On Thu, 7 May 2009, ljknews wrote:

> At 5:49 PM -0500 5/6/09, Brad Andrews wrote:
>
> > Try a few of the PC-Lint bugs, if you ever wrote C/C++ code.
> > They can be really hard to figure out,
>
> And yet people keep choosing those programming languages.
Yeah. Like the developers of the compilers/interpreters for Java, Perl, PHP, Ruby, Python, and probably whatever else the kids are raving about these days. ;-) And of course these languages never use C/C++ libraries. I imagine that at some point, even things like Ada boil down to some assembly code somewhere.

More seriously, at one point or another you're building on top of something else that's insecure, and while that might mostly remove you from the bugs that occur at the lower level, all it really means is the vulnerabilities shift to a higher level and are much more powerful. C programmers would rarely bother to take untrusted input, insert it into a program, compile the program, and execute that program. But PHP programmers like to do that all the time by implementing config files as PHP programs and inserting untrusted data into them. Or how about all those web worms compromising gazillions of LAMP installations because of PHP's little remote file inclusion feature?

I'm not saying that later-generation languages don't have important features that are useful for security, but I personally wouldn't want to implement some real-time high-throughput packet analyzer in Java, nor would I want to implement a blogging system in C. Compiler features like canary-based protection are making significant improvements for C-based security, just like Java performance is improving.

Can't wait for the flames.

- Steve

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
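The "config file that is itself a PHP program" pattern Steve describes above, shown as an added example that is not part of the thread: the first writer interpolates an untrusted value straight into PHP source, so any value that can close the string literal is parsed as code when the file is later included; the second lets var_export() produce a properly quoted PHP literal and validates the shape of what comes back; the third keeps configuration as data (JSON) rather than code. The function names, file path and the sample site name are constructed for this example.

```php
<?php
// Added example (not from the SC-L thread). Demonstrates why embedding
// untrusted data in a config file that PHP executes is risky, and two
// ways to keep the data from ever being parsed as code.

// Constructed untrusted input. The single quote is deliberate: with the
// unsafe writer it terminates the string literal in the generated source.
$untrustedSiteName = "O'Reilly's Blog";

// Vulnerable pattern (for comparison only; not called below): the value
// lands inside PHP source with no escaping, so it is code, not data.
function writeConfigUnsafe(string $path, string $siteName): void {
    $source = "<?php\n\$config['site_name'] = '$siteName';\n";
    file_put_contents($source === '' ? $path : $path, $source, LOCK_EX);
}

// Safer pattern for a PHP-format config: var_export() emits a valid PHP
// string literal with quotes and backslashes escaped, so the value can
// only ever be read back as a string, never as statements.
function writeConfigSafe(string $path, string $siteName): void {
    $literal = var_export($siteName, true);
    $source  = "<?php\nreturn ['site_name' => $literal];\n";
    file_put_contents($path, $source, LOCK_EX);
}

// Return-style config keeps the loaded data out of globals and lets the
// caller validate its shape before trusting it.
function loadConfig(string $path): array {
    $config = include $path;
    if (!is_array($config)
        || !isset($config['site_name'])
        || !is_string($config['site_name'])) {
        throw new RuntimeException("config file {$path} has unexpected shape");
    }
    return $config;
}

// Better still: store configuration as data, not as a program. JSON has
// no execution semantics, so an injected quote can at worst break parsing.
function writeConfigJson(string $path, array $config): void {
    $json = json_encode($config, JSON_THROW_ON_ERROR | JSON_PRETTY_PRINT);
    file_put_contents($path, $json, LOCK_EX);
}

function loadConfigJson(string $path): array {
    $raw = file_get_contents($path);
    return json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
}

// Usage: round-trip the awkward value through both safe writers.
$phpPath  = sys_get_temp_dir() . '/config_example.php';
$jsonPath = sys_get_temp_dir() . '/config_example.json';

writeConfigSafe($phpPath, $untrustedSiteName);
$fromPhp = loadConfig($phpPath);

writeConfigJson($jsonPath, ['site_name' => $untrustedSiteName]);
$fromJson = loadConfigJson($jsonPath);

var_dump($fromPhp['site_name'] === $untrustedSiteName);
var_dump($fromJson['site_name'] === $untrustedSiteName);
```

The unsafe writer is kept only to make the contrast visible; in practice the lesson is the same one Steve draws for the C case: if configuration must live in an executable format, generate it with the language's own literal serializer and validate it on load, and if it does not need to be executable, do not make it so.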