Re: Public disclosure of discovered vulnerabilities
From: David Wagner (daw_at_taverner.cs.berkeley.edu)
Date: 06/07/05
- Previous message: David Wagner: "Re: Public disclosure of discovered vulnerabilities"
- In reply to: Douglas A. Gwyn: "Re: Public disclosure of discovered vulnerabilities"
- Next in thread: Hank Oredson: "Re: Public disclosure of discovered vulnerabilities"
Date: Tue, 7 Jun 2005 09:22:06 +0000 (UTC)

Douglas A. Gwyn wrote:
>Since there is ample evidence that "safe"
>programs can be (routinely) produced *even when the
>PL is completely "unsafe"*, the actual problem must
>not involve the PL at all, but must lie elsewhere.

1) It is *possible* to build a safe program in C.

2) In many cases, it is harder to build a safe program in C than
in other languages. For many programmers, using the C language
and libraries reduces the odds that the program will be secure.

3) Given that, the problem involves (at least partially) people who
choose the wrong tool for the job -- who choose C even though some
other language would be more appropriate. The problem involves (at
least partially) using C in places where C is not the best choice.

Is C always inappropriate for security programming? No, not always.
But often there are better choices.