Re: Using the C programming language
Rico Secada wrote:
> On Sun, 23 Dec 2007 01:06:39 -0600 David Higgs [EMAIL PROTECTED] wrote:
>> On Dec 22, 2007 5:53 PM, Rico Secada [EMAIL PROTECTED] wrote:
>>> It is my understanding that C is the hacker's tool while Ada is the tool of the engineer. I think it is mostly because of tradition.
>>
>> Your understanding is wrong. I suspect that many professional engineers using C (and/or other languages) would strongly disagree with your offhand characterization.

Doesn't matter what language is used, you can still shoot yourself in the foot:

http://www.ima.umn.edu/~arnold/disasters/ariane.html
http://www.cas.mcmaster.ca/~baber/TechnicalReports/Ariane5/Ariane5.htm
http://www.ima.umn.edu/~arnold/disasters/ariane5rep.html

    The internal SRI software exception was caused during execution of a data conversion from 64-bit floating point to 16-bit signed integer value. The floating point number which was converted had a value greater than what could be represented by a 16-bit signed integer. This resulted in an Operand Error. The data conversion instructions (in Ada code) were not protected from causing an Operand Error, although other conversions of comparable variables in the same place in the code were protected.

--
Sincerely,
Kirk Ismay
System Administrator
--
Net Idea
201-625 Front Street
Nelson, BC V1L 4B6
P:250-352-3512 | F:250-352-9780 | TF:1-888-352-3512
Check out our brand new website! www.netidea.com
Re: Using the C programming language
On Thu, 27 Dec 2007 12:27:15 -0800 Kirk Ismay [EMAIL PROTECTED] wrote:
> Rico Secada wrote:
>> On Sun, 23 Dec 2007 01:06:39 -0600 David Higgs [EMAIL PROTECTED] wrote:
>>> On Dec 22, 2007 5:53 PM, Rico Secada [EMAIL PROTECTED] wrote:
>>>> It is my understanding that C is the hacker's tool while Ada is the tool of the engineer. I think it is mostly because of tradition.
>>>
>>> Your understanding is wrong. I suspect that many professional engineers using C (and/or other languages) would strongly disagree with your offhand characterization.
>
> Doesn't matter what language is used, you can still shoot yourself in the foot:

Nobody has argued against that :-)

> http://www.ima.umn.edu/~arnold/disasters/ariane.html
> http://www.cas.mcmaster.ca/~baber/TechnicalReports/Ariane5/Ariane5.htm
> http://www.ima.umn.edu/~arnold/disasters/ariane5rep.html
>
>     The internal SRI software exception was caused during execution of a data conversion from 64-bit floating point to 16-bit signed integer value. The floating point number which was converted had a value greater than what could be represented by a 16-bit signed integer. This resulted in an Operand Error. The data conversion instructions (in Ada code) were not protected from causing an Operand Error, although other conversions of comparable variables in the same place in the code were protected.
>
> --
> Sincerely,
> Kirk Ismay
> System Administrator
> --
> Net Idea
> 201-625 Front Street
> Nelson, BC V1L 4B6
> P:250-352-3512 | F:250-352-9780 | TF:1-888-352-3512
> Check out our brand new website! www.netidea.com
Re: Using the C programming language
Girish Venkatachalam wrote:
> Can someone give me a list of useful links on Ada so I can start learning the language? I did read the wikipedia entry though.

A short introduction to some of Ada's features in comparison to C/C++ and Java can be found here:
http://www.uni-weimar.de/cms/fileadmin/medien/medsicherheit/Teaching/SS07/SEfSVS07/00b.pdf

The best resource for learning Ada (95) online might be the book from John English:
http://www.it.bton.ac.uk/staff/je/adacraft/

Other Ada related resources:
http://www.adacore.com/home/
https://libre.adacore.com/
http://www.adaic.org/
http://adaworld.com/
http://adapower.com/

Regards,
Freddy
Re: Using the C programming language
Marco Peereboom wrote:
> So let's get the story straight. Ada is great but the compiler sucks. Winning combination for an open source OS.

As a matter of fact, gnat/gcc uses the same code generation back end for Ada as for any other supported language.

Regards,
Freddy
Re: Using the C programming language
Marco, talking about strlcpy:
> And now if the userspace people in Linux would also adopt it the world would be a better place. Can anyone say glibc?

Ulrich Drepper at the least appears busy elsewhere:

http://people.redhat.com/drepper/cpumemory.pdf
What Every Programmer Should Know About Memory (Nov. 21, 2007)

He is telling people they should manually partially unwrap for loops written in C in order to optimize level 1 data cache access:

Ulrich Drepper wrote:

    #define SM (CLS / sizeof (double))

    for (i = 0; i < N; i += SM)
      for (j = 0; j < N; j += SM)
        for (k = 0; k < N; k += SM)
          for (i2 = 0, rres = &res[i][j], rmul1 = &mul1[i][k]; i2 < SM; ++i2, rres += N, rmul1 += N)
            for (k2 = 0, rmul2 = &mul2[k][j]; k2 < SM; ++k2, rmul2 += N)
              for (j2 = 0; j2 < SM; ++j2)
                rres[j2] += rmul1[k2] * rmul2[j2];

That's giving him an 83% speed improvement on 1000x1000 by 1000x1000 double precision matrix multiplication - on his particular hardware, Linux and gcc version, that is (as an aside, I failed to find a single word concerning numerical stability in that context). In that respect, he is not cheating; he clearly states in the introduction that the paper is limited to commodity hardware and further limited to a subset of that hardware and that the text exclusively describes Linux. Besides, he is advertising posix_memalign, __attribute((aligned(64))), -mpreferred-stack-boundary, __builtin_expect, -freorder-blocks and -falign-jumps.

Sure, the title of that 114 page paper reads "What Every Programmer Should Know About Memory". Did you?

    $ wc /tmp/cpumemory.*
       4879   23252  934051 /tmp/cpumemory.pdf
       2375   91431  516772 /tmp/cpumemory.txt
    $ perl -ne '/(strl\w+)/i && print "$1\n";' /tmp/cpumemory.txt
    strlen
    strlen

Well, probably strlcpy is simply just unrelated to anything we ought to know about memory access.
Re: Using the C programming language
Citing Marco again, concerning strlcpy, because this is even more relevant:
> And now if the userspace people in Linux would also adopt it the world would be a better place. Can anyone say glibc?

Actually, there is one additional paper on that web site:

http://people.redhat.com/drepper/defprogramming.pdf
Ulrich Drepper: Defensive Programming (May 3, 2006)

The first main chapter, "Safe Programming", starts out like this:

Ulrich Drepper writes:

    The main problem with programming in C, C++, and similar languages is the memory handling. Memory for most interfaces has to be allocated explicitly and this means possibilities for bugs. These memory handling problems are pervasive and in the last few years have become the main reason for exploits. A large array of techniques has been developed by the black hat groups to exploit memory handling bugs. These bugs mainly include buffer overruns, double free() calls, and invalid pointer value usage. In later sections we will discuss how to detect these kind of bugs. Here we concentrate on ways to avoid them altogether.

That does sound promising, doesn't it?

In the following, I did find warnings that gets(3) will overflow buffers (surprise, surprise). The function strcpy(3) is also mentioned: in one example, it is used to correctly copy a string literal into a fixed-size buffer of sufficient size. At that point, I could not find any hint that other uses of this function might be dangerous. But later on, strcpy(3) is used as an example to illustrate the _FORTIFY_SOURCE compiler macro implementing the following check in gcc version 4 (sic):

    Functions operating on memory blocks are checked if the size of the memory blocks is known. Not all calls to these functions are checked. This is not possible since in general there is no information about the buffers available.

When the new macro is switched on, that is; as far as I understand, in gcc 4, it will be off by default. That's really a tremendous step forward, isn't it?
Apart from that, I couldn't find references to strncpy(3) or strncat(3). In particular, I could not find any hint that those two might be used in order to avoid any dangers resulting from strcpy(3) or strcat(3), or that they might even introduce new dangers. I failed to find any evidence that Drepper was aware of the existence of strlcpy(3) or strlcat(3) when he last revised his paper on Defensive Programming on May 3, 2006. Sadly, strlcpy(3) states:

    The strlcpy() and strlcat() functions first appeared in OpenBSD 2.4.

By the way, they do have strndup, strdupa and strndupa besides strdup in glibc. Drepper spends more than half a column discussing those four functions. That alone looks rather bizarre - Dowd/McDonald/Schuh, by contrast, elaborate on strcpy, strcat, strlcpy, strlcat filling more than four pages, but apparently don't feel the need to even mention strdup.

Drepper does not mention which of the str*dup*s, if any, are portable. He does not mention that alloca(3) is machine dependent, he does not mention that its implementation might be buggy on some systems, he does not mention that use of alloca(3) might fail inside the argument list of a function call, he does not mention that alloca(3) might overflow the stack. He doesn't warn against using strdupa on huge buffers. He only says that alloca(3) is bound to the stack frame, is faster than malloc(3), and that releasing the memory could sometimes cause problems when variable size arrays are in use in the same function.

So, that appears to be part of the current state of Defensive Programming for Red Hat Enterprise Linux, straight from the glibc horse's mouth...
Re: Using the C programming language
Language Wars!

This thread was discussing C vs Ada vs Java etc. Even Borland VCL was brought up. Yes, the VCL was written in Delphi/Pascal and the Borland C++ compilers can link to modern Pascal code. Why? Because modern Pascal and C languages are actually quite similar today with regards to the power they offer... and they are very compatible with each other.

Modern Pascal is an alternative or complement to Ada and C. Those looking for an alternative REAL WORLD language to modern C could look into modern Pascal. The popular modern Pascal compiler is called FPC.

Some benchmarks showing FPC performance:
http://z505.com/images/fpc-better-than-gcc.png
http://z505.com/cgi-bin/qkcont/qkcont.cgi?p=Benchmarks-Show-FPC-is-Better-than-GCC
(disclaimer: benchmarks are just a point of reference.. not to be taken too seriously)

I have freepascal working under Linux emulation on OpenBSD.. soon I'll try it natively. It works on FreeBSD.

This thread was also talking about safety checks of the C programming language and such. Well, some of the safety checks you can use in freepascal/fpc:

    begin
      {$R+}              // turns range checking on
      {$I+}              // turns I/O checking on
      {$CHECKPOINTER ON} // turns pointer checks on
      writeln('blah blah blah');
    end.

More info if you are interested in modern Pascal:
http://z505.com/cgi-bin/qkcont/qkcont.cgi?p=Modern-Pascal-For-Newbies

Sorry for the FPC advocacy, but I had to bring it up because you folks were involved in a language flamewar between Ada, C, Pascal, Java, etc. etc. etc.

Regards,
L505
Re: Using the C programming language
And now if the userspace people in Linux would also adopt it the world would be a better place. Can anyone say glibc?

On Mon, Dec 24, 2007 at 04:40:27AM +0100, Rico Secada wrote:
> On Sun, 23 Dec 2007 09:11:55 -0600 Marco Peereboom [EMAIL PROTECTED] wrote:
>> Here is a constant: your code is as bad as the developer.
>
> I agree :-), and here is another constant:
>
>     #define strlcpy Theo de Raadt
>
> From lwn.net in 2003:
>
>     Years of buffer overflow problems have made it clear that the classic C string functions - strcpy() and friends - are unsafe. Functions like strncpy(), which take a length argument, have been presented as the safe alternatives. But strncpy() has always been poorly suited to the task; it wastes time by zero-filling the destination string, and, if the string to be copied must be truncated, the result is no longer NULL-terminated. A non-terminated string can lead to overflows and bugs in its own right.
>
>     So Linus finally got fed up and put together a new copy_string() function which does what most strncpy() users really wanted in the first place.
>
>     As is often the case with this sort of security-related improvement, OpenBSD got there first. In fact, back in 1996, the OpenBSD team came up with a new string API which avoids the problems of both strcpy() and strncpy(). The resulting functions, with names like strlcpy(), have been spreading beyond OpenBSD. The basic function is simple:
>
>         size_t strlcpy(char *dest, const char *src, size_t size);
>
>     The source string is copied to the destination and properly terminated; the return value is the length of the source. If that length is greater than the destination string, the caller knows that the string has been truncated.
>
>     Linus agreed that following OpenBSD's lead was the right way forward, and strlcpy() is in his BitKeeper repository, waiting for 2.5.71. There has also been a flurry of activity to convert kernel code over to the new function. By the time 2.6.0 comes out, strncpy() may no longer have a place in the Linux kernel.
Re: Using the C programming language
On Dec 24, 2007 4:40 AM, Rico Secada [EMAIL PROTECTED] wrote: Linus agreed that following OpenBSD's lead was the right way forward, and strlcpy() is in his BitKeeper repository, waiting for 2.5.71. There has also been a flurry of activity to convert kernel code over to the new function. By the time 2.6.0 comes out, strncpy() may no longer have a place in the Linux kernel. We are nearly in 2008, 2.6.24 is on its way to the release, and strncpy bugs still appear in the Linux kernel. I just stumbled upon this, it's a commit from yesterday in Linus' tree: From: Eric Sandeen [EMAIL PROTECTED] Date: Sat, 22 Dec 2007 22:03:24 + (-0800) Subject: ecryptfs: fix string overflow on long cipher names X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=b88629060b03adc58639f818fe0968bf5fe81b5d ecryptfs: fix string overflow on long cipher names Passing a cipher name 32 chars on mount results in an overflow when the cipher name is printed, because the last character in the struct ecryptfs_key_tfm's cipher_name string was never zeroed. Signed-off-by: Eric Sandeen [EMAIL PROTECTED] Acked-by: Michael Halcrow [EMAIL PROTECTED] Signed-off-by: Andrew Morton [EMAIL PROTECTED] Signed-off-by: Linus Torvalds [EMAIL PROTECTED] --- diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c index bbed2fd..67e8b16 100644 --- a/fs/ecryptfs/crypto.c +++ b/fs/ecryptfs/crypto.c @@ -1847,6 +1847,7 @@ ecryptfs_add_new_key_tfm(struct ecryptfs_key_tfm **key_tfm, char *cipher_name, mutex_init(tmp_tfm-key_tfm_mutex); strncpy(tmp_tfm-cipher_name, cipher_name, ECRYPTFS_MAX_CIPHER_NAME_SIZE); + tmp_tfm-cipher_name[ECRYPTFS_MAX_CIPHER_NAME_SIZE] = '\0'; tmp_tfm-key_size = key_size; rc = ecryptfs_process_key_cipher(tmp_tfm-key_tfm, tmp_tfm-cipher_name, -- Pierre Riteau
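Review bot: the terminator written at index ECRYPTFS_MAX_CIPHER_NAME_SIZE is only in bounds if cipher_name is declared with ECRYPTFS_MAX_CIPHER_NAME_SIZE + 1 bytes, and the struct definition is not part of this hunk, so that should be confirmed before merging. Since strlcpy has been in the kernel since 2.5.71 (per the lwn.net text quoted earlier in this thread), a single strlcpy into cipher_name with sizeof(cipher_name) would replace the strncpy-plus-manual-terminator pair, always terminate, and return a length the caller can compare against the buffer size to reject over-long names at mount time rather than silently truncating them.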
Re: Using the C programming language
Rico Secada wrote:
> Again let's ask Boing.

I'm fully aware that spelling flames are terribly tasteless, but the image of planes loaded with Ada code going boing, boing, boing down the runway just won't leave my mind.

It's Boeing.

--Jon Radel
[EMAIL PROTECTED]

P.S. Sorry.

[demime 1.01d removed an attachment of type application/x-pkcs7-signature which had a name of smime.p7s]
Re: Using the C programming language
On Dec 24, 2007 4:35 AM, scott [EMAIL PROTECTED] wrote:
> off misc@
>
> http://www.urbandictionary.com/define.php?term=ROTFLMAO
>
> See #3. Silly boy.

OK, so I didn't roll on the floor laughing my ass off, but I certainly did burst out in fits of giggles.

--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity." -- Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." -- Gene Spafford
learn french: http://www.youtube.com/watch?v=j1G-3laJJP0feature=related
Re: Using the C programming language
On Mon, 24 Dec 2007 17:01:54 -0500 Jon Radel [EMAIL PROTECTED] wrote:
> Rico Secada wrote:
>> Again let's ask Boing.
>
> I'm fully aware that spelling flames are terribly tasteless, but the image of planes loaded with Ada code going boing, boing, boing down the runway just won't leave my mind.

Quite funny actually - lol :-)

> It's Boeing.

Thanks! :-)

> --Jon Radel
> [EMAIL PROTECTED]
>
> P.S. Sorry.
>
> [demime 1.01d removed an attachment of type application/x-pkcs7-signature which had a name of smime.p7s]
Re: Using the C programming language
On Mon, 24 Dec 2007, Jon Radel wrote:
> Rico Secada wrote:
>> Again let's ask Boing.
>
> I'm fully aware that spelling flames are terribly tasteless, but the image of planes loaded with Ada code going boing, boing, boing down the runway just won't leave my mind.
>
> It's Boeing.

Ada was just coming onto the scene when I quit that sort of work many years ago, but we were considering it for some projects. Ada seemed to me like an excuse to include management in the development process and double the programming staff for the same project. Never could do anything for simplification or good coding.

In addition, VERY few outside the defense industry have ever played with it (much less been productive and written good code), so that 'market' of experienced programmers is WAY too small to be useful for an international development environment.

Happy Holidays to all!

Lee
Re: Using the C programming language
On Sun, 23 Dec 2007 01:06:39 -0600 David Higgs [EMAIL PROTECTED] wrote:
> On Dec 22, 2007 5:53 PM, Rico Secada [EMAIL PROTECTED] wrote:
>> It is my understanding that C is the hacker's tool while Ada is the tool of the engineer. I think it is mostly because of tradition.
>
> Your understanding is wrong. I suspect that many professional engineers using C (and/or other languages) would strongly disagree with your offhand characterization.

And yet many would agree.

>> You find Ada in almost all of Boings airplanes, and in most industry critical systems. Ada was written with compile time protection against bugs such as buffer-overflows and so on.
>
> Didn't I read a Slashdot article about the NYSE going to Linux? What language is medical software written in? What about the competing companies that aren't using Ada? How does their track record of software faults compare?

Let's address your question here: http://www.adacore.com/home/ada_answers/lookwho

> Compile time protection isn't worth the time it takes to run them if your specification has flaws, your code doesn't match the spec, or the compiler has errors. There are MANY other types of errors that can never be caught at compile-time. Just because these errors SHOULD be accounted for in the program's spec doesn't mean that they WILL be.

No, but it sure makes a big difference, or maybe Airbus, Boing, EADS and BAE Systems are wrong on their choice?

>> But like many have stated, what makes programs good and secure is the programmer, but IMHO the tools and languages are important too. You cannot use something like C in a really security demanding situation, and here I think about human lives, like in spacecraft.
>
> Completely false. You can use any tool you want with an appropriate model of the system; this includes your tools and code. The software for the original US moon missions was written in assembly code; portions may still be in use today because of its extreme reliability. Did you post a list somewhere or did I miss it?

Of course you can use any tool you want, but that's not the point. Let me rephrase what I wrote: you can use any tool you want, but you should not use something like C if your life depends on it. Again let's ask Boing.

>> A simple buffer overflow might crash the plane, and you have to have some ways of eliminating that completely. That is why Ada was designed the way it was. You can read about the history of Ada on Wikipedia. Why so much is written in C on Unix-like systems, I think it's mainly tradition. IMO Ada would be much better from a security point of view.
>
> Your opinion means nothing without code. Even with code, the OpenBSD project likely won't care anyways. You are barking up the wrong tree.

I am not barking at OpenBSD.

>> I agree that it would be better if OpenBSD, or any other system for that matter, was written in Ada rather than C, and they could just as well, but re-writing something as huge as OpenBSD is a MAJOR task, and what would the real benefits be in this situation? The OpenBSD team knows exactly what they are doing, hence the extra security of Ada becomes almost unnecessary, but again I agree, had OpenBSD been in Ada from day one, that would have saved them a LOT of time! Bugs would be caught at compile time and bad coding would almost be eliminated.
>
> Go back to Wikipedia. OpenBSD was a fork and essentially worked from day one. However, as you say, rewriting something as big as OpenBSD is a MAJOR task in the timeframe of years or decades. Instead of improving security in a known system, all those years would be wasted reinventing the wheel and playing catch-up with the pre-existing feature set of modern operating systems.

Yes, you are right.

> Your insistence on equating compile-time checks with secure programming is incorrect, and indicates your inexperience in secure programming. Academic questions like this should be googled or asked on comp.lang.ada.

I did not equate compile-time checks with secure programming. Like I wrote: "But like many have stated, what makes programs good and secure is the programmer, but IMHO the tools and languages are important too." Combining the two surely doesn't hurt. No matter how skillful you are at programming securely, you are going to fail sooner or later in catching a bug, and having the compiler save you from that is like having an airbag in your car. The driver still has to know how to drive, but having a safe car doesn't decrease the risk!

> Good luck.
>
> --david
Re: Using the C programming language
I have used and taught Ada, for what that's worth. I also looked at Ada for writing OS kernel code, but the quality of the compilers forced me back to the C family.

Question for the proponents of Ada: how many operating system kernels do you know of which are written in Ada? Now answer the same question for C. For extra marks, explain why the discrepancy, paying particular attention to the strengths and weaknesses of each language in this particular usage.

--
Christopher Vance
Re: Using the C programming language
On Sun, 23 Dec 2007 21:11:50 +1100 Christopher Vance [EMAIL PROTECTED] wrote:
> I have used and taught Ada, for what that's worth. I also looked at Ada for writing OS kernel code, but the quality of the compilers forced me back to the C family.

What compilers?

> Question for the proponents of Ada: how many operating system kernels do you know of which are written in Ada? Now answer the same question for C.

Ada has mainly been used in real-time life dependent systems, not in operating systems. There hasn't been a free compiler around before 1995 and it hasn't been that good.

> For extra marks, explain why the discrepancy, paying particular attention to the strengths and weaknesses of each language in this particular usage.

Free compiler.

> --
> Christopher Vance
Re: Using the C programming language
On Sat, 22 Dec 2007 15:08:05 +0100 Erik Wikström [EMAIL PROTECTED] wrote:
> On 2007-12-22 12:06, Brian Hansen wrote:
>> Hi. I address this issue on this list, because a lot of people here are very skillful C programmers. When looking at some of the different reasons for security problems such as: http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/ I can't help wondering why so much software is being developed using C.
>
> This isn't the right place, but since you did it anyway, try looking at the compiler issue.

The Portable C Compiler (PCC) was written in the mid-1970s. PCC shipped with BSD Unix until the release of 4.4BSD in 1994. The history of Ada is?
Re: Using the C programming language
On Sun, Dec 23, 2007 at 09:12:53AM +0100, Rico Secada wrote:
> On Sun, 23 Dec 2007 01:06:39 -0600 David Higgs [EMAIL PROTECTED] wrote:
>> On Dec 22, 2007 5:53 PM, Rico Secada [EMAIL PROTECTED] wrote:
>>> It is my understanding that C is the hacker's tool while Ada is the tool of the engineer. I think it is mostly because of tradition.
>>
>> Your understanding is wrong. I suspect that many professional engineers using C (and/or other languages) would strongly disagree with your offhand characterization.
>
> And yet many would agree.

Show me the code. No really, show it to us.

>>> You find Ada in almost all of Boings airplanes, and in most industry critical systems. Ada was written with compile time protection against bugs such as buffer-overflows and so on.
>>
>> Didn't I read a Slashdot article about the NYSE going to Linux? What language is medical software written in? What about the competing companies that aren't using Ada? How does their track record of software faults compare?
>
> Let's address your question here: http://www.adacore.com/home/ada_answers/lookwho

Yay, marketing fodder. I am sure lots of Fortune 500 companies use Java and C++ too; doesn't make it a good idea. They are still stupid and bad languages that are costing you and me something (slow cell phones, mgmt interfaces that only work in IE, etc).

>> Compile time protection isn't worth the time it takes to run them if your specification has flaws, your code doesn't match the spec, or the compiler has errors. There are MANY other types of errors that can never be caught at compile-time. Just because these errors SHOULD be accounted for in the program's spec doesn't mean that they WILL be.
>
> No, but it sure makes a big difference, or maybe Airbus, Boing, EADS and BAE Systems are wrong on their choice?

Good for them. They made a choice that met THEIR needs.

>>> But like many have stated, what makes programs good and secure is the programmer, but IMHO the tools and languages are important too. You cannot use something like C in a really security demanding situation, and here I think about human lives, like in spacecraft.
>>
>> Completely false. You can use any tool you want with an appropriate model of the system; this includes your tools and code. The software for the original US moon missions was written in assembly code; portions may still be in use today because of its extreme reliability. Did you post a list somewhere or did I miss it?
>
> Of course you can use any tool you want, but that's not the point. Let me rephrase what I wrote: you can use any tool you want, but you should not use something like C if your life depends on it. Again let's ask Boing.

Give me a language and I'll show you how to crash a program written in it. It isn't too hard to overrun a buffer in any language. Here is a constant: your code is as bad as the developer.

>>> A simple buffer overflow might crash the plane, and you have to have some ways of eliminating that completely. That is why Ada was designed the way it was. You can read about the history of Ada on Wikipedia. Why so much is written in C on Unix-like systems, I think it's mainly tradition. IMO Ada would be much better from a security point of view.
>>
>> Your opinion means nothing without code. Even with code, the OpenBSD project likely won't care anyways. You are barking up the wrong tree.
>
> I am not barking at OpenBSD.

You are talking about a language that has no relevance to the OpenBSD OS. Yes, you are barking up the wrong tree. I am sure other language people would like to discuss the theoretical merit of languages, elsewhere!

>>> I agree that it would be better if OpenBSD, or any other system for that matter, was written in Ada rather than C, and they could just as well, but re-writing something as huge as OpenBSD is a MAJOR task, and what would the real benefits be in this situation? The OpenBSD team knows exactly what they are doing, hence the extra security of Ada becomes almost unnecessary, but again I agree, had OpenBSD been in Ada from day one, that would have saved them a LOT of time! Bugs would be caught at compile time and bad coding would almost be eliminated.
>>
>> Go back to Wikipedia. OpenBSD was a fork and essentially worked from day one. However, as you say, rewriting something as big as OpenBSD is a MAJOR task in the timeframe of years or decades. Instead of improving security in a known system, all those years would be wasted reinventing the wheel and playing catch-up with the pre-existing feature set of modern operating systems.
>
> Yes, you are right.
>
>> Your insistence on equating compile-time checks with secure programming is incorrect, and indicates your inexperience in secure programming. Academic questions like this should be googled or asked on comp.lang.ada.
>
> I did not equate compile-time checks with secure programming. Like I
Re: Using the C programming language
So let's get the story straight. Ada is great but the compiler sucks. Winning combination for an open source OS.

On Sun, Dec 23, 2007 at 04:33:47PM +0100, Rico Secada wrote:
> On Sun, 23 Dec 2007 21:11:50 +1100 Christopher Vance [EMAIL PROTECTED] wrote:
>> I have used and taught Ada, for what that's worth. I also looked at Ada for writing OS kernel code, but the quality of the compilers forced me back to the C family.
>
> What compilers?
>
>> Question for the proponents of Ada: how many operating system kernels do you know of which are written in Ada? Now answer the same question for C.
>
> Ada has mainly been used in real-time life dependent systems, not in operating systems. There hasn't been a free compiler around before 1995 and it hasn't been that good.
>
>> For extra marks, explain why the discrepancy, paying particular attention to the strengths and weaknesses of each language in this particular usage.
>
> Free compiler.
>
>> --
>> Christopher Vance
Re: Using the C programming language
On Sun, Dec 23, 2007 at 09:11:55AM -0600, Marco Peereboom wrote:
> I even found a use for C++! Encapsulating the win32 API using Borland VCL makes it almost useful and a whole lot less painful. That's about as good as I have seen C++ be; everything else is downhill.

But isn't the VCL written in modern Pascal? Kind of ironic...

--
Jussi Peltola
Re: Using the C programming language
On Sat, Dec 22, 2007 at 12:06:34PM +0100, Brian Hansen wrote:
> Hi. I address this issue on this list, because a lot of people here are very skillful C programmers.

Unlike you. You're not even skilled at looking through mailing-list archives. This specific subject has already been debated to death around here. You weren't around? Tough. Look it up.
Re: Using the C programming language
On 12/22/07, Brian Hansen [EMAIL PROTECTED] wrote:
> 2. Rather than auditing a lot of code, correcting a lot of coding mistakes, like the OpenBSD security team has done, and still does, why not shift from C to something just as fast and powerful as C, but more secure? Again like Ada. (To completely avoid the possibilities of those errors.)

Why did you write your email in English? Esperanto is simpler and less error-prone.
Re: Using the C programming language
On Sun, 23 Dec 2007 09:11:55 -0600 Marco Peereboom [EMAIL PROTECTED] wrote:
> Here is a constant: your code is as bad as the developer.

I agree :-), and here is another constant:

    #define strlcpy Theo de Raadt

From lwn.net in 2003:

    Years of buffer overflow problems have made it clear that the classic C string functions - strcpy() and friends - are unsafe. Functions like strncpy(), which take a length argument, have been presented as the safe alternatives. But strncpy() has always been poorly suited to the task; it wastes time by zero-filling the destination string, and, if the string to be copied must be truncated, the result is no longer NULL-terminated. A non-terminated string can lead to overflows and bugs in its own right.

    So Linus finally got fed up and put together a new copy_string() function which does what most strncpy() users really wanted in the first place.

    As is often the case with this sort of security-related improvement, OpenBSD got there first. In fact, back in 1996, the OpenBSD team came up with a new string API which avoids the problems of both strcpy() and strncpy(). The resulting functions, with names like strlcpy(), have been spreading beyond OpenBSD. The basic function is simple:

        size_t strlcpy(char *dest, const char *src, size_t size);

    The source string is copied to the destination and properly terminated; the return value is the length of the source. If that length is greater than the destination string, the caller knows that the string has been truncated.

    Linus agreed that following OpenBSD's lead was the right way forward, and strlcpy() is in his BitKeeper repository, waiting for 2.5.71. There has also been a flurry of activity to convert kernel code over to the new function. By the time 2.6.0 comes out, strncpy() may no longer have a place in the Linux kernel.
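The strlcpy() contract quoted from lwn.net in this message (and in Marco's reply earlier in the thread), next to the strncpy() non-termination problem behind the ecryptfs commit Pierre posted. This is an added example, not code from any poster, from OpenBSD's libc or from the kernel: bsd_strlcpy is my own implementation of the described semantics (named so it does not collide with a libc that already ships strlcpy), NAME_SIZE is a constructed buffer size, and the cipher names are constructed sample input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* strlcpy as the lwn.net text describes it: copy src into dst, always
 * NUL-terminate when size > 0, and return strlen(src) so the caller can
 * compare it with size to detect truncation.  Own implementation here,
 * named bsd_strlcpy so it does not collide with a libc strlcpy. */
size_t bsd_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);

    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* True if buf holds a NUL within its first size bytes.  memchr stops at
 * the bound, so this never walks off the end the way strlen would. */
bool is_terminated(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

/* Constructed buffer size; same shape as a fixed-size name field that is
 * filled with strncpy(dst, src, sizeof dst). */
#define NAME_SIZE 8

/* Fill a NAME_SIZE buffer with strncpy, bounded by the buffer size exactly
 * as the ecryptfs code did.  Returns whether the result is still a C string:
 * once src has NAME_SIZE or more characters, strncpy writes no terminator. */
bool strncpy_leaves_terminated(const char *src)
{
    char buf[NAME_SIZE];
    memset(buf, 'X', sizeof buf);          /* start from a known non-NUL state */
    strncpy(buf, src, sizeof buf);
    return is_terminated(buf, sizeof buf);
}

/* Same copy with bsd_strlcpy.  Returns 0 if src fit, 1 if it was truncated
 * (the return-value check the lwn text describes), 2 if the buffer were ever
 * left unterminated, which must not happen. */
int strlcpy_outcome(const char *src)
{
    char buf[NAME_SIZE];
    memset(buf, 'X', sizeof buf);
    size_t n = bsd_strlcpy(buf, src, sizeof buf);
    if (!is_terminated(buf, sizeof buf))
        return 2;
    return n >= sizeof buf ? 1 : 0;
}

/* Copy src into a NAME_SIZE buffer with bsd_strlcpy; 1 if the buffer then
 * equals expected and the return value equals expected_ret, else 0. */
int strlcpy_gives(const char *src, const char *expected, size_t expected_ret)
{
    char buf[NAME_SIZE];
    size_t n = bsd_strlcpy(buf, src, sizeof buf);
    return n == expected_ret && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* constructed sample names: one short, one that exactly fills the
     * buffer minus the terminator, one that is too long */
    const char *names[] = { "aes", "twofish", "blowfish-cbc" };

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-14s strncpy terminated: %d   strlcpy outcome: %d\n",
               names[i], strncpy_leaves_terminated(names[i]),
               strlcpy_outcome(names[i]));
    return 0;
}
```

The over-long name is the case the ecryptfs fix patched after the fact: strncpy leaves no terminator in the buffer, while bsd_strlcpy terminates and reports the truncation through its return value so the caller can reject the input.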
Re: Using the C programming language
I have been trying to learn programming for a long time. Admittedly, I've wasted a good amount of time trying to find the right language to start. I eventually came across Ada. I read all about it and bought into all the stuff that you've mentioned. I even spent a couple of hundred dollars on books for Ada. I eventually gave up on Ada as a first language. The reason: I couldn't find a compiler, especially for OpenBSD, especially one that was actively maintained. The best I could come up with was one that required a C compiler (GCC). Most of the websites on Ada looked very outdated and there were not a lot of tutorials for a newbie like me. Even the books I bought were outdated. My theory for why people don't use Ada is because C came out first and it was a simple programming language, and freely available to college students. Because of this, people started using it, making libraries for it, writing tutorials and books for it, and teaching classes for it in colleges around the world. The simplicity, free compilers, C libraries, tutorials, books, and classes brought in more people, creating a hurricane of mind share. And the C language has been kept relevant as time passes by its users. This hasn't been the case for Ada. Ada came out roughly a decade after C and when it did, the compilers were proprietary and very expensive. Only big aircraft companies could afford the compilers. Thus its growth in mind share was impotent from its beginning while C kept/keeps growing. This is my own opinion based off what I read and googled. Be sceptical about what I say as I'm no authority, especially since I don't yet know how to program. One more thing, NASA and the US government use all kinds of programming languages. It's fragmented in languages despite the so-called standardization on Ada. I read one story where NASA had an expensive satellite in space that stopped functioning because of a software bug. Luckily they programmed it in Lisp. Lisp can be changed while it's still running.
So they found the Lisp bug and sent the change and the change was instantaneous once the satellite received it. No compiling or rerunning the script/code necessary. Can you do that in Ada? (Note that question is a really deep question in light of all the advantages of Ada.)
Re: Using the C programming language
On Dec 23, 2007 1:40 PM, Ted Unangst [EMAIL PROTECTED] wrote: On 12/22/07, Brian Hansen [EMAIL PROTECTED] wrote: 2. Rather than auditing a lot of code, correcting a lot of coding mistakes, like the OpenBSD security team has done, and still do, why not shift from C to something, just as fast and powerful as C, but more secure? Again like Ada. (to completely avoid the possibilities of those errors). Why did you write your email in English? Esperanto is simpler and less error-prone. OK, I have to say - ROTFLMAO. Brian, I hope you get Ted's point. Oh my god. I think this response ought to be in the FAQ... -- http://www.glumbert.com/media/shift http://www.youtube.com/watch?v=tGvHNNOLnCk This officer's men seem to follow him merely out of idle curiosity. -- Sandhurst officer cadet evaluation. Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted. -- Gene Spafford Learn French: http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related
Re: Using the C programming language
On Sun, 23 Dec 2007, Kim Naim Lesmer wrote: The Portable C Compiler (PCC) was written in mid-1970s. PCC shipped with BSD Unix until the release of 4.4BSD in 1994. The history of Ada is? About 10 years younger. So? Dave
Re: Using the C programming language
On 12:06:34 Dec 22, Brian Hansen wrote: Hi. I address this issue on this list, because a lot of people here are very skillful C programmers. Yes. OpenBSD not only is secure, the code is also exceedingly beautiful. You can discern a certain artistic beauty in the way code is written, even commented. If you don't believe me, take a look at the IPsec implementation in the other BSDs from KAME and the one in OpenBSD. ;) If you are really bold, also see the same under Linux. www.freeswan.org which was abandoned. The code is so direct, clear and straightforward. Security can be obtained only thro' simplicity, less code and a good review process. OpenBSD's C coding process ensures all three. And more. It is not possible for ssh to be so secure but for these practices. If you look at secure code from other projects, you will find that the code is so poorly indented, carelessly written and all sorts of tricks resorted to. This makes review ineffective and audit close to impossible. It is not just the programming language. It is also how it is used and who uses it that matters. In Tamil, my mother tongue, there is a beautiful simile. Flower garland in the hand of a monkey. You need really smart people to do a good job. Even the best of tools will be misused by incompetent people the same way a flower garland is spoilt by a monkey. When looking at some of the different reasons for security problems such as: http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/ I can't help wonder why so much software is being developed using C. To conclude my study I appreciate any help on the following questions: 1. If security is a major concern, or perhaps The Main Concern, why not use Ada? I specifically mention Ada since one of the most security-demanding industries is building aircraft, and they use Ada. I dunno about ada. 2.
Rather than auditing a lot of code, correcting a lot of coding mistakes, like the OpenBSD security team has done, and still do, why not shift from C to something, just as fast and powerful as C, but more secure? Again like Ada. (to completely avoid the possibilities of those errors). There is simply no alternative to C. Period. 3. Are there any real benefits in using C++ over C regarding security? Is C++ really better from a security perspective? C++ is a disease. A horrible programming language. 4. Has anyone from the OpenBSD team written any guidelines in secure programming? (I haven't been able to locate anything except some interviews and stuff). Check out the papers on http://www.openbsd.org/papers/ You can take a look at one of them on OpenBSD culture. -Girish
Re: Using the C programming language
On 2007-12-22 12:06, Brian Hansen wrote: Hi. I address this issue on this list, because a lot of people here are very skillful C programmers. When looking at some of the different reasons for security problems such as: http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/ I can't help wonder why so much software is being developed using C. To conclude my study I appreciate any help on the following questions: 1. If security is a major concern, or perhaps The Main Concern, why not use Ada? I specifically mention Ada since one of the most security-demanding industries is building aircraft, and they use Ada. I'm not very familiar with Ada so I do not know if it allows for the same kinds of low-level programming (which is necessary when writing an OS or code that interacts with hardware) that C does. 2. Rather than auditing a lot of code, correcting a lot of coding mistakes, like the OpenBSD security team has done, and still do, why not shift from C to something, just as fast and powerful as C, but more secure? Again like Ada. (to completely avoid the possibilities of those errors). The speed of C comes, among other things, from the lack of security checks and from allowing potentially unsafe operations. Again, I do not know Ada so I do not know how it achieves its high level of safety, but I would think that runtime checks are part of it. 3. Are there any real benefits in using C++ over C regarding security? Is C++ really better from a security perspective? C++ is not inherently safer than C (in fact much C code is also valid C++) but there are a number of mechanisms in C++ that make some kinds of constructs easier/more convenient. But there is nothing that can be done in C++ that can not be done or emulated in C. What C++ does offer with its more extensive OO support is to make it easier to encapsulate potentially unsafe operations and constructs in higher-level objects.
By making sure that those objects never perform any unsafe actions you eliminate some low-hanging fruit (one of the most common security problems comes from too small string buffers; by using string classes instead the user does not have to concern him/herself with such things). Of course such encapsulation is not free and there are both speed and memory considerations. Having said that, you should be aware that most of the tougher security issues are language independent; even code written in C# and similar languages can have security issues. -- Erik Wikström
Re: Using the C programming language
On Sat, Dec 22, 2007 at 12:06:34PM +0100, Brian Hansen wrote: I address this issue on this list, because a lot of people here are very skillful C programmers. When looking at some of the different reasons for security problems such as: http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/ I can't help wonder why so much software is being developed using C. To conclude my study I appreciate any help on the following questions: 1. If security is a major concern, or perhaps The Main Concern, why not use Ada? I specifically mention Ada since one of the most security-demanding industries is building aircraft, and they use Ada. I've been wondering the same thing ever since I started learning about Ada. So many of the problems found during OpenBSD code audits would have been found at compile time if written in Ada since the Ada compiler itself looks for them. As you know, it also keeps track of things during run-time. 2. Rather than auditing a lot of code, correcting a lot of coding mistakes, like the OpenBSD security team has done, and still do, why not shift from C to something, just as fast and powerful as C, but more secure? Again like Ada. (to completely avoid the possibilities of those errors). Considering that Ada was written in a language design competition (and not written by a committee, as is the common myth) to replace all the hundreds of languages used in the US military, it has to be able to do everything from low-level system programming to high-level computational computer modeling. The amazing thing is that it does it all so well on the full range of hardware from an anti-tank missile to a Cray. It also is trivial to write for multiple threads or multiple processors. Set up the program correctly and it will use whatever multi-* is available at run-time with no change in compilation; if no threading or only a single processor is available it will run just fine too. I haven't been able to find any OS that is written in Ada.
There are probably lots of proprietary ones. Doug.
Re: Using the C programming language
I can't help wonder why so much software is being developed using C. C permits the programmer freedom to write code as the programmer sees fit. How the programmer uses that freedom is up to the programmer. Putting 'training wheels' on a programming language not only limits the mistakes that can be made... it also limits the exceptionally creative code that can be written. I would rather force myself to become a better programmer... one worthy and capable of using C correctly, than to have myself 'protected' from making 'mistakes'. C gives me enough rope to either hang myself, or pull myself up to the next level on the Learning Curve. Live Free Or Die. -- -wittig http://www.robertwittig.com/ http://robertwittig.net/ http://robertwittig.org/
Re: Using the C programming language
On Sat, Dec 22, 2007 at 09:25:14AM -0500, Douglas A. Tutty wrote: 1. If security is a major concern, or perhaps The Main Concern, why not use Ada? I specifically mention Ada since one of the most security-demanding industries is building aircraft, and they use Ada. I've been wondering the same thing ever since I started learning about Ada. So many of the problems found during OpenBSD code audits would have been found at compile time if written in Ada since the Ada compiler itself looks for them. As you know, it also keeps track of things during run-time. 2. Rather than auditing a lot of code, correcting a lot of coding mistakes, like the OpenBSD security team has done, and still do, why not shift from C to something, just as fast and powerful as C, but more secure? Again like Ada. (to completely avoid the possibilities of those errors). Considering that Ada was written in a language design competition (and not written by a committee, as is the common myth) to replace all the hundreds of languages used in the US military, it has to be able to do everything from low-level system programming to high-level computational computer modeling. The amazing thing is that it does it all so well on the full range of hardware from an anti-tank missile to a Cray. It also is trivial to write for multiple threads or multiple processors. Set up the program correctly and it will use whatever multi-* is available at run-time with no change in compilation; if no threading or only a single processor is available it will run just fine too. I haven't been able to find any OS that is written in Ada. There are probably lots of proprietary ones. Ada is cool. Ada can be used for a lot of things, and it does them well. Ada is more complex, and that carries its own problems. C is really a very simple language.
There are a handful of things about C that cause endless problems for people who have not learned the details of how C really works (this includes some people who have been writing C for a long time). But for those that know C well, it's very easy to write correct and readable code. C is also easily ported, which is why you often see other language compilers/interpreters written in C. If OpenBSD adopted Ada, there would still be the need for code audits. There is no magic bullet to solve all security problems. Security (and code quality) takes work, and a sensible development process. If you have a good process, the language matters less. If you have a bad process, then the language will not make things much better. C is used all over the world by a huge number of people. It's far easier to find coders who know how to write clean C than it is to find competent Ada coders. Others can say better why C is a better choice for systems-level programming, but the above points are still worth mentioning on their own. If other languages have addressed some failings of C, they have not done so in a compelling enough way to make it worthwhile to abandon the advantages of using C. -- Darrin Chandler| Phoenix BSD User Group | MetaBUG [EMAIL PROTECTED] | http://phxbug.org/ | http://metabug.org/ http://www.stilyagin.com/ | Daemons in the Desert | Global BUG Federation
Re: Using the C programming language
Brian Hansen wrote: ... I can't help wonder, why so much software are being developed using C. ... Because no one has done anything other than TALK about an alternative. People who talk, like alternatives. People who program seem to like C. Bringing up a general purpose OS on another language is going to be a major task, but if it is going to happen, people need to quit suggesting what other people do and start doing it and PROVE it is better by results, not talk. (hint: self-supporting OS on multiple different platforms, from amd64 to Zaurus. Self-supporting.) When you actually attempt this, you will probably find out: 1) It's a heck of a lot of work. 2) It's the people (programmers and management) that make an OS secure, not one tool. 3) why people write in C. 4) OpenBSD written in C is more secure, more stable, and more right than your alternative. You can do stupid stuff in C. You can do stupid stuff in any language. By lowering the bar and letting people think they are incapable of writing bad software, you will get entirely predictable results. There are things that can (and have!) been done to improve C, see the strl* functions for an example. But ultimately, people who write bad software will do it on any platform, with any set of tools. Make it easier, you just get more bad software. Nick.
Re: Using the C programming language
Hi. I address this issue on this list, because a lot of people here are very skillful C programmers. When looking at some of the different reasons for security problems such as: http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/ I can't help wonder why so much software is being developed using C. To conclude my study I appreciate any help on the following questions: 1. If security is a major concern, or perhaps The Main Concern, why not use Ada? I specifically mention Ada since one of the most security-demanding industries is building aircraft, and they use Ada. You are right, Ada is widely used in avionics, aerospace and defence systems, systems that demand a VERY high level of security and safety regarding lives and expensive equipment. And Ada is specifically designed for embedded systems too. It is my understanding that C is the hacker's tool while Ada is the tool of the engineer. I think it is mostly because of tradition. You find Ada in almost all of Boeing's airplanes, and in most industry-critical systems. Ada was written with compile-time protection against bugs such as buffer overflows and so on. But like many have stated, what makes programs good and secure is the programmer, but IMHO the tools and languages are important too. You cannot use something like C in a really security-demanding situation, and here I think about human lives, like in spacecraft. A simple buffer overflow might crash the plane, and you have to have some way of eliminating that completely. That is why Ada was designed the way it was. You can read about the history of Ada on Wikipedia. Why so much is written in C on Unix-like systems, I think it's mainly tradition. IMO Ada would be much better from a security point of view. 2. Rather than auditing a lot of code, correcting a lot of coding mistakes, like the OpenBSD security team has done, and still do, why not shift from C to something, just as fast and powerful as C, but more secure? Again like Ada.
(to completely avoid the possibilities of those errors). Some have stated that the speed of C comes, among other things, from the lack of security checks and from allowing potentially unsafe operations. But that's not the reason. You just cannot do it in Ada instead; you have to re-write the OS. OpenBSD, like the other BSDs, is written in C. To use Ada instead you have to re-write the kernel and base system and so on. You talk about what the OpenBSD security team are doing and this means that you are talking about the kernel and base system, not ports and packages. The kernel and base system are in C. I agree that it would be better if OpenBSD or any other system for that matter was written in Ada rather than C, and they could just as well, but re-writing something as huge as OpenBSD is a MAJOR task, and what would the real benefits be in this situation? The OpenBSD team knows exactly what they are doing, hence the extra security of Ada becomes almost unnecessary, but again I agree, had OpenBSD been in Ada from day one, that would have saved them a LOT of time! Bugs would be caught at compile time and bad coding would almost be eliminated. 3. Are there any real benefits in using C++ over C regarding security? Is C++ really better from a security perspective? You didn't ask this, but there is certainly no benefit in using C or C++ over Ada, regarding security or other issues. Whatever you can do in C and C++ you can do in Ada, but the Ada code is much better because it is so much more easy to read and thus more easy to maintain, and the result is a hundred times safer. This has been clearly proven in the industry over the past two decades. Just ask Boeing or NASA :-) Whether there are any benefits in using C++ over C from a security perspective, IMO not really. C++ has some better ways to do some things to prevent some of the errors of C, but then it has its own problems.
The language is bloated with functions, it is constantly changing, making backwards compatibility difficult, and really... it's just C and then some more crap. You cannot beautify what is born ugly. Rico Secada.
Re: Using the C programming language
On Sat, 22 Dec 2007 15:08:05 +0100 Erik Wikström [EMAIL PROTECTED] wrote: I'm not very familiar with Ada so I do not know if it allows for the same kinds of low-level programming (which is necessary when writing an OS or code that interacts with hardware) that C does. It does. Again, I do not know Ada so I do not know how it achieves its high level of safety, but I would think that runtime checks are part of it. Yes. Use of Ada: http://www.adacore.com/home/ada_answers/lookwho
Re: Using the C programming language
On Sat, 22 Dec 2007 17:04:05 +0530 Girish Venkatachalam [EMAIL PROTECTED] wrote: 1. If security is a major concern, or perhaps The Main Concern, why not use Ada? I specifically mention Ada since one of the most security-demanding industries is building aircraft, and they use Ada. I dunno about ada. 2. Rather than auditing a lot of code, correcting a lot of coding mistakes, like the OpenBSD security team has done, and still do, why not shift from C to something, just as fast and powerful as C, but more secure? Again like Ada. (to completely avoid the possibilities of those errors). There is simply no alternative to C. Period. Now those two statements are somewhat in contradiction. You can't say that Ada isn't an alternative to C without knowing what it is. Ada can fully serve as an alternative to C, but read up on that if you must know. Whether it could be an alternative to C in BSD is another issue; you have to reprogram everything then.
Re: Using the C programming language
On 07:32:54 Dec 23, Rico Secada wrote: Now those two statements are somewhat in contradiction. You can't say that Ada isn't an alternative to C without knowing what it is. Ada can fully serve as an alternative to C, but read up on that if you must know. I have been wanting to ask this. A lot of people seem to be in favor of Ada. I had no clue that Ada was such an important language in embedded systems and mission-critical applications. Anyway it is never too late to learn. Can someone give me a list of useful links on Ada so I can start learning the language? I did read the Wikipedia entry though. Thanks. -Girish