?

My opinion:

There's no way a test-driven approach would have caught the bug in
the mint.  Unless you happen to think of writing a test that implements
exactly this attack (with the fake purse, the recursive invocation, and
everything), your tests wouldn't detect the vulnerability.  And if you
did manage to anticipate this kind of attack, you wouldn't need the test.

The problem seems to be that the space of possible attacks is enormous.
A single test only tests a single point in that space, so testing as a
way of eliminating subtle attacks seems pretty hopeless.

Testing seems good when you want to ensure that desired functionality
is indeed present (that the code does do the good things you want it
to do) but not so good when you want to ensure that undesired behavior
is absent (that the code doesn't do bad things you don't want it ever
to do).  Testing is good at checking that the system behaves properly
under anticipated conditions, but not so good at checking behavior under
unanticipated conditions.
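Added illustration of the point above (not part of the thread, and not the E mint code it discusses): a toy mint/purse in Python, constructed here, with two `deposit` orderings. The names `Mint`, `Purse`, `FakePurse`, and the sealed-token lookup standing in for E's sealer/unsealer are all assumptions made for this example. Ordinary point tests of desired behaviour pass for both orderings; only a check of the money-conservation invariant under the fake-purse, re-entrant scenario the message mentions separates the vulnerable ordering from the hardened one.

```python
# Constructed toy mint/purse, an illustration only; not the E mint.
import itertools


class Mint:
    """Issues purses and keeps the only map from sealed tokens to a purse's
    debit closure (a stand-in for E's sealer/unsealer brand pair)."""

    def __init__(self, deposit_impl):
        self._deposit_impl = deposit_impl   # which deposit ordering to use
        self._decrs = {}                    # sealed token -> debit closure
        self._tokens = itertools.count()

    def make_purse(self, balance=0):
        return Purse(self, balance)

    def _seal(self, decr):
        token = next(self._tokens)
        self._decrs[token] = decr
        return token

    def _unseal(self, token):
        # Only a closure sealed by this mint can come back out.
        return self._decrs[token]


class Purse:
    def __init__(self, mint, balance):
        self._mint = mint
        self._balance = balance
        self._token = mint._seal(self._decr)

    def get_balance(self):
        return self._balance

    def get_decr(self):
        return self._token

    def _decr(self, amount):
        if not 0 <= amount <= self._balance:
            raise ValueError("insufficient funds")
        self._balance -= amount

    def deposit(self, amount, src):
        # src is whatever object the caller chooses to hand in.
        self._mint._deposit_impl(self, amount, src)


def deposit_credit_first(dest, amount, src):
    """Vulnerable ordering: mutate dest, then keep talking to untrusted src."""
    if src.get_balance() < amount:          # asks src about itself
        raise ValueError("insufficient funds")
    dest._balance += amount                  # credit before the debit lands
    dest._mint._unseal(src.get_decr())(amount)


def deposit_debit_first(dest, amount, src):
    """Hardened ordering: all interaction with src is finished, and the debit
    has succeeded, before dest is touched; a re-entrant call sees a
    consistent state."""
    dest._mint._unseal(src.get_decr())(amount)
    dest._balance += amount


class FakePurse:
    """The scenario a test would have to anticipate: not a purse, but an
    object that forwards a real purse's token and re-enters deposit once
    while the first deposit is still in flight."""

    def __init__(self, real_purse, dest, amount):
        self._real, self._dest, self._amount = real_purse, dest, amount
        self._reentered = False

    def get_balance(self):
        return self._real.get_balance()

    def get_decr(self):
        if not self._reentered:
            self._reentered = True
            self._dest.deposit(self._amount, self)   # recursive invocation
        return self._real.get_decr()


def functional_tests_pass(deposit_impl):
    """Point tests of desired behaviour; both orderings pass these."""
    mint = Mint(deposit_impl)
    a, b = mint.make_purse(10), mint.make_purse(0)
    b.deposit(4, a)
    moved = (a.get_balance(), b.get_balance()) == (6, 4)
    try:
        b.deposit(7, a)                       # overdraft must be rejected
        return False
    except ValueError:
        pass
    return moved and (a.get_balance(), b.get_balance()) == (6, 4)


def conserves_money_under_fake_purse(deposit_impl):
    """Invariant check under the adversarial scenario: the total issued by
    the mint must be unchanged whatever the untrusted src does."""
    mint = Mint(deposit_impl)
    real, dest = mint.make_purse(10), mint.make_purse(0)
    total_before = real.get_balance() + dest.get_balance()
    try:
        dest.deposit(10, FakePurse(real, dest, 10))
    except ValueError:
        pass                                  # an exception is not a rollback
    return real.get_balance() + dest.get_balance() == total_before
```

Both `functional_tests_pass` calls return True, while `conserves_money_under_fake_purse` is False for `deposit_credit_first` (the destination ends with 20 against 10 issued, even though the outer call raised) and True for `deposit_debit_first`. The invariant check is still a single point in the space of attacks; what it buys is that it states the property the mint must keep rather than one behaviour it must show.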
