Comment by bluGill

3 days ago

Bounds checking solves one tiny subset of security. There are hundreds of other subsets that we know how to solve. However these days the majority of the bad attacks are social and no technology is likely to solve them - as more than 10,000 years of history of the same attack has shown. Technology makes the attacks worse because they now scale, but social attacks have been happening for longer than recorded history (well, there is every reason to believe that - there is unlikely to be evidence going back that far).

> However these days the majority of the bad attacks are social

You're going to have to cite a source for that.

Bounds checking is one mechanism that addresses memory safety vulnerabilities. According to MSFT and CISA[1], nearly 70% of CVEs are due to memory safety problems.

You're saying that we shouldn't solve one (very large) part of the (very large) problem because there are other parts of the problem that the solution wouldn't address?

[1] https://www.cisa.gov/news-events/news/urgent-need-memory-saf...

  • While I do not have data comparing them, I have a few remarks:

    1. Scammer Payback and others are documenting ongoing attacks that involve social engineering that are not getting the attention that they deserve.

    2. You did not provide any actual data on the degree to which bounds checks are “large”. You simply said they were because they are a subset of a large group. There are diseases that only affect fewer than 100 people in the world that do not get much attention. You could point out that the people affected are humans, which is a group that consists of all people in the world. Thus, you can say that one of these rare diseases affects a large number of people and thus should be a priority. At least, that is what you just did with bounds checks. I doubt that they are as rare as my analogy would suggest, but the point is that the percentage is somewhere between 0 and 70% and without any real data, your claim that it is large is unsubstantiated. That being said, most C software I have touched barely uses arrays enough for bounds checks to be relevant, and when it does use arrays, it is for strings. There are safe string functions available for use like strlcpy() and strlcat() that largely solve the string issues by doing bounds checks. Unfortunately, people keep using the unsafe functions like strcpy() and strcat(). You would have better luck if you suggested people use safe string handling functions rather than suggest compilers insert bounds checks.

    3. Your link mentions CHERI, which is a hardware solution for this problem. It is a shame that AMD/Intel and ARM do not modify their ISAs to incorporate the extension. I do not mean the Morello processor, which is a proof of concept. I mean the ISA specifications used in all future processors. You might have more luck if you lobby for CHERI adoption by those companies.

  • CVEs are never written for social attacks. Which is fair given what they are trying to do. However attacking the right humans and not software is easier.
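
The strcpy() versus strlcpy()/strlcat() point in the reply above, shown as an added, self-contained C example (not code from any commenter). The record layout (an 8-byte name field followed by an 8-byte status field in one 16-byte object) and the helper names my_strlcpy, my_strlcat, safe_set_name and checked_get are assumptions made for the demo; the strl* helpers are local reimplementations of the OpenBSD semantics so the file builds on libcs that lack them. Keeping both fields inside one object means the overrun stays within the allocation, so the demonstration is well-defined C rather than undefined behaviour.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Local reimplementation of OpenBSD strlcpy() semantics (assumption: not the
 * libc's own). Copies at most size-1 bytes, always NUL-terminates when
 * size > 0, and returns strlen(src) so a return >= size signals truncation. */
size_t my_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Same for strlcat(): the bound is the whole destination buffer, not the
 * remaining space. Returns the length the result would have had. */
size_t my_strlcat(char *dst, const char *src, size_t size)
{
    size_t dstlen = strnlen(dst, size);
    if (dstlen == size)              /* dst not terminated within size */
        return size + strlen(src);
    return dstlen + my_strlcpy(dst + dstlen, src, size - dstlen);
}

/* Constructed record layout (assumption): 8-byte name field directly followed
 * by an 8-byte status field inside one 16-byte object. */
enum { NAME_LEN = 8, STATUS_LEN = 8, REC_LEN = NAME_LEN + STATUS_LEN };

void init_record(char *rec)
{
    memset(rec, 0, REC_LEN);
    memcpy(rec + NAME_LEN, "guest", sizeof "guest");
}

/* Unsafe pattern: strcpy() trusts the source length. A name longer than
 * 7 bytes runs past the name field and overwrites the adjacent status field. */
void unsafe_set_name(char *rec, const char *name)
{
    strcpy(rec, name);
}

/* Bounded pattern: the copy is limited to the field and truncation is reported
 * to the caller instead of silently corrupting the neighbouring field. */
int safe_set_name(char *rec, const char *name)
{
    size_t needed = my_strlcpy(rec, name, NAME_LEN);
    return needed < NAME_LEN ? 0 : -1;   /* -1: input did not fit */
}

int status_intact(const char *rec)
{
    return strncmp(rec + NAME_LEN, "guest", STATUS_LEN) == 0;
}

/* What a compiler-inserted bounds check amounts to when written by hand:
 * reject the index instead of dereferencing it. */
int checked_get(const unsigned char *arr, size_t len, size_t idx, unsigned char *out)
{
    if (idx >= len)
        return -1;
    *out = arr[idx];
    return 0;
}

int main(void)
{
    char rec[REC_LEN];

    init_record(rec);
    unsafe_set_name(rec, "administrator");   /* 13 bytes + NUL into an 8-byte field */
    printf("strcpy:  status field intact = %d\n", status_intact(rec));

    init_record(rec);
    int rc = safe_set_name(rec, "administrator");
    printf("strlcpy: status field intact = %d, rc = %d\n", status_intact(rec), rc);

    char path[REC_LEN];
    my_strlcpy(path, "/srv/", sizeof path);
    size_t want = my_strlcat(path, "some/long/name", sizeof path);
    printf("strlcat: \"%s\" (truncated = %d)\n", path, want >= sizeof path);
    return 0;
}
```

One caveat worth knowing: building with `-O2 -D_FORTIFY_SOURCE=2` makes glibc swap strcpy() for a checked variant when it can see the destination object's size, but here that size is the whole 16-byte record, so the copy into the 8-byte name field passes the fortification check and still clobbers the status field. Fortification protects the allocation boundary; only a bound on the logical field, as strlcpy() provides, protects the field.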