Re: [SC-L] Insecure Java Code Snippets
At 12:47 PM -0500 5/7/09, Brad Andrews wrote:

> Quoting ljknews:
>
>> At 5:49 PM -0500 5/6/09, Brad Andrews wrote:
>>
>>> Try a few of the PC-Lint bugs, if you ever wrote C/C++ code.
>>> They can be really hard to figure out,
>>
>> And yet people keep choosing those programming languages.
>
> They offer quite a bit of power in exchange for the danger.

I would be interested in hearing what they can do that cannot be done in Ada.

My bias is based on my experience. I am sure somebody who knows Eiffel would be interested in hearing what C/C++ can do that cannot be done in Eiffel.

--
Larry Kilgallen
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___
Re: [SC-L] Insecure Java Code Snippets
On Thu, 7 May 2009, ljknews wrote:

> At 5:49 PM -0500 5/6/09, Brad Andrews wrote:
>
> > Try a few of the PC-Lint bugs, if you ever wrote C/C++ code.
> > They can be really hard to figure out,
>
> And yet people keep choosing those programming languages.

Yeah. Like the developers of the compilers/interpreters for Java, Perl, PHP, Ruby, Python, and probably whatever else the kids are raving about these days. ;-) And of course these languages never use C/C++ libraries. I imagine that at some point, even things like Ada boil down to some assembly code somewhere.

More seriously, at one point or another you're building on top of something else that's insecure, and while that might mostly remove you from the bugs that occur at the lower level, all it really means is the vulnerabilities shift to a higher level and are much more powerful.

C programmers would rarely bother to take untrusted input, insert it into a program, compile the program, and execute that program. But PHP programmers like to do that all the time by implementing config files as PHP programs and inserting untrusted data into them. Or how about all those web worms compromising gazillions of LAMP installations because of PHP's little remote file inclusion feature?

I'm not saying that later-generation languages don't have important features that are useful for security, but I personally wouldn't want to implement some real-time high-throughput packet analyzer in Java, nor would I want to implement a blogging system in C. Compiler features like canary-based protection are making significant improvements for C-based security, just like Java performance is improving.

Can't wait for the flames.
- Steve
Re: [SC-L] Insecure Java Code Snippets
Quoting ljknews:

> At 5:49 PM -0500 5/6/09, Brad Andrews wrote:
>
>> Try a few of the PC-Lint bugs, if you ever wrote C/C++ code.
>> They can be really hard to figure out,
>
> And yet people keep choosing those programming languages.

They offer quite a bit of power in exchange for the danger. A steak knife can be dangerous, but I would greatly prefer it over a butter knife if I am eating a steak. :)

I also believe some Java security flaws can be just as difficult to figure out. Some aren't, but why would secure code review be such a challenge if it were so easy?

Brad
Re: [SC-L] Insecure Java Code Snippets
Brad,

I recommend you approach this problem in reverse. Think of the bug you want people to hunt for and then put together an appropriate regular expression in Google Code Search (http://www.google.com/codesearch). For instance "lang:java request getParameter .*price" might be a good starting point. After doing that search I found a few different possible vulns. Once you find a vulnerability you can extract as much or as little code out of it as you'd like. I use this often in class design.

Cheers,
Rohit

On Wed, May 6, 2009 at 6:49 PM, Brad Andrews wrote:
>
> I had the name wrong, it was PC-Lint.
>
> See
>
> http://www.gimpel.com/html/bugs.htm
>
> That is what I am looking for, not just a general listing of bugs or
> insecure code. I want bugs that are hard to find and formatted like
> this. If I do create some and do it on my own (outside work), I will
> try to submit them to OWASP, possibly starting a project on that.
>
> Try a few of the PC-Lint bugs, if you ever wrote C/C++ code. They can
> be really hard to figure out, though maybe not by all the smart people
> here! :)
>
> Brad
>

--
Rohit Sethi
Security Compass
http://www.securitycompass.com
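As an added example (not code from the thread or from any of its posters), here is the kind of "find the bug" snippet that a `request getParameter .*price` search turns up, in the slide-sized puzzle format Brad asked for: the insecure total trusts a client-supplied price, and the hardened version next to it looks the price up server-side and also bounds the quantity, which goes one step beyond the pattern in the post. The `Request` interface is an assumed stand-in for `HttpServletRequest.getParameter` so the file compiles without a servlet container, and the catalogue data is constructed.

```java
import java.math.BigDecimal;
import java.util.Map;

// Assumed stand-in for HttpServletRequest; only getParameter is modelled.
interface Request { String getParameter(String name); }

public class PriceSnippet {
    // Server-side catalogue: the only trustworthy source of prices (constructed data).
    static final Map<String, BigDecimal> CATALOG = Map.of(
        "SKU-1", new BigDecimal("19.99"),
        "SKU-2", new BigDecimal("249.00"));

    // Find the bug: the SKU is validated, so why is the total still wrong
    // for price=0.01 or quantity=-1?
    static BigDecimal totalInsecure(Request request) {
        String sku = request.getParameter("sku");
        BigDecimal price = new BigDecimal(request.getParameter("price")); // client-supplied
        int qty = Integer.parseInt(request.getParameter("quantity"));      // unbounded
        if (!CATALOG.containsKey(sku)) throw new IllegalArgumentException("unknown sku");
        return price.multiply(BigDecimal.valueOf(qty));
    }

    // Hardened: the price comes from the catalogue keyed by SKU, never from the
    // client, and the quantity is parsed defensively and kept in a sane range.
    static BigDecimal totalSecure(Request request) {
        BigDecimal price = CATALOG.get(request.getParameter("sku"));
        if (price == null) throw new IllegalArgumentException("unknown sku");
        int qty;
        try {
            qty = Integer.parseInt(request.getParameter("quantity"));
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("quantity is not an integer");
        }
        if (qty < 1 || qty > 100) throw new IllegalArgumentException("quantity out of range");
        return price.multiply(BigDecimal.valueOf(qty));
    }

    public static void main(String[] args) {
        // Constructed request: the client has rewritten the hidden price field.
        Map<String, String> params = Map.of("sku", "SKU-2", "price", "0.01", "quantity", "3");
        Request request = params::get;
        System.out.println("insecure total: " + totalInsecure(request));
        System.out.println("secure total:   " + totalSecure(request));
    }
}
```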
Re: [SC-L] Insecure Java Code Snippets
At 5:49 PM -0500 5/6/09, Brad Andrews wrote:

> Try a few of the PC-Lint bugs, if you ever wrote C/C++ code.
> They can be really hard to figure out,

And yet people keep choosing those programming languages.

--
Larry Kilgallen
Re: [SC-L] Insecure Java Code Snippets
Brad,

I recently read a book called "Java Puzzlers" (http://www.amazon.com/Java-TM-Puzzlers-Pitfalls-Corner/dp/032133678X/ref=sr_1_1?ie=UTF8&s=books&qid=1241707826&sr=8-1). The book consists of small Java programs that appear to do one thing but actually behave differently than expected. I guess this is more in the line of snippets that you are looking for. However, the examples in the book are not centered on security. Hence, some modifications would still be necessary to fit your purpose.

Best,
Martin

--
Martin Johns
http://www.martinjohns.com
Re: [SC-L] Insecure Java Code Snippets
I had the name wrong, it was PC-Lint.

See

http://www.gimpel.com/html/bugs.htm

That is what I am looking for, not just a general listing of bugs or insecure code. I want bugs that are hard to find and formatted like this. If I do create some and do it on my own (outside work), I will try to submit them to OWASP, possibly starting a project on that.

Try a few of the PC-Lint bugs, if you ever wrote C/C++ code. They can be really hard to figure out, though maybe not by all the smart people here! :)

Brad
Re: [SC-L] Insecure Java Code Snippets
See here:

http://suif.stanford.edu/~livshits/work/securibench-micro/

-Ben

From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Goertzel, Karen [USA]
Sent: Wednesday, May 06, 2009 12:40 PM
To: Brad Andrews; sc-l@securecoding.org
Subject: Re: [SC-L] Insecure Java Code Snippets

The NIST SAMATE Reference Dataset has mainly C code in it, but there is also Java, C++, and PHP. There's a search function that allows you to search by programming language to find what you want.

http://samate.nist.gov/SRD/

--
Karen Mercedes Goertzel, CISSP
Booz Allen Hamilton
703.698.7454
goertzel_ka...@bah.com

-Original Message-
From: sc-l-boun...@securecoding.org on behalf of Brad Andrews
Sent: Wed 06-May-09 13:41
To: sc-l@securecoding.org
Subject: [SC-L] Insecure Java Code Snippets

Does anyone know of a source of insecure Java snippets? I would like to get some for a monthly meeting of leading technical people. My idea was to have a "find the bug" like the old C-Lint ads. Does anyone know of a source of something like this?

Brad
Re: [SC-L] Insecure Java Code Snippets
Thanks Karen, that site may have enough of what I can use. Still a bit of work to do, but worth pursuing.

The other sources were a bit too short on the snippets side, which is my fault for not making the question better. I don't know how many of you used to read the C-Lint ads that said "find the bug in this C code". They were very difficult in all the cases I worked at. :) The whole point of their ad was that their product would find things you couldn't find easily in a manual review. I want something like that. Just playing "tell me the security flaw in these 3 lines of code" will not do quite the same thing.

I will find a copy of Core Java to look through again, but I don't recall seeing things in this format when I looked before.

The challenge with this is that I need something that fits well in a single PowerPoint slide (so it can be viewed while the participants eat). It also has to be fairly difficult. I am not sure that just "not filtering user input" is sufficiently strong. I want something that would take some thinking.

I expect that I will have to design and format these myself, but I would love to have something sooner by using something that already did this.

Thanks for the other replies. I am going to check out the NIST site some more. I will read over the other sites, but using them will take more effort than I was hoping for.

Brad

Quoting "Goertzel, Karen [USA]":

> The NIST SAMATE Reference Dataset has mainly C code in it, but there
> is also Java, C++, and PHP. There's a search function that allows
> you to search by programming language to find what you want.
>
> http://samate.nist.gov/SRD/