Link: Twice the bits, twice the trouble: vulnerabilities induced by migrating to 64-bit platforms
Adrian Colyer's Twice the bits, twice the trouble: vulnerabilities induced by migrating to 64-bit platforms (via) is a very readable and very interesting summary of an ultimately depressing academic paper on the security vulnerabilities that get induced in C code simply by migrating from 32-bit platforms to 64-bit platforms.
In theory I sort of knew about all of this, but it's one thing to vaguely have heard about it and another thing to see handy comparison charts and examples and so on of how relatively innocent C code introduces real vulnerabilities simply when you rebuild it on 64-bit machines and then expose it to attackers.
Here's a depressing quote from the academic paper to finish up with and motivate reading at least Colyer's summary of the whole thing:
Finally, we make use of this systematization and the experience thus gained to uncover 6 previously unknown vulnerabilities in popular software projects, such as the Linux kernel, Chromium, the Boost C++ Libraries and the compression libraries libarchive and zlibāall of which have emerged from the migration from 32-bit to 64-bit platforms.
That's, well, unfortunate. But not unexpected, I suppose. Maybe all future languages should not have any limited-range numeric types that can have different sizes on different platforms, even if it's theoretically an attractive idea for 'optimization'.
(I don't know what Rust does here, but Go does have int
and uint
,
which are either 32 or 64 bits depending on the platform.)
Comments on this page:
|
|