At 03:39 PM 6/10/03 -0700, Bill Frantz wrote:
At 5:12 PM -0700 6/8/03, Anne & Lynn Wheeler wrote:
somebody (else) commented (in the thread) that anybody that currently (still) writes code resulting in buffer overflow exploit maybe should be thrown in jail.
Not a very friendly bug-submission mechanism :-)
IMHO, the problem is that the C language is just too error prone to be used for most software. In "Thirty Years Later: Lessons from the Multics Security Evaluation", Paul A. Karger and Roger R. Schell <www.acsac.org/2002/papers/classic-multics.pdf> credit the use of PL/I for the lack of buffer overruns in Multics. However, in the Unix/Linux/PC/Mac world, a successor language has not yet appeared.
What about Java? Apart from implementation bugs, it's secure by design.
---
"and then you go to jail" is a bad error-handler for a protocol.