> It's 2012. Why is a security critical application written in a language that tolerates integer overflow/underflow?
Even *new languages* such as D (and it isn't the only one) don't treat integer overflow/underflow correctly..
And you don't even need to change the language you can "patch" C, but it isn't done by default: http://blog.regehr.org/archives/715
> Is performance so critical on today's hardware that we can't afford a runtime environment that checks for these kind of stuff?
Probably not: remember that we also use very slow languages..
I blame "mind" inertia: C did it this way, so we should also do it like this, nevermind that nowadays most of the time the bottleneck is the memory's access time not the CPU..
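The "patch C" point above (the Regehr link describes compiler-inserted overflow checks) can be shown with the GCC/Clang overflow builtins. The following is an added example, not code from the thread or from any browser project; it assumes a compiler that provides `__builtin_mul_overflow` and `__builtin_add_overflow` (GCC 5+ or Clang). It contrasts a size computation that silently wraps with one that reports the wrap so the caller can refuse the request, which is the class of bug the comment is about.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked: plain C arithmetic. count * elem_size wraps modulo 2^32
 * without any diagnostic, so a huge count can yield a tiny size that
 * a later loop writing `count` elements then overruns. */
static uint32_t unchecked_size(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Checked: the builtin returns true when the product does not fit,
 * instead of discarding the high bits. Result is stored in *out. */
static bool checked_size(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    return !__builtin_mul_overflow(count, elem_size, out);
}

/* Convenience predicate: does this request wrap? */
static bool size_wraps(uint32_t count, uint32_t elem_size)
{
    uint32_t unused;
    return !checked_size(count, elem_size, &unused);
}

/* Allocate room for `count` elements of `elem_size` bytes plus a
 * `header`-byte prefix, refusing any request whose arithmetic wraps.
 * Returns NULL on overflow or allocation failure. */
static void *alloc_array(uint32_t count, uint32_t elem_size, uint32_t header)
{
    uint32_t body, total;
    if (!checked_size(count, elem_size, &body))
        return NULL;
    if (__builtin_add_overflow(body, header, &total))
        return NULL;
    return malloc(total);
}

int main(void)
{
    /* Constructed input: 2^30 + 1 elements of 4 bytes, whose true size
     * (2^32 + 4) does not fit in 32 bits. */
    uint32_t bad_count = 0x40000001u;

    printf("unchecked size: %u bytes\n", unchecked_size(bad_count, 4));
    printf("checked: %s\n",
           size_wraps(bad_count, 4) ? "request refused" : "ok");

    void *p = alloc_array(bad_count, 4, 16);
    printf("alloc_array: %s\n", p ? "allocated" : "refused");
    free(p);
    return 0;
}
```

With the unchecked version the 4-byte-element request for 2^30 + 1 elements comes out as 4 bytes; the checked version refuses it, and `alloc_array` returns NULL rather than handing back a buffer far smaller than the caller believes it is.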
Posted May 23, 2012 17:17 UTC (Wed) by JoeBuck (subscriber, #2330)
Besides, only one of the six bugs was a classic C/C++ bug with integer overflow allowing writing beyond the end of the array. The others were either timing attacks or failures to properly check input, and such bugs are language-independent.
Switching to a "safe" language would eliminate one out of the six bugs, but then the expert cracker could look for flaws in the language implementation (bugs in the VM or the JIT) that might allow for an out-of-bounds write.
Are they using the right technology?
Posted May 23, 2012 17:20 UTC (Wed) by lopgok (guest, #43164)
How is D a new language? It is 11 years old.
Writing a complex thing like a web browser in C/C++ is idiotic.
I have personally been using strongly typed garbage collected languages since 1985. There are plenty of them that are reasonably high performance, including Mainsail, Java, Eiffel, C#, and others. Even Ada 83 allows for garbage collection...
Are they using the right technology?
Posted May 23, 2012 19:09 UTC (Wed) by renox (subscriber, #23785)
D is 11 years old, but D2 (which had many changes) is younger, and anyway it is much younger than Ada, which has a sane way to handle integers..