Secure Coding mailing list archives

Compilers


From: rcs at cert.org (Robert C. Seacord)
Date: Thu, 21 Dec 2006 13:57:28 -0500


James,

Response below.
> I have been noodling the problem space of secure coding after
> attending a wonderful class taught by Ken Van Wyk. I have been
> casually checking out Fortify, Ounce Labs, etc. and have a thought that
> this stuff should really be part of the compiler and not a standalone
> product. Understanding that folks do start companies to make up
> deficiencies in what large vendors ignore, how far off base in my
> thinking am I?

Tom Plum (from Plum Hall, Inc.) is developing a solution called
Safe/Secure C/C++ (SSCC) that might interest you
(http://www.plumhall.com/sscc.html).  SSCC incorporates static-analysis
methods into the compiler as well as adding run-time protection schemes
to eliminate buffer overflows as well as mitigate against other types of
vulnerabilities.  (I know that the claim seems exaggerated, but the
approach seems quite sound and I have yet to identify a case that SSCC
cannot eliminate).

Anyway, there is more information on his web site and I have cc'd Tom on
this message in case you would like to contact him directly.

rCs

