How security holes happen

[Gene Heskett]

On Tuesday 04 March 2014 23:17:40 Andrew Cooper did opine:

> On 03/03/2014 22:19, Cameron Simpson wrote:
> > On 03Mar2014 09:17, Neal Becker <ndbecker2 at gmail.com> wrote:
> >>  Charles R Harris <charlesr.harris at gmail.com> Wrote in message:
> >> Imo the lesson here is never write in low level c. Use modern
> >> 
> >>  languages with well designed exception handling.
> > 
> > What, and rely on someone else's low level C?
> 
> Why is C the lowest denominator?
> 
> Even with correctly written C and assembly, how can you be sure that
> your processor is executing the SYSRET instruction safely?
> (CVE-2012-0217 for anyone interested)
> 
If you do not have the system tools to determine that, the system is 
seriously incomplete.  Change os's, its that simple when you are down to 
the bare metal.

If I wanted to determine that was correct on the TRS-80 Color Computer 3 in 
the basement, running nitros9 right now, I would put 3 calls to F$RegDump 
in the assembly code, one in the caller as the last thing done before the 
call, one in the subroutine immediately in front of the return, and one as 
the first operation done when the return register image has been pulled 
from the stack.

> ~Andrew


Cheers, Gene
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>

NOTICE: Will pay 100 USD for an HP-4815A defective but
complete probe assembly.