From: "Randy Brukardt"
Newsgroups: comp.lang.ada
Subject: Re: Web Development Using Ada?
Date: Sat, 27 Jul 2013 22:03:51 -0500
Organization: Jacob Sparre Andersen Research & Innovation
References: <874bf843-8212-44a4-b0c6-e20d831325bc@googlegroups.com>

"Jeffrey Carter" wrote in message news:kt119m$hln$2@dont-email.me...
> On 07/27/2013 03:35 AM, Aay Jay Chan wrote:
>>
>> What are the pros and cons of using Ada in web development? Is it feasible /
>> practical? What would be your recommendation?
>
> There are a number of sites out there with "Ada inside". One advantage of
> using Ada is that many of the common vulnerabilities don't occur with Ada.
> Brukardt discussed the Ada behind archive.adaic.com here in c.l.a several
> years ago.
> In addition to obvious things such as no buffer overflows, he
> mentioned that an attacker can get a server such as Apache to run a shell,
> which the attacker can exploit, while the Ada equivalent uses a
> non-exploitable Ada task to accomplish the same end. (I'm writing from
> memory here.)

I'd be hesitant to call anything "non-exploitable", but there is much less attack surface with Ada. The vast majority of things that can go wrong raise an exception, which is logged in the normal web logs (and thus can be investigated at some future date) with the request being failed. Nothing bad will happen in this case, because it's all normal Ada semantics.

OTOH, if you execute a shell, if an attacker can find a way to pass information to that shell, they might be able to do anything. Apache has fixed many such bugs. It's better if there are no shell outs. It's even better if the capability to do shell outs isn't even in the code (since some attacks require executing existing code in unusual ways - if the process doesn't have any code that can shell out, such attacks can't shell out either).

Of course, you're still vulnerable to problems from the host OS and from any interfacing that you have to do. And of course, from any compiler bugs. (Which is why I never claim that Ada is "non-exploitable".)

Randy.
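
The behaviour described in the reply above (a failed language check raises an exception, the request is failed, and the reason lands in the log), as an added example that is not part of the original post and not code from the server it mentions. All names (`Fail_Closed_Demo`, `Handle`, `Serve`, the `id` and `tag` parameters) and the requests are hypothetical and constructed for illustration.

```ada
with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Exceptions; use Ada.Exceptions;
procedure Fail_Closed_Demo is
   --  Hypothetical names throughout; not code from archive.adaic.com.
   subtype Item_Index is Positive range 1 .. 3;
   Titles : constant array (Item_Index) of String (1 .. 8) :=
     ("ARM-2012", "AARM-12 ", "Rat-2012");

   --  Stand-in for the web log: one line per request.
   procedure Log (Request : String; Status : Natural; Note : String) is
   begin
      Put_Line ("""GET /item?" & Request & """" & Natural'Image (Status)
                & " " & Note);
   end Log;

   --  Parse "id=<n>&tag=<4 chars>". There is no hand-written validation:
   --  the language-defined range and length checks reject bad input.
   function Handle (Request : String) return String is
      Amp : Natural := 0;
      Tag : String (1 .. 4);  --  fixed-size buffer
   begin
      for I in Request'Range loop
         if Request (I) = '&' then
            Amp := I;
            exit;
         end if;
      end loop;
      declare
         --  Constraint_Error if not a number or outside 1 .. 3.
         Id : constant Item_Index :=
           Integer'Value (Request (Request'First + 3 .. Amp - 1));
      begin
         --  Constraint_Error (length check) unless the tag is 4 characters.
         Tag := Request (Amp + 5 .. Request'Last);
         return Titles (Id) & " [" & Tag & "]";
      end;
   end Handle;

   procedure Serve (Request : String) is
   begin
      Log (Request, 200, Handle (Request));
   exception
      when E : others =>
         --  Fail this request and record why; the server keeps running.
         Log (Request, 500, Exception_Name (E));
   end Serve;
begin
   --  Constructed requests: one valid, three malformed.
   Serve ("id=2&tag=html");
   Serve ("id=9&tag=html");
   Serve ("id=2&tag=AAAAAAAAAAAAAAAA");
   Serve ("id=abc&tag=html");
end Fail_Closed_Demo;
```

The oversized tag never reaches the 4-character buffer, because the length check on the assignment fails first. The program also contains no call that starts another process, which is the second property the reply describes.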