[VIM] How things change..
security curmudgeon
jericho at attrition.org
Sat Feb 25 22:21:11 CST 2012
Reading a report from 2004 about Diebold election machine vulnerabilities.
This was interesting:
While the system is implemented in an unsafe language6(C++), the code
reflects an awareness of avoiding such common hazards as buffer
overflows. Most string operations already use their safe equivalents,
and there are comments, e.g., should really use snprintf, reminding the
developers to change oth- ers. While we are not prepared to claim that
there are no exploitable buffer overflows in the current code, there are
at the very least no glaringly obvious ones. Of course, a better
solution would have been to write the entire system in a safe language,
such as Java or Cyclone [15]. In such a language we would be able to
prove that large classes of attacks, including buffer overflows and
type-confusion attacks, are impossible assuming a correct implementation
of the compiler and runtime system.
While I am not familiar with Cyclone at all, a quick search of "java
overflow" on osvdb.org suggests things have really changed, or perhaps
these researchers weren't naieve in their belief of the security
of Java.
More information about the VIM
mailing list