Open Source and information security mailing list archives
 
Message-ID: <002001c39d0e$3c238690$6101a8c0@fosi>
From: steve.wray at paradise.net.nz (Steve Wray)
Subject: Coding securely, was Linux (in)security

Sure, they could possibly find other ways to write insecure code,
but the issue is not whether it's possible; of course it's possible.

The issue is the relative difficulty of writing insecure code.

In C, to write secure code, one might have to re-implement a huge array
of data types and so forth.
(as was mentioned in the previous post;
"You then need to invent your own data types as you just did with your
subroutine, which still risks a buffer overflow because strlen itself
still looks for the null byte at end of string and so can overflow
its internal counters.")

Is it beyond all possibility that there exist languages in which
the very reverse is true? i.e. languages in which one would have to
reimplement data types and so forth in order to be able to write
insecure code?

Can there exist such a language?? I reckon so.

[huge snip losing all attributions and context]
> So which makes more sense to you?  To convert the world's
> programmers to a new language?  Or to teach them to code securely?
> Surely, if we were to replace C today, they would just find other
> ways to write insecure code?
[snipped out all the rest]

