From: vladimir@speedy.intrepid.com (Vladimir Vukicevic)
Newsgroups: comp.lang.ada
Subject: Re: Should internet support software be written in Ada?
Date: 07 Mar 1995 02:35:29 GMT
Organization: Intrepid Technology, Inc.
References: <2F5B780E@SMTPGATE2.STRATCOM.AF.MIL>
In-reply-to: "Bennett, Chip's message of Mon, 6 Mar 1995 13:01:00 PST

In article <2F5B780E@SMTPGATE2.STRATCOM.AF.MIL> "Bennett, Chip (KTR) ~U" writes:

> I just read an interesting article in Federal Computer Week. The
> article, titled "Energy group uncovers hole in Web software" is
> rather old (Feb 20), so if this ground has already been covered, I
> apologize for rehashing it.
>
> The article points out that the NCSA's httpd version 1.3 has a flaw
> where a hacker might be able to overflow internal buffers and gain
> root access.
>
> Point 1: Didn't we already go through this several years back with
> a UNIX mail server that had a similar problem? Any history buffs
> remember that one?

I believe nearly every widely-used unix tool has had this problem. I know that finger had it, sendmail had it, and I'm sure many, many more had (or still have?) this same problem.

> Point 2: I'm going to make a huge leap here and assume that httpd is
> written in C. I'd bet that if the software had been written in a
> constraint checking language like Ada, the problem would not have
> occurred. Comments?

Yes and no. It depends on where the overrun occurs. If it overruns while, say, reading from a socket (via a syscall), then it could not be prevented by using Ada or any other language because all the procedure which actually stuffs bytes into the buffer has is a System.Address (in Ada terms). If, however, the overrun occurs in user code, i.e. copying from one string to another (maybe they're actually reading in 256 bytes at a time, and then just appending them to another buffer until there's no more data), then Ada would have probably raised Constraint_Error on this operation.

There is no reason why unix/internet tools shouldn't be written in Ada. Perhaps the most persuasive argument against doing so is that, sadly, the majority of unix systems do not have an Ada compiler, while they probably have a C compiler. Hopefully GNAT will change this; I've already convinced a few people who, according to them, have no intention of ever writing in Ada to install gnat on their systems just in case something "truly cool" is released in Ada95. I think they're still waiting to use the compiler.

- Vladimir
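
The two cases distinguished in the reply, as an added Ada example that is not part of the original post: 256-byte chunks appended in user code until the slice check raises Constraint_Error, then a routine that sees only a System.Address, where the caller has to supply the bound. The name `Append_Demo`, the 600-byte buffer and the use of C's `memset` as a stand-in for a syscall-style write are assumptions made for the illustration.

```ada
with Ada.Text_IO; use Ada.Text_IO;
with Interfaces.C;
with System;

procedure Append_Demo is
   Chunk_Size : constant := 256;   --  chunk size mentioned in the post
   subtype Chunk is String (1 .. Chunk_Size);

   --  Constructed size: two chunks fit, a third does not.
   Buffer   : String (1 .. 600) := (others => ' ');
   Last     : Natural := 0;        --  index of the last byte used in Buffer
   Incoming : constant Chunk := (others => 'A');  --  constructed input
   Ignored  : System.Address;

   --  Stand-in for a syscall-style routine such as read(): it receives only
   --  an address and a count, so no Ada check relates Count to Buffer'Length.
   function Memset
     (Dest  : System.Address;
      Value : Interfaces.C.int;
      Count : Interfaces.C.size_t) return System.Address;
   pragma Import (C, Memset, "memset");

   --  User-code append. The slice bounds are checked at run time: when
   --  Last + Chunk_Size exceeds Buffer'Last, Constraint_Error is raised
   --  and nothing is written.
   procedure Append (Data : Chunk) is
   begin
      Buffer (Last + 1 .. Last + Chunk_Size) := Data;
      Last := Last + Chunk_Size;
   end Append;
begin
   for I in 1 .. 3 loop
      Append (Incoming);
      Put_Line ("chunk" & Integer'Image (I)
                & " stored, Last =" & Natural'Image (Last));
   end loop;
exception
   when Constraint_Error =>
      Put_Line ("Constraint_Error: chunk rejected, Last ="
                & Natural'Image (Last));
      --  With a raw address the caller must compute the bound by hand.
      Ignored := Memset (Buffer (Last + 1)'Address, Character'Pos ('B'),
                         Interfaces.C.size_t (Buffer'Last - Last));
      Put_Line ("raw fill limited by hand to"
                & Integer'Image (Buffer'Last - Last) & " bytes");
end Append_Demo;
```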