Secure Coding mailing list archives
Managed Code and Runtime Environments - Another layer of added security?
From: mouse at Rodents.Montreal.QC.CA (der Mouse)
Date: Wed, 29 Mar 2006 13:41:35 -0500 (EST)
> Der Mouse is barking up the right rathole.
:-) That's a lovely mangled metaphor. And, thanks for the kind words; I'm glad to see I'm not totally out to lunch. (I haven't been at this for as long as you have - you write "from 1965 to 1969", during which time I was at most five years old - and it's good to get confirmation of some of what I think I've learnt.)
> No software was written until there was an approved specification, with well defined interfaces and exception conditions
And here you come close, I believe, to one of the reasons this kind of security architecture is not more done. This kind of coding - heck, even just writing good specifications - is hard work, work that comparatively few people are competent to do. In all my years at this, I can count the number of times I've seen a really well-defined specification on the fingers of one hand. (The case I usually cite is the VAX Architecture Reference Manual, which is careful to call out all the cases where the behaviour is UNDEFINED or UNPREDICTABLE, those being technical terms defined early in the document, and to cover every possibility with defined behaviour or one of those.)

Almost everything has holes, cases where the spec is silent; this is not the way to produce solid designs. In many cases a shaky design is no big problem (so your solitaire game crashes now and then, so what?). But in other cases it can be quite disastrous, with the kind of consequences everyone here surely knows far too much about.

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse at rodents.montreal.qc.ca
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B