sci.crypt archive
Re: Public disclosure of discovered vulnerabilities
Date: Fri Jun 10 2005 - 18:03:35 CEST
Hank Oredson wrote:
> "Jan Vorbrüggen" <jvorbrueggen-not@mediasec.de> wrote in message
> news:3gt2l8Fe7r1tU3@individual.net...
>
>>>Automatic things may produce a genetic cure. You need a queue rather
>>>than an array.
>>>
>>>As for a strongly typed array, that normally turns buffer overflow from a
>>>malicious code runner to a denial of service attack.
>>
>>I understand the word but not the semantics of what you are saying.
>>Come again?
>
>
>
> The buffer will not overflow, an exception will be thrown
> and the code the attacker tried to put into the buffer will
> not run. The application might exit with a fault indication..
>
Strong typing changes a major security problem into a
different major security problem.
Unfortunately you still have a major security problem.
Basically the programmer has to treat the strongly typed
language as an untyped language and write similar recovery
code. The bug was the missing checks and missing recovery
action.
Andrew Swallow
Received on Thu Sep 29 21:42:50 2005