Secure Coding mailing list archives

Re: Secure coding education


From: jnf <jnf () datakill org>
Date: Fri, 09 Apr 2004 21:45:22 +0100

I can completely agree, and I think this is a two-sided sword, kinda. This is 
one of my major problems with languages like C#, and to a lesser extent 
Java and the like, where the programmer needs to know nothing or next to 
nothing about memory management. I see that as a flaw because, well, 
simply put, as programmers I think you should have a concept of such things 
and then work in languages where it isn't necessary to understand the lower 
levels. Also, a few years back as a freshman CSE student I gave a 
presentation to the local LUG which included mostly upper-class CS{,E} 
students and professors. My presentation was over secure programming and 
mostly covered stack/heap based overflows and then some race conditions 
and format strings, focused mostly on C, but also including what exactly 
happened in the lower levels such as assembly, and some higher level 
languages like Perl and PHP, and it literally blew their minds. They 
really had no idea what exactly happened on a lot of things, and it 
surprised me that even though many of them had taken assembly classes, 
they had little to no idea how the 'ret' instruction worked, and how it 
was abused in your most basic stack based overflow; a malloc()/free() 
based overflow took me quite some time to explain.

Really I think the perfect place for such a class would be just before the 
OS design type classes.

j


-- 

It is only the great men who are truly obscene.  If they had not dared to 
be obscene, they could never have dared to be great.
                -- Havelock Ellis