Bugtraq mailing list archives
Re: Buffer overflow prevention
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Wed, 13 Aug 2003 23:26:01 +0200 (CEST)
On Wed, 13 Aug 2003 weigelt () metux de wrote:
Some languages offer runtime range checking, which should bring much security, but often is really slow :(
In the times of Java and XML used for almost everything, it's not like we strive for every single CPU cycle nowadays in common applications and are willing to sacrifice everything else for that. There are exceptions, particularly in the multimedia domain, but codecs and drivers aren't a common attack vector anyway, so we don't need range checking there that badly. For other code, extra CMPL or so is really not that expensive. The reason why most programmers don't use neat languages with strong typing, range control, exception handling, pointers kept away from the programmer, etc - unless they have to, of course - is quite different... in fascist and easily readable languages, you feel being controlled, not in control. We prefer to be in control to being instructed by an overly picky machine, even if we evidently can't handle the situation in a competent manner. Plus, the point when code compiles and "just works" is further away, because you need to resolve issues you wouldn't be aware of in C. -- ------------------------- bash$ :(){ :|:&};: -- Michal Zalewski * [http://lcamtuf.coredump.cx] Did you know that clones never use mirrors? --------------------------- 2003-08-13 23:06 --
Current thread:
- Buffer overflow prevention Eygene A. Ryabinkin (Aug 13)
- Re: Buffer overflow prevention Nicholas Weaver (Aug 13)
- Re: Buffer overflow prevention weigelt (Aug 13)
- Re: Buffer overflow prevention Michal Zalewski (Aug 13)
- Re: Buffer overflow prevention weigelt (Aug 13)
- Re: Buffer overflow prevention Crispin Cowan (Aug 13)
- Re: Buffer overflow prevention Michal Zalewski (Aug 13)
- Re: Buffer overflow prevention Sam Baskinger (Aug 14)
- Re: Buffer overflow prevention Crispin Cowan (Aug 15)
- Re: Buffer overflow prevention weigelt (Aug 15)
- Re: Buffer overflow prevention Sam Baskinger (Aug 14)
- Re: Buffer overflow prevention Jonathan A. Zdziarski (Aug 13)
- Re: Buffer overflow prevention Andreas Beck (Aug 14)
- Re: Buffer overflow prevention Jingmin (Jimmy) Zhou (Aug 13)
- Re: Buffer overflow prevention Craig Pratt (Aug 13)
- Re: Buffer overflow prevention Patrick Dolan (Aug 13)
(Thread continues...)
- Re: Buffer overflow prevention Nicholas Weaver (Aug 13)