[CSS_ACM_General_List] a question

Isaias Sifuentes isaias.sifuentes at gmail.com
Tue May 24 14:57:08 CDT 2011


Not to thread ninja away from the topic of buffer overflow, but speed can be
a critical factor as well. From my understanding and what I hear coming
through the grapevine, a place like, say, the Chicago Mercantile Exchange,
is probably going to want "fast" code, considering that their profits
(trading stocks) revolve around the speed with which transactions can take
place.

I had a friend once tell me that they will try pretty hard to shave
milliseconds off of a trade, and I believe it. If I'm not mistaken, all of that
bounds checking and whatnot is overhead which you trade for speed, granted
there are bottlenecks outside of the software as well.

I would think in certain kinds of critical operations like that, higher
level languages become unacceptable because of their overhead.

I agree with Anthony in that C/C++ might be a bit overkill for a web
application, and to consider a client's needs, if you need to push something
out fast versus if you need something that runs fast, for example.

Isaias

On Tue, May 24, 2011 at 1:48 PM, Zoko, Anthony <azoko at cdm.depaul.edu> wrote:

>  > I'm finding that the ease of python gets old after a while.
>
>
>
> It’s important to use the right tool, for the right job…. For the right
> reasons.
>
> C may be more entertaining for you to write a web app but you’ll spend much
> more time writing needless code and leaving your applications open to
> attack.
>
> Last thing you want is someone pwning your server…
>
> It’s one thing if you’re just experimenting with the technology.  If you’re
> actually building something for a client or at your work place, you have to
> look beyond what is entertaining to what gets the job done in the most
> reasonable manner.
>
>
>
> Anthony Zoko
>
> Software Development Manager/ Architect
>
> DePaul University
>
> College of Computing and Digital Media (CDM) http://www.cdm.depaul.edu
>
>
>
> *From:* css_acm_general_list-bounces at mailman.depaul.edu [mailto:
> css_acm_general_list-bounces at mailman.depaul.edu] *On Behalf Of *Sean
> Neilan
> *Sent:* Tuesday, May 24, 2011 1:40 PM
> *To:* Kristoff, John
> *Cc:* css_acm_general_list at mailman.depaul.edu
> *Subject:* Re: [CSS_ACM_General_List] a question
>
>
>
> What I'm curious about is how python manages the mallocs and frees.
> There's some kind of machine that does that. I understand that buffer
> overflows can be prevented by not going over array indexes, but, what if you
> want to store everything that goes into a server?
>
>
>
> Python appears to manage large amounts of data extraordinarily well.
> http://docs.python.org/c-api/memory.html
>
>
>
> I would like to write web software in C but still have the memory
> management capabilities of python so I don't run into buffer overflows.
>
>
>
> I'm finding that the ease of python gets old after a while.
>
>
>
> On Tue, May 24, 2011 at 1:29 PM, John Kristoff <jtk at depaul.edu> wrote:
>
> On Tue, May 24, 2011 at 11:54:29AM -0500, Sean Neilan wrote:
> > What happens in Python that generally doesn't happen in a server in C to
> > prevent buffer overflows? Why should Python have an advantage over the
> > language it was written in?
>
> Python and other languages like it generally make it much harder for
> you to mess up in this way.  In C, your variables, most notoriously
> strings, require you to allocate and properly use the memory set aside
> for them.  For instance,
>
>  char foo[80];
>
> Sets up 80 bytes for a string named 'foo'.  What happens when you
> try to put 81 bytes into that variable?  Well, if you code safely
> that won't happen, but say you did something like this:
>
>  gets(foo);
>
> It is trivial to give more than 80 bytes via gets and, voila, buffer
> overflow.
>
> In Python, and others, memory is managed automatically for you as
> needed.  In Python, you don't even need to allocate memory for foo.
> It could be a string of arbitrary size; Python will figure out and
> handle all the memory management for you.  Even if foo changes
> drastically throughout your running program, it's not something you
> have to manage directly.  Memory management is all handled under the
> covers for you.  I don't know Python well, but I imagine under the
> covers is essentially mallocs and frees that do this for you.
>
> Of course, you might be able to stuff foo full of data exceeding the
> resources of the running system, but that is a slightly separate issue.
>
> Note, even with Python's memory management doing all the work for
> you, you may not entirely be rid of buffer overflows if the underlying
> language implementation has a bug.  For example:
>
>  <http://www.securityfocus.com/bid/30491>
>
> John
>
>
>
>
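
As an added example (not part of the original thread): a C sketch of a line reader that, unlike gets(foo) on a fixed char foo[80], grows its buffer on demand and enforces an upper bound so input cannot exhaust memory. read_line_capped, the LINE_* codes and the 4096-byte cap are hypothetical names and values chosen for illustration; this is not how CPython itself is implemented.

```c
#include <stdio.h>
#include <stdlib.h>
enum { LINE_OK, LINE_EOF, LINE_TOO_LONG, LINE_NOMEM };  /* hypothetical codes */

/* Read one line of any length into heap memory that grows on demand,
 * rejecting lines longer than max_len bytes. On LINE_OK, *out is a
 * NUL-terminated string the caller must free(); otherwise *out is NULL. */
int read_line_capped(FILE *in, size_t max_len, char **out)
{
    size_t cap = 16, len = 0;
    char *buf = malloc(cap), *tmp;
    int c;
    *out = NULL;
    if (buf == NULL)
        return LINE_NOMEM;
    while ((c = fgetc(in)) != EOF && c != '\n') {
        if (len == max_len) {            /* over the cap: drain the line, reject */
            while ((c = fgetc(in)) != EOF && c != '\n')
                ;
            free(buf);
            return LINE_TOO_LONG;
        }
        if (len + 1 == cap) {            /* keep one byte spare for the NUL */
            if ((tmp = realloc(buf, cap * 2)) == NULL) {
                free(buf);
                return LINE_NOMEM;
            }
            buf = tmp;
            cap *= 2;
        }
        buf[len++] = (char)c;
    }
    if (c == EOF && len == 0) {          /* no more input */
        free(buf);
        return LINE_EOF;
    }
    buf[len] = '\0';
    *out = buf;
    return LINE_OK;
}

int main(void)
{
    char *foo;                           /* no fixed 80-byte array to overrun */
    if (read_line_capped(stdin, 4096, &foo) == LINE_OK)
        puts(foo);
    free(foo);                           /* free(NULL) is a no-op */
    return 0;
}
```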