NFR Wizards Archives: RE: Buffer Overruns

Subject: RE: Buffer Overruns
From: sean.kelly@lanston.com
Date: Tue Dec 21 1999 - 13:18:59 CST


On Saturday, December 18, 1999 5:45 PM, Vin McLellan
<vin@shore.net> wrote:

> Is there something in the emergence of a popular Internet, or some
> other timely aspect in the industry's evolution, that has brought to light
> the vulnerabilities associated with buffer overruns in recent years?
>
> Maybe some shift in program design or programming engineering
> practice? What left so many of these vulnerabilities unexposed and their
> risks unappreciated for so many years?

Buffer overruns are traditionally one of the most common programmer errors.
They're also one of the most common to slip through testing. I think the
issue recently has been that they've been exposed as one of the first things
to try if you're going to try to break a system, and with the explosion of
hacking it's inevitable that the problems will be discovered. It's also the
case that in the past few years companies have placed more emphasis on
shipping a product than shipping a product that works. Programmers, on the
average, are probably less skilled than 5 or 10 years ago, and they're
spending less time testing their code because of deadlines.

I would think that as time goes on these issues will become less and less
common, because so much code is being done at a high level now. C is the
largest culprit for overruns; many other languages use dynamic data
structures to store things like strings, which makes the likelihood of even
being able to write code with an overrun much smaller or entirely
impossible.

Sean
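The contrast Sean draws above, as an added example in C that is not part of the original post: the fixed-size buffer filled by strcpy() is the classic overrun, and beside it sit the two remedies the message alludes to, an explicit length check on the fixed buffer and a growable string of the kind that higher-level languages give you by default. All names here (naive_set_name, checked_set_name, dstr, LONG_NAME) are this example's own, and the 20-character sample input is constructed for it.

```c
/* Added example, not code from the original mailing-list post.
 * Shows the classic C fixed-buffer overrun beside two remedies:
 * an explicit bound check, and a growable string whose capacity
 * follows its length. All names and the sample input are this
 * example's own assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 16

/* BEFORE: the overrun. strcpy() copies until the NUL byte of src, so
 * any src of NAME_MAX or more characters writes past name[] into
 * whatever follows it in memory. Kept only for contrast; it is never
 * called on the long input below. */
void naive_set_name(char name[NAME_MAX], const char *src)
{
    strcpy(name, src);
}

/* AFTER (1): keep the fixed buffer but check the length first.
 * Returns 0 on success; returns -1 and leaves dst untouched when src
 * (including its terminating NUL) would not fit in dstsize bytes. */
int checked_set_name(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsize)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* AFTER (2): a growable string. Because capacity is adjusted before
 * every write, there is no fixed bound to overrun. */
typedef struct {
    char *buf;
    size_t len;   /* bytes in use, excluding the NUL */
    size_t cap;   /* bytes allocated */
} dstr;

int dstr_init(dstr *s)
{
    s->cap = 16;
    s->len = 0;
    s->buf = malloc(s->cap);
    if (!s->buf)
        return -1;
    s->buf[0] = '\0';
    return 0;
}

int dstr_append(dstr *s, const char *src)
{
    size_t n = strlen(src);
    if (s->len + n + 1 > s->cap) {
        size_t newcap = s->cap;
        while (s->len + n + 1 > newcap)
            newcap *= 2;
        char *p = realloc(s->buf, newcap);
        if (!p)
            return -1;       /* original buffer still valid on failure */
        s->buf = p;
        s->cap = newcap;
    }
    memcpy(s->buf + s->len, src, n + 1);
    s->len += n;
    return 0;
}

void dstr_free(dstr *s)
{
    free(s->buf);
    s->buf = NULL;
    s->len = s->cap = 0;
}

/* Constructed sample input: 20 characters, which a 16-byte name[]
 * cannot hold once the NUL is counted. */
static const char LONG_NAME[] = "buffer-overrun-test!";

/* Returns 1 if the checked copy rejected LONG_NAME without touching the
 * buffer and the growable string accepted 100 copies of it, else 0. */
int demo(void)
{
    char name[NAME_MAX] = "";
    int rejected = checked_set_name(name, sizeof name, LONG_NAME) == -1
                   && name[0] == '\0';

    dstr s;
    if (dstr_init(&s) != 0)
        return 0;
    int ok = 1;
    for (int i = 0; i < 100; i++)
        ok = ok && dstr_append(&s, LONG_NAME) == 0;
    ok = ok && s.len == 100 * (sizeof LONG_NAME - 1);
    dstr_free(&s);
    return rejected && ok;
}

int main(void)
{
    printf("%s\n", demo() ? "ok" : "FAIL");
    return 0;
}
```

The bound check in checked_set_name compares against the destination's size, not the source's, which is the detail strcpy() has no way to know; the growable string removes the question entirely by sizing the destination to the data.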



This archive was generated by hypermail 2b27 : Wed Dec 22 1999 - 20:59:15 CST