[2922] in bugtraq
Re: at the risk of another flamefest..
daemon@ATHENA.MIT.EDU (Peter Jeremy)
Mon Jul 15 17:50:33 1996
Date: Tue, 16 Jul 1996 07:09:34 +1000
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Peter Jeremy <jeremyp@gsms01.alcatel.com.au>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
On Mon, 15 Jul 1996, David Stagner <stagda@ncs.com> wrote:
>Many, many well-proven languages handle array bounds checking for the
>programmer, and do so efficiently.
It might be worth noting that Richard W.M. Jones <rwmj@doc.ic.ac.uk>
has written some patches to gcc which add fine-grained bounds checking
to C. Sources are in: ftp://dse.doc.ic.ac.uk/pub/misc/bcc
Additional information at:
http://www-dse.doc.ic.ac.uk/~rj3/bounds-checking.html
http://www-ala.doc.ic.ac.uk/~phjk/BoundsChecking.html
Unfortunately, the resultant code is substantially slower and is therefore
really only suitable for testing - this seems primarily due to the
requirement for bounds-checked code to fully interwork with non bounds-
checked code.
>What we need is a powerful, portable, widely used language that
>automagically handles bounds checking for us. Sounds like perl to
>me. :}
I disagree. Whilst perl at the script level hides array-bounds problems
from the user, it is not a panacea. Firstly, the interpreter itself is
written in C - thus it is possible that the interpreter itself may suffer
from an array-bounds problem. Secondly, it is _very_ large (several times
the size of sendmail) thus violating the KISS principle - which is
particularly important for security tools.
----
Peter Jeremy (VK2PJ) peter.jeremy@alcatel.com.au
Alcatel Australia Limited
41 Mandible St Phone: +61 2 690 5019
ALEXANDRIA NSW 2015 Fax: +61 2 690 5247
PGP fingerprint: 2A C6 47 D1 BF 56 5A 10 CC 02 2D 89 EA 10 AA 40
