18 Aug
2006
18 Aug
'06
11:39 a.m.
Chuck Guzis wrote:
On 8/18/2006 at 5:59 PM Jules Richardson wrote:
*MY* concern is how do you let FOREIGN code into your world
AND still protect things? I.e. I can do my best to keep
*my* code bug-free... but, I can't keep "your" code bug-free!
Yet, I need to keep my *system* invulnerable to bugs that you
let creep in. :-( (writing good OS's requires considerably more
forethought than writing good *apps*! :< )
As an aside: I've never quite understood
these OS image vunerabilities.
Doesn't any modern OS provide sufficient protection such that a process
can't just stomp all over memory at random? Unless the problem is just a
Windows
thing...
Sloppy programming (really, there's no excuse for not including
bounds-checking when decoding)is a big part of the picture. In Windows'
case, a lot of the vulnerabilities seem to be a combination of sloppy
coding and including "features" that have vulnerabilities inherent. (e.g.
OLE in browser applets, executables in email attachments...) Of course, if
a set of object libraries with inherent vulnerabilities in them is used,
bugs get re-used too.