From: vladimir@speedy.intrepid.com (Vladimir Vukicevic)
Subject: Re: Should internet support software be written in Ada?
Date: 07 Mar 1995 02:35:29 GMT
Date: 1995-03-07T02:35:29+00:00 [thread overview]
Message-ID: <VLADIMIR.95Mar6183529@speedy.intrepid.com> (raw)
In-Reply-To: "Bennett, Chip's message of Mon, 6 Mar 1995 13:01:00 PST
In article <2F5B780E@SMTPGATE2.STRATCOM.AF.MIL> "Bennett, Chip (KTR)
~U" <BennettC@J64.STRATCOM.AF.MIL> writes:
> I just read an interesting article in Federal Computer Week. The
> article, titled "Energy group uncovers hole in Web software" is
> rather old (Feb 20), so if this ground has already been covered, I
> apologize for rehashing it.
>
> The article points out that the NCSA's httpd version 1.3 has a flaw
> where a hacker might be able to overflow internal buffers and gain
> root access.
>
> Point 1: Didn't we already go through this several years back with
> a UNIX mail server that had a similar problem? Any history buffs
> remember that one?
I believe nearly every widely-used unix tool has had this problem. I
know that finger had it, sendmail had it, and I'm sure many, many more
had (or still have?) this same problem.
> Point 2: I going to make a huge leap here and assume that httpd is
> written in C. I'd bet that if the software had been written in a
> constraint checking language like Ada, the problem would not have
> occurred. Comments?
Yes and no. It depends on where the overrun occurs. If it overruns
while, say, reading from a socket (via a syscall), then it could not
be prevented by using Ada or any other language because all the
procedure which actually stuffs bytes into the buffer has is a
System.Address (in Ada terms). If, however, the overrun occurs in user
code, i.e. copying from one string to another (maybe they're actually
reading in 256 bytes at a time, and then just appending them to
another buffer until there's no more data), then Ada would have
probably raised Constraint_Error on this operation.
There is no reason why unix/internet tools shouldn't be written in
Ada. Perhaps the most persuasive argument against doing so is that,
sadly, the majority of unix systems do not have an Ada compiler, while
they probably have a C compiler. Hopefully GNAT will change this; I've
already convinced a few people who, according to them, have no
intention of ever writing in Ada to install gnat on their systems just
in case something "truly cool" is released in Ada95. I think they're
still waiting to use the compiler.
- Vladimir
next prev parent reply other threads:[~1995-03-07 2:35 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
1995-03-06 21:01 Should internet support software be written in Ada? Bennett, Chip (KTR) ~U
1995-03-07 2:35 ` Vladimir Vukicevic [this message]
-- strict thread matches above, loose matches on Subject: below --
1995-03-17 0:24 Bill Brooks
1995-03-17 8:47 ` Anthony Shipman
1995-03-19 22:06 ` David Weller
1995-03-23 15:05 ` Theodore Dennison
1995-03-24 10:26 ` Fred J. McCall
1995-03-27 9:50 ` Robb Nebbe
1995-03-27 14:24 ` Theodore Dennison
1995-03-28 0:00 ` Robert Dewar
1995-03-28 9:32 ` Fred J. McCall
1995-03-29 0:00 ` Theodore Dennison
1995-03-29 0:00 ` Robert I. Eachus
1995-03-31 0:00 ` Theodore Dennison
1995-04-05 0:00 ` Wes Groleau
1995-03-22 23:08 ` Keith Thompson
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox