From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me X-Spam-Level: X-Spam-Status: No, score=0.6 required=5.0 tests=BAYES_00,TO_NO_BRKTS_FROM_MSSP autolearn=no autolearn_force=no version=3.4.4 X-Google-Language: ENGLISH,ASCII-7-bit X-Google-Thread: 107f24,582dff0b3f065a52 X-Google-Attributes: gid107f24,public X-Google-Thread: 109fba,582dff0b3f065a52 X-Google-Attributes: gid109fba,public X-Google-Thread: 1014db,582dff0b3f065a52 X-Google-Attributes: gid1014db,public X-Google-Thread: 103376,bc1361a952ec75ca X-Google-Attributes: gid103376,public X-Google-ArrivalTime: 2001-08-01 11:11:15 PST Path: archiver1.google.com!newsfeed.google.com!newsfeed.stanford.edu!feed.textport.net!newsranger.com!www.newsranger.com!not-for-mail Newsgroups: comp.lang.ada,comp.lang.c,comp.lang.c++,comp.lang.functional From: Ted Dennison References: <3B6555ED.9B0B0420@sneakemail.com> <87n15lxzzv.fsf@deneb.enyo.de> <3B672322.B5EA1B66@home.com> <5ee5b646.0108010949.5abab7fe@posting.google.com> Subject: Re: How Ada could have prevented the Red Code distributed denial of service attack. Message-ID: <%CX97.14134$ar1.47393@www.newsranger.com> X-Abuse-Info: When contacting newsranger.com regarding abuse please X-Abuse-Info: forward the entire news article including headers or X-Abuse-Info: else we will not be able to process your request X-Complaints-To: abuse@newsranger.com NNTP-Posting-Date: Wed, 01 Aug 2001 14:11:07 EDT Organization: http://www.newsranger.com Date: Wed, 01 Aug 2001 18:11:07 GMT Xref: archiver1.google.com comp.lang.ada:10970 comp.lang.c:71326 comp.lang.c++:79119 comp.lang.functional:7091 Date: 2001-08-01T18:11:07+00:00 List-Id: In article <5ee5b646.0108010949.5abab7fe@posting.google.com>, Robert Dewar says... > >"Mike Smith" wrote in message news:... >> The buffer overflow occurs because of a bug in the *Microsoft* C library. >> This is not endemic to C or C++ in general. And, what, no one has ever >> found a bug in Ada? > > >Sounds like Mike is not familiar with Ada. Of course Ada does not >guarantee freedom from bugs, but for many reasons it does tend to >eliminate obvious goofs like buffer overruns, which are indeed >"endemic" to C and C++ in that these languages do not provide any >help for avoiding such bugs, and as we know these buffer overrun >bugs have time and time again proved weak spots in code written >in C/C++. Raj pretty much had the right of it. Exploitable buffer overflows are a known *class* of bugs that are pretty much endemic with C (and C++ that uses C) code. On the other hand, you actually have to go fairly far out of your way to get an exploitable buffer overflow out of Ada code. You'd have to disable array range checks (and possibly constraint checks too) with either a pragma or a compiler flag when the sources are built. It can be done when you need to (sometimes the extra speed is important), but most folks use the default, which is immune. If you don't think this is a big problem, check out this cracker website, which is dedicated to teaching young script kiddies how to exploit Windows Buffer Overflows: http://www.cultdeadcow.com/cDc_files/cDc-351/ My own company blocks it, but I understand it is titled: "The Tao of Windows Buffer Overflow". :-) --- T.E.D. homepage - http://www.telepath.com/dennison/Ted/TED.html home email - mailto:dennison@telepath.com