Bugtraq mailing list archives
Re: Smashing the Stack: prevention?
From: merlyn () STONEHENGE COM (Randal Schwartz)
Date: Mon, 28 Apr 1997 06:31:39 -0700
"nate" == nate <nate () MILLCOMM COM> writes:
nate> 2. 'hmm. what if you change the compiler?' nate> C compilers could be modified to do bounds checking, and/or nate> problem functions could be made to complain to the user at compile time. Not surprisingly, as a next-gen language, Perl already had this stuff built in. Arrays and other data structures are dynamically scalable. And the "taint" dataflow checking (nothing *from* the outside world could influence actions *to* the outside world without explicit "cleansing") has been in there since Perl version 2 (1988). Perl 5 introduced the notion of running code in an arbitrary "Safe" box, providing interfaces that mimic system functions. You could write a setuid script that executes nearly everything insde the box, then calls controlled "through the box wall" functions to perform I/O or launch processes. Yes, there was the CERT-able hole two years ago because Larry got an #ifdef backwards on a platform he didn't have access to, and the recent one where a *libc* routine couldn't handle the arbitrary-sized data that Perl was handing it. We have efforts going on in the Perl developer groups to stamp the rest of those out. (And yes, there are apparently a few others. Durn libc. :-) So, if you want to write a secure toy, and you want to write it in 1/3 to 1/5 the number of lines of code of C, and you want it to be secure, just use Perl. -- Name: Randal L. Schwartz / Stonehenge Consulting Services (503)777-0095 Keywords: Perl training, UNIX[tm] consulting, video production, skiing, flying Email: <merlyn () stonehenge com> Snail: (Call) PGP-Key: (finger merlyn () ora com) Web: <A HREF="http://www.stonehenge.com/merlyn/">My Home Page!</A> Quote: "I'm telling you, if I could have five lines in my .sig, I would!" -- me
Current thread:
- Re: Smashing the Stack: prevention?, (continued)
- Re: Smashing the Stack: prevention? Tim Newsham (Apr 27)
- Re: Smashing the Stack: prevention? Joe Zbiciak (Apr 28)
- Re: Smashing the Stack: prevention? Daniel Ryde (Apr 28)
- xlock clarification.... David Hedley (Apr 28)
- Re: Smashing the Stack: prevention? Steve Coleman - SEWP (Apr 28)
- Re: Smashing the Stack: prevention? Alexander Snarskii (Apr 28)
- Re: Smashing the Stack: prevention? Michael Shields (Apr 28)
- Re: Smashing the Stack: prevention? Theo de Raadt (Apr 28)
- Re: Smashing the Stack: prevention? Shawn Instenes (Apr 29)
- Re: Smashing the Stack: prevention? J.R.Valverde (Apr 28)
- Re: Smashing the Stack: prevention? Randal Schwartz (Apr 28)
- Re: Smashing the Stack: prevention? Thomas H. Ptacek (Apr 29)
- Re: Smashing the Stack: prevention? J.R.Valverde (Apr 29)
- Re: Smashing the Stack: prevention? J.R.Valverde (Apr 29)