Printing an unsigned char with %x or %u is not absolutely correct
How to correctly match the format string in the corresponding argument A mistake in C language The C standard library function printf() takes a format string and subsequent arguments of various types. On an architecture where arguments are passed on the stack, the format string tells the printf() function what types […]
An implementation of strings that you can trust to the end of the world
Using simple implementations with the right functionality Last week, security researcher lcamtuf blogged about CVE-2014-8485, a vulnerability in the Unix strings command. The strings command is a popular way to get hints when stuck in the venerable ADVENT game. Some may also use it to reveal sequences of printable characters other than […]
Bash bug: failure of formal approaches to programming?
Shellshock’s gravity should not be underestimated You may have heard about Shellshock, a long-standing, recently-discovered bug with serious security consequences. Julien Vanegue commented about this security failure on Twitter: The bash bug is another shiny example which seems to completely escape traditional methods of automated deductive program verification. This was my […]
A dangling pointer is indeterminate
A case of undefined behaviour in C language This blog post illustrates a lesser-known case of C undefined behavior, that is, using the value of a dangling pointer in a way that most developers consider harmless, such as pointer arithmetic or as an operand of a comparison. Anyone who has ever had […]
Finding vulnerabilities in small, challenge-like C programs
First in a series of technical essays by chief scientist Pascal Cuoq About your hosts I’m Pascal Cuoq, chief scientist at TrustInSoft. This is the first of a short series of technical essays, published here on a trial basis. The essays may resemble in style ones that I contributed over the […]
Software Defined Networking and Security
Ensuring security for SDN Software-Defined Networking (SDN) is a new approach to building networks; the previously hardwired network topology gets replaced with a software implementation. For large-scale networks (think “cloud”), the additional flexibility and efficiency make all the difference in the world. Within Software-Defined Networking, one trend is to move data using […]
No More Heartbleed
Eliminating the Heartbleed Bug from OpenSSL The Heartbleed Bug (https://heartbleed.com/) is a severe vulnerability in OpenSSL, a popular cryptographic software library. This weakness allows stealing the information protected by the SSL/TLS encryption used to secure the Internet. OK. So one more bug has been found. What’s next? Maybe a second Heartbleed? […]