Vulnerability Development mailing list archives

Re: BitchX /ignore bug


From: Erich.Meier () INFORMATIK UNI-ERLANGEN DE (Erich Meier)
Date: Tue, 11 Jul 2000 17:40:11 +0200


Cornell's undergraduate CS courses are taught in java. This is a growing
trend in academia.  There is never any focus on secure code.  In fact,
there is never any emphasis on code at all-- to avoid any accusations of
technical instruction, Cornell leaves all programming study to the
student on their own time. This could be why the Masters are not passing
on this instructional wisdom-- they're not present when the student is
learning. We all know that classes are too large for code to be examined
in detail.  Even in the 500-level security course (which I thought was
very well taught if my prof is listening in =) there was no emphasis on
the code itself, but on the underlying protocols and concepts. Again, it
was taught in java.  A thorough examination of what constitutes a stack
overflow exploit in C, and writing secure code in general, are concepts
that might best be taught to beginning programmers by the security /
programming community itself, by making instructional docs available
online (if they aren't now), because they're not going to show up on an
academic curriculum any time soon.  You've got to take care of your own.

Our "System Programming" course which involves practical system-level
programming uses the C language. Other courses use Java, but most of the
system-level apps are still written in C.

We explicitly focus on secure programming (banning gets(), sprintf(), strcpy()
and friends) and show how a buffer overflow works in theory and in practice
(I hack an insecure workstation live during the lecture).

This impresses students a lot (together with the fact that they get bad marks
when programming overflowable applications in their assignments :-).

I thought this would be normal in other universities as well.

Erich

--
Erich Meier                              Erich.Meier () informatik uni-erlangen de
                                 http://www4.informatik.uni-erlangen.de/~meier/
 "People are starving to death in this world and somebody had time for this..."
                                      http://webpages.mr.net/bobz/ttyquake/
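As an added example (not code from this thread or from the course Erich describes), here are bounded replacements for the three functions the reply says are banned, gets(), sprintf() and strcpy(), each returning a status the caller must check for truncation; the function names and the sample input are hypothetical/constructed, and read_line() assumes a POSIX fmemopen() is available for the in-memory test stream.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Bounded replacement for strcpy(): always NUL-terminates dst.
 * Returns 0 when src fit, -1 when it was truncated (caller must check). */
int safe_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return -1;
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Replacement for sprintf(): snprintf() never writes past dstsz, and its
 * return value says whether the full string would have overflowed. */
int format_greeting(char *dst, size_t dstsz, const char *name)
{
    int needed = snprintf(dst, dstsz, "Hello, %s!", name);
    return (needed < 0 || (size_t)needed >= dstsz) ? -1 : 0;
}

/* Replacement for gets(): fgets() stops at the buffer limit. If no newline
 * was read, the line was too long; drain the rest so the next read is sane.
 * Returns the line length, -1 on truncation, -2 on EOF with no data. */
int read_line(char *buf, size_t sz, FILE *in)
{
    if (!fgets(buf, (int)sz, in))
        return -2;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return (int)(len - 1);
    }
    if (feof(in))
        return (int)len;         /* last line without a newline: fine */
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                        /* discard the overlong remainder */
    return -1;
}
```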
