[PLUG-TALK] Exploitable Bug in a Programming Language?

alan at clueserver.org alan at clueserver.org
Thu Jun 2 21:36:29 UTC 2016


> On Thu, 2 Jun 2016, Charles Sliger wrote:
>
>> It is certainly possible for a programming language to make writing
>> insecure code easier.  C does this by design.
>
> The other way a "programming language" can be insecure is by way of
> its runtime interpreter or libraries.
>
> True, it's not technically the language that's insecure, but telling
> the basic security story to management or the general public would
> probably involve a narrative in that direction.
>
> So if the Perl or Java runtime had an exploitable vulnerability, then
> Perl or Java would be "insecure." The same issue can arise with any
> interpreted language or even (shudder) in a widespread runtime library
> like libgcc_s.so.1.

Most of this sort of vulnerability is caused by incorrect use of the
language, not by an exploitable condition in the language itself. (For
example, dropping privileges of user and group needs to be done in the
correct order or else it will not work as expected. The language does not
cover this condition because it is not an error in the language, it is an
error in usage.)

There are a couple of good books from CERT on common issues with C and
Java bugs that cause security issues and how to correct them.

People also tend to confuse bugs in libraries used by languages and bugs
in the languages themselves.

There are also cases where the compiler has been compromised and designed
to insert malware code. (This goes back many years. In the previous
century it was shown that you could modify the compiler to insert
backdoors into code upon compilation.) Paranoid yet? It can get far worse
if you understand what is possible.
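
Added example, not part of the original message: a C sketch of the privilege-drop ordering mentioned above (groups first, user last, then verify). The function name `drop_privileges` and the demo uid/gid 65534 are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid. Returns 0 on success, -1 on failure.
 * Order matters: supplementary groups and gid must be changed while the
 * process is still privileged. After setuid() to a non-root user the
 * process may no longer change its groups, so calling setuid() first
 * would leave it running with the original (e.g. root) group ids. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* 1. Replace inherited supplementary groups (only root may do this). */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    /* 2. Group next, while we still have the right to change it. */
    if (setgid(gid) != 0)
        return -1;
    /* 3. User last; from root this sets real, effective and saved uid. */
    if (setuid(uid) != 0)
        return -1;
    /* 4. Verify instead of assuming the calls did what was intended. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* 5. A permanent drop must not be reversible. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    if (uid != 0 && gid != 0 && (setgid(0) == 0 || setegid(0) == 0))
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed demo: when started as root, drop to 65534 (commonly
     * "nobody", an assumption); otherwise re-assert the current ids. */
    uid_t uid = geteuid() == 0 ? 65534 : getuid();
    gid_t gid = geteuid() == 0 ? 65534 : getgid();
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Every return value is checked because an unchecked failed `setuid()` or `setgid()` leaves the process running with the privileges it was supposed to give up.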
