Re: Privilege-escalation attacks on NT-based Windows are unfixable

From: Edward Elliott (nobody@
Date: 08/27/02

From: Edward Elliott <nobody@>
Date: Mon, 26 Aug 2002 23:30:29 GMT

David Wagner wrote:
> Edward Elliott wrote:
>>I'm glad you agree we should at
>>least do something more than chastise application programmers.
> Absolutely! For instance, we should insist on better languages
> and libraries.

Another good tactic. I see two ways to go about this. One is to design
new languages and libraries with security in mind. This problem with
this approach is convincing even a small fraction of the programming
community to use the new language or library over what's standard.

The other approach is to work from within. All the major languages out
there have committees that determine the standards. Most (if not all)
of these committees take input from the user community in one form or
another. A well-respected group of security experts that evaluates
current language/library features as well as extensions should carry a
lot of weight with the committee. Yet I've never heard of anyone even
trying this tactic within say the C++ community. Is this merely a
consequence of my own ignorance, or are there really no concerted
security efforts working with the major language committees?

Edward Elliott