Re: [SC-L] Interesting article on the adoption of Software Security
Damir Rajnovic wrote: While this is true that only some of the bugs are fixed that fixing can have unexpectedly high price tag attached. No matter how do you look at this it _is_ cheaper to fix bugs as soon as possible in the process (or not introduce them at the first place). This is true in the isolation of looking at the cost of fixing any one individual bug, but it is not true in general. Fixing one bug early in the process is cheap and easy. Fixing the *last* bug in a system is astronomically expensive, because the cost of *finding* bugs rises exponentially as you further and further refine it. Worse, you eventually reach a point of equilibrium where your chances of inserting a new bug in the course of fixing a known bug are about even, and it becomes almost impossible to reduce the bug count further. Personally, I do not see how this can be easily measured. This entire area is rife with mushy psychological issues involving huan's ability to process information correctly. As a result, nearly all of the absolute statements are wrong, and they function only within certain ranges, .e.g. fixing bugs early in development is cheaper than patching in the field, but only within the bounds of digging only so hard for bugs. But even this statement is self-limiting. The above claim is not true (or at least less true) for safety-critical systems like fly-by-wire systems and nuclear reactor controllers, where the cost of failure due to a bug is so high that it is worth paying the extra $$$ to find the residual bugs in the development phase. My reaction to the feuding over whether it is better to shore up C/C++ or to use newer safer languages like Java and C#: each has their place. * There are millions of lines of existing C/C++ code running the world. Holding your breath until they are all replaced with type safe code is not going to be effective, and therefore there is strong motive to deploy tools (e.g. StackGuard, RATS, etc.) to improve the safety of this code. * New code should be written in type safe languages unless there is a very strong reason to do otherwise. Crispin -- Crispin Cowan, Ph.D. http://immunix.com/~crispin/ CTO, Immunix http://immunix.com
Re: [SC-L] opinion, ACM Queue: Buffer Overrun Madness
On Wed, Jun 09, 2004 at 03:34:52PM +0100, David Crocker wrote: Apart from the obvious solution of choosing another language, there are at least two ways to avoid these problems in C++: 1. Ban arrays (to quote Marshall Cline's C++ FAQ Lite, arrays are evil!). Use classes from the STL, or another template library instead. Arrays should be used only in the template library, where their use can be controlled. 2. If you really must have naked arrays, ban the use of indexing and arithmetic on naked pointers to arrays (i.e. if p is a pointer, then p[x], p+x, p-x, ++p and --p are all banned). Instead, refer to arrays using instances of a template class ArrayX that encapsulates both the pointer (an X*) and the limit (an unsigned int). Unfortunately, I don't think this advice will work for many projects. First, Many programs must make system calls that only use arrays. Some of those calls are unsafe. Second, There is a lot of legacy code written with the error-prone array indexing that you condemn. While the code must be maintained, changing it introduces risks of new bugs that lead to instability, and many people aren't willing to take that risk. So I think your advice to ban arrays could only be applied to new code, and new projects. Either that, or the conversion must be made gradually, and must be timed at the right stage of a maintenance cycle. - Jared
