by rwmj
442 days ago
STL bounds checking isn't bounds checking. Your code (or other libraries you use) can still have simple pointer arithmetic that goes outside bounds. But the larger problem is that bounds checking (even ASAN) isn't as good as statically checking code, i.e. your code with bounds checking still crashes at run time, which can be a denial of service attack, whereas with static checking your code would never have compiled in the first place. Nevertheless if you don't want to rewrite the world, then using these mitigations is much better than not using them. I would also add fuzzing to the mix.

But as you mention, unfortunately enabling bounds checking in the STL wouldn't catch a lot of pointer manipulation.
It would still be better than the status quo.
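
Added example, not part of the thread: the gap both comments describe, shown with `std::string_view::at()` standing in for a bounds-checked STL accessor. The buffer contents, field length and function names are constructed for illustration, and the over-read stays inside one larger buffer so the demo itself has defined behaviour.

```cpp
#include <cstddef>
#include <iostream>
#include <optional>
#include <stdexcept>
#include <string>
#include <string_view>

// Constructed sample: one 16-byte buffer, a public field followed by a secret.
static const std::string kBuffer = "name=bobKEY=s3cr";
constexpr std::size_t kFieldLen = 8;  // length of "name=bob"

// View that is supposed to expose only the public field.
std::string_view field() { return std::string_view(kBuffer.data(), kFieldLen); }

// Copy n bytes through the checked accessor: at() throws once i >= size().
std::optional<std::string> copy_checked(std::string_view v, std::size_t n) {
    std::string out;
    try {
        for (std::size_t i = 0; i < n; ++i) out.push_back(v.at(i));
    } catch (const std::out_of_range&) {
        return std::nullopt;  // the library check caught the bad length
    }
    return out;
}

// Same loop through a raw pointer: no library code runs on the dereference,
// so a wrong n walks past the view into whatever is adjacent.
std::string copy_raw(std::string_view v, std::size_t n) {
    const char* p = v.data();
    std::string out;
    for (std::size_t i = 0; i < n; ++i) out.push_back(*(p + i));
    return out;
}

int main() {
    const std::size_t bad_len = 12;  // constructed bug: length 4 bytes too long
    auto checked = copy_checked(field(), bad_len);
    std::cout << "checked: " << (checked ? *checked : "<rejected>") << "\n";
    std::cout << "raw:     " << copy_raw(field(), bad_len) << "\n";
    return 0;
}
```

The checked path rejects the bad length at run time, while the raw-pointer path returns bytes from the neighbouring field without any library check being involved.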