Re: X68-64 buffer overflow exploits and the borrowed code chunks exploitation technique

From: Anne & Lynn Wheeler (lynn_at_garlic.com)
Date: 10/08/05


Date: Fri, 07 Oct 2005 16:15:27 -0600

tomstdenis@gmail.com writes:
> Such a language exists?
>
> Tom

note that this periodically gets repeated ... some collected posts
from a year ago ... and prior years
http://www.garlic.com/~lynn/subpubkey.html#overflow

however there are languages and environments where the frequency of
such things happening are drastically smaller (possibly two orders of
magnitude smaller) for this class of mistakes.

i was involved in a tcp/ip stack implementation in the 80s that was
done in pascal ... and was not known to have any of the overflow
vulnerabilities that seem to be so common. in part, because a lot of
the buffer-to-buffer type operations didn't depend on the programmer
having to manage the bounds of the target ... it was built into the
operations. as a result, there were significantly fewer situations
where the opportunity for making target length related mistakes.

I've also been involved in purely assembler-based implementations
where the underlying environmental bounds semantics existing for all
buffers ... and it was standard programming convention to always
utilize the target bounds/lengths.

In one case, the target bounds/lengths were built into the programming
language ... and in the assembler case, the related environment
(libraries, standard system features, etc) established programming
convention that encouraged the use of bounds paradigm on all
operations. In both situations, while the environment didn't
absolutely prevent bounds violations ... the frequency of bounds
violations were something like two-orders of magnitude less.

-- 
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/


Relevant Pages

  • Re: FORTH levels
    ... case a particular programming language is good enough for the job. ... the computing environment has changed, ... but Unix gaining popularity over ...
    (comp.lang.forth)
  • Re: introduction to programming
    ... Let's get back the topic of JS as an introductory language for programming. ... programming is the lack of control over the environment in which it is ... The whole topic is whether JS is a good language to teach the basics of programming or not, ... Perhaps you should endeavor to understand why ECMAScript is even still in the FAQ based on my personal beliefs and why my personal beliefs do not get in the way of how and why I edit the FAQ. ...
    (comp.lang.javascript)
  • Re: FORTH levels
    ... case a particular programming language is good enough for the job. ... the computing environment has changed, ... Ask them if they really want it "UNIX way". ...
    (comp.lang.forth)
  • Re: General question to other developers...
    ... like Generics and now Linq and anonymous types ... Frankly, I think that someone first getting into programming, especially at a young age, should probably not even start out with an OOP language. ... properly managed I think one could use a VB-based environment to introduce someone to programming. ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: object system...
    ... for that you need machine language. ... isn't even as fast as other systems programming languages. ... Stroustrup's stated design goal was to enable ... all manner of elegance or abstraction can be sacrificed for speed, ...
    (comp.object)