RE: Buffer Overruns

[sean.kelly () lanston com]

On Saturday, December 18, 1999 5:45 PM, Vin McLellan 
<vin () shore net> wrote:

>         It there something in the emergence of a popular 
> Internet, or some
> other timely aspect in the industry's evolution, that has 
> brought to light
> the vulnerabilities associated with buffer overruns in 
recent years? 
>         Maybe some shift in program design or programming 
engineering
> practice?  What left so many of these vulnerabilities 
> unexposed and their
> risks unappreciated for so many years?

Buffer overruns are traditionally one of the most common programmer errors.
They're also one of the most common to slip through testing.  I think the
issue recently has been that they've been exposed as one of the first things
to try if you're going to try to break a system, and with the explosion of
hacking it's inevitable that the problems will be discovered.  It's also the
case that in the past few years companies have placed more emphasis on
shipping a product than shipping a priduct that works.  Programmers, on the
average, are probably less skilled than 5 or 10 years ago and they're
spending less time testing their code, because of deadlines.

I would think that as time goes on these issues will become less and less
common, because so much code is being done at a high-level now.  C is the
largest culprit for overruns, many other languages use dynamic data
structures to store things like strings which makes the likelihod of even
being able to write code with an overrun much smaller or entirely
impossible.


Sean