[7322] in bugtraq
Re: EMERGENCY: new remote root exploit in UW imapd
daemon@ATHENA.MIT.EDU (Alec Kosky)
Mon Jul 20 23:39:21 1998
Date: Thu, 16 Jul 1998 22:48:40 -0700
Reply-To: alec@dakotacom.net
From: Alec Kosky <alec@DAKOTACOM.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199807170035.RAA05041@bangkok.office.cdsnet.net>

On 17-Jul-98 Craig Spannring wrote:
>
> C should not be used for trusted programs. The lack of true arrays
> with array bounds checking alone makes it too hazardous. How many
> buffer overflow attacks would we hear about if the trusted server
> programs were written using a language with bounds checking like
> Modula-2 or Ada? Zero.

I like Ada's super-tight type, although at times it's trying, to say the
least. The only major complaint I have against it is the lack of widespread
support for it. I have only found one *nix-based compiler (GNAT), and I was not
too impressed with it. I haven't used it extensively, so I can't comment on too
much, but from what I remember it didn't have a large set of libraries. Perhaps
things have changed in the past year... On the DOS/Windows-based side of
things, the situation is only slightly better (last I knew). The only two
decent (but commercial) compilers that I knew of were the Meridian Ada compiler
and the Janus Ada compiler, and the Meridian was by far the superior. This
brings me to the point: Yes, choosing a language like Ada for secure trusted
programs is to be preferred (although nothing can compensate for poor coding
technique), but there is a definite need for more support. What is the current
state of Ada compiler technology looking like? Have things changed much?

--Alec--