Secure Coding mailing list archives
Compilers
From: rcs at cert.org (Robert C. Seacord)
Date: Thu, 21 Dec 2006 13:57:28 -0500
James, Response below.
I have been noodling the problem space of secure coding after attending a wonderful class taught by Ken Van Wyk. I have been casually checking out Fortify, Ounce Labs, etc and have a thought that this stuff should really be part of the compiler and not a standalone product. Understanding that folks do start companies to make up deficiencies in what large vendors ignore, how far off base in my thinking am I?
Tom Plum (from Plum Hall, Inc.) is developing a solution called Safe/Secure C/C++ (SSCC) that might interest you (http://www.plumhall.com/sscc.html). SSCC incorporates static-analysis methods into the compiler as well adding as run-time protections schemes to eliminate buffer overflows as well as mitigate against other types of vulnerabilities. (I know that the claim seems exaggerated, but the approach seems quite sound and I have yet to identify a case that SSCC can not eliminate). Anyway, there is more information on his web site and I have cc'd Tom on this message in case you would like to contact him directly. rCs
Current thread:
- Compilers, (continued)