Bugtraq mailing list archives
Re: at the risk of another flamefest..
From: stagda () ncs com (David Stagner)
Date: Mon, 15 Jul 1996 14:49:03 -0500
If I may fan the flames further... I often wonder if we should blame our Language of Choice, rather than bad programming practice. It seems to me that the bulk of code-based security problems these days are buffer overflow-related. Is this characteristic of poor coding, or a misfeature of C? I'm hesitant to say that C is a bad language just because [] is just an overloading of *. To me, C is just a generalization of the Von Neumann architecture, and the array/pointer congruence reflects the reality of our hardware. But in the practical case, it is the source of most of our non-algorithmic bugs, particularly security bugs. Many, many well-proven languages handle array bounds checking for the programmer, and do so efficiently. It seems to me a Bad Thing, and bad programming practice, for the programmer to need to explicitly check for overflow on every single array operation. We should just be able to do the obvious and expect the language to fail gracefully when we do what should not be possible. Of course, there are SOME cases when we might want to be able to write off the normal end of an array. However, I submit that these cases are extremely rare for most unix utility and daemon programming. In other words, if you NEED the power of C, then by all means use it. But if not, perhaps you should consider using a more sophisticated language for security-sensitive coding, something that doesn't expect you to do ALL the work. What we need is a powerful, portable, widely used language that automagically handles bounds checking for us. Sounds like perl to me.:} -dave
Current thread:
- Re: CERT Advisory CA-96.13 - Vulnerability in the dip program, (continued)
- Re: CERT Advisory CA-96.13 - Vulnerability in the dip program Efrain Torres (Jul 09)
- FIRST Conference & Workshop Plans Ron Freund (Jul 09)
- rdist exploit [bsdi] Brian Mitchell (Jul 09)
- Re: rdist exploit [bsdi] Brian Tao (Jul 11)
- Re: rdist exploit [bsdi] Damien Sorder (Jul 11)
- Re: rdist exploit [bsdi] jaeger (Jul 12)
- Re: rdist exploit [bsdi] Andrew N. Edmond (Jul 13)
- Re: rdist exploit [bsdi] Andy Dills (Jul 13)
- Re: rdist exploit [bsdi] Brian Tao (Jul 14)
- at the risk of another flamefest.. *Hobbit* (Jul 14)
- Re: at the risk of another flamefest.. David Stagner (Jul 15)
- Re: at the risk of another flamefest.. Alan L. Wendt (Jul 15)
- hpux 10.0 remote administration Matthew G. Harrigan (Jul 15)
- Re: rdist exploit [bsdi] System Manager (Jul 13)
- Re: rdist exploit [bsdi] Tom Bowman (Jul 12)
- Re: rdist exploit [bsdi] Brian Tao (Jul 12)
- Re: rdist exploit [bsdi] Cosimo Leipold (Jul 13)
- Re: rdist exploit [bsdi] Jack Flory (Jul 13)
- Re: rdist exploit [bsdi] Chris Caputo (Jul 13)
- Re: rdist exploit [bsdi] Brian Mitchell (Jul 14)