Bugtraq mailing list archives

Re: EMERGENCY: new remote root exploit in UW imapd

From: Bill_Royds () PCH GC CA (Bill Royds)
Date: Wed, 29 Jul 1998 15:02:14 -0400

      "D. J. Bernstein" <djb () CR YP TO> wrote

     To:   BUGTRAQ () NETSPACE ORG
     Subject:  Re: EMERGENCY: new remote root exploit in UW imapd

     Here's an example of the Dijkstra phenomenon.

     <snip>

     der Mouse writes:
     > modular code usually ends up being slower

     There are three misconceptions here.

     Misconception #1 is that modularization means moving common code into
     subroutines. In fact, modularization need not have any effect on the
     compiled program, thanks to macros, inline code, etc. Subroutines are
     convenient but not required.

     Misconception #2 is that moving common code into subroutines imposes a
     speed penalty. In fact, procedure-call overhead is wiped out by cache
     effects in any subroutine that does more than a little bit of work.

     Misconception #3 is that speed is something programmers should
     consider
     along with security, verifiability, etc. In fact, the computer spends
     almost all of its time executing an amazingly small amount of code.
     For
     most programmers, speed simply doesn't matter.

Actually modular code (even subroutine calls) often is much faster because
most compilers and most harware architectures take advantage of locality of
reference. An optimizing compiler can only eliminate common sub-expressions
that can be shown to have no intervening branches. a modular subroutine is
less likely to have thes.

I once toaught a computer science course where the question of speed as a
design crterion arose. When  the class discusssed it we came to the
conculsion that a program that gave a wrong answer was never fast.
Correctness, maintainability, security, flexibility are all more important
than flat out speed.

Speed is important when it is part of correctness, that is a response is
needed fast enough to avoid time outs to not delay the humans using the
computer etc. But this is a consequence of the other criteria, not one in
itself.

Current thread:

Security Bulletins Digest, (continued)
- - Security Bulletins Digest vtmue () HEAVEN RUF UNI-FREIBURG DE (Jul 23)
  - Apache 1.3.1 Released! Aleph One (Jul 23)
- Re: EMERGENCY: new remote root exploit in UW imapd Alex Le Heux (Jul 22)
- Re: EMERGENCY: new remote root exploit in UW imapd D. J. Bernstein (Jul 28)
- Re: EMERGENCY: new remote root exploit in UW imapd der Mouse (Jul 28)
  - Object tag crashes Internet Explorer 4.0 Georgi Guninski (Jul 28)
    - Re: Object tag crashes Internet Explorer 4.0 Matt Rose (Jul 29)
  - Re: EMERGENCY: new remote root exploit in UW imapd David Schwartz (Jul 28)
  - Re: EMERGENCY: new remote root exploit in UW imapd Kragen (Jul 29)
- Re: EMERGENCY: new remote root exploit in UW imapd D. J. Bernstein (Jul 29)
- Re: EMERGENCY: new remote root exploit in UW imapd Bill Royds (Jul 29)