[EMAIL PROTECTED] wrote: > > Most security bugs reported these days are issues > with application semantics (auth bypass, SQL injection, cross-site > scripting, information disclosure, mobile code execution, ...), not buffer > overflows.
Really? What's the evidence for that? What definition of "most" are we using? One out of 20 doesn't count as "most" in my book. When I look at the reports for 2002 year-to-date, at http://www.cert.org/advisories/ there are 20 advisories. Depending on how you count multi-bug reports, it appears that 19 out of 20 involve buffer overflows and related issues -- things that could easily be prevented by using a language that has a built-in string type and automatic object management. Exotic languages are not required; C++ would make a huge impact. And of course in any language a modicum of skill and care is required; it's hard to make a language foolproof because fools are so ingenious. My evidence: http://www.cert.org/advisories/ 20- multiple, including writing out-of-bounds 19 buffer overflow 18 multiple, including buffer overflow 17 stack overflow 16 multiple, including stack overflow 15= DoS: internal consistency check 14 buffer overflow 13 buffer overflow 12- format string 11 heap overflow 10- format string 9 multiple, including buffer overflow 8 multiple, including buffer overflow 7- double free 6 multiple, including buffer overflow 5 multiple, including heap overflow 4 buffer overflow 3 multiple, including buffer overflow 2 buffer overflow 1 buffer overflow --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]