Posted May 21, 2008 15:21 UTC (Wed) by dd9jn (subscriber, #4459)
In reply to: Testing by eru
Parent article: Open Source Security Report
Right, it can be done but the outcome of adding such a test may be worse than without a test.
All serious RNG implementations use some kind of hash function before returning the random
bytes, thus you can't run statistical tests on the output. To run tests you need to instrument
the code. That very instrumentation is a source of bugs and thus it should be avoided. In
fact, OpenSSL was recently trapped by such a bug due to extra code added for the FIPS
validation of OpenSSL.
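
The point about hashed output, as an added example that is not part of the original comment: a constructed source with only a 15-bit seed fails simple monobit and byte-frequency tests in raw form, yet the same seed run through SHA-256 passes both. The 15-bit seed, the counter construction and all function names are assumptions made for illustration.

```python
import hashlib

def raw_weak_source(seed: int, n: int) -> bytes:
    """Constructed weak source: a 15-bit value counted upward, one 4-byte word each."""
    return b"".join(((seed + i) & 0x7FFF).to_bytes(4, "big") for i in range(n // 4))

def hashed_output(seed: int, n: int) -> bytes:
    """What a caller sees: SHA-256(seed || counter) blocks, truncated to n bytes."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed.to_bytes(4, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])

def monobit_fraction(data: bytes) -> float:
    """Fraction of 1 bits; close to 0.5 for random-looking data."""
    return sum(bin(b).count("1") for b in data) / (8 * len(data))

def chi_square_bytes(data: bytes) -> float:
    """Chi-square statistic over byte values (255 degrees of freedom, mean about 255)."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in counts)

def distinct_streams(seed_bits: int = 15, n: int = 16) -> int:
    """Number of different output streams the hashed generator can ever produce."""
    return len({hashed_output(s, n) for s in range(2 ** seed_bits)})

if __name__ == "__main__":
    n = 65536
    for name, data in (("raw", raw_weak_source(1234, n)), ("hashed", hashed_output(1234, n))):
        print(f"{name:6s} ones={monobit_fraction(data):.4f} chi2={chi_square_bytes(data):.1f}")
    # The statistics look fine after hashing, but the seed space is unchanged.
    print("distinct output streams:", distinct_streams())
```

The statistical tests only see the hash function's output distribution; the number of distinct streams is what reveals the weak seed, and measuring it requires access to the generator's internals.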