
Memory safety is certainly a problem. But so is the ability to execute data. I'm scared by the use of any language that has that capability for security-critical applications.



In the last 15 or so years, as awareness of that issue has increased, the defaults for stack and heap allocations have been to mark pages as non-executable. It is therefore harder than it used to be to execute data - you need to jump through some hoops.

Not to mention if you could not execute data, your programs would not load.


I was actually thinking of languages that allow (encourage, even) execution of data. For example: Ruby, Java.

Interesting exercise: take a large Java server application and figure out if somewhere, somehow, it can be made to execute a string sent by a client.


The moment you have any kind of interpreter or JIT compiler, you're effectively bypassing non-executable protection on memory by providing a way of executing code that looks just like accessing data from the CPU's perspective.
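
The last point in the thread, as an added example that is not part of any comment above: bytes copied into a page that never receives PROT_EXEC are still "run" by an interpreter, so the interpreter's own opcode and bounds checks are the only control that applies. The toy stack VM, its opcodes and the function names are hypothetical and constructed for this illustration.

```c
#define _DEFAULT_SOURCE            /* exposes MAP_ANONYMOUS on glibc */
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
/* Opcodes of a hypothetical toy stack VM, constructed for this example. */
enum { OP_PUSH = 1, OP_ADD = 2, OP_MUL = 3, OP_HALT = 4 };

/* The CPU only reads prog[] and never jumps into it. Returns 0 or -1. */
static int vm_run(const uint8_t *prog, size_t len, uint64_t *result) {
    uint64_t stack[16];
    size_t sp = 0, pc = 0;
    while (pc < len) {
        uint8_t op = prog[pc++];
        if (op == OP_PUSH) {
            if (pc >= len || sp == 16) return -1;   /* truncated or overflow */
            stack[sp++] = prog[pc++];
        } else if (op == OP_ADD || op == OP_MUL) {
            if (sp < 2) return -1;                  /* stack underflow */
            uint64_t b = stack[--sp], a = stack[--sp];
            stack[sp++] = (op == OP_ADD) ? a + b : a * b;
        } else {                   /* HALT with one value, else malformed */
            if (op != OP_HALT || sp != 1) return -1;
            *result = stack[0];
            return 0;
        }
    }
    return -1;                     /* ran off the end without OP_HALT */
}

/* Copy untrusted bytes into a non-executable page, then interpret them. */
int run_from_nx_page(const uint8_t *input, size_t len, uint64_t *result) {
    if (len > 4096) return -1;
    uint8_t *page = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, input, len);
    int rc = mprotect(page, 4096, PROT_READ);  /* read-only, not executable */
    if (rc == 0) rc = vm_run(page, len, result);
    munmap(page, 4096);
    return rc;
}

/* Constructed sample input: (2 + 3) * 7 */
const uint8_t SAMPLE[] = {OP_PUSH, 2, OP_PUSH, 3, OP_ADD, OP_PUSH, 7, OP_MUL, OP_HALT};

int main(void) {
    uint64_t r = 0;
    return (run_from_nx_page(SAMPLE, sizeof SAMPLE, &r) == 0 && r == 35) ? 0 : 1;
}
```

The page protection is never consulted because every access is a load; rejecting the unknown opcode and the stack underflow is done by the interpreter alone.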
