> not accurately conform to what the programmer coded.
It accurately conforms to what the programmer coded, just not to what
the programmer intended to code. The "problem" affects only code that
depends on certain pointer computations whose behaviour has never been
promised by C.
t bugs, but rather an end user misapplying software.
I've often enough written software that was perfectly fine in its
intended application but, if misapplied, could be a risk.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML [EMAIL PROTE
hich have been perverted in recent years to mean just about
the opposite of what they should.) Who gets hit with tax when a bug is
found in, say, the Linux kernel? Why?
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML [EMAIL PROTECTED]
/ \ Em
(Not
just security decisions, either, though that's one of the cases with
the most unfortunate consequences.)
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML [EMAIL PROTECTED]
/ \ Email! 7D C8 61 52 5
uot; is
code, a proof, prover software, whatever - and people make mistakes.
We're still finding bugs in C compilers. Do you really think the
(vastly more complex) compilers for very-high-level specification
languages will be any better?
/~\ The ASCII der Mouse
\ / Ri
> Like it or not, the Web doesn't work right without Javascript now.
Depends on what you mean by "the Web" and "work right". Fortunately,
for at least some people's values of those, this is not true.
/~\ The ASCII der Mouse
\ /
icant increase in people actually
using such environments (languages, whatever), then it's an
improvement for the industry, even if it's no theoretical advance.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML [EMAIL PROTECTED]
/ \ Email!
nfig file without crashing, great. But if there's a
choice to be made, I'd put the brain cycles into hardening the network
interface before the config-file interface.)
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML
ddly enough, they also tend to be markets wherein software isn't
security Swiss cheese. :-)
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML [EMAIL PROTECTED]
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
's true of.
(At least, for hash functions in general. A *good* hash function will
of course have this property for all hash values. I don't know whether
SHA-1 is good in this respect, though I would expect it is.)
Okay, nitpicky-mathematician mode off :-)
/~\ The ASCII
g that finds bugs helps, whether it's eyeballs and brains,
binary analysis tools, source-level analysis tools, magic 8-balls,
whatever - if it finds bugs, it's good.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML [EMAIL PROTECTED]
/ \
involved in the
threat model. To pick a historic example, fixing the "rlogin -l
-froot" bug "merely" changed attacker behaviour to password guessing,
but in most environments it was nevertheless a win.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X A
NetBSD's (and
probably others') fhopen, for example. It's restricted to root, but it
exists.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML [EMAIL PROTECTED]
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
__
t impossible to keep things like crypto keys out of swap
space. (Looking through swap space is a relatively well-known forensic
technique for finding things like crypto keys or passwords.)
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML [EMAIL PR
to do with the languages'
capabilities per se.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML [EMAIL PROTECTED]
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
___
Secure Co
w cases where
intervening stack frames have to be aware of the throw-through-them
potential, and none where I would say it was painful. Perhaps that's
just an artifact of how I design my code....
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML
branches that are downward or
sideways in the code parse tree (versus "structured" constructs, which
do such branches upward only). Exceptions are upward-only branches,
and as a result don't have most of the problems gotos do.
/~\ The ASCII der Mouse
\ /
7;re simply trying to prove something
like "this code never writes outside an array's dimentioned bounds",
which is not what I usually take "provably correct code" to mean).
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML
-A version is semantically correct, then you know that a bug
exists in the language-B version. It might be of type k or it might be
of some other type (possibly a type that can exist in language A,
possibly not). And in any case, you have not found it; you have only
demonstrated its existence.
/~
curities relevant to my threat model.
But if my threat model included an adversary sufficiently resourceful
and subtle to subvert the electronic-part distribution chain upstream
of me, and the price of getting subverted were high enough, I might
want to set up a small smelter/forge/whatever to mak
. You are then subject to the bugs present in *that*
"program" (the spec) and the bugs present in the "compiler" (the formal
verifier).
Formal methods are a useful tool, and have a place. But they are not a
magic bullet.
/~\ The ASCII der Mouse
\
or I'd be trying to chase down the diff.)
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML [EMAIL PROTECTED]
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
___
Secure Coding mailing lis
You can make it moderately
difficult, in fact. But you can't make it impossible.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML [EMAIL PROTECTED]
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
__
ge under Windows - and the former will garner
your OS widespread rejection (even if it does gain a sliver of
acceptance from those who (a) understand the security principles
involved and (b) want to run a shop that tight).
/~\ The ASCII der Mouse
\ / Ribbon
pages, *and* they
> get it evaluated up to EAL7.
Strictly speaking, you don't need to have it evaluated for it to be
high security. Evaluation does not give the security; it gives
confidence in the security (or lack thereof, if it flunks).
Okay, okay,
/~\ The ASCII
sses), downward-growing stacks would have
exactly this kind of buffer overrun protection.
Hmm, I wonder if there's something useful lurking there.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML [EMAIL PROTECTED]
/ \ Email! 7D C8 6
> Der Mouse is barking up the right rathole.
:-) That's a lovely mangled metaphor. And, thanks for the kind words;
I'm glad to see I'm not totally out to lunch. (I haven't been at this
for as long as you have - you write "from 1965 to 1969", during which
time I
at would require
the mythical mind-reading peripheral.)
> Are we dealing with symptoms or the real solution?
Symptoms. The real problem is...well, depending on how you want to
spin it, it could be "choosing the wrong OS for the job" or "the high
cost of inconvenience" o
> no, a browser written in java would not have buffer overflow/stack
> issues. the jvm is specifically designed to prevent it ...
And of course, we all know all JVM implementations are perfect.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Agains
to be looking on it from a point of view which
disagrees with that, which actually means just that you've picked the
wrong TCP stack for your environment, not that there's anything wrong
with the stack for its design environment.
/~\ The ASCII der Mouse
\ / Ribbon
ot;, I've still
done it, though on only a few occasions.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML [EMAIL PROTECTED]
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
___
Se
rder, and attackers would have
done it if the PPC target had been as big as the x86 target.
> After all, didn't attackers also have access to powerpc systems to
> build attacks on during the same timeframe that Symantec suggests?
Sure, but less motivation to do so, because most of the
lon of good, start
chipping away at the mountain of negative karma they've built up.
But maybe it's not, too. And if I want examples of bad code I hardly
have to go to Microsoft to find them.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML [EMAIL PROTECTED]
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
pposedly cases where a bug has
already been found. I don't for a moment think that there will always
be exactly one bug in each post, nor that they wouldn't listen to other
code-review-style critiques.)
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against H
t, Jim, I'm an OS hacker, not a
miracle worker!" (Well, okay, I do do application work sometimes. :)
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML [EMAIL PROTECTED]
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
of argument rather irritating; the
> theoretical limits of proof are quite a different thing from the
> practical application of proof-based technology in a suitably
> constrained environment.
Entirely true. But if you use theoretical language like "proof", you
have to expect to be h
the panacea that "proving the program correct" makes
it sound like. As someone (who? I forget) is said to have said,
"Beware, I have only proven this program correct, not tested it".
/~\ The ASCIIder Mouse
\ / Ribbon Campaign
X Against HTML [EMAIL PROTECTED]
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
mitted.
Yes, that is the implication. It is wrong.
The correct response to "is it secure?" is "against what threat?", not
"yes" or "no". I would argue that anyone who thinks otherwise should
not be coding or specifying for anything that has a significan
assurance on "Smart people
looked at it and think it's OK". You can shuffle that point around,
but it's always lurking somewhere.
/~\ The ASCIIder Mouse
\ / Ribbon Campaign
X Against HTML [EMAIL PROTECTED]
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
's also not always clear whether a given thing constitutes a security
risk or not. A certain validation check that's omitted could lead to
nothing worse than, say, a one-cycle delay in recognizing a given
signal in the initial design, but reused in another way that nobody
knew e
more "how do we write code
more securely, assuming we have the mandate to do so" or "how do we
cause more of the code written to be more secure" (or perhaps something
else).
/~\ The ASCIIder Mouse
\ / Ribbon Campaign
X Against HTML[EMAIL PROTECTED]
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
aws; it
would give us hard data about what their effect is, rather than the
speculation (however well-informed) that's all we have to go on now -
and it quite likely would have the pleasant side effect of pushing most
open source projects out into the free (or at least freer) world.
/~\
list,
JavaScript arguably should not have a separate entry from Java (and
probably VBScript vs Visual Basic too). I also think ADA should be
spelled Ada - you seem to be _trying_ to capitalize correctly
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML
t would arguably be more
sensible to generate a SIGSEGV/SIGBUS rather than returning EFAULT).
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML [EMAIL PROTECTED]
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
R, we'll have a
safe and secure programming language". We won't; we'll just have one
where the unsafe and insecure errors are at a higher level.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML [EMAIL PROTECTED]
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
vides the same kind of capability for expressing error. (The
errors will be at a higher level, because the language is higher level,
but they will occur if the thing being built is nontrivial.)
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML [E
achine language, or as C
or Pascal does as compared to assembly language - but coding errors
will still occur, just as they do in assembly or C. They'll just be
errors at or above the level at which the code is written.
Or, of course, they'll due to be bugs in the compiler.
/~\ The
extent.
Certainly not exclusively (I know I'm a better programmer for knowing
many languages). Perhaps not even predominantly. But as theoretically
ugly as it may be, it is still pragmatically critical.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against H
#x27;t_ defined as well as what _is_; security for programmers includes
things like not overrunning buffers. Again, there's a lot of overlap.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML [EMAIL PROTECTED]
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
rses exist now. But only
a few of them and only very recently.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML [EMAIL PROTECTED]
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
n up a channel (to use a neutral term) to receive
> incoming traffic,
This is not so much a difference between DECnet and IP as a difference
between VMS and Unix.
/~\ The ASCIIder Mouse
\ / Ribbon Campaign
X Against HTML [EMAIL PROTECTED]
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
ally knows Visual BASIC inside and out.)
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML [EMAIL PROTECTED]
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
ion. (Some of the most obviously plausible: it's what the
programmers know; it's what the target sytem supports; it's necessary
to interface to some externally-supplied libraries)
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML
xt space, and picking up the
day number from there. Most months, this worked fine. May 1 through
9, it worked, because the leading space on the day number stopped the
scan. But May 10, the 10 was mistaken for the rest of the month name,
the parser got confused, and things went downhill from t
istakes - but while some buffer overflows are due
to someone trying to do it right and making a mistake, most of them
come from not even trying. Limit it to exploitable overflows and the
proportion is even higher.)
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HT
pen-source monolithic Unix variant.
There _are_ security benefits to microkernel designs, it's true, but
there are also security benefits to monolithic designs, and which
outweighs the other is a decision each system's architect must make -
it certainly isn't a slam-dunk either way,
or
c) The comparison is honest about its bias.
That is, I have nothing against "my product is better than their
product, and here are some flaws theirs has but mine doesn't". I have
trouble with it only when it's disguised as an unbiased comparison.
/~\ The ASCII
es.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML [EMAIL PROTECTED]
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
rom machine to machine, and some of those sites don't have anyone
competent to figure out what the restrictions should be for them, much
less correctly configure the sandbox to implement them.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML
59 matches
Mail list logo
