Subject: Re: BitchX /ignore bug
From: Erich Meier (Erich.Meier@INFORMATIK.UNI-ERLANGEN.DE)
Date: Tue Jul 11 2000 - 10:40:11 CDT
- Next message: Scott Alexander: "Re: FW: The AOL Spyware"
- Previous message: Gabe Kostolny: "CASL & IP Options"
- In reply to: Schlachter, Jake: "Re: BitchX /ignore bug"
- Next in thread: Matthew S. Hallacy: "Re: BitchX /ignore bug"
- Reply: Erich Meier: "Re: BitchX /ignore bug"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
> Cornell's undergraduate CS courses are taught in java. This is a growing
> trend in academia. There is never any focus on secure code. In fact,
> there is never any emphasis on code at all-- to avoid any accusations of
> technical instruction, Cornell leaves all programming study to the
> student on their own time. This could be why the Masters are not passing
> on this instructional wisdom-- they're not present when the student is
> learning. We all know that classes are too large for code to be examined
> in detail. Even in the 500-level security course (which I thought was
> very well taught if my prof is listening in =) there was no emphasis on
> the code itself, but on the underlying protocols and concepts. Again, it
> was taught in java. A thorough examination of what constitutes a stack
> overflow exploit in C, and writing secure code in general, are concepts
> that might best be taught to beginning programmers by the security /
> programming community itself, by making instructional docs available
> online (if they aren't now), because they're not going to show up on an
> academic curriculum any time soon. You've got to take care of your own.
Our "System Programming" course which involves practical system-level
programming uses the C language. Other courses use Java, but most of the
system-level apps are still written in C.
We explicitly focus on secure programming (banning gets(), sprintf(), strcpy()
and friends), show how a buffer overflow works in theory and in practice
(I hack an insecure workstation live during the lecture).
This impresses students a lot (together with the fact that they get bad marks
when programming overflowable applications in their assignments :-).
I thought this would be normal in other universities as well.
Erich
--
Erich Meier                Erich.Meier@informatik.uni-erlangen.de
http://www4.informatik.uni-erlangen.de/~meier/
"People are starving to death in this world and somebody had time for this..."
http://webpages.mr.net/bobz/ttyquake/
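The message above names gets(), sprintf() and strcpy() as the functions that get banned in the course. The following is an added example, not code from Erich Meier or from the thread, showing the bounded replacements a student would be expected to use instead, each reporting whether the data fit rather than silently overrunning the buffer. The helper read_line_from_string() and the "user=%s id=%u" record format are assumptions made for this illustration; the unsafe calls are shown only in comments so the file compiles under C11 (which removed gets()).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Replacement for:  char buf[N]; gets(buf);
 * fgets() never writes more than size-1 characters plus the NUL.
 * Returns true if a complete line fit in buf, false if the line was
 * truncated (the rest of the line is discarded so the caller does not
 * mistake the overflow remainder for the next record) or on EOF. */
bool read_line_bounded(FILE *in, char *buf, size_t size) {
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return false;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';          /* drop the newline, line fit */
        return true;
    }
    if (feof(in))
        return true;                  /* last line without a trailing newline */
    int c;                            /* truncated: drain to end of line */
    while ((c = fgetc(in)) != EOF && c != '\n') {
    }
    return false;
}

/* Replacement for:  sprintf(buf, "user=%s id=%u", user, id);
 * snprintf() always NUL-terminates within size; its return value is the
 * length the full output would have had, so n >= size means truncation.
 * The record format is an assumption for this example. */
bool format_bounded(char *buf, size_t size, const char *user, unsigned id) {
    int n = snprintf(buf, size, "user=%s id=%u", user, id);
    return n >= 0 && (size_t)n < size;
}

/* Replacement for:  strcpy(dst, src);
 * Copies at most size-1 bytes and always NUL-terminates. Returns false
 * (with a truncated but valid string in dst) when src does not fit. */
bool copy_bounded(char *dst, size_t size, const char *src) {
    if (size == 0)
        return false;
    size_t len = strlen(src);
    if (len >= size) {
        memcpy(dst, src, size - 1);
        dst[size - 1] = '\0';
        return false;
    }
    memcpy(dst, src, len + 1);
    return true;
}

/* Test helper (assumed, not part of any real program): feeds a constructed
 * input string through a temporary FILE so read_line_bounded() can be
 * exercised without stdin. */
bool read_line_from_string(const char *text, char *buf, size_t size) {
    FILE *f = tmpfile();
    if (f == NULL)
        return false;
    fputs(text, f);
    rewind(f);
    bool ok = read_line_bounded(f, buf, size);
    fclose(f);
    return ok;
}

int main(void) {
    char buf[8];
    /* A 16-byte line offered to an 8-byte buffer: reported, not overflowed. */
    bool fit = read_line_from_string("this is too long\nnext\n", buf, sizeof buf);
    printf("line fit: %s, buffer now \"%s\"\n", fit ? "yes" : "no", buf);
    fit = copy_bounded(buf, sizeof buf, "short");
    printf("copy fit: %s, buffer now \"%s\"\n", fit ? "yes" : "no", buf);
    return 0;
}
```

Marking assignments against these wrappers is straightforward: any call to the banned functions is a defect, and any call to the bounded versions whose return value is ignored is the same defect in disguise, since a silently truncated string is still wrong data.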