On 2006.01.08 14:01, Gregory Brown wrote:
> On 1/7/06, Gregory Seidman <gsslist+ruby / anthropohedron.net> wrote:
> 
> > I'm not clear on what openness we're talking about. Do you mean one or more
> > of the following:
> 
> > 3) duck typing allows unintended objects to be used in unintended ways
> >
> > 4) the ability to add/replace methods in existing classes allows library
> >    internals to be inspected or modified
> 
> These two.
> 
> Which are considered as features by most, but often as vulnerabilities
> by outsiders :)

You might perhaps point out that professional Smalltalk, Lisp and other
dynamic-language programs have much fewer occurrences of exploits and
ordinary bugs than their static counterparts (this is also relatively
speaking). You can probably find supporting studies if you really want.

I do not have anything in particular to offer for ruby except that above
two are fairly easily and mostly thwarted by proper unit and functional
testing (which one should be doing anyway). 

If one were inclined to actually argue a point, one might mention  some
of C++'s vulnerabilities: buffer overflows, pointers, memory handling
and so on. 

It is, by the way, possible to override C++ methods, access modifiers
and such at runtime as well. These attacks are much more insidious there
as the programmers will not be prepared for them. Google for details.


E