Is OpenSSH the new Microsoft?

Kevin D. Clark kclark at CetaceanNetworks.com
Fri Sep 19 12:12:28 EDT 2003


sconce at in-spec-inc.com (Bill Sconce) writes:

> There are very few ways to get buffer overflows.
> 1.  Use assembly language.
> 2.  Use C.

Obviously, in many circles, "C" is referred to as "high-level assembly
language"...

> What's depressing is that we keep doing the same thing over
> again ("we'll still use C, but we'll be really careful this
> time, or we'll use Purify, or...") and expecting a different
> result.  I've read that this is one definition of insanity.

If somebody were to wave a magic wand and magically add bounds
checking to all C implementations, I'd still feel more comfortable if
people were to attack these problems by adjusting their development
and testing methodologies.

> Writing correct, secure software isn't easy.  Writing software
> which doesn't overrun buffers IS easy.

I wouldn't say that the latter case is easy either.  Writing such code
requires a lot of attention to detail.

Regards,

--kevin
-- 
If you want to program in C, program in C. It's a nice language. I use
it occasionally... :-)
 --Larry Wall in <7577 at jpl-devvax.JPL.NASA.GOV>



