Secure Coding mailing list archives
Re: Secure coding education
From: jnf <jnf () datakill org>
Date: Fri, 09 Apr 2004 21:45:22 +0100
I can completely agree, and I think this is a 2 sided sword kinda, this is one of my major problems with languages like C#, and to a lesser extent Java and the likes where the programmer needs to know nothing or next to nothing about memory management. I see that as a flaw because well, simply put as programmers I think you should have a concept of such things and then work in languages where it isn't necessary to understand the lower levels.

Also, a few years back as a freshman CSE student I gave a presentation to the local LUG which included mostly upper class CS{,E} students and professors. My presentation was over secure programming and mostly covered stack/heap based overflows and then some race conditions and format strings focused mostly on C, but also including what exactly happened in the lower levels such as assembly, and some higher level languages like Perl and PHP, and it literally blew their minds. They really had no idea what exactly happened on a lot of things and it surprised me that even though many of them had taken assembly classes, they had little to no idea how the 'ret' instruction worked, and how it was abused in your most basic stack based overflow - a malloc()/free() based overflow took me quite some time to explain.

Really I think the perfect place for such a class would be just before the OS design type classes.

j

--
It is only the great men who are truly obscene. If they had not dared to be obscene, they could never have dared to be great.
-- Havelock Ellis
Current thread:
- Secure coding education James Walden (Apr 09)
- Re: Secure coding education jnf (Apr 09)