Craig Spannring writes:
>Anonymous writes:
> > In some ways, it is depressing to find this new hole. Programmers are
> > still making the same mistakes they have made for years. Doesn't anyone
> > learn from the past? [...]
>
>C should not be used for trusted programs. The lack of true arrays
>with array bounds checking alone makes it too hazardous. How many
>buffer overflow attacks would we hear about if the trusted server
>programs were written using a language with bounds checking like
>Modula-2 or Ada? Zero.

How many file races and symlink-following errors (for example) would we
hear about if programs were written in such a language? Lots. You don't
get secure programs by relying on the language to secure your program for
you--you get it by PROGRAMMING SMARTLY.

I won't deny that C lets you do lots of things that can be dangerous; but
so does any other (useful) language. Does it let you open a file for
writing? That's dangerous--suppose the file is /etc/passwd. Does it let
you use pointers? That's dangerous for obvious reasons. (And if not,
imagine the performance hit when every array access has to be
bounds-checked. Security is good, but if it drops performance into a tar
pit you'll still have plenty of problems--especially when your competitor
is using a faster C program.)

I have to say that I've never programmed in Ada or Modula-2 myself (and
it's been years since I've touched Pascal, which I recall as being similar
to Modula-2), so I can't comment on just how appropriate they'd be to
server programs or deny that using such a language could improve security.
But we won't get _truly_ secure programs until people can program
securely; and people that can program securely can write secure programs
in _any_ language.

--Andy Church                   | If Bell Atlantic really is the heart
achurchat_private               | of communication, then it desperately
www.dragonfire.net/~achurch/    | needs a quadruple bypass.
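The "file races and symlink-following errors" the reply holds up as the class no bounds checker catches, shown in C as an added example (not code from the original post or its author): a check-then-open pattern that loses a symlink race beside a form that lets the kernel make the check atomically. The attacker is simulated by a hook called inside the race window; the scratch directory under /tmp, the "victim" file standing in for /etc/passwd, and the function names are all assumptions of this example.

```c
/* Added example (not code from the original post): a symlink-following
 * race (TOCTOU) in C. The "attacker" is a hook run inside the race window;
 * the scratch directory and victim file are constructed for the demo. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* What the simulated attacker does during the window: replace the file the
 * program just inspected with a symlink to a file it must not touch. */
struct attack { const char *path; const char *target; };

static void plant_symlink(void *ctx) {
    struct attack *a = ctx;
    unlink(a->path);
    symlink(a->target, a->path);
}

/* VULNERABLE: lstat() says "not a symlink", then open() resolves the same
 * path a second time. Whatever was swapped in between is what gets written. */
int append_racy(const char *path, const char *msg,
                void (*window)(void *), void *ctx) {
    struct stat st;
    if (lstat(path, &st) == 0 && S_ISLNK(st.st_mode))
        return -1;                                 /* time of check */
    if (window) window(ctx);                       /* the race window */
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600); /* time of use */
    if (fd < 0) return -1;
    ssize_t n = write(fd, msg, strlen(msg));
    close(fd);
    return n == (ssize_t)strlen(msg) ? 0 : -1;
}

/* HARDENED: no separate check. O_NOFOLLOW makes open() fail with ELOOP when
 * the final component is a symlink, and the sanity checks run via fstat() on
 * the descriptor actually held, so there is no window to race. Caveat:
 * O_NOFOLLOW covers only the last component; a symlinked parent directory
 * needs an openat()/O_DIRECTORY walk or a directory the attacker cannot write. */
int append_safe(const char *path, const char *msg,
                void (*window)(void *), void *ctx) {
    if (window) window(ctx);   /* attacker acts whenever it likes; irrelevant */
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;     /* ELOOP here is the attack being refused */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    ssize_t n = write(fd, msg, strlen(msg));
    close(fd);
    return n == (ssize_t)strlen(msg) ? 0 : -1;
}

/* Helper: does the file at path contain needle (first 255 bytes)? */
static int file_contains(const char *path, const char *needle) {
    char buf[256] = {0};
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n > 0 && strstr(buf, needle) != NULL;
}

/* Runs both versions against the simulated attacker in a scratch directory.
 * Returns 1 when the racy version wrote through the planted symlink into the
 * victim file and the hardened version refused, 0 otherwise. */
int demo(void) {
    char dir[64], logp[128], victim[128];
    snprintf(dir, sizeof dir, "/tmp/toctou_demo_%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return 0;
    snprintf(logp, sizeof logp, "%s/log", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return 0;
    if (write(fd, "root:x:0:0\n", 11) != 11) { close(fd); return 0; }
    close(fd);
    struct attack a = { logp, victim };

    int racy = append_racy(logp, "evil:x:0:0\n", plant_symlink, &a);
    int racy_hit = file_contains(victim, "evil:x:0:0");

    unlink(logp);                                  /* reset for round two */
    int safe = append_safe(logp, "evil2\n", plant_symlink, &a);
    int safe_hit = file_contains(victim, "evil2");

    unlink(logp); unlink(victim); rmdir(dir);
    return racy == 0 && racy_hit && safe == -1 && !safe_hit;
}

int main(void) {
    printf("racy version lost the race and hardened version refused: %s\n",
           demo() ? "yes" : "no");
    return 0;
}
```

The hook stands in for a scheduler preemption between lstat() and open(); in a real attack the adversary loops on unlink()/symlink() in a directory it owns until it wins. The point of the hardened form is that it contains no check against the path at all: the only facts it trusts are those the kernel reports about the descriptor it already holds.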
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:06:28 PDT