Buffer overflow?

walt wa1ter at myrealbox.com
Thu Jul 31 20:57:05 PDT 2003


First, congratulations to Matt on attracting lots of talented people to
this new project.  Looks like it's off to a great start already.
I've seen hundreds, maybe thousands, of remotely exploitable buffer
overflow bugs reported for many different operating systems -- even
those outside of Redmond.
Speaking (as I do) with the confidence which only ignorance can
engender, I'd like to propose that the single most important thing
this project could accomplish is to move the responsibility for
secure applications programming AWAY from the application programmer
and putting it squarely on the shoulders of the operating system
where it belongs.  So there!   :o)
I've read enough about .NET to know that a programmer needs to be
an expert in arcana to write even a trivial application.  This just
seems WRONG!  It's a giant step backwards in operating system security,
and I say that with confidence even when I know I know almost nothing
about security.  But I know when I'm right, anyway!
Seriously, if anyone could explain to me (a non-professional programmer)
how it came to pass that buffer overflow is a non-trivial problem I would
be truly grateful, since I've asked this before in several forums and I
never got a real answer (that I could understand).
Since this project seems primarily concerned with kernel design, are
there any thoughts on how security could be designed into the kernel
and isolated as much as possible from userland?
This is a big topic, but the beginning of a project seems like a better
place to consider security than at the other end.





More information about the Kernel mailing list