Fix the Bugs, Secure the System
LiquidPC writes: "OpenBSD's Louis Bertrand has put his MUSESS 2002 presentation online, entitled Fix the Bugs, Secure the System. Does an overview of OpenBSD, then explains Format String Ugliness, Buffer Overflows, The Wrong Way to Fix Overflows, along with numerous other things."
What's the point of a rock-solid operating system if very few are actually using it?
OpenBSD will never show up on my networks - but every packet that gets to my FreeBSD webservers goes through an OpenBSD firewall. I imagine that a lot of packets are touched by OpenBSD - and we'll never know it.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
granted, a non-executable stack makes it significantly harder to exploit a buffer vulnerability, but it's not impossible. you can also put your shellcode in environment variables, in the heap, or various other places. if you wanted to follow your line of reasoning to completion, you'd have to have an isolated code segment, marked read-only, and everything else marked non-executable. of course, then we have the issue of how to handle run-time dynamic loading, and programs like vmware--pretty much anything that gets machine code from a source outside of itself and the libraries that are linked in at compile time.
i do agree with the idea of a non-executable stack, though. it's just regarded far too often as a panacea for buffer overflows.
#define F(x) int main(){printf(#x,10,#x);}
F(#define F(x) int main(){printf(#x,10,#x);}%cF(%s))
If this had been converted from presentation-style to an actual webpage, it would have been deemed a big waste of time. Where is all the information? There isn't even anything new here, I already knew everything there, and I've only been using OpenBSD for a couple weeks.
The only thing there was a long list of titles with no information, old or new.
Lack of eloquence does not denote lack of intelligence, though they often coincide.
I'm a CS major, and we just got some sample code from the professor to help us on our first project. The very first thing it does in main is have a buffer overflow.
// BAM!!
#define SZ 100
char buf[SZ];
cout << "Enter courses filename: ";
cin >> buf;
This is C++! We have the string datatype for this! There's absolutely no excuse for this--especially in code that will be referenced as "good" code by everyone else in the class.
So anyway, the point of this rant is that security will remain horrible until we start teaching people to write securely in the first place.
~~~LXT~~~
Life is like a computer program: anything that can't happen, will.
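The bounded alternatives to the `cin >> buf` pattern in the comment above, as an added example that is not part of the original comment or the professor's code. The function names and the `max_len` limit are assumptions made for illustration, and the input is constructed.

```cpp
#include <cctype>
#include <cstddef>
#include <iomanip>
#include <iostream>
#include <sstream>
#include <string>

constexpr int SZ = 100;  // same buffer size as in the comment

// Pattern from the comment (not compiled here): char buf[SZ]; cin >> buf;
// Before C++20 that extraction has no length limit and writes past buf.

// Option 1: keep the array but cap the extraction with setw, which makes
// operator>> store at most SZ-1 characters plus the terminator.
// Returns false on an over-long token instead of silently truncating it.
bool read_filename_bounded(std::istream& in, char (&buf)[SZ]) {
    in >> std::setw(SZ) >> buf;
    if (!in) return false;       // nothing could be read
    if (in.eof()) return true;   // token ended at end of input
    int next = in.peek();
    return next == std::char_traits<char>::eof() || std::isspace(next) != 0;
}

// Option 2: std::string, as the comment suggests. max_len is an assumed
// policy limit so that one token cannot grow without bound.
bool read_filename_string(std::istream& in, std::string& out, int max_len = 4096) {
    if (!(in >> std::setw(max_len + 1) >> out)) return false;
    return out.size() <= static_cast<std::size_t>(max_len);
}

int main() {
    // Constructed input: a 150-character token, longer than the buffer.
    std::istringstream too_long(std::string(150, 'A') + "\n");
    char buf[SZ];
    std::cout << "bounded array accepts 150 chars: "
              << read_filename_bounded(too_long, buf) << "\n";

    std::istringstream same_input(std::string(150, 'A') + "\n");
    std::string name;
    std::cout << "std::string accepts 150 chars: "
              << read_filename_string(same_input, name) << "\n";
    return 0;
}
```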
I don't agree with your assessment that safe high-level languages necessarily perform badly. (What is the difference between speed and performance?) But, let's forget about that.
What is "OS-level" about an ftp daemon? BIND? Mozilla? Gnutella? All sorts of network (and other) applications are written in C, even though there certainly isn't any need for performance or device-level bit manipulation. (At least, I would place security way above performance!)
Cyclone is actually from Cornell, by the way. It's a good project for moving systemsy people away from C, but there are already mature programming languages that are not slow, and yet are secure by default. (Try SML or O'Caml, for instance.)