Remote Root Exploit in CVS

RenHoek writes "Security expert Stefan Esser from E-matters discovered a bug in CVS version 1.11.4 and lower, that can give malignant users remote root access. The exploit was confirmed on BSD, but other OS's like Linux, Solaris and Windows are vulnerable too. A security advisory can be found here and there is also a patch available. CVS version 1.11.5 which is fixed can be downloaded as well."

Murphy's Law

[swordboy]

This kind of thing always seems to happen after I burn a new release of something.

Sigh...

Re:Murphy's Law

[questionlp]

You can always use CVSup to pull down the latest version of the source branch (RELENG_5 or RELENG_5_0 I think, but check the FreeBSD Handbook just to make sure) and do a make world on the system once the patch is available in the source tree.

Malignant?

[TheKodiak]

I think "Malicious" is the more... conventional choice.

Re:Malignant?

[commodoresloat]

Yeah but I like the idea of malignant users.

Re:Malignant?

[jasonditz]

This is why I only offer access to benign users.

Re:Malignant?

[TheKodiak]

Liquid nitrogen just got too expensive?

CVS, huh?

[stratjakt]

Sounds like a good way to alter the code stored on a hacked machine to install backdoors for you to get into others.

Do you OSS folks actually read through every line of source before you build something big like Apache or Squid or SAMBA, just to make sure noone has altered the code?

Re:CVS, huh?

[penguin_punk]

"Do you OSS folks actually read through every line of source before you build something big like Apache or Squid or SAMBA, just to make sure noone has altered the code?"

No. But I do check the md5 checksums that I get from at least 2 or 3 different sources. Especially with server software like Apache, Squid or SAMBA.

Do you Closed-Sourced folks trust whatever gets shoved down your throat?

Re:CVS, huh?

[Monkeyman334]

First, the bug being in CVS has nothing to do with changing the source code on a hacked machine. If you have root from ANY bug, you can change the source code. No, "OSS folks" do not waste time looking through every bit of source of Apache, Squid, or SAMBA, if they're just downloading and compiling it on a machine that's been compromised. They probably couldn't find malicious code anyway if they don't know the code well. They just run md5 hashes against the ones on the download site. As for developers checking code that they developed themselves or distribute, yes, you must check every line of code and look for vulnerabilites. That is, unless you have some backup to run a diff against that you can trust. As an example, Themes.org had to go through all their code when their server was compromised before they put the site back up.

Re:CVS, huh?

[guido1]

[Rant]

No. But I do check the md5 checksums that I get from at least 2 or 3 different sources.

So here's the funny thing about doing it that way. You're not necessarily any safer by doing that than just getting the binaries.

Why?

Unless you personally diff all the code that has changed since the last release, you don't know what's in there. Sure, you could check, and others can (and likely do), but you don't know until/unless they/you do.

So enjoy your security blanket, but realize that is is only that.

[/Rant]

Re:CVS, huh?

[bokmann]

No, but plenty of open source projects 'sign' their work, which I can then verify with gpg and the public key of the developer(s).

The question then becomes, "Do I trust that person", instead of, "Do I trust that person and every bloody person who just might be able to alter a file in the long chain of responsibility from him compiling it to me installing it."

GPG. Know it. Live it. Love it.

Re:CVS, huh?

[Alsee]

Do you Closed-Sourced folks trust whatever gets shoved down your throat?

No, but we swallow it anyway, lol.

-

Re:CVS, huh?

[fitten]

"Do I trust that person", instead of, "Do I trust that person and every bloody person who just might be able to alter a file in the long chain of responsibility from him compiling it to me installing it."


Actually... it's more like:
"Do I trust that person and every bloody other person in the 'bazaar' that has access to add/modify the code before I compile it and install it."

vs.

"Do I trust that person and every bloody person who just might be able to alter a file in the long chain of responsibility from him compiling it to me installing it."

Volunary peer review is just that... everyone assuming that some other peers are reviewing the code means that it most likely doesn't get done unless you do it yourself. md5 checksums just mean that you downloaded the stuff that was on the site and it matches the md5 number that was generated when it was put out (could already have had bad stuff in it). In the end, unless you examine the code yourself, you are engaging in the same amount of trust either way.

Re:CVS, huh?

[feed_me_cereal]

Unless you personally diff all the code that has changed since the last release, you don't know what's in there. Sure, you could check, and others can (and likely do), but you don't know until/unless they/you do.

The grandparent said he checks at least 2 or 3 sources. This means all the sources would need to have the same hacked copy. That means the attacker would have either had to have nailed the server distributing the copies (and the people there would have had to have been dumb enough to go ahead with it) or by luck have comprimised all of these random servers.

So enjoy your security blanket, but realize that is is only that.

Although the situation I described above is certainly possible, I would say the grandparents method is good security practice and probably a lot more than a mere "security blanket". That is, if I'm correct in my reasoning. If not, I'd appreciate comments.

Re:CVS, huh?

``Do you OSS folks actually read through every line of source before you build something big like Apache or Squid or SAMBA, just to make sure noone has altered the code?''

I am so tired of hearing the suggestion that if I want to make use of the advantages of OSS, I have to personally read the code. This is so obviously beside the point, I have never even actually tried to put it right....

As is demonstrated by this example as well as by countless others, it is enough if one single person on earth is checking the code. Then the news will spread. I have never looked at a single line of the code of cvs, and yet I knew it had to be upgraded. Oh, and while smart closed-source folks are free to find exploits, they have to rely on the mercy of the sowtware manufacturer to plug the leak. While I, not having bothered to change a single line of cvs code, was able to download the patched version practically without delay right after the leak's discovery.

Re:CVS, huh?

[flynt]

That means the attacker would have either had to have nailed the server distributing the copies

And how are they going to do that? Through a hole in something like CVS??? Couldn't be!

Re:CVS, huh?

[Delirium+Tremens]

You are out of you mind, budy. We are talking about a root exploit through CVS, not a mere CVS privilege escalation issues. I can tell you that the guys who gain root access through this exploit will have more interesting things to do then put some new freaking source code into a CVS tree, you fool. First, that code would have to compile, and secondly, the malicious change would be detected by the component maintainer after a mere diff or check out.
You don't know anything about software development and/or exploits, do you?

Re:CVS, huh?

[HalfStarted]

Ok, the original post was not talking about signing the source just taking a hash of it... but it is a simple thing to go the extra step and sign it as well. Once the code or even a tar is signed it isn't even necessary to get the code from multiple sources (as long as the key is trusted). For those of you that need a quick refresher in public key signing in a nutshell it goes as follows: I create a public key/private key pair and distribute my public key, usually via a key server. I can then use my private key to sign a document, my public key can then be used to verify that 1) I am the person that signed the document and 2) that the document has not been modified since I signed it. If you REALLY want to trust the open source code you run... don't use it unless you have a trusted public key for the distributor and the code passes a sig check.

Re:CVS, huh?

[feed_me_cereal]

you sir, are an idiot.
you sir, are an ass (albeit anonymous)

what good does getting the md5s do? so you get your sources from 2 or 3 places

It works when one of the CVS servers you're downloading from gets hacked. Of course it's possible for the distributing server to get hacked too, but I'd hope people are watching it a bit more keenly. If the developers don't have more than one copy of their own code with which to check before submitting their release to the mirrors, then they shouldn't be making OSS software.

This is still much much much much better than doing nothing. You can never be 100% secure. Security is doing all the reasonable things you can to approach 100%.

maybe the transfer from master to mirror mixed up a few bytes.

Then the MD5 sum will be fucked up. What's your point?!

maybe all your downloads from a mirror mixed up a few bytes

In the exact same way ?! if the file is only a megabyte then the chances of this will be slimmer than 1 to 1 million squared! Either way the MD5 sum, since it's independant of the data, will be fucked up.

either way, it doesn't matter how many sources you use to d/l source packages for 'safety'

Maybe if you've never taken a statistics class.

oss needs a better method of s/w distribution. sign packages and their md5 hashes with pgp would be a start.

Um... there are OSS distribution rules? It's up to you to judge the competency of individual projects, as far as security goes.

Oh, and why is this OSS's problem? Why isn't closed-source even MORE vulnerable to this phenomena? OSS developers aren't the only ones who use CVS internally.

Re:CVS, huh?

[feed_me_cereal]

And how are they going to do that? Through a hole in something like CVS??? Couldn't be!

no shit! Don't quote me out of context. I had some more following that. My original quote:

That means the attacker would have either had to have nailed the server distributing the copies (and the people there would have had to have been dumb enough to go ahead with it)

and also...

Although the situation I described above is certainly possible, I would say the grandparents method is good security practice and probably a lot more than a mere "security blanket".

So... I sincerly hope that the people distributing the release:

1. practice better security than a mirror
2. For christs sake, CHECK the release against a safe backup before releasing it!!! And they had better be backing up their code...

and, of course,it's still possible that this could happen. Certainly. I never said it couldn't. That dosn't change the fact that checking multiple sites will probably take care of most of these CVS attacks, since it's a lot easier to hit one random mirror than the main fucking site.

Re:CVS, huh?

[bokmann]

Not entirely so.

It's not like hundreds upon hundreds of people have commit access to a project like JBoss... or Ant... or Apache... There are relatively few committers, and each of those has generally earned some amount of trust from the maintainer of the project. And those people I'm trusting are easily identifiable to me...

who is administering the server where I can download Apache? I have no friggin clue.

So, I can trust a small group of people who have the earned trust of the person willing to sign their name to it, vs trusting an unknown number of people, or a sysadmin who used his mother's maiden name as the root password to the server he's administering.

Not the same thing at all.

Re:CVS, huh?

[tshak]

Do you Closed-Sourced folks trust whatever gets shoved down your throat?


Nope, it's called testing and conservative upgrading, which should be done with _ALL_ software anyway. And no matter what an EULA may say about a companies responsibility, I guaruntee that if IBM put's a backdoor into the code that they will be hurting hard. Companies are kept accountable by their customers. This is how busienss in America works. I don't inspect my Car to see if my brakes have been tampered with either, or if the fuel computer has a virus that executes at 10,000 miles. Honda's been around too long for me to even worry about it.

Re:CVS, huh?

[archnerd]

You're either a troll or an idiot; I'm not certain which. MD5 is a secure hashing algorithm; given a block of data, there's no known way to find a another block of data which generates the same checksum except by random guessing.

Re:CVS, huh?

[pediddle]

the bug being in CVS has nothing to do with changing the source code on a hacked machine. If you have root from ANY bug, you can change the source code.

I agree, but one thing does make the risk a little higher: any server hacked through a CVS bug is almost guaranteed to have some source code on it. If some script kiddie goes poking around for all the CVS servers he can find with the intention of backdooring as much code as possible, well... it just makes his job easier.

Re:CVS, huh?

[pjrc]

First, the bug being in CVS has nothing to do with changing the source code on a hacked machine.

Now if I were a malicious hacker/cracker, hell-bent on obtaining unauthorized access to as many machines as possible, and I happened to have a 0-day exploit to CVS, which happens to be used to maintain the sources to many of the most popular server applications....

hmmm, what might I do with that exploit ??

Yeah, I know, I'd go root lots of boxen and deface home pages on any machines also running web servers and use the rest to launch DDOS attacks. Yeah, that'd be the thing to do. All that writable source code wouldn't even be on my mind at all, would it??

.

Chicken and egg problem?

[Gentoo+Fan]

So if CVS is in CVS, maybe somebody rooted CVS's CVS to apply a patch to backdoor CVS, even with new CVS patches to CVS? ;)

Re:Chicken and egg problem?

[pclminion]

So if CVS is in CVS, maybe somebody rooted CVS's CVS to apply a patch to backdoor CVS, even with new CVS patches to CVS? ;)

You're making a joke, but the problem you mention is actually a serious one. Ken Thompson who we all know and love from UNIX lore has written Reflections on Trusting Trust which describes just this problem.

Imagine that you insert a backdoor into a compiler, so that everything the compiler compiles is trojaned. If the compiler detects that it is recompiling itself, it quietly reinserts the trojan code. The actual source code to the trojan might be wiped out, but as long as you are running infected binaries, it will keep popping up again and again.

From the paper: "First we compile the modified source with the normal C compiler to produce a bugged binary. We install this binary as the official C. We can now remove the bugs from the source of the compiler and the new binary will reinsert the bugs whenever it is compiled. Of course, the login command will remain bugged with no trace in source anywhere."

A very interesting read.

Re:Chicken and egg problem?

[gstein]

Good thinking, but there is no problem.

The CVS repository on cvshome.org was updated on January 15th, well before the exploit was published.

(but wow, wouldn't that have been cool? every rushes to update their copy of CVS, and now you've got your backdoor installed everywhere? hoo ya!)

Re:Chicken and egg problem?

[Wesley+Everest]

And, of course, the trick would be to hack the official gcc server, put the trojan in the source, wait for a new update (hoping nobody finds the trojan), and then silently remove the trojan. Then, wait again for quite a few new updates (so that nobody would have reason to look at the version that has the trojan in source. After that, some versions would have the trojan and some wouldn't -- any binary that has a hacked binary as its "ancestor" would be hacked, but any one that "skipped a generation" would be clean.

Now, the way to prevent this from happening is to use a compiler other than gcc when compiling gcc. Then, the hackers would have to hack both compilers, which would be a much more significant task.

Are there any really paranoid folks out there that build gcc with the Intel compiler or somesuch? Is it possible to build gcc with another compiler?

Btw, when the russian hackers hacked Microsoft, how do you know they didn't do this to VC++?

Re:Chicken and egg problem?

[TheKodiak]

"One merely has to rename the source code
for the compiler,"

s/has to/has to detect the backdoor, and/

Re:Chicken and egg problem?

[brettper]

Good thinking, but there is no problem.

The CVS repository on cvshome.org was updated on January 15th, well before the exploit was published.

Riiight. So because the exploit wans't published then obviously no-one knew about it?

THE PATCH IS WRONG

cant you guys read? It is an additional patch!

The patch from e-matters does NOT fix the double free bug!!!!

the great circle of software.life

[poindextrose]

ah yes, another representation of sofware's circle of life.

exploit, patch, exploit, patch, exploit, patch.

insert elton john music here

It's true

[mao+che+minh]

Yea, I used CVS to update my mplayer so I could watch some newer Windows Media files sent to be by some nice young woman at "Brintey_XXX_Hot_NAKED_ J-LO_CAUGHT_ACTION@hotmail.com". Shortly thereafter, I came back from the bathroom to discover that my desktop image was replaced by a big penis with the KDE gears for testicles, and I couldn't start any programs.

cvs as root?

[molo]

What fool runs their cvs pserver as root? Every installation I've ever seen has it running as a non-privelidged user. While of course any remote compromise is not good, lets not exagerate the severity of this problem.

Re:cvs as root?

[mustangdavis]

If I can get onto a Linux or BSD box as ANY USER, I can get root (well, 90% of the time, I can).

Remember, many sys admins don't patch local software packages that have buffer overflows or other wonder exploits that can get you root, so just about ANY remote exploit that you can get shell access with can be viewed as a root exploit. This is especially true with University servers and other places that install all software packages that come with their Linux distribution in the name of "research" or "education".

Just my $0.02 cents ...

Re:cvs as root?

[jhealy1024]

What fool runs their cvs pserver as root?

Ummm... People using Debian?

On a stock Woody box:

grep cvs /etc/inetd.conf
cvspserver stream tcp nowait.400 root /usr/sbin/tcpd /usr/sbin/cvs-pserver

Re:cvs as root?

[Fizzl]

Indeed. I'm a Lunix newbie, and I have set-up only one CVS server that is public (not NAT:d).
Yet I was cluefull enough to run it in it's very own sand box.

I can't imagine this exploit is a terrible problem.

Re:cvs as root?

[Q+Who]

This is especially true with University servers and other places that install all software packages that come with their Linux distribution in the name of "research" or "education".

I wonder what is the meaning of those quotes above. Are you suggesting that universities should compromise education possibilities due to some exploits?

I guess you overestimate the importance of network security. It is secondary to network functionality. The latter is defined first, the former is the job of a sysadmin.

Re:cvs as root?

[someonehasmyname]

I think he means instead of running ftpd as "ftpd" they'd config it to run as the username "education."

Then they'd do this with apache, cvs, sendmail, bind, etc.

Am I wrong in assuming this?

Re:cvs as root?

[JourneymanMereel]

Up until about 30 second ago I did... I'm not really sure why, but I saw this question and one of the responces and figured I'd take a look at my xinetd config. Sure enough, it said user = root. The stupid thing is, I even created a user to run CVS as, I just never used it!

As I insinutated above, it's not anymore :)

Re:cvs as root?

[cras]

cvspserver stream tcp nowait.400 root /usr/sbin/tcpd /usr/sbin/cvs-pserver

That's so that setuid() can be called later once user has logged in, so it's not running as root all the time. Pretty standard implementation for most servers that require logging in.

I've set my anonymous CVS pserver so that it's running under anoncvs uid which has no write access to any of the files in CVS. Only problem with this was that CVS wants to create lock files, but it could be done by setting +t flag for all directories so they will behave like /tmp. That pretty much prevents this exploit from causing me any harm. That and grsec.

Re:cvs as root?

[rela]

I think you took the post too literally. =p

Re:cvs as root?

[Quill_28]

you mis-spoke

some jerk-off's attempt at irony, someone should have at least modded it back-up.

I knew I should have posted ac.

Re:cvs as root?

[bolsh]

If you want your CVS users to connect (and read & write) to CVS as any user other than the user that CVS runs under, you need to run the pserver as root. This is because CVS's connect procedure is basically as follows...

1) inetd detects a request on 4901, spawns cvspserver
2) cvs checks CVSROOT/passwd for the username and passwd of the connector
3) unless it's disabled in CVSROOT/config, if the username isn't in CVSROOT/passwd, it will check /etc/passwd.
4) If the password is valid, it forks and does a setuid to the userid of the connector (or to the userid of the local user specified in CVSROOT/passwd
5) As this user, cvs does its thang, and performs all your requested server operations.

If you're not running your pserver as root, step 4 isn't possible, therefore all server operations must be done as the user as which the pserver runs.

In brief, if you run your pserver as a user other than root, you cannot implement user-level access to the repository. If you want to have user-level access, or module-level r/w access, you must run your pserver as root to allow the setuid to happen.

Cheers,
Dave.

Re:cvs as root?

[molo]

You should run the cvs pserver as a user which is not root, and does not have write access to the repository. That would allow anonymous cvs access (the only good reason to run a pserver). Then for authenticated access, do it over ssh. It works, and is the only way to do it securely.

Not to worry

[Achmed+Swaribabu]

I know that a many of people will now say that to use free GPL software is dangerous but I will say that it's still the most robust software around.

When you look at all the expolits in commercial software and then compare them to the amount found in free software you will see what I mean. I used to be a big Microsoft fan until I looked at all the money I save with free Gnu/BSD/linux software and now I never look back.

Malignant users?

[Dthoma]

I wonder how you operate to remove those?

Er....

[Lord_Of_The_Beer]

I thought this affected Windows also......

Re:Er....

[stratjakt]

It does, I'm just raising the point that what makes Linus inherently more trustworthy than Bill Gates?

I'm not trying to troll or flame, just want to point out that Open Source software is every bit as vulnerable to trojan horses/backdoors as closed source.

Re:Er....

[mentin]

I thought this affected Windows also......

Yeah, and we need to quickly find a way to blame Microsoft for this CVS bug. Any ideas?

Cripes, it's time to ban C

[phr2]

I looked at the advisory expecting to see the words "buffer overflow", and instead saw "malloc mistake" (same pointer can get freed twice in some circumstances). Both of these amount to the same thing, getting nailed by C's lack of automatic memory protection and garbage collection.

I think it's time to give up on C for most Internet application development, and use languages which eliminate this wide class of bugs. Banning C altogether is of course an overstatement, but C code in an application should be treated like setuid code. There should be as little of it as possible (the occasional optimized inner loop of something, for example), and it needs to be scrutinized very carefully before deployment.

Anyone know what language Subversion is written in?

Re:Cripes, it's time to ban C

[The+Bungi]

Since you can't cause a buffer overrun/overflow in something like Java or .NET, maybe that's a good choice to write stuff in.

Or maybe not - someone will find a way to exploit those and anything alse that catches on.

It's impossible to protect non-trivial software from *everything*. You might as well get on with your life, plan for exploits and how to deal with them. Anything else is just a pipe dream.

Re:Cripes, it's time to ban C

[stevey]

I think it's time to give up on C for most Internet application development

This is part of the reason that version 2 of my MP3 streaming server is being written in Perl.

Most of the work of the server is in file manipulation, and plugin coding - and the server will be mostly network/IO bound anyway. The speed lost due to the interpretted nature will be gained by safety.

OK I'm using Perl for more reasons that just that; but the lack of buffer overflows was part of the reason for the switch.

Anyone know what language Subversion is written in?

C

Re:Cripes, it's time to ban C

[axxackall]

If you don't like software written on C then use CryptoGnome - a better version control system written in Scheme.

Another alternative is RCS written on shell: Arch.

Wait, both Scheme and Shell are written on C, so you can't use them either. You may try to find someting written directly on Asm.

Re:Cripes, it's time to ban C

[Xerithane]

I looked at the advisory expecting to see the words "buffer overflow", and instead saw "malloc mistake" (same pointer can get freed twice in some circumstances). Both of these amount to the same thing, getting nailed by C's lack of automatic memory protection and garbage collection.

It's not the language, it's the coder. Just like it's not the car, it's the driver, if someone causes an accident. Replacing every sports car with a Kia isn't going to stop accidents. Educating drivers on good practices is. ...it needs to be scrutinized very carefully before deployment.

Uhm, no shit? I think you should write a book! Seriously, saying that there should be code reviews before software gets deployed? That's an awesome idea, I think I'll start implementing it into my own development.

Again, the problem is not the language, it's the coder. People make mistakes, languages do not (compilers on the other hand). Don't blame a language for operating exactly as it's designed to.

You can do garbage collection in C just fine, with external libraries.

Re:Cripes, it's time to ban C

[krajewski]

Yup, I totally agree with you. There must be a better way. I seriously believe that when it comes to application development, there should be little need to deal with memory and pointers. This leads to all the problems that can cause a memory leak or core dump. Application programmers should be dealing generally with just abstract data. I recommend Lisp myself.

I believe that the OS itself should really deal with automatic memory management and abstraction of data. Actually, at least one other programmer and I are in the process of designing an open source OS which does just this (written in Common Lisp, of course).

Re:Cripes, it's time to ban C

[njchick]

Subversion is written in C because it's an Apache module, and Apache is written in C. Check for yourself, version 0.17 has just been released.

Re:Cripes, it's time to ban C

[kscguru]

Ah, but the phrase that jumped out at me was "global pointer variable" - a synchronization-type problem that could hit just about any language (yes, Java included). Java would probably crash with some sort of exception instead of happily running in an invalid state... but do you really want anyone to remotely crash the server daemon either?

But, banning C is the LAST thing you'd want to do in a case like this. C is absolutely, bar none, the fastest language for slinging raw bytes around (err... ignoring assembly, but it's close) - and that's pretty much what a CVS server (or FTP, or HTTP, or ...) does. Switch over to a "safer" language (Java, Perl, whatever) and the commands to run the connection will be safer, but the server as a whole will suffer - and thus less people will use it.

The best case here would probably be to set up two layers - a Perl wrapper that parses and verifies input before passing it on to a C program that actually does the serving. But this is a server - emphasis on the C core, not the Perl wrapper. The parsing/verify is the special case, while the data transfer is the general case, and so designing for the general case makes the language of choice C.

But getting back to the topic, the bug here isn't a memory management bug. It's a flawed PROGRAM design that RESULTS IN a memory management bug. Global variables are bad in general, and should only be used with due diligence - and here's simply a case where that diligence didn't work.

Re:Cripes, it's time to ban C

[HiThere]

Well, D comes to mind. So does Eiffel. And, now that gcj exists, Java. These are't real desireable languages, but they solve the buffer overflow/pointer freeing problem.

The thing is, as long as C code requires type casts, it will be fragile. Java casts know the size of the thing that they are casting, but C doesn't. Eiffel doesn't allow you to cast. I'm not sure just what D does, but it says that it handles this, too. I don't think that this could even be handled by a redesign of C. It's too embedded in the language. C is, essentially, a portable assembler, and intentionally doesn't check anything it doesn't have to. Really helps to optimise memory use. But the pointers just aren't safe, and I don't think that they can be made safe. (I'm not saying that some particular chunk of C code isn't safe. Most is. But there's not much possibility of an automatic check, and even a manual check can be ... interesting.)

Earlier someone suggested using Scheme code... well, Scheme handles this problem, but it introduces it's own (or at least the early versions of Lisp did). And the coding model is too different.

So D is probably the best choice. But, unfortunately, the first version isn't yet into Beta. Whoops! (D is closely modeled on C, but was willing to break compatibility to fix design problems, where C++ required keeping compatibility. And D was designed a lot later. So D has built-in garbage collection, and eliminates the need for pointers, etc.)

Another good feature of D is that it can call C code directly. gcj should be able to also, but I haven't figured out from the docs just how to do it. (Anyway I like the syntax and feel of D more than I do that of Java.)

Then for higer level applications there are things like pyrex. Another beta compiler. Pyrex is designed to sit in between Python and C, so that you can code small pieces in C for efficiency, and the larger pieces in Python for speed in development and understandability.

Programmers can be much smarter than any garbage collections system in small chunks of code, as well as more efficient, as long as they are careful and don't make any mistakes.

Re:Cripes, it's time to ban C

[toast0]

not to pick on you personally, but....

guess what language perl is written in? yeah thats right, C. Guess what, if you work really hard, you can make perl have a buffer overflow (or at least segfault).

also, if you use proper techniques when programming c, its not that hard to avoid buffer overflows and malloc problems.

Re:Cripes, it's time to ban C

[gstein]

My streaming server, edna has been written in Python since day one.

Yes, Subversion is in C. Our network server is Apache. Personally, I'm quite confident in Apache's resistance to exploits. (and yah yah, adding svn to apache means adding exploits, but the point is that we're on a nice base).

Re:Cripes, it's time to ban C

[axxackall]

Do you use GOTO? No? Why? Because it's unsafe and it is not really unnecessary. However, it is still used somewhere hiddenly in the compiled binary code - programmers just don't manipulate it manually.

Same way, manual operations with memory ponters must be prohibited. And they are prohibited in languages with garbage collectors and automatic memory allocation: Java, Python, Perl, Ruby.

GC, automatic memory allocation and disabled GOTO, such methods limit programmers (in a positive way) and help to avoid very critical mistakes. But not all mistakes. Changing the variable (object) value is another source of common mistakes, which must be eliminated. It's solved in Functional Programming languages, such as Lisp, Haskell, ML, Oz, Mercury and Erlang.

Re:Cripes, it's time to ban C

[qodfathr]

Since you can't cause a buffer overrun/overflow in something like Java or .NET, maybe that's a good choice to write stuff in. Or maybe not - someone will find a way to exploit those and anything alse that catches on.

I think you are missing an important point. There is a big difference between exploitation and honest mistakes. The CVS bug is just that -- an unintentional bug. The (debatable, but I agree with) advantage of languages such as Java and C# is that make it much harder for us mere mortals to accidentally introduce system-level bugs into our code. I ran FAR FAR away from C/C++ when Java became a reasonable alternative, because I saw countless incidents of crash bugs caused by mismatched malloc/free or new/delete.

Now, I'm certainly not recommending that anyone go and write an OS kernel in Java. While it would likely be a 'safer' kernel for a particular group of common bugs, it would also likely be dog slow. But, I'm amazed at what people pull off with VM-based languages everyday, so, who knows? I remember the sick guy back in college 12 years ago who seriously considered writting an OS in ML (ML the langauge, not machine language) because it would be so safe and easier to prove correct.

Back on topic, I think we'd be hard-pressed to find a CVS server that is taking such enormous load that it couldn't be implemented in Java or C# and perform perfectly well. Look at what people have done with resin -- a J2EE app server written in Java -- as reported on /.

Mind you, I'm not volunteering for the port -- won't pay the bills and all that -- but I wish I had the time to do it.

Re:Cripes, it's time to ban C

[IamTheRealMike]

Switch over to a "safer" language (Java, Perl, whatever) and the commands to run the connection will be safer, but the server as a whole will suffer - and thus less people will use it.

I don't think that stacks up. Apache Tomcat is actually very high performance, nearly as fast as Apache itself I've been told by people who would know.

I was having this argument with a friend last night. He couldn't understand how Java could be faster than C, so I showed him the HotSpot whitepaper.

But getting back to the topic, the bug here isn't a memory management bug. It's a flawed PROGRAM design that RESULTS IN a memory management bug. Global variables are bad in general, and should only be used with due diligence - and here's simply a case where that diligence didn't work.

No, it's a memory management bug. If the CVS server has a poor design that's a separate issue, but manual memory management is a pain in the ass and very easy to get wrong. Considering how many servers are in fact written in Java and their ilk, I think a possible slight loss in speed is certainly worth the increased security.

Re:Cripes, it's time to ban C

[jroller]

GOTO dead?
Not exactly .

Re:Cripes, it's time to ban C

[Nevyn]

Do you use GOTO?

Of course I do, because I haven't just repeated the subject from knuth's papaer ... I've actually thought about the problem and read followup papers like http://www.cis.temple.edu/~ingargio/cis71/software /roberts/documents/loopexit.txt

Changing the variable (object) value is another source of common mistakes, which must be eliminated. It's solved in Functional Programming

Really, so lisp doesn't have variable Eh? I bet that's news to a lot of people. Haskell and prolog have no variables, IIRC ... but that gets even further from mainstream, and requires a way of thinking about constants so that they become variables.

Re:Cripes, it's time to ban C

[johnnyb]

Or just use a garbage collector like Boehm with it.

Re:Cripes, it's time to ban C

[stevey]

guess what language perl is written in? yeah thats right, C. Guess what, if you work really hard, you can make perl have a buffer overflow.

Indeed that's possible - I even remember the last local root hole via the sperl binary.

Even if there are no buffer overflows possible it's not proof that the software is secure; lots of things need to be checked, PATHs, permissions on files, race conditions, symlink attacks, etc.

Thats why, as you say, proper programming is the way to security. A good developer should always test return codes, never use unbounded copies, etc.

Re:Cripes, it's time to ban C

[stevey]

Your server was pretty much what inspired mine - I even remember posting a few small patches to your mailing list!

Personally I just don't get Python- though it's a fine language - so I struggled making anything over than trivial changes to your code.

I've gone from Edna, to bad Perl, to C, then C++ and now into good Perl.

Threading and memory management were what drove me to c++, but finding std c++ libraries were not threadsafe, and the desire to interface with databases drove me back to perl.

Re:Cripes, it's time to ban C

[johnnyb]

1) Nonlocal exits is not the same as GOTO. The paper you refer to does not advocate use of goto, it advocates the use of escape procedures. Functional Programming people are fine with this - in fact Scheme goes even further with it's call-with-current-continuation function - allowing continuations with unlimited extent - unlike your example, which has only lexical extent. The problem with Goto is that it has no structure whatsoever, and therefore is susceptible to many, many abuses.

2) Lisp is not the same as functional programming. Although it encourages a functional style, it has numerous procedural elements. Variable assignment is NOT functional programming, and Lisp is not the ultimate FP language.

Re:Cripes, it's time to ban C

[johnnyb]

Memory management _is_ tough. I think GCC should have a switch like -usegc to enable garbage collection (i.e. - statically link in Boehm). Memory management is _really_ a tough issue to do manually for any complicated program.

Re:Cripes, it's time to ban C

[The+Bungi]

I think you are missing an important point

Not really =) The fact that the bug is unintentional (and I've never heard of an intentional bug, but still) is irrelevant because it's still a potential exploit. The fact that it's cause by a malloc error is irrelevant, because it's still an exploit.

If you write software in C, you need to follow a certain set of rules to prevent things like these from happening. If you were writing something like CVS in Java, you'd have less things to worry about and you'd probably be more productive, but that doesn't mean that having a huge runtime saves you from having to think about security. Further, larger swaths of the application domain are taken away from you (nee runtime) so you're at the mercy of hackers who find an exploit in the Java IO package and you still need to wait for Sun to patch it.

But the bottom line is you'll never have a 100% exploit-proof application, period. It doesn't matter what you write it with. What you need to do is choose the right tool for the job, follow standards and guidelines, incorporate security into your design from the start and do your best. And then have a plan to deal with the eventual exploit. Because, believe me, you'll have one if your software is used widely enough, as is CVS.

Re:Cripes, it's time to ban C

[QuantumG]

Simple truth: Functional languages are great for writing functions. I/O isn't suited to functional programming for precisely this reason. CVS is a 100% I/O process (talking to sockets and files). Therefore, any functional language is the worst possible choice of language you could make to write something like CVS.

Re:Cripes, it's time to ban C

[kscguru]

Apache Tomcat is actually very high performance, nearly as fast as Apache itself I've been told by people who would know.

Sun seems to continuously pull off miricles with Java. Humbug. :-) But in all seriousness, I think it might be worthwhile to consider memory load (and the associated problems with running out of memory, using swap, etc.) in the term "performance" (yeah, I have to pick on Java's weakness to get anywhere...).

But I also happen to think that Java itself isn't that far removed from straight C++, it can be about as efficient algorithmically and so any debate devolves into inefficiencies of garbage collection versus advantages of HotSpot. Of course, all this assumes good C++ coders and good Java coders!

No, it's a memory management bug. If the CVS server has a poor design that's a separate issue, but manual memory management is a pain in the ass and very easy to get wrong.

It's still poor design. Java could have a similar bug - an old pointer in a static class. It wouldn't create an exploit (I agree), but it would likely throw a null pointer exception or cause data corruption. And I'll lump good Java exception handling right there with manual memory management in terms of difficulty. Not just catching the exception, but handling it in a fail-safe way.

Re:Cripes, it's time to ban C

[damiam]

You may try to find someting written directly on Asm.

Which would be even worse than C.

Re:Cripes, it's time to ban C

[Nevyn]

1) Nonlocal exits is not the same as GOTO

You can create a non-local exit with a goto in C, and you can do it in a very readable way. C also doesn't have any other way to express a non-local exit that is as readable. Therefore I submit that, for C, challenging non use of goto with the non-local exit paper is valid.

Also lot of people, my self included, tend to use goto in C for error recovery ... as there is no usful alternative. That doesn't mean that goto and error recovery are the same thing. But it does mean I should be able to argue that using a goto for error recovery in C is good. The only reason I didn't was because I didn't have a paper saying that -- and the guy I responded to seemed more likely to respond to papers than real life (which isn't a compliment).

The problem with Goto is that it has no structure whatsoever, and therefore is susceptible to many, many abuses.

Sure it has no inherent structure, but that supposes that the programmer has no clue. And if you suppose that nothing will help you. LISP and Haskell are only saved here because hardly any good programers use it, and almost zero amatures (which is probably a bad word for them, but is the best I can think of atm.).

2) Lisp is not the same as functional programming.

I never said it was, the original poster said that Languages such as LISP sovled a major source of bugs (variable assignment). He also implied that it was functional. And to be fair not many people would care that it isn't, it's too scarey on it's own nevermind something like Miranda.

Re:Cripes, it's time to ban C

[trevinofunk]

An OS in ML? Thats about the freakiest thing I've heard in a while. *SHIVER*

Re:Cripes, it's time to ban C

[stevey]

That's what I meant; check all applicable return codes...

Re:Cripes, it's time to ban C

[Old+Wolf]

The words "global variable" jumped out at me too, but for different reasons. Who the hell uses global *pointers* for code that's meant to be secure. Constants yes, variables no. It's just too hard to keep track of them in a project that is evolving. One person changing some code can inadvertantly break something way over on the other side of the project (probably what has happened here).

To those calling for banning C: I'd modify this a bit: ban bad programmers (especially on projects that run as root).

Re:Cripes, it's time to ban C

[johnnyb]

" Sure it has no inherent structure"

That is the problem. Even if the programmer has a clue, there are so many ways that it can be accidentally misused that it's not even funny. EVERY language feature of any Turing-complete language A can be mapped into a Turing-complete language B. However, that does not mean language A is equivalent in usability to language B, or easily susceptible to the same class of errors. If I were to write the equivalent of s!\$\{(.*)\}!lookup($1)!eg; in a language without regular expressions, I can still do it, but a) it takes a lot longer, b) it would be _MUCH_ less clear to future programmers what I was trying to do, and c) it would be much more error-prone. Likewise is the problem with C as a language compared to more functional approaches - the lack continuations, closures, and lazy evaluation makes writing complex programs painful, and the necessity for continual variable assignment makes it begging for errors. It's not that you can't simulate closures and continuations with C, it's just that it is a very error-prone method. When you make it a language feature, you lose an entire class of errors!

Re:Cripes, it's time to ban C

[toast0]

umm... why not use -lgc6 and any applicable includes in your big .h file?

why should the compiler have a seperate flag for it, when its just another library?

(note, i'm using -lgc6, since debian's package for Boehm is called libgc6, your results may vary)

furthermore, whats wrong with dynamically linking the garbage collector?

Re:Cripes, it's time to ban C

[Nevyn]

That is the problem. Even if the programmer has a clue, there are so many ways that it can be accidentally misused that it's not even funny.

I have never seen goto misused by someone with a clue (assuming we discount them trying to make spagetti for a contest or whatever). Sure it's possible to bounce around a function with goto, in the same way it's possible to name all your functions after simpsons/star trek characters ... but noone sane does that.

It's not that you can't simulate closures and continuations with C, it's just that it is a very error-prone method.

You don't write good C by pretending it's LISP , and you don't write good LISP by pretending it's C.

C does have some obvious major faults, but most of them are to do with the standard library and can be replaced.

Re:Cripes, it's time to ban C

[johnnyb]

There's nothing wrong with it being a library, or a dynamically linked one at that. However, it should be considered as part of the compiler and not separate. That's a small distinction, but important. C and C++ developers should make a habit of automatic GC when possible. With a common, defined way of attaching garbage collection to C code, this will enable it to be a part of the language rather than an add-on library, and hopefully encourage more people to use it.

Re:Cripes, it's time to ban C

[johnnyb]

I have _never_ seen goto used except in rare cases by someone with a clue, so the odds of seeing it used poorly are a bit difficult, simply because when it is used so many people take notice. However, as I've tried to point out, I'm not accusing people with a clue of _intentionally_ using goto in a bad way, but _everyone_ makes mistakes, and eliminating goto for better constructs (like continuations) eliminates an entire class of mistakes. I would say that the "anti-goto" crowd has been successful in improving the structure of modern code, simply because anyone who uses gotos these days do so only when all other options have been eliminated.

That's silly

[phr2]

It's like saying that since seat belts and airbags can't prevent every fatal accident, you shouldn't wear them. You might as well get on with your life, plan for fatal car crashes and how to deal with them, because anything else is just a pipe dream.

I'd say part of sensible planning is trying to lower the effect of accidents (or bugs), even if you can't prevent all of them. That means wearing the seat belts in your car, and using array checking and garbage collection in your programs.

Re:That's silly

[The+Bungi]

Actually, it's like saying automoviles and airliners cause far too many deaths, so let's stop using them and just walk.

Dropping C because it's susceptible to exploits is dumb, as is replacing it with some other technology that will eventually be hacked anyway.

Re:That's silly

[smallpaul]

Actually, it's like saying automoviles and airliners cause far too many deaths, so let's stop using them and just walk.

The reason we continue to use automobiles and airliners is because they can get us places that walking cannot practically get us. The original poster admitted that C should be used when it is necessary. But he pointed out that it is used way more often than is necessary at a terrible consequence to our security. He specifically outlined a plan wherein we use C for what it is good for (performance) and use other things for what they are good for (security).

Dropping C because it's susceptible to exploits is dumb, as is replacing it with some other technology that will eventually be hacked anyway.

It isn't that C as a technology was "hacked". It is that C as a technology has a design that makes it more vulnerable than other technologies. Those other technologies will also be hacked but less often. That's a net win even if it doesn't eliminate hacking in total (which is a silly goal in the first place).

Re:That's silly

[meadowsp]

No it's not, check out Fortran.

Local Exploits

[ink]

It's not as bad as that; most local exploits will only give you the same privileges that you already have, not elevate them. For example, the mutt hole made it possible for certain data items to run code as the same user that is running mutt. There are very few programs that are allowed to run with superuser privileges, and those packages should be kept to an absolute minimum. CVS, Apache, samba, ftpd and their like should NEVER run with root privileges; at worst a daemon may need permission to open a privileged port, but then relinquish such privleges. At best, they run in a chroot'd environment (like any FTP server that accepts incomming requests...).

About Tradeoffs

[kscguru]

But it's also like saying that fatal accidents are more common when cars are travelling above 40MPH, so we'll add a device to prevent high speed - oops, your house burned down because the fire truck couldn't get there in time? Sorry, hope the decreased risk of an accident was worth it. Or, saying that your seat belt is so heavy that your car only goes half as fast - not such a good deal anymore, is it?

The point is software is about tradeoffs. Take Windows 95, for example. Any time something becomes corrupted, you get a Blue Screen. If MS wanted to prevent the bug from spreading and corrupting anything else, they'd reboot immediately. But people are willing to take the risk of running with a potentially unstable system because there are advantages: the risk of further bugs is small, I'd like to save the document I've been working on the past three hours, or it's just not worth my time to wait through a reboot.

Choosing C is about tradeoffs too. Coding in C means you get a fast language that produces a well-understood output. And you are also very sure that no language vendor is ever going to change the underlying behavior and break your code. Plus, the C source can be compiled and run on practically every OS out there with minimal overhead.

The person who writes the software gets to decide where the software sits on this tradeoff. If you disagree, you are free to write your own server in whatever language you want.

Re:About Tradeoffs

[tshak]

The problem with your comparison is that many programs (esp programs like CVS) will probably run just as fast in Java or C# (faster in some areas, slower in others). Also, as time goes on, Abstract Syntax Machines and Garbage Collection has gotten faster and faster. Also, hardware has gotten faster and cheaper. Therefore, for many types of apps the safety clearly outweighs the [nominal] performance tradeoff (if any).

Re:About Tradeoffs

[anshil]

A sentence for you to remember:

In no case will a Java or C# application run faster than a !_well_! written C application.

(The development of the application may be cheaper in java, or more cross-platform compability is given, or it will sooner get in a stable state, all aceptable arguments, but speed...)

Whaddya mean, "imagine"?

[devphil]

"First we compile the modified source with the normal C compiler to produce a bugged binary. We install this binary as the official C. We can now remove the bugs from the source of the compiler and the new binary will reinsert the bugs whenever it is compiled. Of course, the login command will remain bugged with no trace in source anywhere."

I became a GCC maintainer for precisely this reason.

And I'll just say to you, pclminion, that those JPGs in your home directory aren't as, ahem, secure as you'd like to think.

What's wrong with GOTO?

[Theatetus]

Bashing goto is so tired. It's a great construct for a procedural language. As someone above pointed out, most languages (even the LISP I championed earlier) are written in C. Well, C is "written" in assembly, and all assembly has is goto. Not to mention the performance advantages goto can offer over more structured control flow (for evidence, grep -r goto /usr/src/linux ).

Maybe goto is counter to the spirit of object-orientation, but then again "OO" and "Procedural" are orthogonal when you get right down to it: C++ is OO and procedural and Haskell can be OO but is not procedural.

Goto is not the enemy!

Re:What's wrong with GOTO?

[sirket]

Last I checked, assembly also had "call" "jne" etc. These are very different from GOTO.

-sirket

Re:What's wrong with GOTO?

[Simon+Brooke]

As someone above pointed out, most languages (even the LISP I championed earlier) are written in C.

Sometimes I feel very, very old. This one reminds me about Zaphod Beeblebrox and the accident with the contraceptive and the time machine. LISP was written in 1958, one of the oldest high level languages for programming. BCPL (on which C is based) was written in 1967, and C was written in 1971. So are you trying to tell me that John McCarthy wrote LISP in a language which wasn't even going to be devised for another twenty three years? That was extremely clever of him.

Re:What's wrong with GOTO?

[Theatetus]

assembly also had "call" "jne" etc.

Ummm... "call" is just "push ESP; goto $ADDRESS_OF_SUBROUTINE"

"jne" is just "if !(flags ~ 0x0010) goto $ADDRESS_OF_THEN_CLAUSE"

Re:What's wrong with GOTO?

[Theatetus]

are you trying to tell me that John McCarthy wrote LISP in a language which wasn't even going to be devised for another twenty three years?

Not at all. I'm saying that Bruno Haible, et al, wrote CLISP (the LISP I use) in C. McCarthy's LISP (which was like a programming language, OS, hardware spec, etc. all in one) bears little more than a superficial relation to a modern LISP interpreter running on a modern OS on a modern PC. Or so it seems to me.

Re:What's wrong with GOTO?

[Jacek+Poplawski]

LISP was written in 1958, one of the oldest high level languages for programming. BCPL (on which C is based) was written in 1967, and C was written in 1971. So are you trying to tell me that John McCarthy [stanford.edu] wrote LISP [stanford.edu] in a language which wasn't even going to be devised for another twenty three years?

1971 - 1958 = 13

Uninformed! Yes, let's please move on from C!

[Tom7]

This post is severely uninformed, like most others that defend C for network applications. Here's why.

- "Java would probably crash with some sort of exception instead of happily running in an invalid state... but do you really
want anyone to remotely crash the server daemon either?"

No, of course not, but that's about ten million times better than giving the attacker remote root access. Script kiddies don't get much out of crashing servers, but they do out of compromising a computer. And it is much much harder to detect and clean up afterwards.

- "C is absolutely, bar none, the fastest language for slinging raw bytes around (err... ignoring assembly, but it's close) -
and that's pretty much what a CVS server (or FTP, or HTTP, or ...) does."

Wrong. Most server programs are network and disk-bound, *not* CPU bound. (In fact, I believe that CVS spends most of its CPU time doing diffs, that is, text processing--something that C is notoriously awful at.) Most users wouldn't notice if their CVS server used 20 times more CPU. C is no more than 2x faster than modern safe languages like O'Caml and SML (http://www.bagley.org/~doug/shootout/craps.shtml) . For well optimized code, that number can easily be within 20%. Of course, writing in a high level language gives you more time to work on better algorithms, which as any good programmer knows, is what *really* matters in its performance.

I'm not just bullshitting, either: Last summer after another wu_ftpd remote hole I rewrote the damn thing in SML (http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/to m7misc/net/mlftpd/). It took me only about a weekend and the result was about 10% the length of the C program. It also saturates my 100mbit link without using more than a few percent of my crappy 400mhz CPU. (It transfers data using basically the same mechanisms that C uses, so C doesn't have any advantage in that part.) Most importantly, I sleep tighter at night knowing that my server is 100% buffer overflow, double-free, and integer overflow free.

- "... the bug here isn't a memory management bug. It's a flawed PROGRAM design that RESULTS IN a memory management bug."

Unfortunately, C encourages such bad program design, and then makes bugs deadly. How else can you explain so many buffer overflows, double-frees, and integer overflows? Don't tell me it's the programmers, because almost all of the most revered C software, written by the most talented programmers I know, has had such bugs. (Quake III, ssh, linux kernel, wu_ftpd, apache, perl, etc., etc., etc.)

Re:Uninformed! Yes, let's please move on from C!

[drinkypoo]

Script kiddies don't get much out of crashing servers, but they do out of compromising a computer. And it is much much harder to detect and clean up afterwards.

Crashing a computer, or otherwise rendering it useless, is the basis of many many attacks which occur on the internet every day. We call them "Denial of Service" attacks, or DoS. I'm surprised you haven't heard of them. It is true that being crashed is better than being compromised, though.

Unfortunately, C encourages such bad program design, and then makes bugs deadly. How else can you explain so many buffer overflows, double-frees, and integer overflows? Don't tell me it's the programmers, because almost all of the most revered C software, written by the most talented programmers I know, has had such bugs.

While this does seem true, it also seems to me that it's mostly a result of various deprecated libraries still being used. Not enough thought went into designing a lot of the string functions, obviously; they look like something you'd write in assembler, what with no bounds checking. Even when I wrote asm I terminated all my strings with nulls and specified lengths, and this was just for a class. C may not manage memory very well, but there seem to be a handful of rules which you can follow which will prevent shooting yourself in the foot with what happens to be a very useful gun.

Re:Uninformed! Yes, let's please move on from C!

[Tom7]

> We call them "Denial of Service" attacks, or DoS. I'm surprised you haven't heard of them.

What makes you think that I haven't heard of them?

Essentially nothing can protect me from Denial of Service attacks. If an enterprising script kiddie wants to make my network connection unusable, he can, no matter what software I run. Though it's bad if he can crash my servers with little effort, I can notice that kind of behavior and patch them -- unless I'm running a service for someone else, that's no big deal. (Being compromised is much worse, though, because even the home user who hardly cares if his cvs pserver works cares if his computer is controlled by someone else.)

> While this does seem true, it also seems to me that it's mostly a result of various deprecated libraries still being used.

Although beginners still make the old strcpy mistakes, most of those bugs are gone from the high profile software. That's because it's fairly easy to automatically look for problematic library calls and audit them. For the last few years format string attacks were pretty popular, but now we've figured out how to audit against those, too. Recently, the bugs I've been seeing on bugtraq have been rather insidious. Heap corruption (through double-frees) and integer overflow seem to be pretty popular, and those are quite difficult (AFAIK) to find automatically. The C rules for memory management work most of the time -- the problem is, a single bug is disastrous. My impression is that many of these problems come from error conditions, which is further exacerbated by the fact that C has completely primitive error recovery features. (ie, no exception support outside of setjmp).

Finally, C is indeed a useful gun, but there are plenty of other guns that are just as useful (if not more so!) but have better safety features. If security is critical (and I think most people on slashdot think it is), why do we settle for C?

Re:Uninformed! Yes, let's please move on from C!

[Tom7]

An AC writes,

> Wrong. Most server programs are network and disk-bound, *not* CPU bound. (In fact, I believe that CVS spends most of its CPU
> time doing diffs, that is, text processing--something that C is notoriously awful at.)
>
> It might be difficult to code for beginners, but what text processing languages like perl are written in lower-level
> languages like C. Its plenty fast.

Well, I didn't really have perl in mind -- perl is pretty slow. (Though, since the language is built for string manipulation, it is pretty convenient!) My main point is borne out by the existence of perl, though: since C's facilities for string handling are so rudimentary, people found it necessary to invent new languages on top of C just to make it tractable.

Re:Uninformed! Yes, let's please move on from C!

[drinkypoo]

If security is critical (and I think most people on slashdot think it is), why do we settle for C?

For the same reason we settle for IPv4, it's well-known and entrenched and it works "Good enough" in that if you go to extreme measures 5% of the time, the other 95% of the code doesn't matter so much. Of course, you do end up with the occasional security hole, ha ha, but that matters less and less since more and more software is open/free/collaborative and gets fixed rapidly. Not to mention, software distribution methods like BSD ports and the descendants thereof make it easy to stay up to date, what with the explosive growth of the internet. So we have found ways to work around the general problems, many of which aren't solved entirely by simply moving to another language.

C has the advantage of immense momentum, and until something comes along that is provably worth moving to... trying to shift all that momentum to another language is (obviously but I'm saying it anyway) going to be a trial at best, is it worth it with any language which exists at this point? I guess that's a matter of opinion, but the general consensus seems to be no. Other languages are definitely gathering steam, and it will be interesting to see what happens in the next few years, but I don't think that C is really superseded yet.

Re:Uninformed! Yes, let's please move on from C!

[pyrrho]

>Unfortunately, C encourages such bad program design, and then makes bugs deadly.

I don't think so. I think languages that claim to do it all for you and protect you from logic errors (I guess you start from a truth and only divide, truth truth truth all around) are the ones that encourage bad program design. C encourages very careful program design after one, maybe two feet are gone. But C++ is better, in general and with respect to your desire to allow automatic memory management techniques (plural).

Re:Uninformed! Yes, let's please move on from C!

[Tom7]

> I think languages that claim to do it all for you and protect you from logic errors (I guess you start from a truth and only
> divide, truth truth truth all around) are the ones that encourage bad program design.

Well, I used to love C too, so maybe the only way to change one's mind is to try a radically modern language for a while and see. For me, I hated it at first and now I don't want to go back. No language claims to "do it all" for you, of course. The specific thing I'm talking about is automatic safety, which is easy to achieve in one of these languages and essentially impossible in C. For people who care about security (I thought slashdot programmers did? Or do we just love the 70s?) this seems like an obvious choice!

Re:Uninformed! Yes, let's please move on from C!

[pyrrho]

Well, I work with Java professionally, so if that's radically modern, then ok. There is nothing Java forced me to do that I couldn't do in C++.

Is C++ modern enough for your context because here is the deal: it's efficient (oh, we used to have the C programmers thinking it was bloated, but now we have a world of VMs to compare with), it's flexible, there is nothing it cannot do.

I like Java, but it's not "general purpose" in the sense that C++ is. In fact, all the "pure" languages ever tried (like Pascal) limit you in some way that C/C++ refuses to. This is a power of C++. The difficulties involved are possibly things you simply have to learn. Mathematicians have to learn mathematics. A simpler mathematics that loses some scope is not superior, even if it's interesting or important to a subfield of mathematics, overall, the broader mathematics is "superior" and a better tool.

Memory issues... they will not be solved in a general purpose compiled language by the language itself b/c that removes the ability to create certain memory management schemes. However, they are well solved in classes, including classes from the standard library such as auto_ptr. Solving them there and using a compiled and flexible language means you get the benefit of code that can do it's best to keep things clean "for" the programmer, but you don't lose in performance, you don't lose access to designs that would otherwise be available.

I like the fact that many idioms are available in C++ and that it embraces that. Let the craftsman chose his idiom.

I like Java and other languages, but there is no getting around that C/C++ is the most powerful tool at the moment. "But there are gotchas and it's hard to learn" doesn't change that... especially for those of us that have learned it.

Know what I think? Memory management in C is not rocket science and in C++ it doesn't have to be an issue if you chose a sensible paradigm for handling memory. They are easy! AND flexible. No harder than closing parenthesis, and sanity checking is rather easily automated, in C with various tools, in C++ by the classes responsible for the memory. Rule. Free what you Malloc, Set your pointers to null when you free. All done.

I use Java and I don't find myself not thinking about memory management. But I do lose "delete" and the ability to have special heaps, etc. etc., that is, I'm no longer "allowed" to memory manage in Java.

The advantages of Java are special, not general. WORA without recompilation makes Java great for servlets and for distributed computing where you want to fling code around a network. The API is large, but C++ has a huge array of free and commericial libraries, so again, the "problem" with C++ is a lot of choice and decisions to make. Making those decisions and being informed about the state of the available libraries is just a part of the job.

I think one memory issue that C++ has is the idea of ownership. If you pass memory to a function or class, you have to be clear on who "owns" it, meaning, who has to or can delete it. In Java, well, it doesn't matter, anyone with a reference owns it.

But see, this is flexibility. You can decide who own it, and if you want it to "own" itself, and use a reference counting scheme where it frees itself when it's final reference is decremented... well I've done that many times too!

I understand why people want to compare languages on syntax and readability, etc. the internal view of the code... but isn't that really secondary... shouldn't they be judged based on their abilities? What is the resulting running process like? Professional tools are tools that allow a professional to produce the optimal result, and if the professional has to learn the tool to accomplish that... is that not simply the way of the craftsman?

Lesser craftsmen will use lesser tools, lesser cooks will use storebought mixes, amateur handymen will use good-enough tools that yeild lesser but good-enough results, but the best will use the tool promising the best results. C++ provides some structure to make C safer, and essentially is just as capable as C, so it's an improvement. But if you remove ability, the total value of the safety introduced is called into question.

Finally, I suspect all "obvious" choices, as they are based on assumptions. I don't think it's really "more secure" in an "obvious" sense. I don't prefer the 70's, but then I segued into a C++ advocacy and maybe that isn't even what you meant... maybe that counts as a modern language, certainly C++ provides solutions or avenues to address all the 70's-era problems with C.

Re:Uninformed! Yes, let's please move on from C!

[Tom7]

Well, let me first say that Java is not the language I'd advocate first over C or C++, though if you want to program in an Object Oriented style, maybe it is the most appropriate. I would consider a language like SML or O'Caml or Haskell to be "radically modern" in the sense that, unlike Java, they don't feel that they need to present the user with familiar paridigms (OO) and syntax and buzzwords just to gain industry acceptance. My favorite is SML, so if you're interested, that would be a good one to try.

> In fact, all the "pure" languages ever tried (like Pascal) limit you in some way that C/C++
> refuses to. This is a power of C++.

I'd be interested in knowing what sort of ways you believe "pure" languages limit you; this seems to be a common fear. Especially I'd like to know which ones are important for programming network applications. It's true that most "pure" languages would be inappropriate for writing OS kernels (at least certain parts of the kernel), and it's true that some kinds of allocation strategies are not possible in a garbage collection environment (but it's not clear what examples you have in mind and why those are important for general applications). In my experience, I'm never troubled writing real world applications in SML (or even Java) because I feel like the languages limit me as compared to what I can do in C++. Basically, the things that I can do in C but can't do in these languages are things I don't want to do, or shouldn't be doing (unsafe casts?). So, what do you have in mind?

To tell you the truth, whenever I have to program in C or C++ I find that I have an opposite problem: C and C++ limit my ability to control access to my data structures because of the lack of safety in the language. In SML (or even Java) I can write an interface to my module that specifies precisely how others can use my code. If the code malfunctions, I know that the error is mine. There is no mechanism by which a programmer can deviously (or accidentally) mess with its internals. This is of course essential for having a modular program, and invaluable for debugging, since it makes faults easier to isolate. No matter how hard I try in C or C++, though, a user can still cast my data structure, or even accidentally corrupt it by writing outside the bounds of an array, or double-freeing some memory. That sucks! It can't happen in SML (and to a lesser extent, Java), and I consider that a feature. In fact, you sort of allude to this in your post with respect to the "ownership" of an object in C++.

Of course, there are many other features of SML (higher order functions, polymorphism, type inference, parameterized modules, nested modules, exceptions, datatypes, pattern matching, first-class continuations, tuples, etc.) that are missing or typically badly designed/implemented in C or C++, and I miss those, too! Some of those are only possible or practical because the language has safety and garbage collection. Safety alone is enough to sell me on modern languages if I care about security, but all of the new-fangled features are awfully nice to have, too.

Re:Uninformed! Yes, let's please move on from C!

[pyrrho]

>I would consider a language like SML or O'Caml or Haskell to be "radically modern" in the sense that, unlike Java, they don't feel that they need to present the user with familiar paridigms (OO) and syntax and buzzwords just to gain industry acceptance.

Very interesting take. I like that too, but I'm not familiar with SML or O'Caml, though O'Caml was recently recommended to me and it does sound like something I should check out.

As for the kinds of limits I'm talking about with "pure" languages, I'm really thinking in a general sense that there has to be some compromise. I see C++ as a very practical language, but which tries to give the higher level constructs, like constructors and destructors, to allow a "better way", without losing any abilities. But the results are as you see, C++ does not appeal to those that want a clean logic throughout their language, without compromise to being compatible with a legacy language like C, allowing direct memory manipulation, and the like. I tend to think the practical languages will always look messy to purists.

So put another way, C++ is trying to be the "better language" but "errs" by keeping legacy stuff that may even now be officially obsolete! How do you turn C++ into a purists language (just imagine it might be possible ;)... by removing those old features and the abilities that went with them. Good riddence, maybe...

As for particulars, I was thinking about Java, and I don't like the loss of memory management control... I believe I should be able to call delete and have a destructor called. Right now, in Java, you don't know if the destructor will EVER be called. Remove goto... ok, fine, goto is evil. However, for a long time goto was the best way in C and C++ for the best error handling idiom. Exceptions are better, but for a long time poorly supported in C++. I was glad to have a language that would not cut off any old avenue while new avenues were being developed. But in any other case, I think the limitations would be different. C and C++'s limitation: you have to learn what you are doing, which is in general good advice!

It's funny your comment about the loss of control vs. gaining control... like all things it's perspective. I've created SDKs and classes for other people to use, and perhaps that's what you do because that is when you see C++ as limiting you ability... it limits your ability to limit. E.g. You CAN protect your class with the private and protected keywords, but I can take the .h file you have to provide, I can create a class that matches yours but has "public" where you have "private", I can do an illegal cast, and I can probably abuse your object quite well. I'd be insane to do it... but insanity is not exactly in short supply among programmers. To me it's, "if you point the gun at your foot an fire, don't blame the safety lock design!" But don't get me wrong, I'm not differing with you, it's a matter of perspective and it is best to provide classes that really are bullet proof, I understand the desire to be able to do that. Then... I guess the point for me is it's seems a bit futile to expect to TOTALLY protect something from misuse, there are so many other kinds of misuse besides the kinds of memory games that Java, at least, tries to globally address. That is... memory related issues is not the top bug I find myself worrying over in my carreer, so I'm not willing to give up much in the way of performance, etc., for a magic solution.

Re: memory ownership. To manage memory wisely with C++ (or C), you do have to have an idea of ownership. In C it's a bit unworkable, b/c some functions will own their memory, some won't, and the library calls will work however they like, breaking any consistency you impose. In C++ it's much easier... objects own memory, they own objects declared as members, and it's easy to impose this on your class system, essentially answering the question globally.

Finally, you (and some others) have convinced me I should look at OCml and SML (and Ruby, for that matter), which I imagine I will get to within the year. Nice talking to you.

Re:Uninformed! Yes, let's please move on from C!

[Tom7]

Well, you're right about limitations being in the eye of the beholder. I just wanted to make the point that it is not simply a matter of giving the user all of the possible features, even questionable ones (unsafe casts), and letting him pick which ones to use -- a key feature of safe language is that they prevent such questionable access, enabling the user to make more precise restrictions on how his code is used. I've found this has made a huge difference in my ability to write large scale software.

> That is... memory related issues is not the top bug I find myself worrying over in my carreer, so I'm not willing to give up
> much in the way of performance, etc., for a magic solution.

Yeah, memory safety is a pretty minor one, although if you don't have memory safety than you can never really be sure about any other properties. SML achieves, I think, better control over data structures than java with its sophisticated type system, and that I think is a bigger win as far as real world interface specification (that is checked by the compiler).

> I tend to think the practical languages will always look messy to purists.

This is true, but nonetheless SML is practical (most implementations even have unsafe features like the ability to interface to C code -- the difference is that you sure as hell know when you're using these!) and a lot more palatable to us purists. ;)

> C and C++'s limitation: you have to learn what you are doing, which is in general good advice!

You have to learn the language *and* the implementation in order to really understand C or C++. A good example is the address-of operator; in order to understand why you can't return the address of a . There's no question that understanding compilers and architecture and operating systems is useful and helpful when programming, but somehow I don't think of it as a fair prerequisite for being able to program on a platform.

Re:Uninformed! Yes, let's please move on from C!

[pyrrho]

>You have to learn the language *and* the implementation in order to really understand C or C++.

Yes, you're right! It was so long ago I started to internalize this that I had forgotten, and in fact, this would explain my weakness for C/C++, which is that it satisfied the urge to think of code in terms of the instructions the CPU understands aka, assembly/machine language. C++ does extend the tradition of C, which is having some idea of what a pariticular construct compiles to in machine language (at least roughly).

Re:Cripes, 's time to ban C

[Spy+Hunter]

It's not the language, it's the coder.

Well I guess that makes all VB coders geniuses then, since they never get buffer overflows. They must just be the greatest bunch of programmers around.

Seriously, that's a stupid attitude to have. When you're talking about security, you have to assume the worst from the start. That means assuming coders will make mistakes, no matter how good they are. Even the best coders do make mistakes. In a language designed to be secure, the impact of coding mistakes is minimized.

Yes, blame the language!

[Tom7]

> Again, the problem is not the language, it's the coder. ... Don't blame a language for operating exactly as it's designed to.

I blame the language. The reason is this: C makes it so easy, and so dangerous, to make such bugs, that they are extremely common, even among the best programmers. I challenge you to explain why some of the most revered software created by some of the most revered C hackers has had buffer overflows, if it's not the language's fault:

Quake I, II, and III
Linux Kernel, OpenBSD Kernel, FreeBSD Kernel
SSH
perl
Half-Life
X11
BIND
dhcpd
ap ache
mozilla, internet explorer, netscape navigator, konqueror, opera
etc.
etc.
etc.
etc.

(Things like the operating system kernels are not so easy to rewrite in a modern safe language, but network daemons are an *obvious choice* and are also the most dangerous!!)

By the way, C garbage collection is crappy compared to built in support in a modern language: It needs to be conservative, and can't compact the heap. (Of course, that doesn't stop the authors of gcc from using it!)

Re:Yes, blame the language!

[Xerithane]

I blame the language. The reason is this: C makes it so easy, and so dangerous, to make such bugs, that they are extremely common, even among the best programmers. I challenge you to explain why some of the most revered software created by some of the most revered C hackers has had buffer overflows, if it's not the language's fault:

The language operates exactly as it is designed. It is human error. Not language error. Just because a gun makes it easy to kill people, doesn't mean guns kill people.

Things like the operating system kernels are not so easy to rewrite in a modern safe language, but network daemons are an *obvious choice* and are also the most dangerous!!

It really is not so hard to never use an unbounded function (snprintf instead of sprintf) or to count malloc() and frees() and if you do your code well structured, than it works. If you test your code with code that will cause buffer overflows everywhere, you will find them. If you do your math correctly, you will find them. If you don't, it's human error.

By the way, C garbage collection is crappy compared to built in support in a modern language: It needs to be conservative, and can't compact the heap. (Of course, that doesn't stop the authors of gcc from using it!)


Anything external will usually be less reliable and robust than something built-in to the language specifications. But, I would trust the authors of gcc more than you, no offense mate.

Re:Yes, blame the language!

[Tom7]

> It really is not so hard to never use an unbounded function (snprintf instead of sprintf) or to count malloc() and frees()
> and if you do your code well structured, than it works. If you test your code with code that will cause buffer overflows
> everywhere, you will find them. If you do your math correctly, you will find them. If you don't, it's human error.

I think you must have never written any big software, because it's not as simple as you think. Look at the complexity of the recent SSH bugs, for instance. Human error is universal, even if you are trying hard, and even if you are an excellent programmer (see the list in my previous post). And it is extremely dangerous. Regardless of whether this is C's "fault" (can a tool really be at "fault"?) or the programmer's "fault" for choosing a tool that is so dangerous, it is clear to me that C is a bad language for writing security-critical software.

Now, if we always go to so much trouble to look for bugs, and always use functions that check bounds, then why not simply have the language (compiler) do this work for us? This can free us to spend more time doing things that are not totally mechanical (looking for other kinds of security holes) or useful (looking for ways to make the program better). What is wrong with my reasoning?

> Anything external will usually be less reliable and robust than something built-in to the language specifications. But, I
> would trust the authors of gcc more than you, no offense mate.

I think you missed my point: The authors of *gcc*, which is THE quintessential C program (in a strong sense), have found it so difficult to manage memory manually that they've resorted to using a garbage collector, despite its deficiencies. If anything is a testament to the inappropriateness of C, that is.

Re:Yes, blame the language!

[Xerithane]

I think you must have never written any big software, because it's not as simple as you think.
Sorry, but buffer overflows are that simple.

Look at the complexity of the recent SSH bugs, for instance. Human error is universal, even if you are trying hard, and even if you are an excellent programmer (see the list in my previous post). And it is extremely dangerous. Regardless of whether this is C's "fault" (can a tool really be at "fault"?) or the programmer's "fault" for choosing a tool that is so dangerous, it is clear to me that C is a bad language for writing security-critical software.

Again, C operates exactly as designed. The SSH exploits could exist regardless of what language. Saying the reason why there are security exploits is because software is written in C is exactly like saying car crashes occur because people drive sports cars.

I think you missed my point: The authors of *gcc*, which is THE quintessential C program (in a strong sense), have found it so difficult to manage memory manually that they've resorted to using a garbage collector, despite its deficiencies. If anything is a testament to the inappropriateness of C, that is.

Did I ever say it wasn't a pain in the ass? No. I said it operates exactly as it is designed, and nothing more. There is nothing else aside from that. I'm an advocate for best-tool-for-the-job, if that requires C than it's the best tool.

Accusing a language which functions according of spec of being dead and the cause of security concerns is stupid. Yes, C is harder to write secure applications in. No, it doesn't mean it should die. Yes, you must be very vigilant while writing C.

As for GCC, the C based garbage collection is not bad when used properly. It is not as full featured as Java, but it still works. I'll still code in C++ for most of the projects I work on because it is a good trade-off for power/security.

The faults of everything you list are the faults of people. I've worked on 600K lines of software written in C. It was all very self-contained, and didn't have any buffer overflow style problems. Why was it so big? Because it was designed with security in mind, and was very verbose and robust in what it did. If you audit every function thoroughly, garbage collection becomes useless.

I was working on this piece of network code that was written in C, I had an off-by-one error that was really screwing everything up. My code was very tight, and had another set of eyes look at it and was easily able to spot my mistake.

Well written code, regardless of language, will do exactly what you tell it to do, regardless of the complexity of how you tell it to do it.

Re:Yes, blame the language!

[Tom7]

> The SSH exploits could exist regardless of what language.

This is totally wrong. How can you claim this?? Safe languages would NOT have been vulnerable to the integer overflow attacks. The only recent ssh flaw (AFAIK) that was language-neutral was the one where the passwd file was being improperly interpreted on some platforms. The rest would not have been exploitable if sshd were written in Java, SML, O'Caml, or another safe language, period.

My response to the rest of your post can be summed up as: C behaving as it is designed is no consolation if the design is bad, and the design is bad as far as security is concerned. It's true that it's possible (to a certain extent) to grin and bear it, but why would you want to do that??

Re:Yes, blame the language!

[Xerithane]

This is totally wrong. How can you claim this?? Safe languages would NOT have been vulnerable to the integer overflow attacks. The only recent ssh flaw (AFAIK) that was language-neutral was the one where the passwd file was being improperly interpreted on some platforms. The rest would not have been exploitable if sshd were written in Java, SML, O'Caml, or another safe language, period.

There are not enough daemons written in other languages to determine if security exploits would be present in them. No one thought bind and sendmail were so insecure when they implemented them. A careful look would have revealed that, just because Java so far doesn't look insecure doesn't mean it is.

But you are wrong about SSH, go to CERT and search for SSH. The first 5 (that's all I checked) were implementation problems _NOT_ buffer overflow problems.

C behaving as it is designed is no consolation if the design is bad

The design isn't bad. At the time it was developed (1970s) it was revolutionary with what it could do. Programmers had a better sense of constraint (working in smaller memory spaces) as well as more discipline. I'm curious, but do you actually know C? I mean really know it. Know the caveats of realloc? If so, I'd find it odd that you think C is bad by design.

Re:Yes, blame the language!

[Tom7]

> There are not enough daemons written in other languages to determine if security exploits would be present in them.

That's true. I think there are good reasons to believe that security would be better, but we have seen with scripting languages (which are "safe" in the sense I'm using here) that easy access to the shell and behind-the-scenes globbing can be just as dangerous. However, we can say for sure that using compiled safe languages does remove the largest class of unix security vulnerabilities: buffer overflows, format string attacks, heap corruption, and integer overflow. So, for sure something gets better, but maybe (not likely) something else gets worse. Sounds good to me!

> But you are wrong about SSH, go to CERT [cert.org] and search for SSH. The first 5 (that's all I checked) were implementation
> problems _NOT_ buffer overflow problems.

I meant OpenSSH, sorry. I just checked openssh.org/security.html, and the newest vulnerabilities are:

- Remote challenge vulnerability (integer overflow -- impossible)
- Overflow in AFS/Kerberos (buffer overflow -- impossible)
- Off-by-one error in the channel code (array overflow -- impossible)

In other words, I would have avoided having to do emergency upgrades of my sshd the last two times had it been written in a modern safe language.

There are a few before that that were language-neutral (probably), and several other buffer overflows. The overflow attacks were the most serious, because they often affected the default configuration. Many of the other vulnerabilities were relatively theoretical or difficult attacks that could not be carried out by script kiddies in an automated, large-scale way. Also, I think I am being generous by choosing ssh, since the algorithmic issues in crypto login software are much more difficult than those in, say, ftp or named.

> I'm curious, but do you actually know C? I mean really know it. Know the caveats of realloc? If so, I'd find it odd that you
> think C is bad by design.

Yes, absolutely. At the beginning of college I was a total C cowboy, but I have grown out of that. Now I am studying programming languages for my PhD so I have more refined tastes. ;) But unlike a lot of programming language researchers, I really do a lot of practical programming. I don't think C was designed to be bad, but I do think that it is no longer an appropriate design for application languages.

Re:Yes, blame the language!

[Xerithane]

Yes, absolutely. At the beginning of college I was a total C cowboy, but I have grown out of that. Now I am studying programming languages for my PhD so I have more refined tastes. ;) But unlike a lot of programming language researchers, I really do a lot of practical programming. I don't think C was designed to be bad, but I do think that it is no longer an appropriate design for application languages.


Ok, most of these security problems happen in one function that would have failed auditing. Whether it is a C, Java, Perl, Pascal, VB program.. doesn't matter. The point is, it will always, always, without exception, rely upon the developer not fucking up. If you remove the capacity for pointers, they'll find some other way to exploit the system. There is no such thing as security.

Re:Yes, blame the language!

[Tom7]

> The point is, it will always, always, without exception, rely upon the developer not fucking up.
> If you remove the capacity for pointers, they'll find some other way to exploit the system. There is no such thing as
> security.

This is a pretty extreme position to take, and I think it's impractical. Using more safe languages can make our programs more reliable and more secure, by limiting the ways that programmers can make exploitable bugs. Of course, a language that doesn't allow the developer to make any holes at all, even if he's trying, is not very useful (in a sense ssh itself is a 'hole' that grants access to someone who 'exploits' it with a password). I am not claiming that we should program in these languages, if in fact they exist. But there is a rich middle ground between such a useless language and a language like C that makes it so easy and dangerous to make mistakes. These languages absolutely do make a very popular class of errors (that occur even among the world's best programmers) vanish instantly, and that to me is obviously a step in the right direction.

Most functional languages are not ONLY functional

[Tom7]

Many "functional" languages (like SML and O'Caml) have imperative features for exactly this reason, just as C has (sort of) the ability to pass around functions. It's true that Haskell (purely functional) is not a great language to write I/O intensive software in (though Haskell has its own ways to do IO, and Haskell fans have written many I/O intensive, interactive applications, including network daemons). However, Haskell would be far from the worst language, because at least you'd have a better chance of ending up with a program that works correctly (doesn't provide remote root access to anyone).

I maintain that SML and O'Caml ("functional" languages) are utterly practical (and in fact superior to C and C++ in terms of correctness and ease of use) for network software. I've written a full-featured ftp server in SML to replace my buggy wu_ftpd, so I have some evidence to back this up.

/POSSIBLE/? Jeez...

[devphil]

Is it possible to build gcc with another compiler?

Holy screaming fuckmonkeys, Batman. You have no idea how much work we/they go through to ensure that GCC is buildable by anything even resembling a C compiler. (I say "we/they" because I generally don't have to worry about it in my little corner of the world.)

GCC was intended from its earliest days to replace whatever native (proprietary) compiler came with or was sold for your native (proprietary, evil, etc) Unix platform. When you build GCC, it actually is built three times:

1. Your Proprietary Evil Compiler[tm] builds Copy #1 of gcc. However, YPEC could have bugs, which would make gcc#1 buggy. So...
2. gcc#1 builds itself from scratch. Call this one gcc#2. In theory, gcc#2 can now be used. But just to be certain...
3. gcc#2 builds itself from scratch. This is gcc#3. And if all is well, gcc#2 == gcc#3. So at the end, all of the various .o files from #2 and #3 are compared, and if there's a mismatch, the build aborts.

Copy #3 is then used to build the rest of the compiler (other languages) and the runtime libraries. Copy #3 is what gets installed on your system.

Huge chunks of the GCC source are still maintained in K&R C for those platforms which don't have an ISO (ANSI) C compiler. Chunks of the standard C library have homegrown replacements inside GCC, for those platforms which aren't ANSI/POSIX.

Fortunately, the number of those systems has dwindled, but at one time they were the majority.

Re:Cripes, 's time to ban C

[Xerithane]

Well I guess that makes all VB coders geniuses then, since they never get buffer overflows. They must just be the greatest bunch of programmers around.

It's just hard to kill people when you are driving a go-cart in a predefined track.

That means assuming coders will make mistakes, no matter how good they are. Even the best coders do make mistakes. In a language designed to be secure, the impact of coding mistakes is minimized.

C was never designed to be secure. Blame C programmers for insecure code, not the language. There are plenty of steps you can take to ensure safe C code. If you expect a secure application, and you use C, than take the proper steps to make it secure. It's user error.

It's not a stupid attitude, it's a philosophical attitude. I'm not defending C, but it works exactly as designed. End of story.

Re:Cripes, 's time to ban C

[Spy+Hunter]

C was never designed to be secure. Blame C programmers for insecure code, not the language.

There is enough blame for everyone. When a C programmer makes a mistake, he deserves some of the blame. But if the language is inherently insecure, it is also partly the fault of the language. The way you're talking, we should just all use C for our secure code and punish programmers when they make mistakes because it's their fault. Instead you can realize that part of the fault is with the language and replace the language. Even though C wasn't designed to be secure you can still blame it for security related problems.

In the end, the semantics of the word "blame" aren't important. The important thing is that people realize that C programmers make security mistakes because C is an insecure language, and don't use C in security-critical areas, or review security-related C code extremely thoroughly before release.

Re:Cripes, 's time to ban C

[Xerithane]

But if the language is inherently insecure, it is also partly the fault of the language.

Ok, the language isn't insecure... well, you can make it secure, and have setuid wrappers on all your scripts and have a truly secure implementation. It would constrict freedom. The language allows people to write insecure code. All the recent SSH notifications on CERT were implementation, and not C-specific problems.

The important thing is that people realize that C programmers make security mistakes because C is an insecure language, and don't use C in security-critical areas, or review security-related C code extremely thoroughly before release.

C programmers make mistakes because they get lazy and don't properly audit their code. After every function you write, simply give it another good look and make sure it cleans up after itself, and maintains proper design. It's perfectly fine then. Like I said in another comment, I've worked on a project that had a bit over 600K lines. You could have done the same in about 250K or so, but it was 600K because everything was modularized. Taking design queues from Knuth, it was extremely robust and very stable. No memory leaks, no buffer overflow problems. Everything that got alloc'd actually had a comment where the variable would get free'd at.

It's called good design of software, not good design of language.

Agreed. However

[phr2]

A lot of programs are written in C that really don't need to be. CVS is an example. It just doesn't do anything cpu-intensive. It's all intricate control logic--it could have been written as a big shell script without performance suffering too much. All the real work is done by external programs. Even if there are some parts that really need to be written in C, then fine, write those parts in C. Heck, there will even be parts where C isn't fast enough and you have to write in asm. That doesn't make asm appropriate these days for large-scale application writing.

Someone asked what I'd recommend instead of C. I don't know. I don't think there's a One True Language. Lately I'm coding in Python and like it, though it has its own shortcomings. Java is C-like enough to be comfortable for today's C and C++ programmers. I like the Java language but despise the runtime systems that are usually shipped with it. Perl seems like a monstrosity to me (awk with cancer) but with the -T option (taint checking), it, too, saves you from making a lot of bugs that are easy to miss when writing a C program.

If you've ever written setuid code (at least responsibly), you know the feeling of paranoia and vigilance you have to bring to every line of it that you write. I'm very skeptical if you tell me you bring the same paranoia to all the code you write. Of course there's no magic bullet to secure programming, but there are tools available (i.e. languages with fewer exposed sharp edges) that provide various kinds of safety nets that can rescue you a sizeable percentage of the time. It's foolish not to use those tools.

Re:Cripes, 's time to ban C

[Spy+Hunter]

Java isn't any less "free" than C even though it is a much more secure language. It is just as turing-complete as C is. If you use a language with security features built in you spend less time auditing and more time being productive. As we all know, programmer time is more expensive than CPU time, so a little less efficiency is excusable. Even so, the technology behind new languages is maturing to the point where it's hard to tell the difference anymore.

Patching Debian systems. (was Re:cvs as root?)

[Mortenson]

If you are using Debian, you should add security.debian.org to your package source list. As usual with most problems like this, a patched version has already been released. Take a look at http://www.debian.org/security/ for more info on how to set your system up to take advantage of security patches.

Hook, Line, and Sinker.

[FallLine]

Your statement is illogical

"When you look at all the expolits in commercial software and then compare them to the amount found in free software you will see what I mean..."

You mention no numbers nor any sort of basis for comparison. Could it be that commercial software merely gets more reports because it has a larger user base and not that it has more exploits? OR maybe there are far more exploits in "free" software but people overlook them or don't catch them.
"I used to be a big Microsoft fan until I looked at all the money I save with free Gnu/BSD/linux software and now I never look back."

How does this have anything to do with exploits? Do you save money because your software was being hacked all the time or something like that? If not this sentence does not fit with the remainder of your statement.

Hi. You got trolled and it was a rather obvious one at that. Heh.

Re:Most functional languages are not ONLY function

[QuantumG]

I'm aware of your ftp server. I'm also aware that it is the only one of its kind. Why don't you write some more software and compete to determine which is better.

Re:Cripes, it's time to ban C (not Mac C)

[The+Bungi]

It is a concrete fact that that no MacOS based webserver has ever been hacked into in the history of the internet.

It's also a concrete fact that there are only 6 of those polluting the Internet, so let's not go into comparisons.

[btw, your crapflooding is getting tiresome, especially when it's so stupid]

You asked for it!

[krumms]

And it seems to me, your stack got hacked
By a buffer overflow.
You're never fixed by patches,
'Cause you still free() twice.
And I would try not to install you,
If I had another choice.
cvs diff you now,
And hope they don't get r00t.

Re:/POSSIBLE/? Jeez...

[anshil]

Sorry but "normal" builds of gcc like configure-make-make install only perform step 1 and 2. To perform step 3 as well you have to call a special make target for this actually paranoidly step, but do not remember of hand which.

Offsite backups

[benb]

Just create a source tarball for each release and store it offsite. Then you can at any time check out the old sources from CVS and compare them with your tarball. Then you can compare the source tarball of this release with the one from the last one, ideally read that diff manually for bugs, and make a cvs diff, which you compare with the diff of the tarballs you made.

You can do that at any interval you choose.

Still severe

[benb]

Um, so, if CVS runs as user "cvs", which can write your source. Have fun to verify that nobody installed an exploit in your software

Yes, running as user prevents from the CVS binary itself being comprimised, which would allow same nasty tricks to hide exploits. But maybe you can achieve almost the same with smart, unusual rcs files.

But otherwise, your source is probably the most valueable asset on that machine (you're not running the company database on the same machine, are you?), so write access to the source *is* severe.

Re:Still severe

[molo]

You should run the cvs pserver as a user which does NOT have write access to the files. That would allow anonymous cvs access (the only good reason to run a pserver). Then for authenticated access, do it over ssh. It works.

Almost but not quite

[devphil]

A "normal" build like the one you describe doesn't even do the compile twice. Only step #1 is done. (That's not what we call a normal build, so that's why I didn't mention it.)

You call the triple-stage idea "actually paranoidly," but I assure you that it's still needed when the native compiler/library is buggy or in some ways lacking. Most Linux users and distros use an earlier version of GCC as the "native compiler" in step #1, which makes steps 2 and 3 (usually) unnecessary. Perhaps that's why you think 2 and 3 are paranoid, but it's good to remember that GCC's target platform is far wider than Linux.

The fact that a simple "make"/"make all" does not do the 3-stage build performed by "make bootstrap" is considered a bug by some of the maintainers. We're actually trying, in the medium- and long-term, to have more of the compiler built in the 3-stage fashion, not less.

Re:Almost but not quite

[anshil]

Well as embedded developer I value gcc for it's cross-compile capabilities, even 2 stage is impossible here :o)

However for building the crosscompiler we need to build a native compieler of that version also. I've automated the more or less compilicated build steps to get a crosscompiler in a script, and for that I want to run it as fast as possible. Where steps 2 and 3 for the native compiler are really only nerving. On an Athlon 700 it takes 1-2 hours eitherway to get the crosscompiler (glibc needs to be compiled also by an intermediate cross compiler). Here more paranoia only takes time (and thus money). My opinion, those who want paranoia shall enable it.

Re:Almost but not quite

[devphil]

The "make bootstrap" step is intended only for a native compiler, really. For building a cross compiler, your host compiler is already GCC. Doing a multi-stage build is pointless.

Re:Almost but not quite

[anshil]

Well the compiler building the cross compiler should be the very same compiler source, so you build a native host gcc first, you want the cross compiler be bugfree won't you? :o)

Actually, You Can Use ML For System Software

[Chris-S]

The Fox project at CMU is studying the use of advanced programming languages, such as ML, for the construction of system software. They already have a web server written in ML.

Re:Cripes, 's time to ban C

[Xerithane]

Java isn't any less "free" than C even though it is a much more secure language.

Garbage collection is not secure. Safe pointers is not secure. Java is not secure. C is not secure. A language can be as insecure as the coder tells it to be. Nothing you want to believe will change this.

If you use a language with security features built in you spend less time auditing and more time being productive.

If you worked with me, you would be fired right now. This is the exact mentality that leads to security problems in the first place. "The language is secure so I don't need to audit"

No offense, but you really just destroyed your credibility with me by saying this, and I'm done talking to you.

Re:Cripes, 's time to ban C

[Spy+Hunter]

Oh come on. Of course any language can be insecure. It is just a matter of how easy it is to make a mistake that compromises security. It is much, much easier to make such a mistake in C (buffer overflow, double free, wild pointer, null pointer, etc) than in Java. Therefore Java code is less likely to have security holes. It is that simple. Using C for all your secure code just because it is possible to write insecure code in Java is stupid.

"The language is secure so I don't need to audit"

Who said that? Did I say that? No, I did not say that. I said you spend less time auditing. Please don't put words in my mouth. Since there are (for example) no double free errors in Java, you don't have to check for them. Therefore you spend less time auditing. You still have to audit for errors that still can occur in Java. Duh.

I'm done talking to you.

Classic "uh-oh, I'm losing the argument" cop-out. Oh well.

Re:Cripes, 's time to ban C

[Xerithane]

Classic "uh-oh, I'm losing the argument" cop-out. Oh well.

No, it's the "I'm arguing with an idiot with no scope of reality" statement. I didn't say you said that verbatim, but what you did say was just as idiotic. You shouldn't spend less time auditing. You should not sacrifice security if the application should be secure (always). Any developer of mine that decides he doesn't need to audit, or spend less time than what should be applied, will find himself quickly unemployed.

Since there are (for example) no double free errors in Java, you don't have to check for them.

Pairing alloc/free's in properly designed code takes all of about a tenth of a second. Auditing code ensures good design, not syntactic checking. Good design will eliminate most of those problems.
It seems you don't know C well enough to know that at a quick glance you should be able to see any of the conventional mishap-bugs (double free, buffer overflows) relatively easy.

Re:Cripes, 's time to ban C

[Spy+Hunter]

You shouldn't spend less time auditing. You should not sacrifice security

But you're not sacrificing security. If you spend less time auditing code that has much fewer security holes, you get the same level of security in the end. You can never guarantee perfect security, only extremely good security. If the language gives you a head start, it takes less time to achieve the same level of security.

Pairing alloc/free's in properly designed code takes all of about a tenth of a second.

Oh, right. And next you'll tell me that loop constructs are for lazy programmers because constructing them with gotos only takes "about a tenth of a second". Give me a break. For one thing, it takes longer than that in any reasonably complex project. For another thing, humans will occasionally make a mistake. Poof, security hole. Compilers don't make those kind of mistakes. Why not let the compiler do it, both for coding speed and security reasons?

Re:Cripes, 's time to ban C

[Xerithane]

For another thing, humans will occasionally make a mistake. Poof, security hole. Compilers don't make those kind of mistakes. Why not let the compiler do it, both for coding speed and security reasons?

Which is why most security-based applications (aside from openSSH, which I wont get into) don't have many problems aside from implementation logic issues. If you design and code with security in mind, it's a moot point.