Why do people continue to use data structures that allow overflows?


Question

Buffer overflows seem to be one of the biggest causes of security vulnerabilities. I rarely program in C/C++ (only for certain coursework), so I may be missing something, but I don't understand why people continue to use data structures that allow overflows. Why don't all data structures throw an exception when full? Seems like this simple solution would greatly enhance software security.

Recommended answer

  • Ignorance

    A large percentage of programmers (in my perhaps unfairly negative skewed view of the world) either don't understand security concerns at all or don't understand which data structures they use are vulnerable. A whole ton of programmers went through the 90s where everyone used gets() and even every C book out there encouraged it. Now, you'd be called crazy to use it. But not everyone received the memo!

  • Laziness

    Subcategories include "nobody will bother attacking my app", "it's just a prototype anyway", and "it's due next week, I'll fix it later"

  • Difficulty (perceived or otherwise)

    It's actually really difficult to write portable, correct, and secure C code. Almost any nontrivial project that isn't written with a really keen eye likely has bugs if not outright vulnerabilities. And in an unmanaged language like C, many bugs have the potential to be security issues.

    It's also hard to make APIs that are both usable and secure "by design".

    And for the final knife in the corpse, all of these issues affect all developers across the project. That includes any libraries you use, any libraries they use, all the way up to and including the operating system kernel you use. Any programmer who falls into any security trap along the way pretty much compromises the whole thing.

    A lot of these problems get better with managed languages - at least you can't scribble over arbitrary memory, but different classes of security problems still exist.
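
An added example, not part of the original question or answer: a bounded line reader in C used in place of gets(), which reports an error when the input does not fit instead of writing past the end of the buffer. The names read_line, demo_status and demo_buf, the status codes and the sample input are constructed for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

enum { LINE_OK = 0, LINE_EOF = -1, LINE_TOO_LONG = -2 };

/* Bounded stand-in for gets(): never writes more than cap bytes into buf.
 * A line that does not fit is drained and reported instead of overflowing. */
int read_line(FILE *in, char *buf, size_t cap)
{
    if (cap < 2 || cap > INT_MAX) return LINE_TOO_LONG;
    if (fgets(buf, (int)cap, in) == NULL) return LINE_EOF;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';            /* whole line fit; strip the newline */
        return LINE_OK;
    }
    int c = fgetc(in);                /* no newline stored: look at what follows */
    if (c == EOF || c == '\n') return LINE_OK;   /* line ended exactly at the limit */
    while (c != EOF && c != '\n')     /* drain the rest of the oversized line */
        c = fgetc(in);
    buf[0] = '\0';
    return LINE_TOO_LONG;
}

static char demo_buf[8];              /* constructed: room for 7 characters */

/* Constructed demo helper: writes input to a temporary file, reads lines
 * 0..idx with read_line(), returns the status of line idx (text in demo_buf). */
int demo_status(const char *input, int idx)
{
    FILE *f = tmpfile();
    int rc = LINE_EOF;
    if (f == NULL) return LINE_EOF;
    fputs(input, f);
    rewind(f);
    for (int i = 0; i <= idx; i++)
        rc = read_line(f, demo_buf, sizeof demo_buf);
    fclose(f);
    return rc;
}

int main(void)
{
    const char *input = "short\nAAAAAAAAAAAAAAAAAAAA\nnext\n";  /* constructed */
    for (int i = 0; i < 3; i++)
        printf("line %d: rc=%d text=\"%s\"\n", i, demo_status(input, i), demo_buf);
    return 0;
}
```

The caller has to check the return value on every call; C has no exception to force that, which is part of the difficulty the answer describes.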
