Secure Coding mailing list archives
Managed Code and Runtime Environments - Another layer of added security?
From: mouse at Rodents.Montreal.QC.CA (der Mouse)
Date: Wed, 29 Mar 2006 17:19:22 -0500 (EST)
> Multics code was not immune to buffer overflows, but in most cases the effect was blunted because the out-of-range index values could only affect data beyond the current activation record--in contrast with most linear addressing systems where an overflow is almost always able to reach important values like the return address.
This is only because the libraries used store later characters in a string at higher addresses (as compared to earlier characters). If the string libraries stored strings the other way around (with the earlier characters at the higher addresses), downward-growing stacks would have exactly this kind of buffer overrun protection. Hmm, I wonder if there's something useful lurking there.

/~\ The ASCII                             der Mouse
\ / Ribbon Campaign
 X  Against HTML                mouse at rodents.montreal.qc.ca
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
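The layout argument in the message above, as an added illustration that is not code from the thread: a byte array models one activation record on a downward-growing stack, and the same unchecked 12-byte write into an 8-byte buffer is done in both storage directions. The frame layout, the marker value, and all names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a downward-growing stack; index 0 = lowest address.
 * Assumed layout for illustration:
 *   [0..15]  unused stack below the frame
 *   [16..23] local buffer (8 bytes)
 *   [24..31] saved return address                                        */
enum { FREE = 16, BUF = 8, RET = 8, FRAME = FREE + BUF + RET };
enum { BUF_LO = FREE, BUF_HI = FREE + BUF - 1, RET_LO = FREE + BUF };

static void init_frame(unsigned char *m) {
    memset(m, 0x00, FRAME);
    memset(m + RET_LO, 0xAA, RET);      /* marker for the return address */
}

/* Conventional strings: later characters at higher addresses. */
static void copy_ascending(unsigned char *m, const char *s, size_t n) {
    for (size_t i = 0; i < n; i++) m[BUF_LO + i] = (unsigned char)s[i];
}

/* Reversed strings as proposed in the message: the first character sits at
 * the buffer's highest address, later characters at lower addresses.     */
static void copy_descending(unsigned char *m, const char *s, size_t n) {
    for (size_t i = 0; i < n; i++) m[BUF_HI - i] = (unsigned char)s[i];
}

/* Returns 1 if the saved-return-address marker is untouched. */
static int ret_intact(const unsigned char *m) {
    for (int i = 0; i < RET; i++)
        if (m[RET_LO + i] != 0xAA) return 0;
    return 1;
}

/* Writes 12 bytes into the 8-byte buffer with no bounds check. */
int overrun_keeps_ret(int descending) {
    unsigned char mem[FRAME];
    const char input[] = "BBBBBBBBBBBB";    /* constructed 12-byte input */
    init_frame(mem);
    if (descending) copy_descending(mem, input, 12);
    else            copy_ascending(mem, input, 12);
    return ret_intact(mem);
}

int main(void) {
    printf("ascending : return address intact = %d\n", overrun_keeps_ret(0));
    printf("descending: return address intact = %d\n", overrun_keeps_ret(1));
    return 0;
}
```

The model covers only a buffer written by the function that owns it. When a callee fills a buffer in its caller's frame, the callee's own frame lies at lower addresses, in the path of a descending overrun.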