|
|
BugTraq
Buffer overflow prevention Aug 13 2003 10:28AM Eygene A. Ryabinkin (rea rea mbslab kiae ru) (7 replies) Re: Buffer overflow prevention Aug 13 2003 07:28PM Michal Zalewski (lcamtuf coredump cx) (1 replies) Re: Buffer overflow prevention Aug 13 2003 07:13PM Nicholas Weaver (nweaver CS berkeley edu) (1 replies) Re: Buffer overflow prevention Aug 13 2003 06:26PM Jonathan A. Zdziarski (jonathan networkdweebs com) (1 replies) Re: Buffer overflow prevention Aug 13 2003 06:20PM Patrick Dolan (dolan cc admin unt edu) (2 replies) |
|
Privacy Statement |
> Some languages offer runtime range checking, which should bring much
> security, but often is really slow :(
In the times of Java and XML used for almost everything, it's not like we
strive for every single CPU cycle nowadays in common applications and are
willing to sacrifice everything else for that. There are exceptions,
particularly in the multimedia domain, but codecs and drivers aren't a
common attack vector anyway, so we don't need range checking there that
badly. For other code, extra CMPL or so is really not that expensive.
The reason why most programmers don't use neat languages with strong
typing, range control, exception handling, pointers kept away from the
programmer, etc - unless they have to, of course - is quite different...
in fascist and easily readable languages, you feel being controlled, not
in control. We prefer to be in control to being instructed by an overly
picky machine, even if we evidently can't handle the situation in a
competent manner.
Plus, the point when code compiles and "just works" is further away,
because you need to resolve issues you wouldn't be aware of in C.
--
------------------------- bash$ :(){ :|:&};: --
Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--------------------------- 2003-08-13 23:06 --
[ reply ]