Secure Coding mailing list archives

Managed Code and Runtime Environments - Another layer of added security?

From: mouse at Rodents.Montreal.QC.CA (der Mouse)
Date: Wed, 29 Mar 2006 17:19:22 -0500 (EST)

Multics code was not immune to buffer overflows, but in most cases
the effect was blunted because the out-of-range index values could
only affect data beyond the current activation record--in contrast
with most linear addressing systems where an overflow is almost
always able to reach important values like the return address.


This is only because the libraries used store later characters in a
string at higher addresses (as compared to earlier characters).  If the
string libraries stored strings the other way around (with the earlier
characters at the higher addresses), downward-growing stacks would have
exactly this kind of buffer overrun protection.

Hmm, I wonder if there's something useful lurking there.

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse at rodents.montreal.qc.ca
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

Current thread:

Managed Code and Runtime Environments - Another layer of added security? Peter G. Neumann (Mar 29)
- Managed Code and Runtime Environments - Another layer of added security? der Mouse (Mar 29)
- Managed Code and Runtime Environments - Another layer of added security? Olin Sibert (Mar 29)
  - Managed Code and Runtime Environments - Another layer of added security? der Mouse (Mar 29)
  - Managed Code and Runtime Environments - Another layer of added security? Steven M. Bellovin (Mar 30)