Re: Buffer overflow Article - CACM

[Christopher Browne <cbbrowne@acm.org>]

> Pascal Obry wrote:
>
>> And then even if there was 100% overhead, what the problem ? For most
>> applications this is not critical and at least for debugging the
>> application this is invaluable. Running with a 100% overhead is
>> equivalent to running with a computer 18 months old. Not that bad :)
>> Again I understand that in some domains we are counting the CPU cycles,
>> but this is not the majority of applications.
>
> Even in cases where it is critical, how fast does an incorrect program
> have to be in order to be acceptable? If a really fast, incorrect
> program is better than a slow, correct program, then I submit the
> following as the solution to all problems:
>
> procedure Solution is
>     -- null;
> begin -- Solution
>     null;
> end Solution;
>
> Compile with all checks suppressed for maximum acceptability.

Reality does *NOT* lie there.

Something that is only approximately correct but that is super-fast
may, in cases where time or computational effort *are* at a premium,
be preferable to a slower "correct all the time" program.

The trouble with formal verification methods is that they consume time
(for the analysis work) when you may well discover that the problem
wasn't specified well enough in the first place for formal
verification to actually do any material good.

Having super-well-specified problems is extremely necessary when doing
"rocket science;" if it costs $1B to fire off a rocket, and you don't
get a second chance, it's necessary to do whatever up-front effort is
required to make sure the problem is super-well-specified.

But there are a lot of cases where that level of effort is not
warranted, and it's NOT worth getting "super-detailed, super-correct"
specifications, and it's NOT worth various of the efforts.

Where the CACM article has some things *right* is that there are
plenty of systems where it would be way too costly to reimplement them
in a buffer-overflow-immune language.  People are not going to redo
everything in PL/1 or Ada just because they have better specified
string types.  They don't have time.
-- 
(format nil "~S@~S" "cbbrowne" "ntlug.org")
http://cbbrowne.com/info/linuxdistributions.html
Rules of the Evil Overlord  #220. "Whatever my one vulnerability is, I
will fake a  different one. For example, ordering  all mirrors removed
from the palace, screaming and flinching whenever someone accidentally
holds up a mirror, etc. In the climax when the hero whips out a mirror
and thrusts it at my face,  my reaction will be ``Hmm...I think I need
a shave.''"  <http://www.eviloverlord.com/>