I think this is quite a vaild question with vast implications....
I'm no "security professional", but here is what I think on the non-technical aspects (because I don't feel knowledgeable enough to make claims about future Buffer overflow tactics.)
From looking at other fields, technical and non... I think that if we stop education and awareness of BAD programming... Security/other problems will continue to plauge us all. Overflows or other new ones....

If we let people say 'i'll leave it to the compiler' or 'this server is just going to be running <insert ken. patch here>, so it'll be ok'....
We'll have more problems because of a lack of security awareness. They will just take the shape of other abuse. (Its also the problem of bloatware.)
More security or bug testing isn't really the solution, nor is a bandage like stackguard or others. (And don't blame it all on C...)
Even by education and advocacy of teachers, security is a mindset, not a checklist.
Maybe software must also go through a long security test phase?
People could be held accountable for bad software?

But its a never ending problem, as im sure many of us know. It only takes one domino to knock them all down, but if we arrange them right.... it does nothing.
(Until someone thinks of something we (or a team even) havn't... which is always a possibilty) Like just blowing the dominos down with a leaf blower :-P. Or blowing up the rackspace with a tru.ckb_om_b.

Yep. I am worried that if there is a 100% solution to protecting a system from running arbitrary code [over the short term] through buffer overrun and execution of stack code, we'll see what happened when "firewalls" were added to businesses-- employees just used simple password and claimed, "I don't have to use strong password, because we have a firewall."

Security in software seems to be an issue mostly because of media spotlight tarnishing name recognition, and/or as a result of ethical sales/R&D/customer-satisfaction/coding.

If a business does not see an advantage to paying attention to checking buffers/tainted data, will emphasis to avoid these problems decrease? (Sure, stability issues may eventually be resolved, but they seem to get resolved later than security fixes.)

Good point. Look at the increase in attacks based on invalid trust models (not bugs in syntax) in comparison to buffer overrun attacks in how e-mail worms have been spreading. Even a combination of malware code and social attacks in the form of early e-mai worms, that ask the user to examine the attachment don't need buffer overruns to be successful..

I have a good idea for a thread topic on this, so I'll have to save that for later. :-)

Good idea for stability and security, but bad for "being first to a ground of contention," and for market share is a big deal. (The Art of War)

This has been proposed, but some businesses might just pass the buck. Maybe they would hire coders as "independent contractors" and if legal accountability was theirs, the company would just end the contract and get another contractor. Maybe they would just add it to the shrinkwrap EULA for customers to waive that right. Also, there have been good discussions on how this would impact OpenSource.

I think it is *alot* better to redirect security from into the hands of incompetent coders (we are human after all) into compilers and the operating system.

On another note I have noticed that in the newer versions of SUSE (not running SELinux), that buffer overflows using strcpy didn't work. :)

Hmm, deja vu... (Ed: bleh, beaten to it! Guess all those conversations were with CotMan anyway)

Yep. I tried to offer references to the discussions we had (and this is why I cited your thread in the original), but wanted to take the discussion in a different direction... If we assume a solution is found that is 100% (even for a limited time) will that lead to even worse coding practices and even worse support for applications in the market with slower releases on bug fixes.

I really liked the discussion we had on this last year, but did not want to bring back the 1.5 year old thread or the 1 year old thread only to move with the similar topic (buffer overrun elimination) but in a different direction; this discussion does not need to be technical-- only opinion and future prediction.

[Heh. I notice many of the technical discussions on compiler, OS, and system tend to not be as popular as the social ones.]

Yes, overflows will be replaced by application-level attacks

Spoonm (of Metasploit fame) and I were just having this conversation a few weeks ago, and we both think that there will be pretty wide-spread use of technologies to defeat buffer overflows over the next few years. The will be replaced by application-level attacks, which we are already seeing with SQL injection etc. That is at least the opinion of this "security professional" and Spoonm (a hardcore shellcoder).