Nick Roberts wrote:

> "Thomas A. Panfil" wrote on Wednesday, February 06, 2002 4:01 AM:
>
>> Hi All,
>>
>> I'd like to be able to cite a good paper on why Buffer Overflow
>> susceptibility is common in software written in some popular
>> language(s), and rare or relatively easy to prevent when using
>> other languages.  Advice, anyone?

Buffer overflow is primarily limited to C, C++, and
assembly language programs; most other programming languages
used today normally protect themselves against it. See:
http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/buffer-overflow.html
(which is a chapter in my book; see
  http://www.dwheeler.com/secure-programs).
It's not _exactly_ what you're looking for, but maybe
it will help.

Ada95 normally does buffer overflow protection; there are
ways to disable it, or avoid it, but you have to perform
an extra step to do so.

>
>
> Some hopefully relevant points.
>
> For a buffer overflow vulnerability to be actually exploitable, it is
> necessary for:
>
> (a) the underlying operating system or execution environment to fail to
> provide or deploy protection against the execution of code that lies in an
> area of memory which is read-write [1];

It turns out that
there are reasons NOT to simply forbid such writes
at the operating system level, including to support "trampolines"
that are needed by some Ada95 implementations
(e.g., it's needed by GNAT on Linux).

There are ways to restrict execution on the stack yet
permit GNAT etc.  E.g., for Linux, see the patches
by "Solar Designer".



--- David A. Wheeler
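
The Ada95 point made in the message above (index checks are on by default, and turning them off takes an explicit extra step), shown as an added example that is not part of the original post. The names Overflow_Demo, Buffer, Checked_Copy and Unchecked_Copy and the input strings are made up for the illustration.

```ada
with Ada.Text_IO; use Ada.Text_IO;

procedure Overflow_Demo is

   subtype Buffer is String (1 .. 8);

   --  Default behaviour: every indexed write is range-checked at run time.
   procedure Checked_Copy (Source : in String; Target : out Buffer) is
   begin
      Target := (others => ' ');
      for I in Source'Range loop
         --  Raises Constraint_Error as soon as the index leaves 1 .. 8.
         Target (I - Source'First + 1) := Source (I);
      end loop;
   end Checked_Copy;

   --  The "extra step": the programmer explicitly asks the compiler to
   --  drop the index check. An out-of-range write here would be erroneous
   --  execution, the same exposure as an unchecked C array write.
   procedure Unchecked_Copy (Source : in String; Target : out Buffer) is
      pragma Suppress (Index_Check);
   begin
      Target := (others => ' ');
      for I in Source'Range loop
         Target (I - Source'First + 1) := Source (I);
      end loop;
   end Unchecked_Copy;

   Buf : Buffer;

begin
   Checked_Copy ("short", Buf);
   Put_Line ("checked:   [" & Buf & "]");

   --  Constructed input that fits; the suppressed version is never
   --  given anything longer than the buffer in this demo.
   Unchecked_Copy ("short", Buf);
   Put_Line ("unchecked: [" & Buf & "]");

   begin
      Checked_Copy ("constructed input longer than eight", Buf);
      Put_Line ("not reached");
   exception
      when Constraint_Error =>
         Put_Line ("Constraint_Error: overflow stopped by run-time check");
   end;
end Overflow_Demo;
```

When reviewing Ada code for this class of bug, searching for `pragma Suppress` and for compiler switches that disable checks shows where the default protection has been turned off.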