Re: Public disclosure of discovered vulnerabilities

Del Cecchi wrote:

> Andrew Swallow wrote:
>
>> Hank Oredson wrote:
>>
>>> "Jan Vorbrüggen" <jvorbrueggen-not@mediasec.de> wrote in message
>>> news:3gt2l8Fe7r1tU3@individual.net...
>>>
>>>>> Automatic things may produce a genetic cure. You need a queue
>>>>> rather than an array.
>>>>>
>>>>> As for a strongly typed array, that normally turns buffer overflow
>>>>> from a malicious code runner to a denial of service attack.
>>>>
>>>>
>>>>
>>>> I understand the word but not the semantics of what you are saying.
>>>> Come again?
>>>
>>>
>>>
>>>
>>>
>>> The buffer will not overflow, an exception will be thrown
>>> and the code the attacker tried to put into the buffer will
>>> not run. The application might exit with a fault indication..
>>>
>>
>> Strong typing changes a major security problem into a
>> different major security problem.
>> Unfortunately you still have a major security problem.
>>
>> Basically the programmer has to treat the strongly typed
>> language as an untyped language and write similar recovery
>> code. The bug was the missing checks and missing recovery
>> action.
>>
>> Andrew Swallow
>
>
> Somehow setting up a crash as equivilent to silent subversion seems
> misguided to me, if that is what you are trying to say. DOS vrs theft
> of atomic secrets or my personal information..... Let me think....
>
> del cecchi

Not what I have been saying but it is what the advocates of
strongly typed languages have been doing.

Andrew Swallow
Received on Thu Sep 29 21:43:34 2005