How security holes happen
gheskett at wdtv.com
Wed Mar 5 05:27:13 CET 2014
On Tuesday 04 March 2014 23:17:40 Andrew Cooper did opine:
> On 03/03/2014 22:19, Cameron Simpson wrote:
> > On 03Mar2014 09:17, Neal Becker <ndbecker2 at gmail.com> wrote:
> >> Charles R Harris <charlesr.harris at gmail.com> wrote in message:
> >> Imo the lesson here is never write in low level C. Use modern
> >> languages with well designed exception handling.
> > What, and rely on someone else's low level C?
> Why is C the lowest denominator?
> Even with correctly written C and assembly, how can you be sure that
> your processor is executing the SYSRET instruction safely?
> (CVE-2012-0217 for anyone interested)
If you do not have the system tools to determine that, the system is
seriously incomplete. Change OSes, it's that simple when you are down to
the bare metal.
If I wanted to determine that was correct on the TRS-80 Color Computer 3 in
the basement, running nitros9 right now, I would put 3 calls to F$RegDump
in the assembly code, one in the caller as the last thing done before the
call, one in the subroutine immediately in front of the return, and one as
the first operation done when the return register image has been pulled
from the stack.
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
NOTICE: Will pay 100 USD for an HP-4815A defective but
complete probe assembly.