Bugtraq mailing list archives

Re: at the risk of another flamefest..


From: jeremyp () gsms01 alcatel com au (Peter Jeremy)
Date: Tue, 16 Jul 1996 07:09:34 +1000


On Mon, 15 Jul 1996, David Stagner <stagda () ncs com> wrote:
> Many, many well-proven languages handle array bounds checking for the
> programmer, and do so efficiently.

It might be worth noting that Richard W.M. Jones <rwmj () doc ic ac uk>
has written some patches to gcc which add fine-grained bounds checking
to C.  Sources are in: ftp://dse.doc.ic.ac.uk/pub/misc/bcc
Additional information at:
        http://www-dse.doc.ic.ac.uk/~rj3/bounds-checking.html
        http://www-ala.doc.ic.ac.uk/~phjk/BoundsChecking.html

Unfortunately, the resultant code is substantially slower and is therefore
really only suitable for testing - this seems primarily due to the
requirement for bounds-checked code to fully interwork with non bounds-
checked code.

> What we need is a powerful, portable, widely used language that
> automagically handles bounds checking for us.  Sounds like perl to
> me.:}

I disagree.  Whilst perl at the script level hides array-bounds problems
from the user, it is not a panacea.  Firstly, the interpreter itself is
written in C - thus it is possible that the interpreter itself may suffer
from an array-bounds problem.  Secondly, it is _very_ large (several times
the size of sendmail) thus violating the KISS principle - which is
particularly important for security tools.
----
Peter Jeremy (VK2PJ)                    peter.jeremy () alcatel com au
Alcatel Australia Limited
41 Mandible St                          Phone: +61 2 690 5019
ALEXANDRIA  NSW  2015                   Fax:   +61 2 690 5247
PGP fingerprint: 2A C6 47 D1 BF 56 5A 10  CC 02 2D 89 EA 10 AA 40
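
An added illustration, not code from the post or from the gcc patches it mentions, of the cost the reply points to: if checked code must keep ordinary C pointers so that it can interwork with unchecked code, a pointer cannot carry its own bounds, and every check has to look them up. The object table, the `bc_*` names and the sample buffers are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical object table: one entry per buffer known to checked code. */
struct obj { uintptr_t base; size_t size; };
static struct obj table[16];
static size_t nobj;

enum bc_result { BC_OK, BC_OUT_OF_BOUNDS, BC_UNKNOWN };

/* Record a buffer's extent; returns 0, or -1 when the table is full. */
int bc_register(const void *p, size_t size) {
    if (nobj == sizeof table / sizeof table[0]) return -1;
    table[nobj].base = (uintptr_t)p;
    table[nobj].size = size;
    nobj++;
    return 0;
}

/* Check an access of len bytes at p + off. The pointer is a plain C
 * pointer, so its bounds must be found by searching the table on every
 * check (linear scan here for brevity). */
enum bc_result bc_check(const void *p, size_t off, size_t len) {
    uintptr_t a = (uintptr_t)p;
    for (size_t i = 0; i < nobj; i++) {
        if (a < table[i].base || a - table[i].base >= table[i].size)
            continue;
        size_t room = table[i].size - (a - table[i].base);
        /* Compare without adding off + len, which could wrap around. */
        if (off > room || len > room - off) return BC_OUT_OF_BOUNDS;
        return BC_OK;
    }
    return BC_UNKNOWN; /* e.g. memory allocated by unchecked code */
}

/* Constructed sample buffers: one registered, one never registered. */
static char checked_buf[8];
static char foreign_buf[8];

int main(void) {
    bc_register(checked_buf, sizeof checked_buf);
    printf("%d %d %d\n",
           bc_check(checked_buf, 7, 1),      /* last byte */
           bc_check(checked_buf + 4, 4, 1),  /* one past the end */
           bc_check(foreign_buf, 0, 1));     /* not in the table */
    return 0;
}
```

The `BC_UNKNOWN` result is the interworking case: memory the checked code never saw allocated can only be passed through unverified.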


