code or data?
I am thinking the two most common security problems - buffer overflow for binary programs and cross-site scripting for websites - share the same nature: instead of treating the user's input as pure data, the system/runtime may execute it as code, which in turn grants the user the ability to 'customize' some of the behavior of the program.
Even though modern compilers (like Java and C#) fight hard to make buffer overruns disappear, this "executable data" will not go away (SQL injection, for example), and the restrictions of a sandbox cannot help much.
In Cω, researchers have started to add built-in support for data access and concurrency. Security may be on the list someday, although for now I have no idea how it fits in.
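The data-versus-code confusion described above, as an added example that is not part of the original post: the same input is first spliced into SQL and HTML text, where the parser reads it as code, and then passed as a bound parameter or escaped, where it stays data. The table, function names and sample inputs are constructed for illustration.

```python
import html
import sqlite3

def make_db():
    # Constructed sample data: one table, two users.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a-secret"), ("bob", "b-secret")])
    return db

def lookup_concat(db, name):
    # Input is spliced into the statement text, so the SQL parser
    # treats the user's characters as part of the code.
    query = "SELECT secret FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(query)]

def lookup_bound(db, name):
    # Input travels separately from the statement text; it can only
    # ever be compared as a value.
    query = "SELECT secret FROM users WHERE name = ?"
    return [row[0] for row in db.execute(query, (name,))]

def render_raw(comment):
    # Input becomes part of the markup the browser will parse.
    return "<p>" + comment + "</p>"

def render_escaped(comment):
    # Markup characters are encoded, so the browser shows them as text.
    return "<p>" + html.escape(comment) + "</p>"

if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"          # constructed input
    print("concat:", lookup_concat(db, crafted))   # every row comes back
    print("bound: ", lookup_bound(db, crafted))    # no such user
    markup = "<script>alert(1)</script>"   # constructed input
    print("raw:    ", render_raw(markup))
    print("escaped:", render_escaped(markup))
```

In both pairs the fix is the same: keep the channel that carries code separate from the channel that carries user input, rather than trying to filter the input afterwards.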