Comment by WmyEE0UsWAwC2i

4 years ago

I agree with the sentiment. For a project of this magnitude, maybe it comes down to developing some kind of static analysis, along with refactoring the code to make the former possible.

As per the attack surface described in the paper (section IV), because (III, the acceptance process) is a manpower issue.

Ironically, one of their attempts was submitting changes that were allegedly recommended by a static analysis tool.

  • It's possible that they are developing a static analysis tool that is designed to find places where vulnerabilities can be inserted without looking suspicious. That's kind of scary.

    Have they submitted patches to any projects other than the kernel?