* Michal Zalewski wrote on Tue, Jan 28, 2003 at 02:09 -0800:
> On Tue, 28 Jan 2003, Ed Carp wrote:
>
> > I wasn't able to find such a function - do you have an example?
>
> I'm pretty convinced I've seen at least a discussion about such an
> implementation, quite unfortunately, I can't find any references right
> now. Perhaps other readers could help.

There was a thread on secprog, yep. For instance, I wrote a mail
about "the own text buffer type" in:
http://online.securityfocus.com/archive/98/300536/2002-12-01/2002-12-07/2

> - Use a range checking compiler that emits and tracks this additional
>   information (and generates a slower code; plus, not all platforms
>   would have a compiler with such an option, I imagine),

BTW, I know the gcc bounds patch and I used it once, it was a nice
thing! Is there something similar available for C++?

I've played around with efence and mpatrol, both may help to find
overflows and such. Maybe worth a look?

> - Implement manual passing of the information by adding a length
>   parameter to all functions that operate on buffers (and rewrite
>   most of your code),

Isn't this strncpy and strlcpy?

> - ...or, per Crispin's suggestion, use a runtime checker like
>   StackGuard.

Is StackGuard only protecting the stack? Then mpatrol may be more
helpful I think, please correct me if I'm wrong.

Well, the question was about language... I think, C is "optimized"
for speed and is nice for small embedded systems :) "Higher level"
languages, such as C++, Java or even Ada and heaps of others support
much more language features to protect against such issues. Maybe C
is not designed for safety... With C++ you can add some comfortable,
with Java you should always get run time exceptions. Ada isn't widely
used in practice (outside government and medical projects and such) I
think.

oki,

Steffen

-- 
This letter was generated by machine and therefore bears neither
signature nor seal.
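The "length parameter" option and the strncpy/strlcpy question from the mail above, as an added example that is not part of the original message. `bounded_copy` is a hypothetical helper with strlcpy-style semantics (written out here because strlcpy is not present in every libc), and the input string is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (strlcpy-style semantics): copies at most
 * dstsize-1 bytes, always NUL-terminates when dstsize > 0, and returns
 * strlen(src) so the caller can detect truncation (ret >= dstsize). */
size_t bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t srclen = strlen(src);
    if (dstsize > 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Returns 1 if buf[0..size) contains a NUL terminator, else 0. */
int is_terminated(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

/* strncpy takes a length, but when the source is at least as long as
 * the destination it fills the buffer and writes no terminator. */
int strncpy_leaves_unterminated(void)
{
    char dst[8];
    memset(dst, 'X', sizeof dst);
    strncpy(dst, "constructed-input", sizeof dst); /* constructed sample */
    return !is_terminated(dst, sizeof dst);
}

/* Same input through bounded_copy: terminated, and truncation is reported. */
int bounded_copy_truncates_safely(void)
{
    char dst[8];
    memset(dst, 'X', sizeof dst);
    size_t need = bounded_copy(dst, sizeof dst, "constructed-input");
    return is_terminated(dst, sizeof dst) && need >= sizeof dst
           && strcmp(dst, "constru") == 0;
}

int main(void)
{
    printf("strncpy unterminated: %d\n", strncpy_leaves_unterminated());
    printf("bounded_copy safe:    %d\n", bounded_copy_truncates_safely());
    return 0;
}
```

A caller that treats a return value greater than or equal to the destination size as an error gets an explicit truncation signal, which strncpy does not provide.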
This archive was generated by hypermail 2b30 : Tue Jan 28 2003 - 16:13:20 PST