Secure Coding mailing list archives
bumper sticker slogan for secure software
From: fw at deneb.enyo.de (Florian Weimer)
Date: Thu, 20 Jul 2006 21:11:29 +0200
* Pascal Meunier:
> Also, writing it twice with different languages, especially at different levels of abstraction, makes it less likely that the same bugs will appear in both.
Algorithmic issues such as denial of service attacks through unbalanced binary trees or hash table collisions are pretty independent of the programming language and have been observed in many incarnations.

If you implement the same protocol, it's likely that you end up with similar bugs. The DNS compression loop bug was reinvented many times. The fundamental mismatch in OpenPGP between key certification (key plus user ID) and key usage (just the key alone) affected many independently developed implementations. Chrome spoofing is ubiquitous in web browsers. Most things in this list are implemented in C or C++, but the problems are at such a high level that it's unlikely that a different choice of a wildly different programming language would make a huge difference.

If you look at lower-level bugs, such as buffer overflows, I hope that nobody still thinks that multiple code versions help -- just look at the long list (even after discounting direct code copies) of botched ASN.1 decoders.

Some protocols are extremely hard to implement correctly, I'm afraid. (And not all protocols are unnecessarily complex.)
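
As an added illustration of the DNS compression loop bug mentioned in the message above (not part of the original post and not taken from any DNS implementation): a name decoder that follows RFC 1035 compression pointers and terminates on hostile input by requiring every pointer to target a strictly lower offset. The function names and the sample messages are constructed for this example.

```python
"""Added example: DNS name decoding with a compression-pointer loop guard."""
MAX_NAME_LEN = 255  # RFC 1035 limit on the encoded length of a name

class DNSNameError(ValueError):
    pass

def read_name(msg: bytes, offset: int):
    """Decode the name at offset; return (name, offset of the next field)."""
    labels, total = [], 1      # total counts the terminating zero byte
    end = None                 # where parsing resumes after the first pointer
    limit = offset             # every pointer must target below this offset
    pos = offset
    while True:
        if pos >= len(msg):
            raise DNSNameError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:              # compression pointer
            if pos + 1 >= len(msg):
                raise DNSNameError("truncated pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if target >= limit:                # forward or self reference
                raise DNSNameError("pointer does not point backwards")
            if end is None:
                end = pos + 2
            limit = pos = target               # limit only shrinks, so this ends
            continue
        if length & 0xC0:
            raise DNSNameError("reserved label type")
        if length == 0:
            return (".".join(labels) or "."), (end if end is not None else pos + 1)
        total += length + 1
        if total > MAX_NAME_LEN or pos + 1 + length > len(msg):
            raise DNSNameError("name too long or label truncated")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length

def rejects(msg: bytes, offset: int) -> bool:
    try:
        read_name(msg, offset)
    except DNSNameError:
        return True
    return False

# Constructed sample messages: a zeroed 12-byte header, then name data.
HEADER = bytes(12)
GOOD = HEADER + b"\x07example\x03com\x00" + b"\x03www\xc0\x0c"
SELF_LOOP = HEADER + b"\xc0\x0c"          # pointer at 12 targets 12
TWO_LOOP = HEADER + b"\xc0\x0e\xc0\x0c"   # 12 -> 14 -> 12
OWN_LABEL = HEADER + b"\x03www\xc0\x0c"   # pointer back to the name's own start
```

A decoder without the `target >= limit` check spins forever on the last three messages regardless of the language it is written in, which is the language independence the message describes.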