An interesting thought: The top three types of computer security failings
all come from violating an abstract Harvard architecture abstraction
implemented on top of a Von Neumann machine. That is, buffer overrun,
cross-site scripting, and SQL injection all happen on systems where the
underlying implementation language treats code and data as if they're in
separate address spaces and yet allows that abstraction to be broken in
order to execute data as code. The work-arounds for all these problems
consist of ensuring one does not break the Harvard abstraction's implementation.
For example, consider how much safer SQL would be if it was configured to
only run prepared statements invoking stored procedures. And I daresay that
buffer overruns were much less damaging in the days when the code was
addressed via the code segment and the stack was addressed via the stack
segment. (Not entirely safe from buffer overruns, mind, but much safer.)
The whole thing of DEP and base address randomization is a lame attempt to
enforce the Harvard architecture to a greater degree without having to fix
the unsafe languages.
--
Darren New, San Diego CA, USA (PST)
"How did he die?" "He got shot in the hand."
"That was fatal?"
"He was holding a live grenade at the time."
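Added example, not part of the original post: the code/data separation the post describes, shown for the SQL case with Python's standard `sqlite3` module. The table, function names and input strings are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data for the demonstration.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a-secret"), ("bob", "b-secret")])
    return db

def lookup_concatenated(db, name):
    # Data is spliced into the code channel: the SQL parser receives one
    # string and cannot tell which characters came from the caller.
    query = "SELECT secret FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in db.execute(query))

def lookup_parameterized(db, name):
    # Statement (code) and bound value (data) travel separately; the
    # statement is compiled before the value is ever examined.
    query = "SELECT secret FROM users WHERE name = ?"
    return sorted(row[0] for row in db.execute(query, (name,)))

# Constructed inputs: one that rewrites the WHERE clause when spliced in,
# and one ordinary name that merely contains an apostrophe.
CLAUSE_REWRITING_INPUT = "nobody' OR '1'='1"
APOSTROPHE_NAME = "o'brien"

def concatenated_breaks_on_apostrophe(db):
    # Even harmless data changes the parse when it shares a channel with code.
    try:
        lookup_concatenated(db, APOSTROPHE_NAME)
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_concatenated(db, CLAUSE_REWRITING_INPUT))
    print("parameterized:", lookup_parameterized(db, CLAUSE_REWRITING_INPUT))
    print("apostrophe breaks concatenated query:",
          concatenated_breaks_on_apostrophe(db))
    print("apostrophe, parameterized:",
          lookup_parameterized(db, APOSTROPHE_NAME))
```

The parameterized lookup treats both inputs as plain strings that match no row, while the concatenated one either returns every row or fails to parse.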