Is OpenSSH the new Microsoft?
Kevin D. Clark
kclark at CetaceanNetworks.com
Fri Sep 19 12:12:28 EDT 2003
sconce at in-spec-inc.com (Bill Sconce) writes:
> There are very few ways to get buffer overflows.
> 1. Use assembly language.
> 2. Use C.
Obviously, in many circles, "C" is referred to as "high-level assembly
language"...
> What's depressing is that we keep doing the same thing over
> again ("we'll still use C, but we'll be really careful this
> time, or we'll use Purify, or...") and expecting a different
> result. I've read that this is one definition of insanity.
If somebody were to wave a magic wand and magically add bounds
checking to all C implementations, I'd still feel more comfortable if
people were to attack these problems by adjusting their development
and testing methodologies.
> Writing correct, secure software isn't easy. Writing software
> which doesn't overrun buffers IS easy.
I wouldn't say that the latter case is easy either. Writing such code
requires a lot of attention to detail.
Regards,
--kevin
--
If you want to program in C, program in C. It's a nice language. I use
it occasionally... :-)
--Larry Wall in <7577 at jpl-devvax.JPL.NASA.GOV>
More information about the gnhlug-discuss
mailing list