Bugtraq mailing list archives

Re: at the risk of another flamefest..


From: ebradley () andromeda rutgers edu (Eugene Bradley)
Date: Mon, 15 Jul 1996 19:09:52 -0400


-----BEGIN PGP SIGNED MESSAGE-----

on Jul 16, Peter Jeremy <jeremyp () gsms01 alcatel com au> writes:

# It might be worth noting that Richard W.M. Jones <rwmj () doc ic ac uk>
# has written some patches to gcc which add fine-grained bounds checking
# to C.  Sources are in: ftp://dse.doc.ic.ac.uk/pub/misc/bcc
# Additional information at:
#         http://www-dse.doc.ic.ac.uk/~rj3/bounds-checking.html
#         http://www-ala.doc.ic.ac.uk/~phjk/BoundsChecking.html
#
# Unfortunately, the resultant code is substantially slower and is therefore
# really only suitable for testing - this seems primarily due to the
# requirement for bounds-checked code to fully interwork with non bounds-
# checked code.

[deletia]

# I disagree.  Whilst perl at the script level hides array-bounds problems
# from the user, it is not a panacea.  Firstly, the interpreter itself is
# written in C - thus it is possible that the interpreter itself may suffer
# from an array-bounds problem.  Secondly, it is _very_ large (several times
# the size of sendmail) thus violating the KISS principle - which is
# particularly important for security tools.

If this is the case, couldn't Larry Wall et al. recompile
perl 5 using the above gcc patches?  Granted the newly-patched perl
interpreter would be a bit slower to compile code, but personally
I'd rather take the slowness than to have tons of array bounds problems
in my code.

If anything, if and when I release such code, I'd personally recommend
that code be tested on single-user workstations before being used
on multi-user networks.  This would avoid any load problems such code
could potentially present on such multi-user systems.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMerPpxskmjHS+zH1AQFt4QP9FDd3BCVHEndOxIbYPCkq2KTf0Ec00K2W
PjAgfCkxj5HTMCqBJIKvFRq+w7guCxFyxHntQN3qprO2WOPZp9orbd7NTLGZuIFu
+nZMh1gW2A8DdyEdjg7AxNStEmDJ+/ES9z7DFrOUukPuXEgqXS1cGBOgFYNSHKv9
e0/YMkpYk+Y=
=rIYH
-----END PGP SIGNATURE-----

--
              Eugene Bradley | finger me for my PGP public key
                       webmaster of misery.winter.org
    PGP Fingerprint = 55 70 DE 84 FE E1 3D 50  7F C2 88 22 30 8C 81 9E
   <a href="http://www.armory.com/~ebradley"> Eugene's W^3 Duckpond </a>


