re: http://www.garlic.com/~lynn/2013.html#27 Java Security?
for a long time the majority of exploits used buffer length related vulnerabilities that have been epidemic in C-language implemented applications & systems. Note that the previously mentioned mainframe Pascal was eventually released as product and was used to implement IBM's original mainframe tcp/ip product. There were some performance issues with the base product ... however there was *never* any buffer length related vulnerabilities.

As to the performance issues, I did the changes to support RFC1044 and in some tests at cray research between cray and 4341 got channel speed sustained throughput using only modest amount of 4341 processor time (aka possibly a factor of 500 times improvement in bytes moved per instruction executed over the base product).

I then had to do both detailed failure mode and detailed vulnerability analysis when we were doing IBM's ha/cmp product ... some past posts
http://www.garlic.com/~lynn/subtopic.html#hacmp

C-language related buffer length problems continued to be the major source of exploits up through the late 90s. By 2004 that had shifted to approx. 1/3rd buffer length, 1/3rd client-side downloaded executable code, and 1/3rd social engineering.

I did some work on the mitre exploit database trying to further work on my merged security taxonomy & glossary ... post attempting to characterize all exploits:
http://wwwg.garlic.com/~lynn/2004e.html#43 security taxonomy and CVE

part of the issue was (at the time) exploit reports were free text ... I talked to mitre about possibly introducing a little more structure and categories ... but they said that it was hard enough to get the reports as free text w/o trying to enforce structure.

lots of past posts pontificating about the buffer length vulnerability issue
http://www.garlic.com/~lynn/subintegrity.html#buffer

trivia ... relationship between ha/cmp, supercomputers and electronic commerce ...
old reference to early jan92 meeting in ellison's conference room on ha/cmp cluster scaleup
http://www.garlic.com/~lynn/95.html#13

at the end of jan, the scaleup work was transferred and a couple weeks later announced as supercomputer (and we were told we couldn't work on anything with more than four processors). this contributed to our decision to leave. not long later, two of the other people in the ellison meeting also leave and show up at a small client/server startup responsible for something called the "commerce server". as mentioned in previous post, we are brought in as consultants because they want to do payment transactions on their server.

--
virtualization experience starting Jan1968, online at home since Mar1970
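An added example, not part of the original post or any IBM code, of the buffer length defect class the post attributes to C, placed beside a copy routine that carries the buffer's capacity with it in the style of Pascal strings; the `bstring` type, the 32-byte field size and the sample inputs are constructed for illustration.

```c
/* Added example, not from the original post: the C buffer-length defect
 * class the post describes, next to a bounds-checked copy that carries the
 * capacity with the buffer in the style of Pascal strings. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length-carrying string: capacity and length travel with the data, so a
 * copy routine can always compare the two before writing. */
typedef struct {
    size_t cap;      /* bytes available in data, including the NUL */
    size_t len;      /* bytes stored, excluding the NUL */
    char   data[32];
} bstring;

static void bstr_init(bstring *s) {
    s->cap = sizeof s->data;
    s->len = 0;
    s->data[0] = '\0';
}

/* Bounds-checked copy: returns -1 and leaves dst untouched when src does
 * not fit, where an unchecked strcpy() would run past the end of data. */
int bstr_copy(bstring *dst, const char *src) {
    size_t n = strlen(src);
    if (n + 1 > dst->cap)
        return -1;
    memcpy(dst->data, src, n + 1); /* n + 1 includes the terminating NUL */
    dst->len = n;
    return 0;
}

/* Review helper: bytes an unchecked strcpy(dst, src) would write beyond a
 * destination of dst_cap bytes; 0 means the copy fits. */
size_t strcpy_overrun(size_t dst_cap, const char *src) {
    size_t need = strlen(src) + 1;
    return need > dst_cap ? need - dst_cap : 0;
}

int main(void) {
    bstring field;
    const char *ok  = "RFC1044 channel";                      /* constructed */
    const char *big = "this record is far longer than the thirty-two byte field";
    bstr_init(&field);
    printf("short: rc=%d overrun=%zu\n", bstr_copy(&field, ok),  strcpy_overrun(field.cap, ok));
    printf("long:  rc=%d overrun=%zu\n", bstr_copy(&field, big), strcpy_overrun(field.cap, big));
    return 0;
}
```

The second call is rejected before any byte is written, which is the behaviour the post credits the Pascal-based tcp/ip product with and which a bare strcpy() into a fixed field cannot give.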
