Re: Privilege-escalation attacks on NT-based Windows are unfixable

From: Edward Elliott (nobody@
Date: 08/27/02

From: Edward Elliott <nobody@>
Date: Mon, 26 Aug 2002 23:30:29 GMT

David Wagner wrote:
> Edward Elliott wrote:
>>I'm glad you agree we should at
>>least do something more than chastise application programmers.
> Absolutely! For instance, we should insist on better languages
> and libraries.

Another good tactic. I see two ways to go about this. One is to design
new languages and libraries with security in mind. The problem with
this approach is convincing even a small fraction of the programming
community to use the new language or library over what's standard.

The other approach is to work from within. All the major languages out
there have committees that determine the standards. Most (if not all)
of these committees take input from the user community in one form or
another. A well-respected group of security experts that evaluates
current language/library features as well as extensions should carry a
lot of weight with the committee. Yet I've never heard of anyone even
trying this tactic within, say, the C++ community. Is this merely a
consequence of my own ignorance, or are there really no concerted
security efforts working with the major language committees?

Edward Elliott
