Re: "Perfect" or "Provable" security both crypto and non-crypto?

From: Valery Pryamikov (Valery_at_nospam.harper.no)
Date: 09/18/04


Date: Sat, 18 Sep 2004 01:21:07 +0200


"David Wagner" <daw@taverner.cs.berkeley.edu> wrote in message
news:cifofo$99e$1@agate.berkeley.edu...
> Valery Pryamikov wrote:
>>It's quite off topic for this group, but when it concerns modern
>>programming languages and managed execution environments (like Java, .Net or
>>some others), then you are totally wrong.
>
> I think you missed Roger's point. Re-read his post.
>
> If I allocate a 16-byte array, whose first 8 bytes are intended to be
> used for a username and last 8 bytes for a flag indicating whether the
> user has been authenticated, then a too-long username (say, 16 bytes
> long) combined with lack of extra checks in the program source code
> could lead to a security compromise. This is true even in a type-safe
> and bounds-checked language like Java.

Oops, you were talking about a buggy program that puts data in a blob instead
of separate fields... In that case the runtime only ensures that no data would
be written outside the blob. (Sorry for my previous post.)

-Valery.
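
Added example, not part of the original posts: the 16-byte record from the quoted text, written in Java to show that the runtime's bounds check protects the array but not the field boundary inside it. The class and method names, and the convention that any non-zero byte in the last 8 bytes means "authenticated", are assumptions made for this illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Illustration only. Assumed layout: bytes 0..7 username, bytes 8..15 flag.
public class BlobRecord {
    static final int NAME_LEN = 8;
    static final int SIZE = 16;

    // Buggy: relies on the array bounds check to protect the flag field.
    static void setNameUnchecked(byte[] rec, String name) {
        byte[] raw = name.getBytes(StandardCharsets.US_ASCII);
        // The JVM throws only if raw.length > rec.length (16), not if > 8.
        System.arraycopy(raw, 0, rec, 0, raw.length);
    }

    // Fixed: the program enforces the logical field boundary itself.
    static void setNameChecked(byte[] rec, String name) {
        byte[] raw = name.getBytes(StandardCharsets.US_ASCII);
        if (raw.length > NAME_LEN) {
            throw new IllegalArgumentException("username longer than " + NAME_LEN + " bytes");
        }
        Arrays.fill(rec, 0, NAME_LEN, (byte) 0);
        System.arraycopy(raw, 0, rec, 0, raw.length);
    }

    // Assumed convention: any non-zero byte in bytes 8..15 means authenticated.
    static boolean isAuthenticated(byte[] rec) {
        for (int i = NAME_LEN; i < SIZE; i++) {
            if (rec[i] != 0) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        byte[] rec = new byte[SIZE];                 // flag bytes start as zero
        setNameUnchecked(rec, "A".repeat(16));       // constructed 16-byte name
        System.out.println("unchecked, 16 bytes: authenticated=" + isAuthenticated(rec));

        try {                                        // 17 bytes leaves the blob
            setNameUnchecked(new byte[SIZE], "A".repeat(17));
        } catch (IndexOutOfBoundsException e) {
            System.out.println("unchecked, 17 bytes: runtime refused the write");
        }

        byte[] rec2 = new byte[SIZE];
        try {
            setNameChecked(rec2, "A".repeat(16));
        } catch (IllegalArgumentException e) {
            System.out.println("checked, 16 bytes: rejected, authenticated=" + isAuthenticated(rec2));
        }
    }
}
```

Holding the username and the flag in separate typed fields instead of one byte array removes the shared boundary altogether.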

