Slashdot Mirror

← Back to Stories (view on slashdot.org)

Fix the Bugs, Secure the System

Posted by michael on from the crunchy-on-the-outside dept.

LiquidPC writes: "OpenBSD's Louis Bertrand has put his MUSESS 2002 presentation online, entitled Fix the Bugs, Secure the System. Does an overview of OpenBSD, then explains Format String Ugliness, Buffer Overflows, The Wrong Way to Fix Overflows, along with numerous other things."

3 of 334 comments (clear)

  1. Script Kitties by Mattygfunk · · Score: 4, Interesting

    It was a bit tedious flicking through all those slides but the final one did bring a smile to my face.

  2. The only remaining wish... by __past__ · · Score: 4, Interesting
    The only thing I'd like to see from the OpenBSD guys would be a write-up of the gathered wisdom, in form of a "Code-auditing Howto". Unless everybody starts using OBSD (not due this week, unfortunatly), it would be nice if they would share their knowledge so that other platforms like, say, Linux, could benefit.

    But then I guess producing a high quality operating system keeps then busy enough...

    --
    Programming can be fun again. Film at 11.
    1. Re:The only remaining wish... by dvdeug · · Score: 4, Interesting

      As if they'd pay attention. And before you mod that as flamebait, ask yourself why strlcpy() still isn't part of glibc..

      There's a few huge winding threads in libc-alpha <http://sources.redhat.com/ml/libc-alpha> on this. One answer is:

      These words make sense. The problem with strlcat and strlcpy is that they
      assume that it's okay to arbitrarily discard data for the sake of preventing a
      buffer overflow. The buffer overflow may be prevented, but because data may
      have been discarded, the program is still incorrect. This is roughly analogous
      to clamping floating point overflow to DBL_MAX and merrily continuing
      in the calculation. ;)

      Agree or disagree, the developers of glibc don't find strlcpy to be an appropriate function based on its merits. Trying to claim otherwise is just trying to stir up trouble.