On Mon, 14 Oct 2002 18:06:51 +0200, "Sverre H. Huseby" said: > * Automatically providing tamper control (eg. message digests) to > data that are not supposed to be tampered with. And you verify that the digest isn't changed *how*? (Hint - how do you keep your attacker from handing you a piece of data along with a digest that matches? > * Automatically checking the length of input where possible. In general, not doable outside of a strongly typed language - how does the API "know" that the maximum allowed length of a string is 37? Note that this is particularly tricky if (for instance) you're writing in Perl, which doesn't have an inherent maximum length, but you're eventually passing it to an Oracle database that has '37' as the length.. > To make everything even more automatic, the system could start with a > high level definition of all objects (and possibly all web pages). Hmm.. and the LDAP schemas, and the Oracle table definitions, and..... It's a lot harder to do than it looks, and usually just having good programming standards will do 95% of what's needed.... -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
This archive was generated by hypermail 2b30 : Mon Oct 14 2002 - 10:49:06 PDT