Thursday, June 09, 2005

code or data?

I am thinking the two most common security problems - buffer overflow for binary program and cross site scripting for website - share the same nature: instead of treating user's input as pure data, the system/runtime may execute them as code, which in turn grant the user the ability to 'customize' some of the behavior of the program.

Even though the modern compilers(like java and C#) fight hard to make buffer overrun disappear, those "executable data" will not go away (sql injection for example), and the restriction of sandbox can not help too much.

In , researches start to add build-in support for data access and concurrency. Security may be on the list somedays, although now I have no idea how it fit in.


Post a Comment

<< Home