On 02/17/2016 08:12 AM, Stevens wrote:
On 02/17/2016 08:50 AM, Anton Aylward wrote:
On 02/17/2016 02:50 AM, Marcus Meissner wrote:
This http://cafbit.com/entry/reinventing_software_for_security attributes many of the problems we have with 'memory' wrt security to the use of C and C++.
Yeah. Read another interesting article on the underlying problem last night and, having done some application development in a previous life, I agree wholeheartedly with the "C is the cause for most security vulnerabilities" thread. C (and its cousins) has (had?) no function length parameters built in. You have a 1024-byte buffer area and a C function that takes data up until it gets a null (or something) with nothing to tell it that there should be no more than 1024? Buffer overflow guaranteed, every time.
True, the lack of built-in reference (size) checking in the normal course of code is a fundamental flaw. And one that is taken care of in other languages. In some languages, if you want to reference areas beyond your defined buffer length you have to contrive to do so; the code will crash if you don't. That being said, if such range checking were suddenly added to C, the entire world would come crashing down, because programming practices of the past will take total re-writes to overcome.
Linux is created with C. Can you say potentially worse than Windows ever thought of being, security wise?
Windows is mostly written in C and C++ as well, so you can't lay that baby at Linux's door.
IMHO, the only thing that has given Linux the perception of being so secure is the fact that with such a small installed desktop base it just hasn't been worth the effort to develop malicious code when attacking Windows is so much more lucrative. But those days are past. Android is (sorta) Linux and look at how it is attacked because it is #1 OS on the planet. But, I digress ... C is the problem.
Ah, the Bill Gates argument. Windows is only attacked because it's popular, not because it's easy. Sorry. Not buying it.
--
After all is said and done, more is said than done.
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
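The "copy until you hit a null, with nothing telling you the buffer is only 1024 bytes" failure discussed in the thread, as an added C example that is not code from any of the posters. The 1024-byte buffer size comes from the thread; the surrounding `struct region`, the 'N' marker bytes standing in for whatever sits next to the buffer, and the constructed all-'A' input are assumptions made here so the overrun can be measured without the demonstration itself relying on undefined behaviour (everything written stays inside one array). `copy_until_nul` is the unbounded idiom; `copy_bounded` is the same operation with the destination size carried alongside the pointer, which is the "reference (size) checking" the thread says C leaves to the programmer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   1024   /* the "1024 byte buffer area" from the thread */
#define NEIGHBOUR  64     /* assumed: bytes that happen to live right after it */

/* The unbounded idiom: copy until the terminating NUL. Behaves like strcpy();
 * nothing here knows, or can know, how large dst actually is. */
static void copy_until_nul(char *dst, const char *src)
{
    while ((*dst++ = *src++) != '\0')
        ;
}

/* Bounds-aware version: the destination size travels with the pointer.
 * Returns 0 on success, -1 if src (plus its NUL) would not fit; on -1
 * nothing is written, so the caller cannot end up with a silent truncation. */
static int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);           /* assumes src is NUL-terminated */
    if (dst_size == 0 || n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);          /* n bytes plus the terminator */
    return 0;
}

/* One array holding the buffer and its neighbour, so that an overrun of
 * the nominal 1024-byte buffer lands in memory we still legitimately own. */
struct region {
    char bytes[BUF_SIZE + NEIGHBOUR]; /* [0..1023] buffer, [1024..] neighbour */
};

/* Build a constructed input of input_len 'A' bytes (NUL-terminated). */
static void make_input(char *src, size_t src_size, size_t input_len)
{
    if (input_len >= src_size)
        input_len = src_size - 1;     /* keep the demonstration in bounds */
    memset(src, 'A', input_len);
    src[input_len] = '\0';
}

/* Run the unbounded copy with an input of input_len bytes and report how
 * many neighbour bytes (originally 'N') were overwritten. */
static size_t bytes_clobbered_by_unbounded_copy(size_t input_len)
{
    struct region r;
    char src[BUF_SIZE + NEIGHBOUR];
    size_t i, clobbered = 0;

    memset(r.bytes, 0, sizeof r.bytes);
    memset(r.bytes + BUF_SIZE, 'N', NEIGHBOUR);   /* mark the neighbour */
    make_input(src, sizeof src, input_len);

    copy_until_nul(r.bytes, src);     /* "the buffer" is r.bytes[0..1023] */

    for (i = BUF_SIZE; i < sizeof r.bytes; i++)
        if (r.bytes[i] != 'N')
            clobbered++;
    return clobbered;
}

/* Same input through the bounded copy: 0 if accepted, -1 if rejected. */
static int bounded_copy_result(size_t input_len)
{
    char buf[BUF_SIZE];
    char src[BUF_SIZE + NEIGHBOUR];

    make_input(src, sizeof src, input_len);
    return copy_bounded(buf, sizeof buf, src);
}

int main(void)
{
    size_t lens[] = { 1023, 1024, 1040 };
    size_t i;
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("input %4zu bytes: unbounded copy clobbers %2zu neighbour bytes, "
               "bounded copy returns %d\n",
               lens[i], bytes_clobbered_by_unbounded_copy(lens[i]),
               bounded_copy_result(lens[i]));
    return 0;
}
```

The 1024-byte input is the instructive case: it fits the buffer exactly, but the terminating NUL lands one byte past it, the classic off-by-one that `copy_until_nul` cannot notice and `copy_bounded` rejects because it counts the terminator against the size it was given.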