![securecoding logo](/images/securecoding-logo.png)
Secure Coding mailing list archives
BSIMM: Confessions of a Software SecurityAlchemist(informIT)
From: steingra at gmail.com (Andy Steingruebl)
Date: Tue, 24 Mar 2009 11:50:03 -0700
On Mon, Mar 23, 2009 at 7:22 AM, Gary McGraw <gem at cigital.com> wrote:
hi guys, I think there is a bit of confusion here WRT "root" problems. In C, the main problem is not simply strings and string representation, but rather that the "sea of bits" can be recast to represent most anything. The technical term for the problem is the problem of type safety. C is not type safe.
Really? It isn't that the standard von Neumann architecture doesn't differentiate between data and code? We've gone over this ground before with stack-machines like the Burroughs B5500 series which were not susceptible to buffer overflows that changed control flow because code and data were truly distinct chunks of memory. Sure its a different programming/hardware model, but if you want to fix the root cause you'll have to go deeper than language choice right? You might have other tradeoffs but the core problem here isn't just type safety. Just like in the HTML example. The core problem is that the language/format mixes code and data with no way to differentiate between them. Or is my brain working too slowly today? -- Andy Steingruebl steingra at gmail.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20090324/9f5dd68c/attachment.html
Current thread:
- BSIMM: Confessions of a Software SecurityAlchemist(informIT), (continued)
- BSIMM: Confessions of a Software SecurityAlchemist(informIT) Gary McGraw (Mar 20)
- BSIMM: Confessions of a Software SecurityAlchemist(informIT) ljknews (Mar 21)
- BSIMM: Confessions of a Software SecurityAlchemist(informIT) Steven M. Christey (Mar 22)
- BSIMM: Confessions of a Software SecurityAlchemist(informIT) Gary McGraw (Mar 23)
- The Importance of Type Safety Brad Andrews (Mar 23)
- The Importance of Type Safety Carl Alphonce (Mar 23)
- The Importance of Type Safety AF (Mar 23)
- The Importance of Type Safety Brad Andrews (Mar 23)
- The Importance of Type Safety Jeremy Epstein (Mar 23)
- The Importance of Type Safety AF (Mar 26)
- BSIMM: Confessions of a Software SecurityAlchemist(informIT) Andy Steingruebl (Mar 24)
- BSIMM: Confessions of a Software SecurityAlchemist(informIT) Gary McGraw (Mar 25)
- BSIMM: Confessions of a Software SecurityAlchemist(informIT) Andy Steingruebl (Mar 25)
- BSIMM: Confessions of a Software SecurityAlchemist(informIT) ljknews (Mar 25)
- Message not available
- BSIMM: Confessions of a Software SecurityAlchemist(informIT) Andy Steingruebl (Mar 25)
- BSIMM: Confessions of a Software SecurityAlchemist(informIT) ljknews (Mar 25)
- BSIMM: Confessions of a Software Security Alchemist(informIT) Jim Manico (Mar 20)
- BSIMM: Confessions of a Software Security Alchemist(informIT) Gary McGraw (Mar 20)
- BSIMM: Confessions of a Software Security Alchemist (informIT) John Steven (Mar 20)
- BSIMM: Confessions of a Software Security Alchemist(informIT) Tom Brennan - OWASP (Mar 20)
- BSIMM: Confessions of a Software SecurityAlchemist(informIT) Jim Manico (Mar 21)