Bugtraq mailing list archives

Re: EMERGENCY: new remote root exploit in UW imapd


From: alec () dakotacom net (Alec Kosky)
Date: Thu, 16 Jul 1998 22:48:40 -0700


On 17-Jul-98 Craig Spannring wrote:

C should not be used for trusted programs.  The lack of true arrays
with array bounds checking alone makes it too hazardous.  How many
buffer overflow attacks would we hear about if the trusted server
programs were written using a language with bounds checking like
Modula-2 or Ada?  Zero.

   I like Ada's super-tight type, although at times it's trying, to say the
least. The only major complaint I have against it is the lack of widespread
support for it. I have only found one *nix-based compiler (GNAT), and I was not
too impressed with it. I haven't used it extensively, so I can't comment on too
much, but from what I remember it didn't have a large set of libraries. Perhaps
things have changed in the past year... On the DOS/Windows-based side of
things, the situation is only slightly better (last I knew). The only two
decent (but commercial) compilers that I knew of were the Meridian Ada compiler
and the Janus Ada compiler, and the Meridian was by far the superior. This
brings me to the point: Yes, choosing a language like Ada for secure trusted
programs is to be preferred (although nothing can compensate for poor coding
technique), but there is a definite need for more support. What is the current
state of Ada compiler technology looking like? Have things changed much?

--Alec--


