Re: Buffer overflow Article - CACM

["Jeffrey R. Carter" <spam@spam.com>]

adaworks@sbcglobal.net wrote:
> There is an interesting article in the current issue of the Communications
> of the ACM (Vol 48, No 11, page 50) about preventing stack
> buffer overflow attacks.   The authors, Kuperman, Brodley, Ozdoganoglu,
> Viuakumar, and Jalote, write as if they have never heard of Ada.

I found the article quite amusing.

> In one paragraph, they criticize C as being vulnerable to such attacks
> and then dismiss Pascal as being unable to address low-level issues.
> As I read their solution, it became clear that simply choosing Ada for
> their development language would solve the vast majority of their
> concerns.

This was also the ONLY paragraph that addressed language choice in the entire 
article. Considering that language choice is the cause of buffer overflow 
vulnerabilities, you'll understand why I found the article amusing.

1st, they say languages such as Java and Pascal may not be low level enough. 
That's certainly not true of Ada, nor of most versions of Modula-2 and Pascal. 
So this is simply hand waving to justify their decision to use a C derivative.

Then they say that bounds checking adds 100% overhead. This may be true of 
trying to patch C, but it's certainly not true of all the checks Ada does, which 
is much more than simply bounds checking. In practice I have never found a case 
in which leaving checks in was too slow, nor where turning them off saved more 
than 10%.

-- 
Jeff Carter
"C++ is like giving an AK-47 to a monk, shooting him
full of crack and letting him loose in a mall and
expecting him to balance your checking account
'when he has the time.'"
Drew Olbrich
52