lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20030813230629.C77480-100000@dekadens.ghettot.org>
Date: Wed, 13 Aug 2003 23:26:01 +0200 (CEST)
From: Michal Zalewski <lcamtuf@...edump.cx>
To: weigelt@...ux.de
Subject: Re: Buffer overflow prevention


On Wed, 13 Aug 2003 weigelt@...ux.de wrote:

> Some languages offer runtime range checking, which should bring much
> security, but often is really slow :(

In the times of Java and XML used for almost everything, it's not like we
strive for every single CPU cycle nowadays in common applications and are
willing to sacrifice everything else for that. There are exceptions,
particularly in the multimedia domain, but codecs and drivers aren't a
common attack vector anyway, so we don't need range checking there that
badly. For other code, extra CMPL or so is really not that expensive.

The reason why most programmers don't use neat languages with strong
typing, range control, exception handling, pointers kept away from the
programmer, etc - unless they have to, of course - is quite different...
in fascist and easily readable languages, you feel being controlled, not
in control. We prefer to be in control to being instructed by an overly
picky machine, even if we evidently can't handle the situation in a
competent manner.

Plus, the point when code compiles and "just works" is further away,
because you need to resolve issues you wouldn't be aware of in C.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-08-13 23:06 --



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ