I was wondering if it was theoretically possible for a webservice buffer overflow attack irrespective of the programming language used to write the service?
Many Thanks
If you had a programming language that checked at runtime that all buffer accesses were valid, how could you get a buffer overflow? There are lots of languages like this (e.g., Java).
A more practical question is, are there any web services which are implemented entirely (bottom to top) this way? I doubt it; most are built on top of an OS, usually written in C, and there’s the weakness. You have no practical guarantee that the machinery underlying your OS (or your Java runtime, for that matter) doesn’t have a hidden buffer overflow in it.
One thing you can do is to convert your “no buffer access check” programming language into a “checked” one that can’t make a mistake without reporting it. See our CheckPointer for a tool that does exactly this for the C programming language. At the moment, this tool isn’t practical for use in a production environment because it adds rather a lot of overhead. There is hope, however; there are research projects which produce programs that can’t access outside their own memory, but trade functional correctness/accurate reporting for performance, and these have pretty low overhead. Eventually these methods are likely to get used in those lower layers of software, to ensure they can’t cause a problem, either.
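An added illustration of the runtime bounds check the answer describes, in C (not code from the original post, and not a description of how CheckPointer itself works): a buffer that carries its own bounds, with every write validated and reported before any byte is copied. The names `checked_buf`, `checked_write`, `struct session` and `handle_request` are hypothetical, and the request data is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical "fat pointer": the buffer travels with its bounds. */
typedef struct {
    unsigned char *base;   /* start of the region */
    size_t         cap;    /* bytes in the region */
} checked_buf;

/* Checked store: returns 0 on success; on a violation it reports,
 * writes nothing and returns -1. The test is arranged so that
 * off + len is never computed and therefore cannot wrap around. */
int checked_write(checked_buf *b, size_t off, const void *src, size_t len)
{
    if (b == NULL || b->base == NULL || src == NULL)
        return -1;
    if (off > b->cap || len > b->cap - off) {
        fprintf(stderr, "bounds violation: off=%zu len=%zu cap=%zu\n",
                off, len, b->cap);
        return -1;
    }
    memcpy(b->base + off, src, len);
    return 0;
}

/* Constructed scenario: a 16-byte field sits next to a privilege flag,
 * so an unchecked copy of a longer request field could reach the flag. */
struct session {
    unsigned char name[16];
    int           is_admin;
};

/* Copies a request field into s->name through the checked interface. */
int handle_request(struct session *s, const char *field, size_t field_len)
{
    checked_buf name = { s->name, sizeof s->name };
    return checked_write(&name, 0, field, field_len);
}

int main(void)
{
    struct session s = { {0}, 0 };
    const char long_field[] = "AAAAAAAAAAAAAAAAAAAAAAAA"; /* 24 bytes */
    int r1 = handle_request(&s, "alice", 5);
    int r2 = handle_request(&s, long_field, sizeof long_field - 1);
    printf("short=%d long=%d is_admin=%d\n", r1, r2, s.is_admin);
    return 0;
}
```

The check only protects writes that go through `checked_write`; any code path that still touches `s->name` with a raw `memcpy` or `strcpy` is outside it, which is the answer's point about unchecked lower layers.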