TEAM-ADA Archives

Team Ada: Ada Programming Language Advocacy


Options: Use Classic View

Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Topic: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Michael Feldman <[log in to unmask]>
Fri, 5 Oct 2001 12:24:28 -0400
text/plain (54 lines)
Hi -
> > Interesting theory, but nobody is really exploiting language flaws to
> break
> >       into security systems.  If Ada has built in security measures that
> >       C++ doesn't (and Java does) then that is useful to sell, but
> security
> >       is much more than preventing overflow on an array
> Seems to me that many of the malicious hacks and viruses
> (but certainly far from all) DID depend on flaws in C,
> especially lack of bounds checking.

And an interesting paper a while back in CACM reported on a world-wide
survey of people's nastiest bugs, and more than 50% were memory-related,
things like array overrunning, trash pointers, etc.

BUT... any language or environment that allows arbitrary access to
memory or files can be used to do damage. Let's not oversell Ada on
"security" grounds - anyone smart enough to use pragma Suppress
can get around all our wonderful language features. I content that all
our checking was really designed to help us prevent _bugs_, not

One could envision a specific compiler and/or execution environment,
designed for safety, that prevented such arbitrary access, and ignored
(or rejected) Suppress, but that's a tool issue, not a language one.

> I have heard plenty
> about flaws in Java and/or JVM security, but I have never
> heard of an actual break-in using such a flaw.

Well, as long as there are flaws, someone will be smart and mischievous
enough to exploit them. Flaws and bugs can (should) be fixed.
> The original post hinted at cyber-terrorism. Perpetrators
> of such an act are concerned with causing damage, not with
> getting anything out of it.  Therefore, they do not have
> to be concerned with "doing things neatly."

Right. Some of the recent worms ("I Love You", etc.) exploited
"cool features" of Microsoft products, like the ability to run
VB scripts from an e-mail attachment. I've read some fairly scary
trade-press articles about M$'s seemingly contemptuous attitude
toward security. I'm actually quite surprised that we haven't seen
any multi-billion-dollar class-action suits about this. Where are
the lawyers when we need them? :-)
> --
> Wes Groleau
Mike Feldman