[PLUG-TALK] Exploitable Bug in a Programming Language?

[Charles Sliger]

It is certainly possible for a programming language to make writing
insecure code easier.  C does this by design.

It is also possible for a language, through its compiler or interpreter,
to generate/execute code that is insecure. Think 'buffer overflows' or
'heap management'.  The higher-order the language, the more hidden code
there is, and the more you are subject to the level of rigor used by the
implementor.

It is also, of course, possible for the creator of a compiler to make it
insert malicious code in programs it compiles. This was famously laid
out by Ken Thompson in his Turing Award speech "Trusting Trust".

-- 
-chaz
Charles Sliger
"No matter where you go... There you are... Buckaroo Banzai"



On Tue, 2016-05-31 at 11:54 -0700, Rich Shepard wrote:
>    In today's post on krebsonsecurity.com, Brian discusses the availability
> for sale (for $90,000) of a Windows 0-day bug effective on all versions from
> win2000 through win10. In this post he writes,
> 
> 'So-called “zero-day” vulnerabilities are flaws in software and hardware
> that even the makers of the product in question do not know about. Zero-days
> can be used by attackers to remotely and completely compromise a target —
> such as with a zero-day vulnerability in a browser plugin component like
> Adobe Flash or Oracle’s Java.'
> 
>    My question is how a programming language could have an exploitable flaw?
> Not applications written in that language, but the language or its compiler
> itself, and not be known by developers writing code in that language.
> 
> Curious mind wants to know,
> 
> Rich
> 
> _______________________________________________
> PLUG-talk mailing list
> PLUG-talk at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug-talk