Date: Fri, 17 Jul 1998 10:25:54 -0600 (MDT)
From: Wes Peters <wes@softweyr.com>
To: freebsd-security@FreeBSD.ORG, cts@internetcds.com
Subject: Re: EMERGENCY: new remote root exploit in UW imapd
Message-ID: <199807171625.KAA19389@obie.softweyr.com>
In-Reply-To: <199807170035.RAA05041@bangkok.office.cdsnet.net>
References: <199807170035.RAA05041@bangkok.office.cdsnet.net>
My hidden microphone recorded Craig Spannring (cts@internetcds.com) saying:

% C should not be used for trusted programs.  The lack of true arrays
% with array bounds checking alone makes it too hazardous.  How many
% buffer overflow attacks would we hear about if the trusted server
% programs were written using a language with bounds checking like
% Modula-2 or Ada?  Zero.

And thus we hear from another Luddite.  The use of Modula-2 or Ada
doesn't guarantee the programmers will take the time to design their
programs, does it?  These languages don't require you to enter the
requirements document and the design document and compile them, nor do
they eliminate coding mistakes from the program.  They supply some
tools, which are also available to C and C++ programmers, in the form
of strncpy, snprintf, etc.

The ONLY sure way to security is to carefully monitor the performance
of your system, and to make sure the developers and maintainers of your
system are responsive to the inevitable attacks and compromises.

These episodes are the best argument for Open Source systems I can
think of.  How long would it take Microsoft or Sun to distribute a
patched server to their installed base?  I'll bet {Free,Open,Net}BSD
and Linux get them out much faster.  ;^)

-- 
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                Softweyr LLC
http://www.softweyr.com/~softweyr                    wes@softweyr.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
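The message above points at strncpy and snprintf as the bounded-copy tools C gives a server author. The following is an added example, not code from the message, from UW imapd or from FreeBSD, showing what using them correctly looks like when a fixed-size buffer receives a client-supplied argument. The buffer size ARGBUF, the helper names and the sample arguments are all constructed for illustration. It shows the two pitfalls a reviewer checks for: strncpy does not NUL-terminate when the source fills the buffer, and snprintf silently truncates unless its return value is compared against the buffer size.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed buffer a command handler copies a client argument
 * into.  Deliberately small (an assumption for this example) so that
 * the truncation paths are easy to exercise. */
#define ARGBUF 16

/* Bounded copy with strncpy().  Returns 0 if src fit, -1 if it had to
 * be truncated.  strncpy() pads with NULs when src is short but writes
 * no terminator at all when src is >= the count, so the terminator is
 * forced explicitly instead of trusted. */
static int copy_strncpy(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return -1;
    strncpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';
    return strlen(src) < dstsz ? 0 : -1;
}

/* Bounded copy with snprintf().  With dstsz > 0 the result is always
 * terminated, and the return value is the length snprintf() *wanted*
 * to write.  A return >= dstsz therefore means the argument was cut
 * off; a handler should reject it rather than act on the short form. */
static int copy_snprintf(char *dst, size_t dstsz, const char *src)
{
    int n = snprintf(dst, dstsz, "%s", src);
    if (n < 0 || (size_t)n >= dstsz)
        return -1;
    return 0;
}

/* Demonstrates the strncpy pitfall directly: after a plain
 * strncpy(dst, src, dstsz), is dst NUL-terminated within dstsz bytes?
 * Returns 1 if yes, 0 if no, -1 if dstsz exceeds the scratch buffer.
 * The scratch buffer is pre-filled with 'X' so that a missing
 * terminator is not masked by leftover zeros on the stack. */
static int plain_strncpy_terminated(size_t dstsz, const char *src)
{
    char dst[ARGBUF];
    if (dstsz > sizeof dst)
        return -1;
    memset(dst, 'X', sizeof dst);
    strncpy(dst, src, dstsz);
    return memchr(dst, '\0', dstsz) != NULL;
}

int main(void)
{
    char buf[ARGBUF];
    /* Constructed sample arguments: one that fits, one longer than ARGBUF. */
    const char *short_arg = "USER alice";
    const char *long_arg  = "0123456789abcdefghij";

    printf("snprintf short: rc=%d  buf=\"%s\"\n",
           copy_snprintf(buf, sizeof buf, short_arg), buf);
    printf("snprintf long:  rc=%d  buf=\"%s\"\n",
           copy_snprintf(buf, sizeof buf, long_arg), buf);
    printf("strncpy  short: rc=%d  buf=\"%s\"\n",
           copy_strncpy(buf, sizeof buf, short_arg), buf);
    printf("strncpy  long:  rc=%d  buf=\"%s\"\n",
           copy_strncpy(buf, sizeof buf, long_arg), buf);
    printf("plain strncpy terminated (10-byte src into 16): %d\n",
           plain_strncpy_terminated(ARGBUF, short_arg));
    printf("plain strncpy terminated (16-byte src into 16): %d\n",
           plain_strncpy_terminated(ARGBUF, "0123456789abcdef"));
    return 0;
}
```

The design point is that neither function is safe merely because it takes a length: the caller has to act on the truncation signal (here the -1 return) rather than continue with a shortened argument, and the strncpy variant has to supply its own terminator. A handler that ignores either is bounded against a crash but not against logic errors downstream.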