Secure Coding mailing list archives

Compilers


From: gem at cigital.com (Gary McGraw)
Date: Thu, 21 Dec 2006 21:27:01 -0500

I have a better idea.  Stop using C++.  Jeeze.

gem



 -----Original Message-----
From:   Robert C. Seacord [mailto:rcs at cert.org]
Sent:   Thu Dec 21 20:40:35 2006
To:     McGovern, James F (HTSC, IT)
Cc:     Thomas Plum; Secure Coding
Subject:        Re: [SC-L] Compilers


James,

Response below.
> I have been noodling the problem space of secure coding after
> attending a wonderful class taught by Ken Van Wyk. I have been
> casually checking out Fortify, Ounce Labs, etc and have a thought that
> this stuff should really be part of the compiler and not a standalone
> product. Understanding that folks do start companies to make up
> deficiencies in what large vendors ignore, how far off base in my
> thinking am I?

Tom Plum (from Plum Hall, Inc.) is developing a solution called
Safe/Secure C/C++ (SSCC) that might interest you
(http://www.plumhall.com/sscc.html).  SSCC incorporates static-analysis
methods into the compiler as well as adding run-time protection schemes
to eliminate buffer overflows and to mitigate other types of
vulnerabilities.  (I know that the claim seems exaggerated, but the
approach seems quite sound and I have yet to identify a case that SSCC
cannot eliminate).

Anyway, there is more information on his web site and I have cc'd Tom on
this message in case you would like to contact him directly.

rCs
_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________



