[E-Lang] defense in depth

David Wagner daw@mozart.cs.berkeley.edu
25 Jan 2001 08:22:31 GMT


Jonathan S. Shapiro wrote:
>I share with you the hope that this is true, and also the expectation/belief
>that it will prove to be true, but it is important to take note of which
>beliefs we need to come back and test later. That is: this is an assertion,
>not a fact.

I find it reassuring that you take this stance.

>A bit of good news: several studies have suggested that over 50% of security
>bugs prove on examination to be buffer overrun bugs, and another large
>percentage are fencepost errors. Both of these types of bugs should be
>impossible in E.

But you don't need capabilities for this.  Buffer overruns really
come from a poorly-defined strings API in the standard library,
so it natural to expect any modern language (capability-based or
not) to largely eliminate buffer overruns.  For example, Java seems
to be fairly resistant to buffer overrun attacks, even though it
is not a capability system (in the sense that people on this list
seem to use the term).