comp.lang.ada
From: "Randy Brukardt" <randy@rrsoftware.com>
Subject: Re: Web Development Using Ada?
Date: Sat, 27 Jul 2013 22:03:51 -0500
Date: 2013-07-27T22:03:51-05:00
Message-ID: <kt21mn$osm$1@loke.gir.dk>
In-Reply-To: kt119m$hln$2@dont-email.me

"Jeffrey Carter" <spam.jrcarter.not@spam.not.acm.org> wrote in message 
news:kt119m$hln$2@dont-email.me...
> On 07/27/2013 03:35 AM, Aay Jay Chan wrote:
>>
>> What are the pros and cons of using Ada in web development? Is it feasible /
>> practical? What would be your recommendation?
>
> There are a number of sites out there with "Ada inside". One advantage of 
> using Ada is that many of the common vulnerabilities don't occur with Ada. 
> Brukardt discussed the Ada behind archive.adaic.com here in c.l.a several 
> years ago. In addition to obvious things such as no buffer overflows, he 
> mentioned that an attacker can get a server such as Apache to run a shell, 
> which the attacker can exploit, while the Ada equivalent uses a 
> non-exploitable Ada task to accomplish the same end. (I'm writing from 
> memory here.)

I'd be hesitant to call anything "non-exploitable", but there is much less 
attack surface with Ada. The vast majority of things that can go wrong raise 
an exception, which is logged in the normal web logs (and thus can be 
investigated at some future date) with the request being failed. Nothing bad 
will happen in this case, because it's all normal Ada semantics.

OTOH, if you execute a shell, if an attacker can find a way to pass 
information to that shell, they might be able to do anything. Apache has 
fixed many such bugs. It's better if there are no shell outs. It's even 
better if the capability to do shell outs isn't even in the code (since some 
attacks require executing existing code in unusual ways - if the process 
doesn't have any code that can shell out, such attacks can't shell out 
either).

Of course, you're still vulnerable to problems from the host OS and from any 
interfacing that you have to do. And of course, from any compiler bugs. 
(Which is why I never claim that Ada is "non-exploitable".)

                          Randy.
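As an added illustration of the "raise an exception, log it, fail the request" behaviour Randy describes above (example code written for this page, not code from the post or from archive.adaic.com; Page_Number, Handle and Log_Failure are made-up names), a minimal Ada request handler in which every malformed or out-of-range parameter becomes a logged, failed request rather than anything a shell could act on:

```ada
with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Exceptions; use Ada.Exceptions;

procedure Handle_Request_Demo is

   --  Constructed stand-in for a "page" query parameter: only values
   --  1 .. 1000 are meaningful to the application, so the subtype
   --  itself carries the check.
   subtype Page_Number is Integer range 1 .. 1000;

   --  Write the failure to the ordinary request log (stdout here)
   --  so it can be investigated later, as the post describes.
   procedure Log_Failure (Request : String; E : Exception_Occurrence) is
   begin
      Put_Line ("LOG: request """ & Request & """ failed: "
                & Exception_Name (E) & " - " & Exception_Message (E));
   end Log_Failure;

   --  Handle one request.  Bad literal syntax, a value outside the
   --  base range, or a value outside 1 .. 1000 all raise
   --  Constraint_Error under normal Ada semantics; the handler logs
   --  it and fails just this request.  No shell is ever invoked.
   function Handle (Raw_Page : String) return String is
      Page : Page_Number;
   begin
      Page := Page_Number'Value (Raw_Page);
      return "200 OK: page" & Integer'Image (Page);
   exception
      when E : Constraint_Error =>
         Log_Failure (Raw_Page, E);
         return "400 Bad Request";
   end Handle;

begin
   --  Constructed sample parameters: one valid, three that must fail.
   Put_Line (Handle ("7"));                      --  valid page
   Put_Line (Handle ("0"));                      --  outside 1 .. 1000
   Put_Line (Handle ("not-a-number"));           --  not an integer literal
   Put_Line (Handle ("99999999999999999999"));   --  outside Integer'Base
end Handle_Request_Demo;
```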




