At 11:01 AM -0700 6/11/03, Major Variola (ret) wrote: >At 03:39 PM 6/10/03 -0700, Bill Frantz wrote: >>IMHO, the problem is that the C language is just too error prone to be >used >>for most software. In "Thirty Years Later: Lessons from the Multics >>Security Evaluation", Paul A. Karger and Roger R. Schell >><www.acsac.org/2002/papers/classic-multics.pdf> credit the use of PL/I >for >>the lack of buffer overruns in Multics. However, in the >Unix/Linux/PC/Mac >>world, a successor language has not yet appeared. > >What about Java? Apart from implementation bugs, its secure by design.
Java is certainly an improvement for buffer overruns. (The last estimate I heard was that 1/3 of the penetrations were due to buffer overruns.) Java is still semi-intrepreted, so it is probably too slow for some applications. However Java is being used for server-side scripting with web servers, where the safety of the language is a definite advantage. Of course, when you cover one hole, people move on to others. Server-side Java is succeptable to SQL injection attacks for example. Cheers - Bill ------------------------------------------------------------------------- Bill Frantz | Due process for all | Periwinkle -- Consulting (408)356-8506 | used to be the | 16345 Englewood Ave. [EMAIL PROTECTED] | American way. | Los Gatos, CA 95032, USA