[VIM] How things change..

security curmudgeon jericho at attrition.org
Sat Feb 25 22:21:11 CST 2012

Reading a report from 2004 about Diebold election machine vulnerabilities. 
This was interesting:

   While the system is implemented in an unsafe language6(C++), the code
   reflects an awareness of avoiding such common hazards as buffer
   overflows. Most string operations already use their safe equivalents,
   and there are comments, e.g., should really use snprintf, reminding the
   developers to change oth- ers. While we are not prepared to claim that
   there are no exploitable buffer overflows in the current code, there are
   at the very least no glaringly obvious ones. Of course, a better
   solution would have been to write the entire system in a safe language,
   such as Java or Cyclone [15]. In such a language we would be able to
   prove that large classes of attacks, including buffer overflows and
   type-confusion attacks, are impossible assuming a correct implementation
   of the compiler and runtime system.

While I am not familiar with Cyclone at all, a quick search of "java 
overflow" on osvdb.org suggests things have really changed, or perhaps 
these researchers weren't naieve in their belief of the security 
of Java.

More information about the VIM mailing list