*chortle*
04/29/1997
From the BugTraq list:
> From: Randal Schwartz <zreyla@FGBARURATR.PBZ>
> Subject: Re: Smashing the Stack: prevention?
> To: OHTGEND@ARGFCNPR.BET
> >>>>> "nate" == nate <angr@ZVYYPBZZ.PBZ> writes:
> nate> 2. 'hmm. what if you change the compiler?'
> nate> C compilers could be modified to do bounds checking, and/or
> nate> problem functions could be made to complain to the user at compile time.
> Not surprisingly, as a next-gen language, Perl already had this stuff
> built in. Arrays and other data structures are dynamically scalable.
> And the "taint" dataflow checking (nothing *from* the outside world
> could influence actions *to* the outside world without explicit
> "cleansing") has been in there since Perl version 2 (1988). Perl 5
> introduced the notion of running code in an arbitrary "Safe" box,
> providing interfaces that mimic system functions. You could write a
> setuid script that executes nearly everything inside the box, then
> calls controlled "through the box wall" functions to perform I/O or
> launch processes.
> Yes, there was the CERT-able hole two years ago because Larry got an
> #ifdef backwards on a platform he didn't have access to, and the
> recent one where a *libc* routine couldn't handle the arbitrary-sized
> data that Perl was handing it. We have efforts going on in the Perl
> developer groups to stamp the rest of those out. (And yes, there are
> apparently a few others. Durn libc. :-)
> So, if you want to write a secure toy, and you want to write it in 1/3
> to 1/5 the number of lines of code of C, and you want it to be secure,
> just use Perl.
> --
> Name: Randal L. Schwartz / Stonehenge Consulting Services (503)777-0095
> Keywords: Perl training, UNIX[tm] consulting, video production, skiing, flying
> Email: <zreyla@fgbaruratr.pbz> Snail: (Call) PGP-Key: (finger zreyla@ben.pbz)
> Web: <A HREF="http://www.stonehenge.com/merlyn/">My Home Page!</A>
> Quote: "I'm telling you, if I could have five lines in my .sig, I would!" -- me
--Nathan J. Mehl, The Left Bank Operation
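
The "taint" dataflow checking mentioned in the quoted post, shown as an added example that is not part of the original message and not code from its author. The helper names (`try_exec`, `cleanse`), the sample inputs and the use of `/bin/echo` are assumptions made for illustration; run it with `perl -T`.

```perl
#!/usr/bin/perl -T
# Added example: data from outside the program cannot reach an action on
# the outside world until it has been explicitly cleansed.
use strict;
use warnings;
use Scalar::Util qw(tainted);

$| = 1;    # keep our output in order with the child's output

# Taint mode also refuses to launch commands with an inherited environment.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# A string literal is never tainted, so the constructed samples below get a
# zero-length slice of $^X (tainted under -T) appended to stand in for
# data that arrived from @ARGV, %ENV or a file.
my $taint = substr($^X, 0, 0);

# Hypothetical helper: try to hand a value to an external command.
sub try_exec {
    my ($arg) = @_;
    my $ok = eval { system('/bin/echo', '  child got:', $arg); 1 };
    return 'allowed' if $ok;
    (my $why = $@) =~ s/ at .*//s;    # drop file/line detail
    return "blocked ($why)";
}

# Hypothetical helper: the only way to untaint is a regex capture, so
# allow-list the expected shape instead of stripping "bad" characters.
sub cleanse {
    my ($arg) = @_;
    return $arg =~ /\A([A-Za-z0-9_.-]{1,64})\z/ ? $1 : undef;
}

# Constructed sample inputs: one with shell metacharacters, one plain.
for my $sample ('report-1997.txt; id', 'report-1997.txt') {
    my $input = $sample . $taint;
    print "input '$sample' tainted: ", (tainted($input) ? 'yes' : 'no'), "\n";
    print "  raw      -> ", try_exec($input), "\n";
    my $clean = cleanse($input);
    print "  cleansed -> ",
        (defined $clean ? try_exec($clean) : 'rejected by allow-list'), "\n";
}
```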