Vulnerability Development mailing list archives

Re: C versus other languages, round 538 or so (Re: CGI scripts in sh)


From: Jonathan James <Jonathan () SECURITO SE>
Date: Mon, 25 Sep 2000 09:25:50 +0200

Erm. Yes, in theory. But they still make mistakes in C. Or do you think
Linux, BSD, Windows, Solaris etc etc programmers are idiots? C is too
dangerous and many faults are made at implementation level. C does require
more security audits than other languages, IMHO.

One is not an idiot because one makes a mistake. Although one should not
release software that is not thoroughly tested for unexpected input and
buffer overflow errors.
C does not require more security audits than other languages do if the
people who use the language are educated enough and know about the side
effects of certain functions and operations. You can't really compare C and
Perl; Perl is a High Level Language while C would be categorized as a more
Low Level Language.

Also, I fail to see how most buffer overflows could be a design fault,
perhaps you use the word in another sense than the one they've taught in
the design courses I've taken.

Software Design in Swedish would be called "Mjukvaruteknisk Planering". The
purpose of planning your software architecture is to prevent the birth of
security holes that are caused by insufficient software planning.

As compared to "you don't know if there is any flaw in the compiler or
libraries your C program uses"? The dependency problem is not really
script specific.
A compiler does not change your software design while a "third party"
executor might, and you would be a fool to use untrusted and not fully
tested libraries.

Jonathan James
http://www.securito.se

