Python secure?

Terry Reedy tjreedy at udel.edu
Mon Aug 16 05:10:30 CEST 2004


"M. Clift" <noone at here.com> wrote in message
news:cforh6$qiv$1 at newsg3.svr.pol.co.uk...
> One thing has come up and that is when I spoke of secure
> I presumed that compiled  C source code software was secure
> and I was asking how did python compare to this.

I understand that you mean 'secure' in a personal sense of 'protecting my
source code'.  But I do want to mention that in a social sense of 'not
taking down the Internet', compiled C can be terribly insecure relative to
Python.  C has dangerous functions like strcpy() which, if used with
external input, can make a program subject to buffer overrun exploits that
can do explosive damage.  Hence the Blaster worm of Feb (?) 2003.  If
Microsoft had written SQL Server in Python (or employed better programmers
and/or security checks), I believe it could not have happened.

One lesson is that understanding the actual behavior of a C program may
require knowing and understanding the exact run time memory layout of code
and data, including 'hidden' items like each call frame's return address
pointer, added by the compiler rather than the programmer.  Virus and worm
writers understand this; many C programmers seem not to.  Python programs
are much easier to understand.

So your choice of language may partly depend on which kind of security is
most important to you -- which is what I believe others said in the
beginning.

Terry J. Reedy






More information about the Python-list mailing list