On 02/18/2016 10:47 AM, Ruben Safir wrote:
> On 02/17/2016 11:12 AM, Stevens wrote:
>> Yeah. Read another interesting article on the underlying problem last night and, having done some application development in a previous life, I agree wholeheartedly with the "C is the cause for most security vulnerabilities" thread.
>
> No. Actually, it is not so easy to overrun a buffer on a modern OS, but putting that aside, there are many times the checking for a memory size is detrimental to the software's function, especially in video and games.

The evidence is otherwise. SANS surveys software bugs and security problems, and "buffer overrun" and "SQL injection" have been the #1 and #2 issues, changing places at the top of the list, for well over a decade. The whole issue of not checking things for the sake of speed is all too often a misplaced excuse. In all my years of programming and auditing programming and maintaining programs, I keep finding this weak excuse to justify even things like ignoring the return values of system calls. I recall one instance with a backup program supplied by a TLA company that was quite repeatable and verified by other users, but the people at support refused to admit that it was "writing" past the end of the media. We could back up a 10G drive onto a 360K floppy disk with no errors being reported.

> You can't blame the programming language for the stupidity of the programmer. The reason C is the go-to language for all things important is because it is powerful. It is. And that power is felt in the hands of the coder.

Right, so let's hand out powerful weapons like thermonuclear devices willy-nilly. As I've pointed out, too many schools teach C syntax and grammar but not good programming habits, correctness, or maintainability. Being in denial over these matters does not contribute to solving the problems we are facing.

-- 
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
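The two failure modes argued over above, a write loop that ignores what write(2) returns and an unbounded copy into a fixed buffer, are easy to show in a few lines of C. The following is an added example, not code from the thread or from the backup product mentioned in it. The injectable write function, the constructed 360-byte "medium" that reports ENOSPC once full, and the demo helpers are assumptions made so the behaviour can be exercised without real hardware.

```c
// Added example (not from the thread): check every write(2) result and
// bound every copy. The write_fn indirection, the fake medium and the
// demo_* helpers are constructed for illustration only.
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

typedef ssize_t (*write_fn)(int fd, const void *buf, size_t len);

/* Write all len bytes through wr, retrying on EINTR and after short
 * writes. Returns 0 on success, -1 with errno set when the sink rejects
 * data (ENOSPC on a full medium). Discarding this result is exactly the
 * "10G onto a 360K floppy with no errors" failure mode. */
int write_all(write_fn wr, int fd, const void *buf, size_t len) {
    const unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = wr(fd, p, len);
        if (n < 0) {
            if (errno == EINTR) continue;   /* interrupted: retry */
            return -1;                      /* real error: report it */
        }
        if (n == 0) { errno = ENOSPC; return -1; } /* no progress */
        p += (size_t)n;
        len -= (size_t)n;
    }
    return 0;
}

/* Same loop over the real write(2) for a file descriptor. */
int write_all_fd(int fd, const void *buf, size_t len) {
    return write_all(write, fd, buf, len);
}

/* Copy src into dst (capacity dstsz), always NUL-terminating.
 * Returns 0 if everything fit, -1 if the string had to be truncated,
 * instead of silently running past the end of dst. */
int copy_bounded(char *dst, size_t dstsz, const char *src) {
    if (dstsz == 0) return -1;
    size_t n = strlen(src);
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Constructed fake medium: accepts at most FAKE_CAPACITY bytes, in short
 * writes of up to 7 bytes, then fails with ENOSPC like a full device. */
#define FAKE_CAPACITY 360
static unsigned char fake_media[FAKE_CAPACITY];
static size_t fake_used;

static ssize_t fake_write(int fd, const void *buf, size_t len) {
    (void)fd;
    size_t room = FAKE_CAPACITY - fake_used;
    if (room == 0) { errno = ENOSPC; return -1; }
    if (len > 7) len = 7;
    if (len > room) len = room;
    memcpy(fake_media + fake_used, buf, len);
    fake_used += len;
    return (ssize_t)len;
}

void fake_media_reset(void) { fake_used = 0; }
size_t fake_media_used(void) { return fake_used; }

/* Back up a buffer onto the fake medium; 0 on success, -1 with errno. */
int backup_to_fake(const void *data, size_t len) {
    return write_all(fake_write, -1, data, len);
}

/* Scenario: 1000 bytes onto the 360-byte medium. Returns the errno the
 * checked loop reports (ENOSPC), or 0 if it wrongly claims success. */
int demo_overfill(void) {
    unsigned char big[1000];
    memset(big, 'x', sizeof big);
    fake_media_reset();
    if (backup_to_fake(big, sizeof big) == 0) return 0;
    return errno;
}

/* Scenario: copy into an 8-byte buffer; returns copy_bounded's result. */
static char demo_buf[8];
int demo_copy(const char *src) { return copy_bounded(demo_buf, sizeof demo_buf, src); }
const char *demo_copy_result(void) { return demo_buf; }

int main(void) {
    int e = demo_overfill();
    printf("overfill: %s after %zu bytes\n", strerror(e), fake_media_used());
    printf("copy 8 chars into 8-byte buffer: rc=%d, stored \"%s\"\n",
           demo_copy("12345678"), demo_copy_result());
    return 0;
}
```

The point of the fake medium is that a backup that checks the return value stops at 360 bytes and reports ENOSPC, while one that ignores it would "succeed" having thrown away 640 bytes; copy_bounded likewise reports truncation rather than overrunning the destination.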