If I remember rightly Pascal does bounds checking. Pascal was one of the languages I did at college - and the highest-level one. A bit of a shock to me to discover - in an IBM Systems Engineer training homework assignment - that COBOL didn't. (This was in 1986.) The result was me stomping over the code by assigning values to array elements using only slightly excessive subscript values. :-) I think I learnt something from that. :-)
I mention this because the bounds checking in Pascal is probably what prevented buffer overrun issues (and nowadays with C etc actual exploits).

Cheers, Martin

Martin Packer,
zChampion, Principal Systems Investigator,
Worldwide Banking Center of Excellence, IBM

+44-7802-245-584
email: martin_pac...@uk.ibm.com
Twitter / Facebook IDs: MartinPacker
Blog: https://www.ibm.com/developerworks/mydeveloperworks/blogs/MartinPacker

From: Anne & Lynn Wheeler <l...@garlic.com>
To: IBM-MAIN@listserv.ua.edu,
Date: 01/16/2013 05:14 PM
Subject: Re: Java Security?
Sent by: IBM Mainframe Discussion List <IBM-MAIN@listserv.ua.edu>

re:
http://www.garlic.com/~lynn/2013.html#27 Java Security?

for a long time the majority of exploits used buffer length related vulnerabilities that have been epidemic in C-language implemented applications & systems.

Note that the previously mentioned mainframe Pascal was eventually released as product and was used to implement IBM's original mainframe tcp/ip product. There were some performance issues with the base product ... however there was *never* any buffer length related vulnerabilities.

As to the performance issues, I did the changes to support RFC1044 and in some tests at cray research between cray and 4341 got channel speed sustained throughput using only modest amount of 4341 processor time (aka possibly a factor of 500 times improvement in bytes moved per instruction executed over the base product).

I then had to do both detailed failure mode and detailed vulnerability analysis when we were doing IBM's ha/cmp product ... some past posts
http://www.garlic.com/~lynn/subtopic.html#hacmp

C-language related buffer length problems continued to be the major source of exploits up through the late 90s. By 2004 that had shifted to approx. 1/3rd buffer length, 1/3rd client-side downloaded executable code, and 1/3rd social engineering. I did some work on the mitre exploit database trying to further work on my merged security taxonomy & glossary ...
post attempting to characterize all exploits:
http://wwwg.garlic.com/~lynn/2004e.html#43 security taxonomy and CVE

part of the issue was (at the time) exploit reports were free text ... I talked to mitre about possibly introducing a little more structure and categories ... but they said that it was hard enough to get the reports as free text w/o trying to enforce structure.

lots of past posts pontificating about the buffer length vulnerability issue
http://www.garlic.com/~lynn/subintegrity.html#buffer

trivia ... relationship between ha/cmp, supercomputers and electronic commerce ... old reference to early jan92 meeting in ellison's conference room on ha/cmp cluster scaleup
http://www.garlic.com/~lynn/95.html#13

at the end of jan, the scaleup work was transferred and a couple weeks later announced as supercomputer (and we were told we couldn't work on anything with more than four processors). this contributed to our decision to leave.

not long later, two of the other people in the ellison meeting also leave and show up at a small client/server start responsible for something called the "commerce server". as mentioned in previous post, we are brought in as consultants because they want to do payment transactions on their server.

--
virtualization experience starting Jan1968, online at home since Mar1970

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number 741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU