From: "Randy Brukardt"
Newsgroups: comp.lang.ada
Subject: Re: Embedded Keynote Speaker Mentions Ada
Date: Thu, 23 Sep 2004 17:19:04 -0500
Message-ID: <5uqdnVWez_8P1s7cRVn-sw@megapath.net>

"Björn Persson" wrote in message news:eIn4d.3914$d5.30556@newsb.telia.net...
Jeffrey Carter wrote:
>> www.AdaIC.com and archive.AdaIC.com run on a server with the web server
>> software written in Ada. According to Randy B, everything that goes
>> around on the internet has attacked the server, but nothing has
>> succeeded in over 3 years.

>Well, it's hardly surprising that a worm written for a certain
>vulnerability in Microsoft Internet Information Server can't hurt a
>totally different server.

True enough, but that's part of the point. Servers like IIS and Apache try to be all things to all people by supporting various plugins and dynamic configurations. These same features are often hijacked for malicious uses.

By doing the configuration at compile-time, and by avoiding support for plugins and other dangerous options, the server is necessarily much more secure. For instance, it isn't possible to cause the server to run a shell, because there is no code in the server that can run any other program. Thus, it is simply impossible to hijack it that way.

Of course, that's not specific to Ada. What has helped about Ada is that errors can be trapped, logged, and then the task can continue to operate. That's kept the server running even when it has had fairly significant bugs (especially in handling malicious input). Those bugs could very well have turned into a vulnerability in another programming language, but Ada's checks caught the problems and raised exceptions before any real damage could occur.

Of course, Ada is no silver bullet here. It's still necessary to pay close attention to things like file traversal errors, and it's certainly possible that the server contains some sort of vulnerability. I would never say it was impossible to crack, because that only encourages people to try (ask Oracle about their vulnerability-free database...).

Randy.
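
The trap, log and continue behaviour described in the message above, as an added example that is not part of the original post and not the AdaIC server's code: a worker task copies each request line into a fixed buffer with no manual length check, and an over-long request raises `Constraint_Error`, which is logged while the task keeps serving. `Serve_Demo`, `Worker`, `Handle`, the 32-character buffer and the sample requests are all assumptions constructed for illustration.

```ada
with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Exceptions; use Ada.Exceptions;

procedure Serve_Demo is

   Max_Line : constant := 32;  --  assumed size of the request buffer

   task Worker is
      entry Request (Raw : String);
   end Worker;

   --  Copies the request line into a fixed buffer. The bug is deliberate:
   --  there is no length check, so the language's run-time slice check is
   --  the only thing standing between the input and the buffer.
   procedure Handle (Raw : String) is
      Buffer : String (1 .. Max_Line) := (others => ' ');
   begin
      Buffer (1 .. Raw'Length) := Raw;  --  Constraint_Error if Raw is too long
      Put_Line ("served:   " & Buffer (1 .. Raw'Length));
   end Handle;

   task body Worker is
   begin
      loop
         select
            accept Request (Raw : String) do
               begin
                  Handle (Raw);
               exception
                  when E : others =>  --  trap and log; the task stays alive
                     Put_Line ("rejected:" & Integer'Image (Raw'Length)
                               & " bytes, " & Exception_Name (E));
               end;
            end Request;
         or
            terminate;  --  lets the task end when the main program finishes
         end select;
      end loop;
   end Worker;

begin
   --  Constructed sample requests; the second one overruns the buffer.
   Worker.Request ("GET /index.html");
   Worker.Request ("GET /" & String'(1 .. 64 => 'A'));
   Worker.Request ("GET /about.html");  --  sent after the faulting request
end Serve_Demo;
```

The same unchecked copy in a language without bounds checks would write past the end of the buffer instead of raising an exception.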