Vulnerability Development mailing list archives
Re: BitchX /ignore bug
From: Erich.Meier () INFORMATIK UNI-ERLANGEN DE (Erich Meier)
Date: Tue, 11 Jul 2000 17:40:11 +0200
Cornell's undergraduate CS courses are taught in Java. This is a growing trend in academia. There is never any focus on secure code. In fact, there is never any emphasis on code at all-- to avoid any accusations of technical instruction, Cornell leaves all programming study to the student on their own time. This could be why the Masters are not passing on this instructional wisdom-- they're not present when the student is learning. We all know that classes are too large for code to be examined in detail. Even in the 500-level security course (which I thought was very well taught if my prof is listening in =) there was not emphasis on the code itself, but on the underlying protocols and concepts. Again, it was taught in Java. A thorough examination of what constitutes a stack overflow exploit in C, and writing secure code in general, are concepts that might best be taught to beginning programmers by the security / programming community itself, by making instructional docs available online (if they aren't now), because they're not going to show up on an academic curriculum any time soon. You've got to take care of your own.
Our "System Programming" course, which involves practical system-level programming, uses the C language. Other courses use Java, but most of the system-level apps are still written in C. We explicitly focus on secure programming (banning gets(), sprintf(), strcpy() and friends), show how a buffer overflow works in theory and in practice (I hack an insecure workstation live during the lecture). This impresses students a lot (together with the fact that they get bad marks when programming overflowable applications in their assignments :-). I thought this would be normal in other universities as well.

Erich

--
Erich Meier
Erich.Meier () informatik uni-erlangen de
http://www4.informatik.uni-erlangen.de/~meier/
"People are starving to death in this world and somebody had time for this..."
http://webpages.mr.net/bobz/ttyquake/
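An added example, not code from the post or from the Erlangen course: the three calls the course bans (gets(), sprintf(), strcpy()) next to bounded replacements that report truncation instead of overflowing the buffer. The 16-byte buffer size and the driver functions are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed example: a fixed 16-byte buffer, as in a typical assignment. */
#define NAME_LEN 16

/* strcpy() replacement: returns 1 if the whole source fit, 0 if it was cut.
 * The destination is always NUL-terminated (strncpy() does not promise that). */
int safe_copy(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (dst_len == 0) return 0;
    if (n < dst_len) { memcpy(dst, src, n + 1); return 1; }
    memcpy(dst, src, dst_len - 1);
    dst[dst_len - 1] = '\0';
    return 0;
}

/* sprintf() replacement: snprintf() reports how many bytes it wanted to write,
 * so a result >= dst_len means the output was truncated instead of overflowing. */
int safe_greeting(char *dst, size_t dst_len, const char *name)
{
    int needed = snprintf(dst, dst_len, "Hello, %s!", name);
    return needed >= 0 && (size_t)needed < dst_len;
}

/* gets() replacement: fgets() never writes past dst_len bytes. The newline is
 * stripped and an overlong tail is discarded so it cannot spill into the next read.
 * Returns 1 for a complete line, 0 for a truncated line or EOF. */
int safe_read_line(char *dst, size_t dst_len, FILE *in)
{
    if (dst_len == 0 || !fgets(dst, (int)dst_len, in)) return 0;
    size_t len = strcspn(dst, "\n");
    if (dst[len] == '\n') { dst[len] = '\0'; return 1; }
    int c = getc(in);
    if (c == EOF || c == '\n') return 1;        /* content fit; only the newline did not */
    while (c != EOF && c != '\n') c = getc(in); /* drop the part that did not fit */
    return 0;
}
/* Drivers that run each replacement against a NAME_LEN buffer and constructed input. */
int copy_fits(const char *src) { char b[NAME_LEN]; return safe_copy(b, sizeof b, src); }
int greeting_fits(const char *n) { char b[NAME_LEN]; return safe_greeting(b, sizeof b, n); }
int line_fits(const char *input)
{
    char b[NAME_LEN];
    FILE *f = tmpfile();            /* stands in for stdin */
    if (!f) return -1;
    fputs(input, f); rewind(f);
    int ok = safe_read_line(b, sizeof b, f);
    fclose(f);
    return ok;
}
```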