Secure Coding mailing list archives
Re: The right tool for the right job, quit beating on the C language
From: ljknews <ljknews () mac com>
Date: Mon, 15 Dec 2003 03:27:25 +0000
At 3:40 PM -0800 12/14/03, Dana Epp wrote:
>> Indeed, avoiding C* as a programming language seems the simplest defense.
> I do not believe we can use the argument to "avoid" any particular language, just because it is not as safe as some of the newer languages that obscure the complexity of the underlying system (which are typically written in C anyways).
I don't think "newer" or "older" are relevant to any tool decisions, but entering into a discussion of "secure coding" and refusing to admit that tool choice might be a factor is really putting on blinders.
> As someone who writes a lot of kernelmode code, I HAVE to write in C and ASM. You are not going to see ring0 level code being written in Java or C# anytime soon. You have to use the right tool for the right job.
The fact that one language has problems is not ameliorated by the fact that other languages have problems, particularly not languages proposed as strawmen (Java and C# above). Certainly PL/I has successfully been used in highly secure Ring0/Kernelmode code, and I believe Ada has as well.
> What is the C language downfall is also its best strength. It is a double edged sword that really SHOULD be mastered,
There is no reason it _should_ be mastered unless it has been chosen as the best language for a particular project. If there are programmers who do not know how to program Ada, there is no reason there should not be programmers who do not know how to program in C. The same goes for Java and Jovial (to cover the "J's" :-).