It's Time to Abandon Insecure Languages
John S. Denker
jsd at monmouth.com
Mon Jul 22 11:59:00 EDT 2002
Victor.Duchovni at morganstanley.com wrote:
>
> Most security bugs reported these days are issues
> with application semantics (auth bypass, SQL injection, cross-site
> scripting, information disclosure, mobile code execution, ...), not buffer
> overflows.
Really? What's the evidence for that?
What definition of "most" are we using?
One out of 20 doesn't count as "most" in my book.
When I look at the reports for 2002 year-to-date, at
http://www.cert.org/advisories/ there are 20 advisories.
Depending on how you count multi-bug reports, it appears that
19 out of 20 involve buffer overflows and related issues --
things that could easily be prevented by using a language that
has a built-in string type and automatic object management.
Exotic languages are not required; C++ would make a huge
impact. And of course in any language a modicum of skill and
care is required; it's hard to make a language foolproof
because fools are so ingenious.
My evidence: http://www.cert.org/advisories/
20- multiple, including writing out-of-bounds
19 buffer overflow
18 multiple, including buffer overflow
17 stack overflow
16 multiple, including stack overflow
15= DoS: internal consistency check
14 buffer overflow
13 buffer overflow
12- format string
11 heap overflow
10- format string
9 multiple, including buffer overflow
8 multiple, including buffer overflow
7- double free
6 multiple, including buffer overflow
5 multiple, including heap overflow
4 buffer overflow
3 multiple, including buffer overflow
2 buffer overflow
1 buffer overflow
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
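An added illustration of the point the post makes, not code from Denker's message or from CERT: the same "build a greeting from untrusted input" routine written once over a fixed C buffer, where the programmer must carry out every piece of bounds arithmetic by hand, and once over std::string, where the string type owns its own storage and the overflow class that dominates the advisory list above cannot arise. A third function shows the std::ostringstream alternative to handing input to a printf-style format (the "format string" entries). The function names and the 16-byte buffer size are my own choices for the example.

```cpp
// Added example (not part of the original post). Contrast explicit bounds
// accounting on a fixed char buffer with std::string, which sizes itself.
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <sstream>
#include <string>

// Fixed-size buffer, the pattern behind most of the 2002 CERT entries.
// The size is an arbitrary value chosen for this example.
constexpr std::size_t kBufSize = 16;

// C-style: copy "Hello, " + name into a fixed buffer with explicit checks.
// Returns false and zero-fills `out` when the result would not fit,
// instead of writing past the end of the buffer.
bool cstyle_greet(const char* name, char out[kBufSize]) {
    const char prefix[] = "Hello, ";
    const std::size_t prefix_len = sizeof(prefix) - 1;  // 7, excludes NUL
    const std::size_t name_len = std::strlen(name);
    // Need room for prefix + name + terminating NUL byte.
    if (name_len > kBufSize - prefix_len - 1) {
        std::memset(out, 0, kBufSize);
        return false;
    }
    std::memcpy(out, prefix, prefix_len);
    std::memcpy(out + prefix_len, name, name_len + 1);  // copies the NUL
    return true;
}

// C++: std::string grows to fit; there is no length arithmetic to get wrong
// and no fixed limit that an attacker-chosen length can exceed.
std::string cpp_greet(const std::string& name) {
    return "Hello, " + name;
}

// Format-string class: untrusted text must never be the format argument.
// Streaming it into an ostringstream has no format directives to interpret,
// so "%n" or "%s" in the input is just text.
std::string log_line(const std::string& user_input) {
    std::ostringstream oss;
    oss << "user said: " << user_input;
    return oss.str();
}

int main() {
    char buf[kBufSize];
    // Constructed inputs: one that fits, one deliberately too long.
    const std::string short_name = "Ada";
    const std::string long_name(40, 'A');

    std::printf("C-style, short: ok=%d text=\"%s\"\n",
                cstyle_greet(short_name.c_str(), buf) ? 1 : 0, buf);
    std::printf("C-style, long : ok=%d (rejected, buffer zero-filled)\n",
                cstyle_greet(long_name.c_str(), buf) ? 1 : 0);
    std::printf("C++ string    : \"%s\"\n", cpp_greet(long_name).c_str());
    std::printf("log_line      : \"%s\"\n", log_line("%s%s%n").c_str());
    return 0;
}
```

The C version is not wrong, but correctness rests on three length calculations that every caller of every buffer has to repeat; the std::string version has none. That is the "built-in string type and automatic object management" argument in miniature.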