Binary data that is not executable can't execute anything on its own. If it leads to code execution, this is by exploiting some other code that reads said data and has a bug. (Or does so intentionally.)
So when using binary data for testing purposes, you basically have 2 cases:
- Known good outputs: the tests execute the tested code under various known conditions and its binary output is compared to the "binary blob" - usually with the simplest tool possible, such as 'diff', which has no exploit that I know of (but not claiming it has none, who knows, and I didn't fully check that). In the case of a compression library, for instance, you'd compare the output of the compression for known inputs to the expected binary output. End of the story.
- Inputs: similarly, you may need to test your code with known binary inputs. In the case of a compression library, again, that may be the input data that you want to compress as a test. Binary inputs *may* trigger an exploit in the tested code, if said code has any. But this would happen only while testing, and if it happens at this test stage, that would normally be good news (as long as you can detect it.)
"Unacceptable" uses of binary blobs include: executables, and third-party *code* that may extract nasty code from said blobs (which was the case in the xz affair). But either of these cases are, IMO, obvious issues. (Not saying that they are always obvious to see, although again in the xz case, just properly reviewing the build and test scripts would have shown it quickly.)
But not using any binary data, I don't know how you can if you're testing code that is meant to read or write binary data itself. At some point you need to test it with actual inputs and check that the outputs are what's expected. If you know how to properly test, say again as an example, a compression library without using any binary data, let me know.
Home
Help
Search
Login
Register
