Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-08 Thread der Mouse
 I see both of you willing to mandate the teaching of C and yet not
 mandate the teaching of any of Ada, Pascal, PL/I etc.

 This seems like the teaching of making do.

And is not making do an important skill?

More seriously, as long as Unix variants maintain their position of
importance (something that shows no signs of going away), C will be an
important language for anyone outside academia to know - and many of
those inside academia.  As such, I would say that any program with so
much as pretensions to preparing people for the real world needs to
teach it to some extent.

Certainly not exclusively (I know I'm a better programmer for knowing
many languages).  Perhaps not even predominantly.  But as theoretically
ugly as it may be, it is still pragmatically critical.

/~\ The ASCII   der Mouse
\ / Ribbon Campaign
 X  Against HTML   [EMAIL PROTECTED]
/ \ Email!   7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-08 Thread James Walden
ljknews wrote:
What is wrong with this picture ?
I see both of you willing to mandate the teaching of C and yet not
mandate the teaching of any of Ada, Pascal, PL/I etc.

This seems like the teaching of making do.

You read more into my post than I wrote, as I did not mandate that the students 
must learn C/C++.  They already know C/C++ by the time they take my course, but 
few have any exposure to the relevant security issues.  It's important that a 
security class cover security issues with the languages that the students have 
already used in their curriculum, unless that's already covered elsewhere.  How 
many people will change their programming language if they don't see what's 
wrong with the one they're currently using?

In summary, I teach the students the security issues (the powers and failures 
of C as Dana put it), not the language itself.  I do offer an overview of the 
features of more secure languages that students haven't used, but I don't have 
time to teach a new language in my security class, which isn't a pure software 
security class.

As for teaching students languages, we traditionally taught software 
engineering in Ada at my university, though we've moved to mostly Java or 
Python since the term project was required to be a web-based system. 
Introductory classes are taught using Java, in part because the AP test is 
Java-based, while computer architecture and assembly is taught using assembly, 
and operating systems is taught using C/C++.  Electives introduce other 
languages, of course.  I like ocaml myself, but its use is restricted to 
certain electives.

--
James Walden, Ph.D.
Visiting Assistant Professor of EECS
The University of Toledo @ LCCC
http://www.eecs.utoledo.edu/~jwalden/



Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-08 Thread Dana Epp
What is wrong with this picture ?
I see both of you willing to mandate the teaching of C and yet not
mandate the teaching of any of Ada, Pascal, PL/I etc.
This seems like the teaching of making do.

Hmmm, interesting point. In a particular set of learning objectives 
required to complete a credential (ie: CompSci, CIS etc) what do you 
recommend we sacrifice to put in all this teaching?

I don't pick C for C's sake. I choose C because ON AVERAGE, most 
students will be exposed to C more than the languages you suggest. 
Especially in the majority of industries hiring students out of university.

However, that said, I don't think the language matters past exposure to 
the industry. A strong foundation of programming skills should be 
language agnostic; loops are loops, recursion is recursion, conditions 
are conditions etc. Learning the syntax of the language to accomplish it 
is secondary. Knowing how a loop breaks down into machine instructions 
is the goal here. Not how to do it in Ada.

Think about it in reflection of a linguist doing translation at the 
United Nations. They didn't simply go and learn every particular 
language. They are trained in understanding the mechanisms of human 
speech and formal grammar, and they then apply it to the language they 
are learning. In other words, they work from their foundation of 
learning in grammar and then apply the syntax of the particular language 
they are translating. It makes learning new languages much easier, and 
much faster.

So too should be programming. If a student has a strong foundation of 
learning when it comes to programming, they can adapt to different 
computer languages that they are exposed to as it comes to them. C is a 
perfect language to use to quickly get those concepts across in a 
practical environment in universities. And more importantly, from a 
secure coding objective, you can show what NOT to do.

--
Regards,
Dana Epp
[Blog: http://silverstr.ufies.org/blog/]


Re: [SC-L] Education and security -- plus safety, reliability and availability

2004-07-08 Thread Jim Mary Ronback
Dana Epp wrote:

  I think they should be taught the powers and failures of C.

Your course sounds enticing. I'm tempted to sign up for it.

Your course should also make a clear distinction between security, 
safety, reliability and availability.
One can write secure code that is not safe and vice versa - and one can 
write reliable code that is not safe and vice versa - and one can write 
reliable code that is not secure and vice versa. Finally one can write 
code that is secure, safe, reliable but not robust and vice versa. In 
many instances the software requirements, design and implementation 
concerns for security, safety,  reliability and availability overlap.  
Safety ensures that bad things do not  happen. Security ensures that  
unauthorized access to information is not allowed. Reliability ensures 
that the system and its software  behaves as specified during a given 
interval of time.  Availability ensures that the system and its software 
are not unavailable for use for more than a given period of time. Higher 
availability is provided by failure tolerance to system and software 
failures and human error.

I suspect that C has a pervasive hold because a large amount of legacy C 
code exists. When modifying or enhancing existing C code one should use 
a safer subset either by enforcing coding standards like in Safer C or 
eliminating a large class of errors which are not allowed by some newer 
C compilers, e.g., Safe C and Cyclone. If I had my druthers, instead of 
using C, I would choose Spark - the safer Ada subset which allows you to 
guarantee that there are no runtime errors.

But if you are stuck with C, you should consider adding the following 
book to the reading list in your security course. It provides an 
extensive list of all the shortcomings and hazards of C.
(1995) Safer C: Developing for High-Integrity and Safety-Critical 
Systems by Hatton, L.
http://www.oakcomp.co.uk/SCT_About.html provides a corresponding 
toolset to be used with Safer C.
The Safer C toolset goes to considerable effort to enforce the 
well-known MISRA C standard. The MISRA C standard was developed by a 
consortium of car manufacturers with the intention of introducing the 
notion of safer language subsets for programmable control systems in the 
auto industry.

There is also some interesting research to make C compilers safer but I 
have not had any experience using them:

http://www.cs.wisc.edu/~austin/scc.html
http://www.cs.wisc.edu/~austin/talk.scc/
SCC: The Safe C Compiler - SCC is an optimizing C-to-C compiler which 
implements the extended pointer and array access semantics needed to 
provide efficient, reliable and immediate detection of memory access 
errors in unbridled C codes.

http://www.zork.org/safestr/ - Provides a safer string handling library 
for Safe C.

http://www.research.att.com/projects/cyclone/ provides another safer C 
dialect. Here is an excerpt from their introduction:

Cyclone is a language for C programmers who want to write secure, 
robust programs. It's a dialect of C designed to be safe: free of 
crashes, buffer overflows, format string attacks, and so on. Careful C 
programmers can produce safe C programs, but, in practice, many C 
programs are unsafe. Our goal is to make all Cyclone programs safe, 
regardless of how carefully they were written. All Cyclone programs must 
pass a combination of compile-time, link-time, and run-time checks 
designed to ensure safety.

There are other safe programming languages, including Java, ML, and 
Scheme. Cyclone is novel because its syntax, types, and semantics are 
based closely on C. This makes it easier to interface Cyclone with 
legacy C code, or port C programs to Cyclone. And writing a new program 
in Cyclone ``feels'' like programming in C: Cyclone tries to give 
programmers the same control over data representations, memory 
management, and performance that C has.

Yours safely,

Jim Ronback
Tsawwassen, BC


RE: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-08 Thread Peter Amey


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]
 Behalf Of Crispin Cowan
 Sent: 07 July 2004 23:29
 To: ljknews
 Cc: [EMAIL PROTECTED]
 Subject: Re: [SC-L] Education and security -- another perspective (was
 ACM Queue - Content)
 
 
 ljknews wrote:
 
 What is wrong with this picture ?
 
 I see both of you willing to mandate the teaching of C and yet not
 mandate the teaching of any of Ada, Pascal, PL/I etc.
   
 
 Makes sense to me. What is the point of teaching dead languages like 
 Ada, Pascal, and PL/I?  Teach C, Assembler, and Java/C# (for the 
 mainstream), and some lisp variant (Scheme, ML, Haskell) and Prolog 
 variant for variety. But Ada, Pascal, and PL/I are suitable 
 only for a 
 history of programming languages course :)
 

I do hope that is a sort of smiley at the end of your message.  Please.

Peter


**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.  The IT Department at Praxis Critical Systems can be contacted at 
[EMAIL PROTECTED]
This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.
www.mimesweeper.com
**



This e-mail has been scanned for all viruses by Star Internet. The
service is powered by MessageLabs. For more information on a proactive
anti-virus service working around the clock, around the globe, visit:
http://www.star.net.uk





Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-08 Thread Fernando Schapachnik
In a previous message, ljknews wrote:
 At 1:56 PM -0700 7/7/04, Dana Epp wrote:
 
 I don't pick C for C's sake. I choose C because ON AVERAGE, most students will be 
 exposed to C more than the languages you suggest. Especially in the majority on 
 industries hiring students out of university.
 
 Primarily because that is what universities use for training.
 
 Originally because Unix was so cheap for educational institutions.
 
 I smell a vicious circle.

I smell a discussion going nowhere. What is the point of teaching a language?
Teach them to program in a paradigm (better, in all of them, and give them the
tools to make educated choices about which is better for each context), and
choose any language as an *example* of the paradigm.

Later on, they can pick up the particularities of any language from a book.
Remember: don't give them fishes, teach them how to fish.

Having said that, giving a quick overview of C seems like a good idea when
teaching about security, because you can easily show examples of all types of
problems (I think it is important, however, to make it clear that they represent a
class of problems, and can happen in many languages, not only in C).

Regards, Fernando.





RE: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-08 Thread Peter Amey


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]
 Behalf Of der Mouse
 Sent: 08 July 2004 03:47
 To: [EMAIL PROTECTED]
 Subject: Re: [SC-L] Education and security -- another perspective (was
 ACM Queue - Content)
 
 
  I see both of you willing to mandate the teaching of C and yet not
  mandate the teaching of any of Ada, Pascal, PL/I etc.
 
  This seems like the teaching of making do.
 
 And is not making do an important skill?
 

Absolutely, making do is an important skill.  However, those being taught have to be 
told that they are making do and made properly aware of the alternatives.  In fact 
showing them the superiority of the alternatives should help them understand the 
limitations of C and why they need to know how to make do!

What is not acceptable is to deprive them of the knowledge of superior alternatives 
and leave them thinking that making do is the state of the art.

Peter


**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.  The IT Department at Praxis Critical Systems can be contacted at 
[EMAIL PROTECTED]
This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.
www.mimesweeper.com
**



This e-mail has been scanned for all viruses by Star Internet. The
service is powered by MessageLabs. For more information on a proactive
anti-virus service working around the clock, around the globe, visit:
http://www.star.net.uk





Re: [SC-L] Education and security -- plus safety, reliability and availability

2004-07-08 Thread Gary McGraw
Les's C subset is good to consider.  Also look into cyclone (cornell) and cquel.

gem


Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-08 Thread Blue Boar
Jose Nazario wrote:
rather than talking in a vacuum, make sure you've read the latest
ACM/IEEE-CS curriculum guidelines:
http://www.acm.org/education/curricula.html
http://sites.computer.org/ccse/
Hrm.  I checked both pages, and searched for "secur", and got nothing. 
I didn't click every link... security is mentioned briefly in a couple 
of places in the ACM strawman.

Was that your point?
BB



Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-08 Thread Blue Boar
Fernando Schapachnik wrote:
I smell a discusion going nowhere. What is the point of teaching a languague?
Teach them to program in a paradigm (better, in all of them, and give them the
tools to make educated choices about which is better for each context), and
choose any language as an *example* of the paradigm.
Ah... but beyond design problems, aren't most security problems 
language-specific abuses and bugs?  I'm thinking things like I didn't 
realize it would let me mix signed and unsigned... I didn't realize it 
would let me write off the end of the buffer... I didn't realize I had 
to escape or filter certain characters

BB
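The first two items on Blue Boar's list (mixing signed and unsigned, writing off the end of the buffer) are usually one bug in C, and it is the kind of thing a "powers and failures of C" class would put on a slide. The following is an added illustration, not code from this thread: a length check written the way students first write it, beside a hardened form. `struct record`, `BUF_SIZE` and the payload are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_SIZE 16   /* int literal, so comparisons against it are signed */

/* Constructed wire record: signed 32-bit length, then payload (untrusted). */
struct record {
    int32_t len;
    const unsigned char *payload;
};

/* The check as it is usually first written.  Both operands are signed, so
 * -1 > 16 is false and a negative length is accepted.  Passed on to memcpy's
 * size_t parameter, that -1 becomes SIZE_MAX and the copy runs off the end
 * of the destination.  Returns 1 if the copy would proceed. */
int bounds_check_signed(int32_t len)
{
    if (len > BUF_SIZE)
        return 0;
    return 1;
}

/* What memcpy is actually asked to copy after the implicit int -> size_t conversion. */
size_t bytes_memcpy_would_copy(int32_t len)
{
    return (size_t)len;
}

/* Hardened check: reject negatives explicitly, then compare in the unsigned
 * domain so no conversion can change the meaning of the test. */
int bounds_check_fixed(int32_t len)
{
    if (len < 0 || (size_t)len > BUF_SIZE)
        return 0;
    return 1;
}

/* Copy under the hardened check.  Returns bytes copied, or -1 if rejected. */
int copy_record(const struct record *r, unsigned char out[BUF_SIZE])
{
    if (!bounds_check_fixed(r->len))
        return -1;
    memcpy(out, r->payload, (size_t)r->len);
    return r->len;
}

/* Drive copy_record with a constructed record; -2 if the copied bytes differ. */
int demo_copy(int32_t len)
{
    static const unsigned char payload[] = "ABCDEFGHIJKLMNOP";  /* 16 bytes + NUL */
    unsigned char out[BUF_SIZE] = {0};
    struct record r = { len, payload };
    int n = copy_record(&r, out);
    if (n > 0 && memcmp(out, payload, (size_t)n) != 0)
        return -2;
    return n;
}
```

Note that replacing the literal with `sizeof out` flips the comparison into the unsigned domain and rejects -1 by accident; the explicit `len < 0` test is what makes the intent readable and the behaviour deliberate.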