WhiteHouse/source-code-policy

Older systems and SMT

Closed this issue · 1 comments

In my experience as a contractor remediating security issues on CMS systems, I would recommend also opening up the source code of other servers already deployed. It is a nightmare. Agencies have few to little rules or budget to maintain servers from one-time spending bills. There needs to be sunlight to clean up these rotting servers.

As a general rule, any software in production for more than a few months has a publicly known security issue. The United States is unprepared for widespread use of SMT solvers and concolic testing. In the next few years numerous bugs like "shellshock" will come to light, and it will be mandatory to write/rewrite formal parsers for file formats and other program inputs. Provably correct programs are a matter of national security.

Fuzzing-project.org lists a number of known bugs in the wild found with automated testing, https://fuzzing-project.org/software.html

Galois does a fair amount of U.S. Government work employing automated theorem provers, http://saw.galois.com