Re: EMERGENCY: new remote root exploit in UW imapd

From: Andy Church (achurchat_private)
Date: Fri Jul 17 1998 - 05:48:58 PDT


Craig Spannring writes:
>Anonymous writes:
> > In some ways, it is depressing to find this new hole.  Programmers are
> > still making the same mistakes they have made for years.  Doesn't anyone
> > learn from the past? [...]
>
>C should not be used for trusted programs.  The lack of true arrays
>with array bounds checking alone makes it too hazardous.  How many
>buffer overflow attacks would we hear about if the trusted server
>programs were written using a language with bounds checking like
>Modula-2 or Ada?  Zero.

     How many file races and symlink-following errors (for example) would
we hear about if programs were written in such a language?  Lots.  You
don't get secure programs by relying on the language to secure your program
for you--you get it by PROGRAMMING SMARTLY.  I won't deny that C lets you
do lots of things that can be dangerous; but so does any other (useful)
language.  Does it let you open a file for writing?  That's dangerous--
suppose the file is /etc/passwd.  Does it let you use pointers?  That's
dangerous for obvious reasons.  (And if not, imagine the performance hit
when every array access has to be bounds-checked.  Security is good, but if
it drops performance into a tar pit you'll still have plenty of problems--
especially when your competitor is using a faster C program.)

     I have to say that I've never programmed in Ada or Modula-2 myself
(and it's been years since I've touched Pascal, which I recall as being
similar to Modula-2), so I can't comment on just how appropriate they'd be
to server programs or deny that using such a language could improve
security.  But we won't get _truly_ secure programs until people can
program securely; and people that can program securely can write secure
programs in _any_ language.

  --Andy Church                  | If Bell Atlantic really is the heart
    achurchat_private       | of communication, then it desperately
    www.dragonfire.net/~achurch/ | needs a quadruple bypass.

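The file-race and symlink-following class of bug that Church holds up as language-independent, as an added C example (not code from the thread): the plain open() a server of the day would use beside an atomic O_EXCL|O_NOFOLLOW open, both exercised on a constructed symlink in a private temp dir. The function names, the /tmp template and the "spool"/"target" names are assumptions for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The usual pattern: open the path and write. open() follows whatever the
 * path points to, so a symlink planted there sends the write to its target.
 * Adding an lstat() "is it a symlink?" check first does not help: the path
 * can change between the check and the open (a file race). */
int open_for_write_racy(const char *path) {
    return open(path, O_WRONLY | O_CREAT, 0600);
}

/* Atomic alternative: the kernel decides in one step. O_EXCL refuses a
 * pre-existing file, O_NOFOLLOW refuses a symlink at the final component,
 * and fstat() on the descriptor we actually hold confirms what we were given. */
int open_for_write_safe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd); return -1;
    }
    return fd;
}

/* Constructed scenario in a private temp dir: "spool" is a symlink to
 * "target". Returns 1 when the racy open wrote through the link, the safe
 * open refused it, and the safe open creates a fresh file once the link is
 * gone; 0 otherwise. */
int demo_symlink_refused(void) {
    char dir[] = "/tmp/uwdemoXXXXXX", target[256], linkpath[256];
    if (!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(linkpath, sizeof linkpath, "%s/spool", dir);
    /* "target" stands in for the file being protected (think /etc/passwd) */
    if (close(open(target, O_WRONLY | O_CREAT, 0600)) != 0) return 0;
    if (symlink(target, linkpath) != 0) return 0;
    int racy = open_for_write_racy(linkpath);   /* >= 0: opened target */
    int safe = open_for_write_safe(linkpath);   /* -1: EEXIST / ELOOP */
    unlink(linkpath);
    int fresh = open_for_write_safe(linkpath);  /* >= 0: new regular file */
    int ok = racy >= 0 && safe < 0 && fresh >= 0;
    if (racy >= 0) close(racy);
    if (fresh >= 0) close(fresh);
    unlink(linkpath); unlink(target); rmdir(dir);
    return ok;
}

int main(void) { return demo_symlink_refused() ? 0 : 1; }
```

The same O_EXCL|O_NOFOLLOW-plus-fstat() discipline is what a bounds-checked language would still leave to the programmer, which is the point of the reply above.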
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:06:28 PDT