Secure Coding mailing list archives
bumper sticker slogan for secure software
From: fw at deneb.enyo.de (Florian Weimer)
Date: Thu, 20 Jul 2006 21:46:22 +0200
* Pascal Meunier:
> But it's true for stupid bugs like buffer overflows and format string vulnerabilities, in which we're still swimming, and the proof is the fact that those aren't possible in some languages.
Could you name a few such language implementations? 8-)
In most cases, the components that enforce the absence of buffer overflows are written in C. In other cases, languages have the reputation of being free from buffer overflows although it's just not true: You can create a fully conforming Common Lisp implementation where code injection through buffer overflows is possible. On the other hand, it's possible to construct an ISO C implementation where accessing memory beyond the end of a buffer is equivalent to calling abort. (Such CL implementations are very common, but the C implementations aren't because they would feature a very unusual ABI or suffer from poor performance.)
And you need to keep in mind that even with C, we are close to turning buffer overflows into completely reproducible crashes. This is not so much different from supposedly safer programming languages where an exception is raised in such cases. The exception can be handled, sure, but if it is truly unexpected, your system will fail.
> For design/requirements bugs, I'm reading:
Safety-critical software is a very different beast. You can make much stronger assumptions about the environment. It's not clear if the results apply to software security in open systems. I'm not saying that formal methods have no value. But I doubt that comparisons with projects at completely different dollars-per-line-of-code levels give immediate insights.