Re: [SC-L] Interesting article on the adoption of Software Security

2004-06-10 Thread Crispin Cowan
Damir Rajnovic wrote:
While this is true that only some of the bugs are fixed that fixing can
have unexpectedly high price tag attached. No matter how do you look
at this it _is_ cheaper to fix bugs as soon as possible in the process
(or not introduce them at the first place).

This is true in the isolation of looking at the cost of fixing any one 
individual bug, but it is not true in general. Fixing one bug early in 
the process is cheap and easy. Fixing the *last* bug in a system is 
astronomically expensive, because the cost of *finding* bugs rises 
exponentially as you further and further refine it. Worse, you 
eventually reach a point of equilibrium where your chances of inserting 
a new bug in the course of fixing a known bug are about even, and it 
becomes almost impossible to reduce the bug count further.

Personally, I do not see how this can be easily measured.
This entire area is rife with mushy psychological issues involving 
huan's ability to process information correctly. As a result, nearly all 
of the absolute statements are wrong, and they function only within 
certain ranges, .e.g. fixing bugs early in development is cheaper than 
patching in the field, but only within the bounds of digging only so 
hard for bugs.

But even this statement is self-limiting. The above claim is not true 
(or at least less true) for safety-critical systems like fly-by-wire 
systems and nuclear reactor controllers, where the cost of failure due 
to a bug is so high that it is worth paying the extra $$$ to find the 
residual bugs in the development phase.

My reaction to the feuding over whether it is better to shore up C/C++ 
or to use newer safer languages like Java and C#: each has their place.

   * There are millions of lines of existing C/C++ code running the
 world. Holding your breath until they are all replaced with type
 safe code is not going to be effective, and therefore there is
 strong motive to deploy tools (e.g. StackGuard, RATS, etc.) to
 improve the safety of this code.
   * New code should be written in type safe languages unless there is
 a very strong reason to do otherwise.
Crispin Cowan, Ph.D.
CTO, Immunix

Re: [SC-L] opinion, ACM Queue: Buffer Overrun Madness

2004-06-10 Thread Jared W. Robinson
On Wed, Jun 09, 2004 at 03:34:52PM +0100, David Crocker wrote:
 Apart from the obvious solution of choosing another language, there are at least
 two ways to avoid these problems in C++:
 1. Ban arrays (to quote Marshall Cline's C++ FAQ Lite, arrays are evil!). Use
 classes from the STL, or another template library instead. Arrays should be used
 only in the template library, where their use can be controlled.
 2. If you really must have naked arrays, ban the use of indexing and arithmetic
 on naked pointers to arrays (i.e. if p is a pointer, then p[x], p+x, p-x, ++p
 and --p are all banned). Instead, refer to arrays using instances of a template
 class ArrayX that encapsulates both the pointer (an X*) and the limit (an
 unsigned int).

Unfortunately, I don't think this advice will work for many projects.

First, Many programs must make system calls that only use arrays.
Some of those calls are unsafe.

Second, There is a lot of legacy code written with the error-prone
array indexing that you condemn. While the code must be maintained,
changing it introduces risks of new bugs that lead to instability, and
many people aren't willing to take that risk. So I think your advice
to ban arrays could only be applied to new code, and new projects.
Either that, or the conversion must be made gradually, and must be timed
at the right stage of a maintenance cycle.

- Jared