Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)
> I see both of you willing to mandate the teaching of C and yet not mandate the teaching of any of Ada, Pascal, PL/I etc. This seems like the teaching of making do.

And is not making do an important skill?

More seriously, as long as Unix variants maintain their position of importance (something that shows no signs of going away), C will be an important language for anyone outside academia to know - and many of those inside academia. As such, I would say that any program with so much as pretensions to preparing people for the real world needs to teach it to some extent. Certainly not exclusively (I know I'm a better programmer for knowing many languages). Perhaps not even predominantly. But as theoretically ugly as it may be, it is still pragmatically critical.

der Mouse
[EMAIL PROTECTED]
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)
ljknews wrote:

> What is wrong with this picture ? I see both of you willing to mandate the teaching of C and yet not mandate the teaching of any of Ada, Pascal, PL/I etc. This seems like the teaching of making do.

You read more into my post than I wrote, as I did not mandate that the students must learn C/C++. They already know C/C++ by the time they take my course, but few have any exposure to the relevant security issues. It's important that a security class cover security issues with the languages that the students have already used in their curriculum, unless that's already covered elsewhere. How many people will change their programming language if they don't see what's wrong with the one they're currently using?

In summary, I teach the students the security issues (the powers and failures of C, as Dana put it), not the language itself. I do offer an overview of the features of more secure languages that students haven't used, but I don't have time to teach a new language in my security class, which isn't a pure software security class.

As for teaching students languages, we traditionally taught software engineering in Ada at my university, though we've moved to mostly Java or Python since the term project was required to be a web-based system. Introductory classes are taught using Java, in part because the AP test is Java-based, while computer architecture and assembly is taught using assembly, and operating systems is taught using C/C++. Electives introduce other languages, of course. I like ocaml myself, but its use is restricted to certain electives.

--
James Walden, Ph.D.
Visiting Assistant Professor of EECS
The University of Toledo @ LCCC
http://www.eecs.utoledo.edu/~jwalden/
Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)
> What is wrong with this picture ? I see both of you willing to mandate the teaching of C and yet not mandate the teaching of any of Ada, Pascal, PL/I etc. This seems like the teaching of making do.

Hmmm, interesting point. In a particular set of learning objectives required to complete a credential (i.e. CompSci, CIS etc.) what do you recommend we sacrifice to put in all this teaching?

I don't pick C for C's sake. I choose C because ON AVERAGE, most students will be exposed to C more than the languages you suggest. Especially in the majority of industries hiring students out of university.

However, that said, I don't think the language matters past exposure to the industry. A strong foundation of programming skills should be language agnostic; loops are loops, recursion is recursion, conditions are conditions etc. Learning the syntax of the language to accomplish it is secondary. Knowing how a loop breaks down into machine instructions is the goal here. Not how to do it in Ada.

Think about it in reflection of a linguist doing translation at the United Nations. They didn't simply go and learn every particular language. They are trained in understanding the mechanisms of human speech and formal grammar, and they then apply it to the language they are learning. In other words, they work from their foundation of learning in grammar and then apply the syntax of the particular language they are translating. It makes learning new languages much easier, and much faster.

So too should be programming. If a student has a strong foundation of learning when it comes to programming, they can adapt to different computer languages that they are exposed to as it comes to them. C is a perfect language to use to quickly get those concepts across in a practical environment in universities. And more importantly, from a secure coding objective, you can show what NOT to do.

--
Regards,
Dana Epp
[Blog: http://silverstr.ufies.org/blog/]
Re: [SC-L] Education and security -- plus safety, reliability and availability
Dana Epp wrote:

> I think they should be taught the powers and failures of C.

Your course sounds enticing. I'm tempted to sign up for it.

Your course should also make a clear distinction between security, safety, reliability and availability. One can write secure code that is not safe and vice versa - and one can write reliable code that is not safe and vice versa - and one can write reliable code that is not secure and vice versa. Finally one can write code that is secure, safe, reliable but not robust and vice versa. In many instances the software requirements, design and implementation concerns for security, safety, reliability and availability overlap.

Safety ensures that bad things do not happen. Security ensures that unauthorized access to information is not allowed. Reliability ensures that the system and its software behaves as specified during a given interval of time. Availability ensures that the system and its software are not unavailable for use for more than a given period of time. Higher availability is provided by failure tolerance to system and software failures and human error.

I suspect that C has a pervasive hold because a large amount of legacy C code exists. When modifying or enhancing existing C code one should use a safer subset, either by enforcing coding standards like in Safer C or by eliminating a large class of errors which are not allowed by some newer C compilers, e.g., Safe C and Cyclone. If I had my druthers, instead of using C, I would choose Spark - the safer Ada subset which allows you to guarantee that there are no runtime errors.

But if you are stuck with C, you should consider adding the following book to the reading list in your security course. It provides an extensive list of all the shortcomings and hazards of C.

Hatton, L. (1995) Safer C: Developing for High-Integrity and Safety-Critical Systems.

http://www.oakcomp.co.uk/SCT_About.html provides a corresponding toolset to be used with Safer C. The Safer C toolset goes to considerable effort to enforce the well-known MISRA C standard. The MISRA C standard was developed by a consortium of car manufacturers with the intention of introducing the notion of safer language subsets for programmable control systems in the auto industry.

There is also some interesting research to make C compilers safer, but I have not had any experience using them:

http://www.cs.wisc.edu/~austin/scc.html
http://www.cs.wisc.edu/~austin/talk.scc/
SCC: The Safe C Compiler - SCC is an optimizing C-to-C compiler which implements the extended pointer and array access semantics needed to provide efficient, reliable and immediate detection of memory access errors in unbridled C codes.

http://www.zork.org/safestr/ - Provides a safer string handling library for Safe C.

http://www.research.att.com/projects/cyclone/ provides another safer C dialect. Here is an excerpt from their introduction:

> Cyclone is a language for C programmers who want to write secure, robust programs. It's a dialect of C designed to be safe: free of crashes, buffer overflows, format string attacks, and so on. Careful C programmers can produce safe C programs, but, in practice, many C programs are unsafe. Our goal is to make all Cyclone programs safe, regardless of how carefully they were written. All Cyclone programs must pass a combination of compile-time, link-time, and run-time checks designed to ensure safety.
>
> There are other safe programming languages, including Java, ML, and Scheme. Cyclone is novel because its syntax, types, and semantics are based closely on C. This makes it easier to interface Cyclone with legacy C code, or port C programs to Cyclone. And writing a new program in Cyclone "feels" like programming in C: Cyclone tries to give programmers the same control over data representations, memory management, and performance that C has.

Yours safely,
Jim Ronback
Tsawwassen, BC
RE: [SC-L] Education and security -- another perspective (was ACM Queue - Content)
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Crispin Cowan
Sent: 07 July 2004 23:29
To: ljknews
Cc: [EMAIL PROTECTED]
Subject: Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

> ljknews wrote:
> > What is wrong with this picture ? I see both of you willing to mandate the teaching of C and yet not mandate the teaching of any of Ada, Pascal, PL/I etc.
>
> Makes sense to me. What is the point of teaching dead languages like Ada, Pascal, and PL/I? Teach C, Assembler, and Java/C# (for the mainstream), and some lisp variant (Scheme, ML, Haskell) and Prolog variant for variety. But Ada, Pascal, and PL/I are suitable only for a history of programming languages course :)

I do hope that is a sort of smiley at the end of your message. Please.

Peter
Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)
In an earlier message, ljknews wrote:

> At 1:56 PM -0700 7/7/04, Dana Epp wrote:
> > I don't pick C for C's sake. I choose C because ON AVERAGE, most students will be exposed to C more than the languages you suggest. Especially in the majority of industries hiring students out of university.
>
> Primarily because that is what universities use for training. Originally because Unix was so cheap for educational institutions. I smell a vicious circle.

I smell a discussion going nowhere. What is the point of teaching a language? Teach them to program in a paradigm (better, in all of them, and give them the tools to make educated choices about which is better for each context), and choose any language as an *example* of the paradigm. Later on, they can pick up the particularities of any language from a book. Remember: don't give them fish, teach them how to fish.

Having said that, giving a quick overview of C seems like a good idea when teaching about security, because you can easily show examples of all types of problems (I think it is important, however, to make it clear that they represent a class of problems, and can happen in many languages, not only in C).

Regards,
Fernando.
RE: [SC-L] Education and security -- another perspective (was ACM Queue - Content)
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of der Mouse
Sent: 08 July 2004 03:47
To: [EMAIL PROTECTED]
Subject: Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

> > I see both of you willing to mandate the teaching of C and yet not mandate the teaching of any of Ada, Pascal, PL/I etc. This seems like the teaching of making do.
>
> And is not making do an important skill?

Absolutely, making do is an important skill. However, those being taught have to be told that they are making do and made properly aware of the alternatives. In fact showing them the superiority of the alternatives should help them understand the limitations of C and why they need to know how to make do!

What is not acceptable is to deprive them of the knowledge of superior alternatives and leave them thinking that making do is the state of the art.

Peter
Re: [SC-L] Education and security -- plus safety, reliability and availability
Les's C subset is good to consider. Also look into Cyclone (Cornell) and cquel.

gem

-----Original Message-----
From: Jim Mary Ronback [mailto:[EMAIL PROTECTED]]
Sent: Thu Jul 08 08:30:30 2004
To: Dana Epp
Cc: [EMAIL PROTECTED]
Subject: Re: [SC-L] Education and security -- plus safety, reliability and availability

> Dana Epp wrote:
> > I think they should be taught the powers and failures of C.
>
> Your course sounds enticing. I'm tempted to sign up for it.
>
> [...]
>
> Yours safely,
> Jim Ronback
> Tsawwassen, BC
Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)
Jose Nazario wrote:

> rather than talking in a vacuum, make sure you've read the latest ACM/IEEE-CS curriculum guidelines:
> http://www.acm.org/education/curricula.html
> http://sites.computer.org/ccse/

Hrm. I checked both pages, and searched for secur, and got nothing. I didn't click every link... security is mentioned briefly in a couple of places in the ACM strawman. Was that your point?

BB
Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)
Fernando Schapachnik wrote:

> I smell a discussion going nowhere. What is the point of teaching a language? Teach them to program in a paradigm (better, in all of them, and give them the tools to make educated choices about which is better for each context), and choose any language as an *example* of the paradigm.

Ah... but beyond design problems, aren't most security problems language-specific abuses and bugs? I'm thinking things like:

I didn't realize it would let me mix signed and unsigned...
I didn't realize it would let me write off the end of the buffer...
I didn't realize I had to escape or filter certain characters

BB
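The two C-specific bug classes BB names above (mixing signed and unsigned, and writing off the end of a buffer) and the bounded string handling that Jim Ronback's pointer to safestr is about can be shown side by side in a few lines of C. The program below is an added illustration written for this archive; it is not code from any list member or from the Safer C, SCC or Cyclone projects. The buffer size MSG_MAX, the function names and the sample payload are constructed for the example. The unsafe length check is written as a predicate that reports whether it would accept a length, rather than performing the out-of-bounds copy, so the program itself runs without undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX 16   /* size of the fixed destination buffer (constructed for this example) */

/* The check a careless parser might write: the length arrives as a signed
 * int (say, read from a message header) and is compared against an int
 * constant. Returns 1 if the check would ACCEPT the length, 0 if it rejects.
 * Both operands are int, so -1 > 16 is false and a negative length passes. */
int unsafe_length_check_accepts(int len)
{
    if (len > MSG_MAX)
        return 0;
    return 1;
}

/* What memcpy(dst, src, len) actually receives: its size_t parameter
 * converts a negative int into a huge unsigned value (here -1 -> SIZE_MAX),
 * so a length that passed the check above becomes a copy far past the end
 * of the buffer. This only computes the converted value; it copies nothing. */
size_t length_as_seen_by_memcpy(int len)
{
    return (size_t)len;
}

/* Hardened conversion of a signed wire-format length field into size_t:
 * negatives are rejected explicitly instead of silently wrapping. */
int wire_length_to_size(int32_t field, size_t *out)
{
    if (field < 0)
        return -1;
    *out = (size_t)field;
    return 0;
}

/* Hardened copy: the length is unsigned, checked against the buffer with
 * one byte reserved for the terminator, and the copy is bounded by exactly
 * what was checked. Returns bytes copied, or -1 if the input was rejected. */
int safe_copy_message(char dst[MSG_MAX], const unsigned char *src, size_t len)
{
    if (src == NULL || len >= MSG_MAX)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return (int)len;
}

int main(void)
{
    /* Constructed sample payload, longer than the destination buffer. */
    const unsigned char payload[] = "hello, world, and more";
    char buf[MSG_MAX];
    size_t n;

    printf("unsafe check accepts len=-1: %d\n", unsafe_length_check_accepts(-1));
    printf("memcpy would be asked for %zu bytes\n", length_as_seen_by_memcpy(-1));

    if (wire_length_to_size(-1, &n) < 0)
        printf("hardened: negative length field rejected\n");
    if (safe_copy_message(buf, payload, 12) == 12)
        printf("hardened copy of 12 bytes: \"%s\"\n", buf);
    printf("hardened copy of 20 bytes returns %d (rejected)\n",
           safe_copy_message(buf, payload, 20));
    return 0;
}
```

The point for a security class is that both defects are invisible at the call site: the signed comparison compiles and passes with a negative value, and memcpy has no idea how large the destination is. The hardened functions make the length unsigned from the moment it leaves the wire, reject negatives where the sign is still known, and keep the copy bound tied to the same number that was checked, which is also the discipline a bounded string library enforces for you.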