>> [...] the majority of computer security holes are buffer overruns.
>> These would be minor irritations but for the world's addiction to
>> the weakly typed programming languages C and its derivative C++.

Well, actually, but for the world's addiction to sloppy coding.

It's entirely possible to avoid buffer overflows in C; it just requires
a little care in coding.  C's major failing in this regard - and I
don't actually consider it all that major - is that it doesn't provide
any tools to help.  It assumes that you the programmer know what you're
doing, and the mismatch between that and the common reality is where
the problem actually comes from.

All that a "better" language will bring you in this regard is that it
will (a) push the sloppiness into places the compiler can't check and
(b) change the ways things break when confronted with input beyond the
design underlying their code.

Now, admittedly, (b) may be worth doing, other things being equal
(which of course they never really are).  But the basic problem is
sloppy code, not the language in which it's written.  (Well, most of
it.  People do make mistakes - but while some buffer overflows are due
to someone trying to do it right and making a mistake, most of them
come from not even trying.  Limit it to exploitable overflows and the
proportion is even higher.)

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               [EMAIL PROTECTED]
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

Reply via email to