Values not permitted by the specification but allowed to pass
the implementation are used to cause abnormal results. Examples include
negative dates producing negative interest which accrues to the benefit of
the attacker, cash withdrawal values which overflow signed integers in
balance adjustment causing large withdrawals to appear as large deposits, and
pointer values sent to system calls that point to areas outside of
authorized address space for the calling party.
Complexity: Most such
attacks are easily carried out once discovered, but systematically
discovering such attacks is, in general, similar to the complexity of gray
box testing until the first fault is found.
fc@red.a.net