2005.11.15
Uninformed article in CACM about buffer overflows
by Karel Thönissen

In comp.lang.ada a discussion ('Buffer overflow article') is taking place that was triggered by an uninformed academic article in the Communications of the ACM. Security is a hot issue these days, with people being harassed by viruses and spyware, and buffer overflows are one of the best-known exploits used to infect computers. Uninformed as they are, the authors of the article assert that checking in software is prohibitively expensive. Obviously, they missed the Ada programming language in their research. Ada has been developed since the late 70's, and it solved long ago all the problems these academics ponder, and many more, off the shelf, with a GPL-ed compiler and generally with an overhead of less than 10% over the unchecked equivalent.
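To make the "checking in software" point concrete, here is an added example (mine, not code from the CACM article or from the comp.lang.ada thread): the kind of buffer copy that silently corrupts memory in C is written in Ada, where the index check the language requires turns the overflow into a Constraint_Error at the offending assignment. The buffer size, the input string and the procedure names are my own choices for illustration.

```ada
-- Added example: an Ada buffer copy with the overflow caught by the
-- mandatory index check, next to a version that truncates correctly.
with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Exceptions; use Ada.Exceptions;

procedure Checked_Copy is
   -- Constructed sample data: an 8-character buffer and a longer input.
   Buffer : String (1 .. 8) := (others => ' ');
   Input  : constant String := "this string is longer than eight";

   -- Naive copy (hypothetical): walks the whole source and writes each
   -- character into Dest without looking at Dest'Length, exactly the
   -- mistake behind a classic stack overflow in C.
   procedure Unsafe_Copy (Dest : in out String; Src : String) is
   begin
      for I in Src'Range loop
         -- Index check: when Dest'First + I - Src'First exceeds Dest'Last
         -- the runtime raises Constraint_Error instead of writing past Dest.
         Dest (Dest'First + I - Src'First) := Src (I);
      end loop;
   end Unsafe_Copy;

   -- Corrected copy: copies at most Dest'Length characters.
   procedure Safe_Copy (Dest : in out String; Src : String) is
      N : constant Natural := Natural'Min (Dest'Length, Src'Length);
   begin
      Dest (Dest'First .. Dest'First + N - 1) :=
        Src (Src'First .. Src'First + N - 1);
   end Safe_Copy;
begin
   begin
      Unsafe_Copy (Buffer, Input);
      Put_Line ("overflow went unnoticed: " & Buffer);
   exception
      when E : Constraint_Error =>
         -- Reached on the 9th iteration; the buffer is never overrun.
         Put_Line ("caught: " & Exception_Message (E));
   end;

   Safe_Copy (Buffer, Input);
   Put_Line ("safe copy: [" & Buffer & "]");
end Checked_Copy;
```

Build it with GNAT as `gnatmake checked_copy.adb`: index checks are on by default, so the first call prints the "caught:" line and the program continues with the truncated copy. Build it with `-gnatp` (or put `pragma Suppress (All_Checks);` in the unit) and Unsafe_Copy writes past the end of Buffer in silence, which is precisely the "all checks suppressed" configuration the article's 100% figure argues for.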
The authors of the article, Kuperman, Brodley, Ozdoganoglu, Vijaykumar and Jalote, claim that solutions in software carry a 100% overhead. Pascal Obry rightfully asks what the problem with that would be, even if it were true: most software is not time critical (Ada is strong in the embedded domain!), debugging hours are far more expensive than CPU hours, and finally:
- Running with a 100% overhead is equivalent to running with a computer 18 months old
Brilliant! This is turning Moore's Law to one's advantage.
Jeffrey Carter pushes this whole discussion to its logical conclusion:
Even in cases where it is critical, how fast does an incorrect program have to
be in order to be acceptable? If a really fast, incorrect program is better than
a slow, correct program, then I submit the following as the solution to all
problems (in Ada):
procedure Solution is
-- null;
begin -- Solution
null;
end Solution;
Compile with all checks suppressed for maximum acceptability.