Secure Programming

viega writes "Matt Messier and I have just launched a secure programming web site. While this site does support our new book The Secure Programming Cookbook for C and C++ , it also serves as a thorough resource for developers. It has numerous links to articles and other topical resources, new recipes that demonstrate secure programming techniques a large glossary and the obligatory web log. We accept outside submissions, and will reward the best recipe submission each month-- O'Reilly will publish it on the O'Reilly Network web site and will give the author a free book. There's already a decent amount of new content, including recipes on avoiding malloc()/new-related integer overflows, watching out for security problems in API differences and issues when truncating data. There's also an RSS feed for the web log."

Run-on sentence time

[mao+che+minh]

Ten bucks says that this endeavor will go widely unnoticed by 90% of developers. Now I'm just a lowly IT worker, managing web servers and crawling under desks, but I do know that 95% of the developers in corporate America do not read Slashdot, and 95% of the ones that do are so intimately involved with Microsoft or Microsoft dependant technologies that this book/article/section/endeavor won't mean a damn. And before the trolls bark: YES, Microsoft = less security in development. Not by design - hardly - but rather because if a developer is working on a project that is Microsoft centric from the ground up, he/she is likely working on a time table set by some PHB a hundred miles away, and has been working on such projects for years, and has long since given up on making good, secure code, and rather coding whatever keeps his/her salary.

Once you have worked 50 hours a week in a corporate setting for 5 years as a developer (2 years) and a run-of-the-mill network/system/any-god-damn-thing-they-can-get-you -to administer(4 years, you will understand.

Re:Run-on sentence time

[Dark+Coder]

Pay up.

With not quite a million slashdot anonymous cowards, that Bureau of Labor Statistic makes for more than all the software developers, I&T guys, database report wizards and embedded software engineers by twice here in U.S of A (not to mention outside world).

Yes, you may be a lowly I&T worker; but you probably should not be worthy of posting ludicrous assumptions at Slashdot.

And Ah, 95% of slashdot readers are Microsoft involved? Mmmmm. I put money down that this is closer to 85% or less that the readers are deeply involved in Microsoft-specific stuff than they would be deeper in Unix.

Try working 60-80 hours a week as a Sr. Embedded Software Engineer for 22 years at top-notched startup companies, so that experience becomes you.

Re:Run-on sentence time

[cerberusss]

...has long since given up on making good, secure code, and rather coding whatever keeps his/her salary.

I know what you mean, but projects differ. Where one application doesn't need every security risk nailed down, there are others where it's more important.

I might just read this book out of sheer interest, and I know teamleader/manager will definitely appreciate it when I can make a smart security-related suggestion while discussing one project or another.

Re:Run-on sentence time

[tuomoks]

Unfortynately - you are correct, period ! Just dont blame MS too much - they are bad but... As an example we do develope for public safety and have absolytely no guidlines or methods for safe software. Our management thinks that application level encryption is enough and safe - go figure. Makes me wonder - after 30 years in network security.. have a nice day.

Re:Run-on sentence time

[JaredOfEuropa]

Ten bucks says that this endeavor will go widely unnoticed by 90% of developers.

Sadly, you may be right.

95% of the ones that do are so intimately involved with Microsoft or Microsoft dependant technologies that this book/article/section/endeavor won't mean a damn.

What?! It is precisely because of the flaws of most modern operating systems that do not protect you from sloppy programming, that programmers need to be aware of secure programming methods. It's not just Windows either; Unix/Linux does not protect a programmer from, say, buffer overruns either. All programmers need to be aware of such flaws, and work around them.

Programming securely does not have to cost you a lot of time either. Take the SafeStr library mentioned on the website for instance... a string library that can be used as replacement for the standard C string functions, a notorious source of buffer overruns and bugs. Using this library instead of the standard functions will cost little or no extra time.

Programming securely is just like other good programming practices. Generally they do not cost extra time, they save time. It does take time to learn these practices, and that's where the responsibility of each programmer comes in. Take the time to learn good programming practices and get used to them, stay abreast of new developments, and above all train and encourage your junior team members to use these methods as well.

The team that fails to adhere to good programming practices will turn out unstable and insecure software. Where do you think the bugs in Microsoft products come from? Tight timelines? Perhaps... but a great many of the bugs I come across are generally the result of a sloppy programmer, tight deadlines or no.

Re:Run-on sentence time

[tony_gardner]

It's security through obscurity....

Re:Run-on sentence time

[wawannem]

Wow, I sense quite a bit of anger in your portrayal of your own position...

I only have a few questions to ask of you -

1. So, if you are just a lowly IT worker, managing web servers and crawling under desks, how exactly is it that you came across such knowledge of what the developers in corporate America do with their spare time?
I am one of those developers and 100% of the people I work with are part of that group also. 100% of the partners I work with are part of this generalization and what's more, each of the companies in question are Fortune 500 or better. Although we don't all read /., it is better than 5%. And, even further, none of us are so intimately involved with Microsoft or Microsoft dependant technologies that this book/article/section/endeavor won't mean a damn. In fact, none of the work I have done in the past two years has involved M$ at all. But, since you posted so confidently, I'll assume that you can back up your numbers with solid proof.

2. How did you come to the conclusion that working on a M$ platform automatically equals: working on such projects for years, and has long since given up on making good, secure code, and rather coding whatever keeps his/her salary. ?
I mean, you made more than one ridiculous generalization here... How does the amount of time a project is worked on directly affect the quality of the code? And further how does the M$ platform have anything to do with either of these statements? I'll admit that some developers write code to get a paycheck and nothing more, and even further, some of them work within an M$ platform... But come off it, the quality of code is only directly proportional to the coder's habits. Just because you might have stumbled across a few bad code monkeys that work with M$-related products doesn't mean that (95% * 95%) .9025 coders have long since given up on making good, secure code, and rather coding whatever keeps his/her salary.

Also, since you threw out your resume so quickly, I'd like to add that I have been working in this field for 9 years and been a developer for 4. But, funny, the experience didn't make me just understand.

Re:Run-on sentence time

He spent 2 years as a developer - he mentioned that. Also, the "lowly IT guy" that spends his time under desks and fixinf email issues usually has the best overall grasp on the sorts of things - due to constant exposure from all levels (everyone from management to the developers to the clients). Wise up. By the way, YHBT.

Re:Run-on sentence time

[wawannem]

Wow, an anonymous coward just told me to 'wise up'. I forgot to mention that in the five years before I became a developer, I did do the under desks thing... and I got news for you, you don't know near as much as you think you do.

Re:Run-on sentence time

[Beliskner]

What?! It is precisely because of the flaws of most modern operating systems that do not protect you from sloppy programming, that programmers need to be aware of secure programming methods. It's not just Windows either; Unix/Linux does not protect a programmer from, say, buffer overruns either. All programmers need to be aware of such flaws, and work around them.

The programmers care about security, but the managers don't give a damn. I asked my manager for time off to secure the software I wrote for a client by performing a security audit, he said, "Only if the customer complains that he wants security in his software product, and is willing to pay extra for security feature in the product". So there ya go.

Re:Speed issues aside

[An+Onerous+Coward]

Lesson #1: All Java programs are automatically secure.

See, that's why I keep coming to Slashdot. You learn something new every day. :)

Good idea

[ljavelin]

It's a good idea to have resources that are committed to security. Although some will claim that languages such as Java or C# prevent security issues, this is simply not true - there are many avenues to building security weaknesses... and those that think they're safe merely by using a particular programming language are in for a nasty surprise.

Of course, a web site and a few books won't prevent security issues - but the more it gets the word out about good programming practices, the better!

---
Herb Chambers - where my nightmare came true!

Re:Good idea

[fussman]

and those that think they're safe merely by using a particular programming language are in for a nasty surprise

Tell that to some of these flamers out here. There's no such thing as the perfect program.

Re:Good idea

[An+Onerous+Coward]

int main()
{
return 0;
}

// Try hacking THIS, suckas!

Re:Good idea

[Monkey+Badass]

Of course, a web site and a few books won't prevent security issues - but the more it gets the word out about good programming practices, the better!

I agree. Cookie-cutter methods don't teach good secure coding practices. What we really need are more books that discuss how to address security throughout the life of software, beginning at its design. It's kind of sad that even after years of acknowledging this need, there are still only a handful of such books available. This kind of knowledge also would give developers the insight they need to know how to properly adapt these cookbook methods to a very complex software design. Teach a developer to fish ...

I'm currently doing relevant research. Check out the survey if you get a chance. I'd greatly appreciate it.

Re:Good idea

[viega]

There are several books out there that try to teach secure programming by relating it to good software engineering principles. The problem is, you can say things like "use encryption" all you want, but if you don't get far more concrete than that, people are going to get it wrong over and over again.

If you look at the book, while there are indeed plenty of pieces of code people can just use, we thoroughly discuss design and implementation issues for each of the examples we give. That is, we're covering far more of the things that really do go wrong than the average high-level book is going to be able to cover.

Re:Good idea

[Frymaster]

// Try hacking THIS, suckas!

ah, you think it's funny - but it's true! the more a program does, the greater its potential for security flaws. thus, frymaster's first rule of secure programming: "your program shall do no more than what is absolutely required by the spec-n-rec[1]".

1. you got a spec-n-rec from the client? lucky you!

Re:Good idea

Yep. It's got that creamy nut aroma.

Re:Good idea

Tell that to some of these flamers out here.

I see no reason to bring sexuality into this discussion.

Re:Good idea

[An+Onerous+Coward]

"the more a program does, the greater its potential for security flaws."

Yeah, that's basically what I was saying. Seem to have gotten trollbranded for it. :)

Technically, I guess a truly "perfect" program would actually have to accomplish something.

Warding off the inevitable "switch to Java" commen

[sco08y]

If you RTFA, or even just GATFA (glance at) you'll notice that the book has info on:

Random numbers

Input validation

Cryptography (e.g. ssh)

Buffer overruns are just one kind of problem you need to deal with when writing secure code. There are also DOS attacks and information theft. Even with Java, it can be quite challenging to ensure that data is properly encrypted and authenticated, and you still need to worry about permissions in the file system.

And let's not even dredge up the standard "why can't you just rewrite 100s of 1000s of lines of working C++ code in Java?" inanity.

Re:Speed issues aside

[endx7]

Might Java or C# have their own security issues, where if the right set of things occur bad things could happen?

I'd rather use a language which doesn't give a false sense of security, a language which everyone obviously (well, we hope they do, but, true, not always the case) knows you have to do checks and specify how much space you really have (and so forth).

The really is no excuse to use a language like Java or C# to do your checking when you can do it yourself. Except of course, laziness >:P

Re:Speed issues aside

Yes, Java is more secure than C/C++.

No buffer overflows
No dereferencing of null pointers
No object creation failures (all "new"s succeed)
No direct access to memory location

C/C++ have none of these protections. So yes, Java is more secure than C/C++.

I'd love to read the site, but ...

[russh347]

I won't given the color scheme.

Re:I'd love to read the site, but ...

> I won't given the color scheme.

Opera (www.opera.com) has two modes, "author mode" and "user mode". In author mode the page is displayed as the author wanted it to be. In user mode, your own settings apply. You can override most attributes, eg disable background grafics, font sizes, etc. The switch between author mode and user mode is done with a simple mouse click (you don't have to wade through menus).

It's a very useful feature for text-biased pages.

Re:I'd love to read the site, but ...

That makes sense really. Gay programmers are far more likely to leave their holes open for intuders to take advantage of.

We really need a different language

[smiff]

The most common security hole is a buffer overflow. OpenBSD is well regarded as one of the most secure systems in the world. It was extensively audited, yet it still had a remote root exploit. And what type of exploit was it? A buffer overflow!

Buffer overflows should not happen in the first place. In most languages, they are impossible. They happen because A) most code is written in C or C++, and B) everyone makes mistakes (even the finest open source developers overlook simple buffer overflows).

Microsoft is moving to languages with managed types. If they had been using managed types all along, the overwhelming majority of Microsoft security holes would have never happened. In a few years, Microsoft software will be more secure than anything Open Source has to offer.

Open Source developers, on the other hand, arrogantly believe that they are immune to mistakes. They somehow overlook the countless exploits discovered in their own code (more than 500 in Debian over the past 4 years).

It is time for open source to wake up and start using better tools and better practices.

Re:We really need a different language

[wordisms]

Has anyone tried Cyclone?

I've heard of it, and I know someone talked about it at DEFCON this year. Has anyone tried it for production applications, or just for proof of concept?

Re:We really need a different language

[The+Original+Atrox]

Hmmm.... I smell a TROLL

Atrox

Re:We really need a different language

[pVoid]

Microsoft is moving to languages with managed types [...]overwhelming majority of Microsoft security holes would have never happened

Are you somehow recommending a kernel be written in something else than C??? Sure, not all systems software is kernel mode C, but you have to realize that unless the underlying infrastructure is built (on some low level language), you can't have high level languages... in other words, the bottom line is Assembly. You have to build your way to it.

Now that said, the buffer overflow isn't the only security hole in the world, in fact more security holes come from very very high level, very abstract programming fallacies... such as for example the cookie exploit (it's a logical bug) that Hotmail had a while back.

All this being said, I feel like a dirty karma whore right now (feeling the slimey breath of modders down my neck), so I'll say it right out: I'M PRO MICROSOFT.

<runs for cover>

Re:We really need a different language

[Electrum]

They happen because A) most code is written in C or C++, and B) everyone makes mistakes (even the finest open source developers overlook simple buffer overflows).

That's not true. qmail and djbdns do not have security holes. They were written using secure coding techniques that make them immune to things like buffer overflows. You can't "overlook" a buffer overflow with stralloc.

Re:We really need a different language

[Snoopy77]

Now that you've got off your high pony, the problem is not necessarily the tools. As the site points out, buffer overflows can be avoided in C/C++. The whole point of the site is to try and improve coding practices.

And don't think that just because Microsoft is switching to managed types that they are all of a sudden going to fix bad coding practices. Sure it may reduce the effect of bad coding but it won't single handedly catapult Microsoft into security heaven.

Go back in your cave troll.

Re:We really need a different language

Open Source developers, on the other hand, arrogantly believe that they are immune to mistakes.

Did you do an opinion poll to get that bit of FUD? Or is it just that your next door neighbour open source coder an arrogant SOB? Fuckwad.

Re:We really need a different language

[RetroGeek]

Now that said, the buffer overflow isn't the only security hole in the world, in fact more security holes come from very very high level, very abstract programming fallacies... such as for example the cookie exploit (it's a logical bug) that Hotmail had a while back.

There is a difference between a programmer error (buffer overflow) and a design problem.

If you can use a language which reduces programmer error, then you can spend more resources working on proper design.

Re:We really need a different language

[viega]

I would actually argue that the most common security problem in software systems is likely NOT the buffer overflow. Yes, the most common thing to see in places like bugtraq, etc. is the buffer overflow, but this is because people know how to find them and turn them into exploits ( and, the consequences are running code on a remote machine, which is pretty severe).

However, C and C++ are a fairly small part of the market these days, too. All the market data I've seen recently suggests that no more than 1/3 of commercial development is in one of these languages. It's probably less.

And, there are plenty of security problems that apply to all languages, such as problems in authentication systems that provide the attacker some kind of leverage (e.g., practical guessing attacks), other misuse of cryptography (e.g., misapplying SSL) and other generic input validation problems (e.g., SQL injection). These things come up in all languages, and are things people frequently get wrong.

Re:We really need a different language

[defile]

I recommend Python.

Open source, expressive (very short code can achieve a lot), readable (very short expressive code is easily groked -- fewer bugs), no direct pointer manipulation (safe -- fewer bugs), integrates nicely with other languages, runs on a variety of platforms, very easy to learn.

Re:We really need a different language

[slamb]

qmail and djbdns do not have security holes.

Bah. That they do not have security holes is implausible, if not actually impossible, to prove. It's hard to even define what a security hole is; a changing threat model has "caused" many security holes. (Is an open relay a security hole? I say yes. Twenty years ago, everyone said no.) I doubt your statement. I can't point at a hole right now, but I have confidence that at least one security hole will eventually be discovered in those programs.

They were written using secure coding techniques that make them immune to things like buffer overflows. You can't "overlook" a buffer overflow with stralloc.

No, they make it easier to avoid buffer overflows. They don't prevent them: I quote from your hyperlink:

A stralloc structure has three components: sa.s is a pointer to the first byte of the string, or 0 if space is not allocated; sa.len is the number of bytes in the string, or undefined if space is not allocated; sa.a is the number of bytes allocated for the string, or undefined if space is not allocated. A stralloc variable should be initialized to {0}, meaning unallocated.

Applications are expected to use sa.s and sa.len directly.

If they use sa.s and sa.len directly, they can screw up and increase len inappropriately. The API seems good in that it makes it much harder to do things wrong, but it is hubris to say it makes you invulnerable. Besides, buffer overflows are possible for things other than strings, so this solves only (the most common) part of the problem. And there's still the legacy code that people can use without porting to stralloc.

It does seem like a good library if you're stuck using C. Another alternative is APR, which makes managing all sorts of memory allocations much easier. Pools are handy things when dealing with a language that primitive.

But there are languages in which it actually is impossible to have a buffer overflow. Please don't confuse the issue by saying that this (which makes it somewhat easier to avoid this error) makes the error impossible.

Re:We really need a different language

[Omnedon]

Open Source developers, on the other hand, arrogantly believe that they are immune to mistakes. They somehow overlook the countless exploits discovered in their own code (more than 500 in Debian over the past 4 years).

Overlook? Hardly.

Most open source models encourage reporting of exploits so they can be fixed. (more than 500 in Debian over the past 4 years). How many of those are STILL exploitable? How long between when an error is found and a fix is available?

Your argument is common and entirely false.

When an error is found in Debian, it is soon fixed.

When an error is found in M$, it gets swept under the rug and ignored. When finally made public (usually via 3rd party press release or some spectacular virus/worm) M$ often denies, then grudgingly releases a patch. This patch may or may not fix the problem and may or may not break something else.

Re:We really need a different language

[Dun+Malg]

I recommend Python. Open source, expressive (very short code can achieve a lot), readable (very short expressive code is easily groked -- fewer bugs), no direct pointer manipulation (safe -- fewer bugs), integrates nicely with other languages, runs on a variety of platforms, very easy to learn.

Python is good for some things, but it's hardly a 1:1 replacement for C/C++. While it may be somewhat better in some areas, interpreted languages have certain shortcomings that make them unsuitable as replacements for compiled languages in many cases. Such as anything rquiring small size or fast execution...

Re:We really need a different language

Great. Let us know when DJB has personally written all of the software that we will ever need.

Otherwise, DJB and OpenBSD are the exceptions that prove the rule: UNIX & Microsoft were wrong, network services should not be written in C/C++.

Re:We really need a different language

[Malcontent]

"but I have confidence that at least one security hole will eventually be discovered in those programs."

qmail is very widely used and deployed (they claim it's the second most popular smtp program) and it has never been hacked. If it has held up so far I am pretty sure it's unbreakable.

Re:We really need a different language

[William+Baric]

Are you somehow recommending a kernel be written in something else than C?

Personally I never understood why C was so popular. In particular I never understood why people thought of C as a powerful language. I don't know about the parent post, but for me I do recommend writing a kernel with something else. A mix of Ada and assembly would be my choice (yes, I know I'll get flamed for saying "Ada").

but you have to realize that unless the underlying infrastructure is built (on some low level language), you can't have high level languages.

I'm not sure what you mean by this (you don't mean you can only write a compiler from assembly, right?) but what's the difference between C and another high level language? (except for the fact it's easier to write a C compiler than an Ada95 compiler)

buffer overflow isn't the only security hole in the world

No but they are really "popular". Also don't forget about simple bugs that could be found at compile time by using a more powerful language than C.

Yes, I know you can have good programming practice in C. You can have good programming in assembly too. Unfortunately a programming language comes not only with syntax rules but also with a "culture"... and let's be honnest, C "culture" is not about good programming pratice.

Re:We really need a different language

[tuomoks]

No way a troll !! I'm a Linux and Unix person BUT C and C++ are really a problem. Managed languages ( C# is not on that level yet! ) will prevent most ( not all ) of that king of problems. C could be fine but the education of safe coding is not really part of the normal learning today. Just an idea from an old assembler coder.

Re:We really need a different language

If it has held up so far I am pretty sure it's unbreakable.

Horrible, terrible, abysmal way to look at things. The fact that no one has broken it yet hardly means it's impossible. Before the openbsd remote root hole, were you also thinking that it was impossible for openbsd to be broken into?

Re:We really need a different language

[axxackall]

Python is good for some things, but it's hardly a 1:1 replacement for C/C++. While it may be somewhat better in some areas, interpreted languages have certain shortcomings that make them unsuitable as replacements for compiled languages in many cases. Such as anything rquiring small size or fast execution...

I think you exagurate a lot here, when you use the word many to advocate C, and the word some applying to Python and other interpreters. I think that in most of projects (by amount of projects and by amount of programmers assigned to) good interpreters (like Python or Lisp or Erlang) are more preferable as they let coding in safity, they let coding fast and they cut the cost of further maintainance.

Tasks that rquiring small size or fast execution are very rarely cases, such as kernel drivers and DB engines. In most applications C is overkill in terms of compactness and speed. In some programs C is the best choice.

Modern interpretors are also more effective than before. For example, check Zope content management and application server and its companion ZODB object database. Both are written in Python. Zope when running is comparable by size to full-loaded Apache (vs typical Java based application servers), while by speed it's not (much) slower than JBoss.

Same good things can be said also about interpreters of Lisp and Erlang, another full-featured generic programming languages used in many commercial applications.

Re:We really need a different language

[varjag]

> Are you somehow recommending a kernel be written in something else than C???

Um.. why not?

> you have to realize that unless the underlying infrastructure is built (on some low level language), you can't have high level languages... in other words, the bottom line is Assembly.

Yes, but the next level don't have to be C.

Re:We really need a different language

[andreas]

I tend to repeat myself on this: Lisp (and Dylan, which is Lisp with an easier syntax) are not interpreted languages. There are compilers available that match C in terms of speed.

Unfortunately, the same isn't true for Python, which makes it inattractive for a number of applications.

Re:We really need a different language

Exploits reside in semantics of programs, not syntax. It means that even with the best secured language, you can still write unsecure code.
It could be simply because the coder is dumb, as in this obvious example : a password input program that displays the password on the screen as it is typed in.
But generally it's a tradeof between performance and security. Less obvious example : race conditions between threads accessing the same data (do you know a language automaticaly inserting locks on sensible data ?).
Bottom line : secure programing is a matter of good engineering practices, more than good engineering tools.

Re:We really need a different language

[Torne]

You can write an OS in Java, if you want, with almost no assembly. Just get yourself a chip like the Jazelle ARM cores which can execute Java bytecodes in its native instruction pipeline. You now need only your very early startup code to be in assembler, as you can bring up the majority of the environment from bytecode. There are people around at the lab where I work who are building this kind of thing, and are seeing it run comparably to an ordinary embedded OS.

Re:We really need a different language

[smiff]

Did you do an opinion poll to get that bit of FUD? Or is it just that your next door neighbour open source coder an arrogant SOB? Fuckwad.

I posted several similar comments on Slashdot and got quite a few responses asserting that security holes are due to stupid programmers. The moderations on the grandparent comment say it all.

Re:We really need a different language

[blibbleblobble]

"That they do not have security holes is implausible, if not actually impossible, to prove"

I'd go for "impossible to prove": you can only be secure if you've guarded against any method an attacker can use. So no matter how much you guard against, you'll always be insecure against an attacker with more imagination than you. And imagination doesn't have an upper-bound. So you can't prove any system is secure.

Re:We really need a different language

[pVoid]

what's the difference between C and another high level

The difference is that C is almost assembly. C is so transparent that you could almost see the assembly gushing out of it. C++ is a very different matter (with the compiler making sure constructors and destructors are triggered etc), but C is not really a high level language: it does little to no book-keeping for you. I could be so bold to say "C is a shorthand for assembly"...

But that's exagerating a bit. The thing is a language so let's not defecate on it.

Re:We really need a different language

[pVoid]

Yes, but the next level don't have to be C.

Absolutely not, but if you somehow think that you can find a next level that's going to miraculously handle buffer overflows - read is going to have dynamic memory allocation be part of the language semantics (as opposed to being some sort of library like malloc), then you are mistaken.

And once we've accepted this, we're back to square one. It may not be called C at that point, but it's going to have the same problems: no run time types, no garbage collection, no memory management, no overflow protections...

Re:We really need a different language

[Tom7]

> Are you somehow recommending a kernel be written in something else than C??? Sure, not all systems software is kernel mode C,
> but you have to realize that unless the underlying infrastructure is built (on some low level language), you can't have high
> level languages... in other words, the bottom line is Assembly. You have to build your way to it.

I think he is claiming that a good goal is to minimize the amount of software written in dangerous languages like C.

Some of your kernel code needs to be unsafe, for sure. Linux is over 30 million lines, and there is no fucking way that all has to be in C. It would be possible to do bounds checking and even garbage collection in most parts the kernel. (Real-time garbage collection has been done!) Using a microkernel architecture, lots and lots of code (say, the filesystem) could be written in a high-level, safe language. Doing this has various tradeoffs--speed is one that might bother the slashdot audience. Personally, I'd love to use such a system, because I care more about my computer working correctly than working fast.

The kernel is the hardest place to argue against C. For the vast majority of computer software, especially network software where security holes are most disastrous, modern safe languages are better in almost every dimension: fewer security holes, more maintainable code, less code to verify, etc. Other than "legacy code" and "legacy programmers," it baffles me that C remains so popular.

Yes, it's impossible to get rid of all security problems in general applications with a language or tool (you could even prove this, once we had a definition of "security problem"). However, it's not unreasonable to take steps in the right direction---safe languages rule out a large class of common vulnerabilities automatically.

Re:We really need a different language

[defile]

I didn't say it was a drop in replacement, simply to try it. ;)

I suspect also that most people who know that they need fast execution speed know that they can take advantage of writing performance critical code in a lower-level language and easily link it from the python environment (it's super duper easy, possibly easier than doing it in any other language).

As for small? A "typical" Python environment is smaller than a typical Java environment for the same application, and they run at approximately the same speed (this may be due to simple JVM suckiness).

/JRE

That's not saying much about how Python compares to C/C++, but it says a lot about Python vs. Java.

Re:We really need a different language

It's not the language. The libraries matters. C would not be such a mess, if there were sane libraries for buffer manipulation. The invention of

strxxx

functions made C inherently harmfull.

The great thing with Java is the high level of standardization. Cryptography libraries, JSP server, EJB container, etc. are completetly exchangeable. So you can use the most secure implementation when you like. And you can use libraries that are checked by many users for security holes. On the C side, it's even difficult to hand a string from one library to another, because it's not clear which one is allowed to free the corresponding memory. So double free errors can easily occur.

Re:We really need a different language

[pVoid]

I agree with you. In fact, despite defending C to a point, I think it should not be used to develop applications.

That's the distinction I make, and you are right, I am fussy about speed and optimizations, for me it goes like this: any system component should or can be written in C. Any application should not be written in C.

But, there's still a but: I think C++ is semantically rich enough that you can write applications in it. In fact, for applications, I use C++ or scripting (Perl, ASP, JScript, AScript). None of that compiled VB, or Java (not that I'm bad-mouthing them).

Re:We really need a different language

[andreas]

I hold that C shouldn't be used to write system components either. This does include kernels.

Regarding the semantical richness of C++: once you've tasted the sweet aroma of closures, higher-order functions, multiple dispatch and dynamic typing, you wouldn't want to go back to C++ anymore. It feels like wearing a straightjacket.

Re:We really need a different language

[pVoid]

I have used LISP, and am aware of a bit of what you talk about, but I also must say once you've tasted the strength of templates you learn to appreciate C++ more for what it is. And I don't mean templates to define just a function that takes a float or an int... Tempaltes are much more powerful than people take them to be...

Re:We really need a different language

[andreas]

I don't see anything doable with templates that couldn't be done using macros and generic functions.

Of course templates are one of the tastier ingredients of C++. Still doesn't make the end result palatable to me.

Re:We really need a different language

[pVoid]

Hey don't get me wrong, I find LISP and the derivatives to be superior languages by far. In fact, I'm pretty convinced LISP *is* the most powerful language...

But life unfortunately is never that simple. C++ matured as a market product faster because it was easier to implement on simpler systems (8 bit, 16 bit)...

PS. There is one thing not doable using macros and generic functions, and that is only because it's simply two different beasts: templates are a compile-time construct, while class inheritance etc are runtime. I don't think there's a distinction in LISP of compile/runtime. But believe me, this provides at least a couple of nifty tricks... But again, LISP is more powerful, all hail the lisp =)

Re:We really need a different language

I don't see anything doable with templates that couldn't be done using macros and generic functions.

Typechecking

Re:We really need a different language

[andreas]

A concept that Dylan, as a part of the Lisp family, introcuced, is "sealing". Basically, you have fine-grained control over reduction of dynamism, like preventing a class from being further sub-classed by other libraries.

This allows the compiler to deduce certain information at compile-time, producing code whose efficiency matches that of C++ code. So the distinction between compile-time and runtime is there, it just happens behind your back in the compiler.

Re:We really need a different language

[mark-t]

"[Buffer overflows] happen because most code is written in C or C++"

While it's true that most code that has buffer overflow problems is written in either C or C++, your statement, which claims to indicate causality, is false.

Assembly language programmers are just as prone, if not more so, to buffer overflow problems as C and C++ programmers are. In fact, about the only *REAL* reason you might be less likely to find a buffer overflow problem in an asm program than one written in C is because assembly languagae programming is so tedious that the programs developed in it tend to be inherently simpler. Further, it's worth remembering that at one time, most programs *WERE* done in assembly, and once C was invented, one of the major factors that caused C to became so widespread was because it could feasably supplant a lot of assembly language programming, cutting development and maintenance costs. The relative ease with which C programs could be built compared to assembly programs led to ever more complex programs being developed, and this is where the buffer overflows started happening. The long and the short of it is that buffer overflows happened because of programmer oversight. Oversight not because C developers were bad programmers, but because prior to this their programs had never been complex enough for buffer overflows to be a real issue.

You can hardly blame C or C++ for this.

Re:We really need a different language

You know I'm kind of sick of this dangerous/safe/unsafe language propaganda. There are plenty of unsafe and dangerous things which you can do in OCaml, and plenty of safe things which you can do in C. Safety, at least from a security point of view, really should not be seen as a feature of a language. If you want to write more secure code then educate yourself about secure programming practices. I find it rather ridiculous to assume that you can just give someone a new programming language and thereby make the code they produce more secure. That said, I do think that there are real benefits to using languages like OCaml, SML/NJ, etc., and that more people should be using these languages. However, if you want security you are going to have to work for it, you won't get it just by switching languages.

Re:We really need a different language

Sorry to pick nits, but it's "Go back in your cave, troll."

The way you wrote it, you're telling them to return to the innards of their Cave Troll. icky.

-Tim, the AC Poster Child

Re:We really need a different language

[Nevyn]

Linux is over 30 million lines, and there is no fucking way that all has to be in C. It would be possible to do bounds checking and even garbage collection in most parts the kernel. (Real-time garbage collection has been done!) Using a microkernel architecture, lots and lots of code (say, the filesystem) could be written in a high-level, safe language. Doing this has various tradeoffs--speed is one that might bother the slashdot audience. Personally, I'd love to use such a system, because I care more about my computer working correctly than working fast.

And yet all of the "main" kernels are all in C or C++.

For the vast majority of computer software, especially network software where security holes are most disastrous, modern safe languages are better in almost every dimension: fewer security holes, more maintainable code, less code to verify, etc. Other than "legacy code" and "legacy programmers," it baffles me that C remains so popular.

But yet, if you want a box that has a database, web server, allows you to login (with crypto) and sends email then there are none, ZERO, nadda choices but C. Well maybe roxen web server counts, but that includes it's own interpreter ... so I'd say not.

Really if it were that simple, people would have written and used SMTP/HTTP/SSH servers in python or whatever. Maybe in a few years people will really not care about performance enough for it to happen, but that's certainly not the case now.

Re:We really need a different language

DJB and OpenBSD are examples which show that the rule is invalid. They certainly don't offer any proof for it.

Re:We really need a different language

[darkwing_bmf]

Ada is a strongly typed language. It's used for jet airplanes. It should be good enough for other things too. If only there were more support for it. Here's an additional link for our faithful viewers: www.adapower.com

Re:We really need a different language

[Tom7]

But yet, if you want a box that has a database, web server, allows you to login (with crypto) and sends email then there are none, ZERO, nadda choices but C. Well maybe roxen web server counts, but that includes it's own interpreter ... so I'd say not.

Yes indeed! But just because it is doesn't mean it ought to be. From a pragmatic point of view, there is a load of work to start any kernel project, so I don't expect it to happen soon. (And in fact, all the eyeballs and hero hackers working on the linux code results in a pretty damn good system after all. It just comes at the expense of a lot of work!)

Really if it were that simple, people would have written and used SMTP/HTTP/SSH servers in python or whatever.

This I don't agree with. In fact, in a couple weekends I rewrote ftpd in SML, because I got fed up with buffer overflows in wu_ftpd. It was really easy, and the code went from something like 24,000 lines to 3,500 (including an implementation of MD5 and MD5_crypt, and some other general server stuff that I reuse in other projects). I plan to rewrite others, especially sshd which has had a number of annoying vulnerabilities recently. I don't see any reason why a team of good hackers couldn't port the basic functionality of a number of standard services in a short period, and it would certainly help users sleep more soundly at night!

Re:We really need a different language

[Nevyn]

Really if it were that simple, people would have written and used SMTP/HTTP/SSH servers in python or whatever. This I don't agree with. In fact, in a couple weekends I rewrote ftpd in SML, because I got fed up with buffer overflows in wu_ftpd. It was really easy, and the code went from something like 24,000 lines to 3,500 (including an implementation of MD5 and MD5_crypt, and some other general server stuff that I reuse in other projects). I plan to rewrite others, especially sshd which has had a number of annoying vulnerabilities recently. I don't see any reason why a team of good hackers couldn't port the basic functionality of a number of standard services in a short period, and it would certainly help users sleep more soundly at night!

Well I might still need to use apache in some places due to the mod_* usage. But I'd pretty quickly change SMTP, DNS and SSH if someone did competetive versions that used either a real string library or ML (or dylan, or whatever -- so long as it's as free as python/perl).

However note the competetive attribute, I've seen a web server that was written in 569 lines of C ... and it even worked well enough that it was useful (it was _very_ easy to boot a quick version with a non-std. port to get around some DSL "security"). However it wasn't/isn't competitive, with apache. In the same vain, I'd want something at least as nice as exim/postfix for SMTP or vsftpd for FTP.

I'm not going to hold my breath, and I expect I'll get a version with a string library in C before you do one in ML ... but maybe you can prove me wrong :).

Re:We really need a different language

[Tom7]

Yeah, I know, apache is huge and has a lot of features that would be hard to copy, especially for a single guy who probably doesn't use most of them. Fortunately, apache has a pretty good security record despite being written in C. I think that most people use a very small number of features in SSHD, though, so that is why it is next on my list!

Re:We really need a different language

[qasama]

hmm... If I didn't already have a job, I'd ponder looking for a QA job where-ever you work cleaning up the mess.

Re:We really need a different language

[PhilHibbs]

Buffer overruns are only a security hole if the buffer is on the stack, where an overrun can overwrite the function's return address. If it's on the heap, overwriting the stack in a controlled way becomes immensely difficult at best, maybe even impossible depending on the architecture.

Re:We really need a different language

[slamb]

Buffer overruns are only a security hole if the buffer is on the stack, where an overrun can overwrite the function's return address.

That's not true. Google for security "heap overflow" and you'll see a lot of advisories and exploits for bugs of this nature.

If it's on the heap, overwriting the stack in a controlled way becomes immensely difficult at best, maybe even impossible depending on the architecture.

"Immensely difficult" isn't good enough; there are people who live for this stuff, as shown by the link above. Even impossible isn't good enough, because there's still a denial of service attack. The only even remotely secure thing is to not have a buffer overflow. There are dozens of languages in which this just isn't a concern.

Re:We really need a different language

[PhilHibbs]

Interesting, thanks for that. I agree that the DoS is a significant problem, but not a security problem.

Re:Speed issues aside

The really is no excuse to use a language like Java or C# to do your checking when you can do it yourself.

That is the most ridiculous argument ever. It is tantamount to embracing only the most basic building blocks of anything and claiming that any automation or pre-made combination of those blocks as wrong.

No, it is you who is wrong. Why do you use a computer instead of an abacus? Why do you use paper when you could carve notes into stone? Things progress, things get better, and things that once were boilerplate (like manual safety checking) are taken care of so you don't have to do any of the boilerplate stuff anymore.

Embrace the better technology. Don't cling to the past or you will be left behind.

Secure programming FAQ

[SystematicPsycho]

Or for a quick and free guide, you can download the secure programming faq from one of the oldest websites on the internet-
Securing Programming FAQ
--

Re:Secure programming FAQ

[viega]

This is not a very good (modern) guide. There are plenty of better guides (still free) to which we link on the web site, such as David Wheeler's HOWTO . The book is more about giving actual code examples on how to do things properly. And, oddly enough, all the code is also available for free on the web site.

Re:Secure programming FAQ

[Barnoid]

do you make money with that book?

just a random thought when reading some of your posts...;-)

barnoid

Re:Secure programming FAQ

[viega]

The authors split maybe $3 or $4 per book, and the book *might* sell 20,000 copies in its lifetime. Not bad, but not great, considering it's a 800 page book, and book-writing generally takes about 3-5 hours of work per page total. Let's just say that we didn't do it for the money...

Re:Secure programming FAQ

[Barnoid]

oops...didn't really look at your username & the authors of the book; my mistake.

in this case i hope you'll make a LOT of money ;-)
though i won't buy one because i use a language that is quite secure by design: oberon

I blame colleges

[Amsterdam+Vallon]

These degrees are handed out like toilet paper these days.

Let's teach future American programmers proper security before they graduate and start writing professional software.

There's no excuse for the fact that in order to write good, clean, secure code, our youngsters have to visit websites like secureprogramming.com in order to just get by.

What a disgrace.

Re:I blame colleges

[metallicagoaltender]

Blaming colleges is a complete copout - if colleges aren't teaching the proper skills, then employers should be rejecting applicants with inadequate skills.

The fact is, most companies couldn't give half a shit about security on a day-to-day basis, and therefore don't really care if people fresh out of college have a clue about secure programming, or even security in general.

The goal of college, in the context of our current society, is to prepare students to get a job - if employers aren't demanding it, then people aren't going to expect it to be part of a college curriculum.

Don't get me wrong, I fully agree it should be a core part of computer education right from the start, but until the technology industry recognizes it as a day-to-day need (other than the 2 weeks after you've been hacked), it won't be considered an important part of the educational process.

Re:I blame colleges

[m00nun1t]

As someone who occassionally hires college graduates, they have a LOT more to fix before teaching people secure programming (although that would be great!). How about a graduate who can tell me the difference between a development environment and a production environment? Or is even aware of the concept of a production environment? What they teach in University seems to have such limited applicability in the real world as to be almost useless. I hate hiring graduates, complete pain in the rear for the first few months.

Re:I blame colleges

[whereiswaldo]

How about a graduate who can tell me the difference between a development environment and a production environment?

Also:

- the importance of taking the time to do something right the first time as much as possible, instead of always the tiresome updates and tweaks.

- what version control software is and how it is essential to team development (hell, you'd be surprised how many senior programmers don't know about it or use it).

- how to take ownership of a task and see it through, not blaming someone else.

- how to keep busy when the current task is blocked. Find another task, stay busy.

- how to use your own head, and not ask questions about every single thing. If I have to give guidance on what colour your label should be, I might as well do the task myself.

- common design patterns and practical applications of them.

- performance optimization techniques, and why developing everything on a quad Xeon with gigabit ethernet is not always a good idea.

- how calling in sick every week is not acceptable in the real world (not at most places, anyway).

- how good organization techniques can save you a lot of time and keep you on target.

- error handling code should be hilighted more. Books always seem to omit error handling, and that's what students learn from. That leads to really buggy code.

Re:I blame colleges

[Ichijo]

The goal of college, in the context of our current society, is to prepare students to get a job - if employers aren't demanding it, then people aren't going to expect it to be part of a college curriculum.

I see this as a chicken-and-egg problem. Employers don't understand the importance of secure programming because it isn't taught in college. The only other way to learn is by experience, but that's the hard way.

There's really no excuse for teaching poor programming skills (or not teaching good programming skills) in a degree track that requires programming.

Re:I blame colleges

[mse61]

Speaking as a current CS student at a "major" university in the Midwest, I can honestly say that there is a HUGE lack of good programming practices taught. From the beginning you are taught to write code that is potentially buggy at best. I believe that it stems from the fact that a majority of people who are entering CS programs had little interaction with coding before their studies begin. It takes nearly 3 semesters of studies before the student is capable of writing correct, basic C++ code. By that time in their 4 year program they should be preparing to start, if they choose, their Junior co-op. They are for the most part still un-baptisied in the ways of algorithims and data structures and more advanced topics such as networks and operating systems. Within the next 4-5 semesters there is little time for them to learn how to write secure code, because of all the other nessary skills they need to learn before graduation so they are even marketable. It has been my experience that writing secure code is pushed aside, in the pursuit of getting the students in-and-out with the basic skills they need to get a low-level job. In some ways this is a copout because the case could be made that a student shouldn't have to learn what a business doesn't use in order to be marketable. However it should be the coders job to catch the security breaches, because after all it is their code. If the coder doen't know to watch out for a buffer overflow or other potential security breaches, because they never learned about it in their standard studies, then it becomes a problem. But that's just my take on it...

Re:I blame colleges

I agree with your point. As a student currently BSing his way through a degree at a major university, I can say that the university couldn't care less about how well I know anything. They are looking to churn students out as fast as possible, so that they can get a steady stream of incoming students (and thus a steady stream of incoming cash). To think that I could be competent in my field at the time I graduate, simply from coursework, is foolish. That's why I'm getting involved in as much as I can outside of school, while I'm still living in the 'safe haven' of college life. I need some practical skills before I get booted out the door 2 years from now.

Re:I blame colleges

[sigwinch]

These degrees are handed out like toilet paper these days.

Dude, that wasn't a university you spent four years in, it was a men's room. Oh, and that "Dean's Honor Roll" wasn't an award.

Re:I blame colleges

[Billly+Gates]

Does the industry want CS graduates who can only write hello world programs to be programmers?

Maybe that may be a slight exaguaration. But they learn mathmatics and physics, english, history or other humanities, and maybe 2 or 3 courses with real programming while the rest is theory and calculus.

The industry response was well lets look at India. These students there only focus on programming and not going to school and work for a 1/4th of the price!

Re:I blame colleges

[siddhartha03]

Why is the goal of college to prepare students for job? That sounds more like a trade school. College should be for the pursuit of academics.

Re:I blame colleges

The fact is that you shouldn't be hiring Computer Science graduates for an Engineering job.

In an ideal world, Computer Science would be a small department next to Math. All the wannabe corporate programmers would be graduating from a Software Engineering dept where they are introduced to real world development problems (including security), solution patterns, and a dose of project management.

It's the exact same reason that there's a difference between Physics and Mechanical/Civil Engineering. You don't hire some half-wit clone of Einstein to build a bridge.

Re:I blame colleges

[WhaDaYaKnow]

Let's teach future American programmers proper security before they graduate and start writing professional software.

Hmmm. You mean that:
Problem
Integer overflows can lead to allocating too little memory, which can often result in an exploitable buffer overflow.

Solution
Before each memory allocation, be sure to check the size you're allocating, to make sure it really is big enough to do what you need.

Should make you respond with 'Well, DUH!', before you get on the job?

I've no idea what 'to be' programmers study, but if this is news to them, than, YES, that's scarry...

Re:I blame colleges

[viega]

The solution may be obvious once you understand the problem, but the problem itself is incredibly non-obvious to most people who just go about allocating memory happily without ever thinking too deeply about the implications. Most developers are far more worried about getting the feature of the day working to "waste" a lot of cognitive effort on such things.

Re:I blame colleges

The way things should be and the way they really are usually two quite different things.

Re:I blame colleges

[BigBadBri]

It depends on how the wider society views universities.

If there is a will for enough people to be educated, and there aren't the trade schools, then unis will have to take up the slack.

If you want purity, then you'll have to change the whole idea of universities, and radically alter the sort of courses they're offering.

Re:I blame colleges

[master_p]

Why does anybody need to blame colleges for not doing some trivial things, like checking the input length if it can be doubled ? It's plain common sense. The reason for not doing this is programming lazyness, not a problem of education or of the programming languages.

Trivial checks are:

1) checking a pointer for being NULL
2) checking lengths against array bounds
3) checking for overflows
4) checking for input variable aliases
5) checking for validity of returned values
6) checking error codes

Generally, all the above come down to checking if the input parameters/result values are valid. It's only laziness that prevents from doing so.

Another problem is that project managers don't allocate time for proper black box and unit testing. In these kind of tests, every method/function should be checked against erroneous input, input close to the limits of each data type etc. But these tests mean allocating a person to do them, and these are usually ignored.

It's not colleges though.

P.S. I don't believe in "secure" languages like ADA, because they prevent experienced developers to do aggressive algorithmic optimizations (beyond those that the compiler can do). C/C++ is fine, as long as the above checks are performed.

Re:I blame colleges

[andreas]

So, you don't believe in secure languages, eh?

I fail to see how Ada would prevent algorithmic optimizations. Your claim is outright ridiculous. Maybe you can come up with an example?

And I think that doing tedious bookkeeping is something the computer should do for me. In case you haven't noticed, your average PC is between 10 to 100 times faster than needed for most applications, such as web and mail servers, file servers etc. But building a secure computer seems to be too hard for most people.

Point in fact: history has shown that all programmers, even the best ones, make mistakes. With C/C++, you end up with maximum penalty: remotely exploitable overflow.

Sure, even Ada-controlled rockets blow up. That's because it is hard enough to cope with the real problems. Being forced to think about buffer bounds, memory management etc. all of the time just distracts from the real problems.

Worse, you're not getting any benefit in return!

Re:I blame colleges

[Pedersen]

So, you don't believe in secure languages, eh?

I do! In fact, I'm one of the few people who actually likes Ada (I just hate the compile times). However, I also like to have my code work on multiple platforms, and have a GUI, and have better responsiveness than Java 1. So, until someone can show me two things, I'm sticking with C++. What two things?

1. An ada compiler which works identically on Windows (95, 98, 2K, XP, etc), MacOS X, and Linux. And I'm not sure gnat is there yet.
2. A GUI toolkit as comprehensive and useful as wxWindows for Ada

Please, show me that. I'll switch to Ada in a heartbeat for everything. Without those two items, though, I'm not budging. Especially since I know that Ada has gone OOP for a long time now.

1Yeah, yeah, I know that Java speed has gotten better for the GUI's. Sorry, but my little 1.3Ghz Athlon with 1G of ram still runs Java apps like a dog. And yes, I mean applications, not applets, and that's with Sun's JRE 1.4 on Linux with kernel rev 2.4. So go away unless you're going to tell me how to make these programs work at a good speed.

Re:I blame colleges

[master_p]

I fail to see how Ada would prevent algorithmic optimizations. Your claim is outright ridiculous. Maybe you can come up with an example?

Sure. For example, you have an OpenGL loop that iterates in an array of visible objects to draw every one 60th of a second. The objects amount to some thousand (because of the requirements). Why should the compiler check the boundaries on every array access ? it should not. It would be much faster to allow me to have a pointer to each entry of the array, and then increase the pointers.

One would say that if iterators were used, the compiler would figure out that the iteration is from first to last object, so it would remove the bounds check. And I would say that is is not possible, since iterators are not first class objects in any language. And it would prevent from using more than one iterator at the same time.

And I think that doing tedious bookkeeping is something the computer should do for me

Whatever bookkeeping the computer does, the error must be handled by the programmer. There is no difference in accessing a null pointer in C++ and in Java, except that in Java it will be detected faster, whereas in C++ it may go unnoticed for a couple of runs. And there is always the logical errors that the compiler can not detect. For example, if a function accepts two parameters A and B and the precondition is A less than B, this is not caught by any compiler: the programmer explicitely must check that A less than B.

With C/C++, you end up with maximum penalty: remotely exploitable overflow

I've never had such an incident in my code, because I always check the bounds of my memory. But only when needed!!! the compiler does not enforce me to use bounds checking every time. And there are classes that automatically do bounds checking, so I am happy with C++, because I have maximum amount of choices: I can use whatever way I want, bounds checked or not, according to the requirements!!!

Being forced to think about buffer bounds, memory management etc. all of the time just distracts from the real problems

This is because the phase of software design was ommitted!!! the 'real problems' that you mention, i.e. algorithmical problems that are not buffer bounds, memory management etc are solved at the design level. At the implementation level, you have many details to cope with, but not the actual algorithm.

Worse, you're not getting any benefit in return!

You get the flexibility of using checks only when needed. I don't understand your attitude: do you support the 'more choices are better' attitute or not ? If you don't, then you shouldn't support Linux. If you do, then what's wrong with being flexible enough to use checks only when needed ?

And the argument that "computers are fast enough today so as that everything could be checked on run-time" is not correct. There are many operations still left that optimization plays an important role.

Re:I blame colleges

Thank god, I am doing all those things.

But then; I am a University Computer Science dropout. The main reason for stopping my study was the lack of practical information.

I mean, what use are proving algorithms when you don't know sh*t about basic code maintainance? Maybe college would be slightly better, but what I've seen it's mostly just more easy going.

PS. This is the situation in the netherlands, dunno about US practices.

Re:I blame colleges

[espo812]

I see this as a chicken-and-egg problem. Employers don't understand the importance of secure programming because it isn't taught in college.

Oh please, employers don't need to take queues from colleges - they can figure out what is needed and what isn't very efficiently: look at sales. If security was worth wasting time over, they would be doing it now.

Employers don't understand the importance of secure programming because users don't care that products don't work properly and it is more difficult to code something well (secure or not) than it is to code something that mostly works.

I know users that get blue screens of death all the time. They ask why and I tell them poor programming. All they say is "oh." They don't say "Really? Maybe we should find a better product to replace this one." Never once have I heard this reasponse. Users just reboot and go on because they don't care/know any better.

Re:I blame colleges

[EastCoastSurfer]

What they teach in University seems to have such limited applicability in the real world as to be almost useless.

The problem is not what the university teaches, but rather who is doing the learning. I didn't go to college to learn a programming language, I can read books for that. I went to school to learn about computer science.

I understand your frustration with hiring fresh college graduates though. So many people went into CS because of the dotcom boom who really didn't have a love of technology. When I graduated(12/99) there was roughly a 50/50 split between people who just went and got a degree and people who lived technology and would be good at it.

Now that I'm back getting my MS(I would like to one day bring a "real world" experience class into my school) it frustrates me in class to see so many people who are just there for the degree. They don't really care about learning anything more than what is required. Seeing the local talent does keep me confident that I shouldn't have trouble finding a new job if the one I have ever goes belly up though :)

Re:I blame colleges

[andreas]

Sure. For example, you have an OpenGL loop that iterates in an array of visible objects to draw every one 60th of a second. The objects amount to some thousand (because of the requirements). Why should the compiler check the boundaries on every array access ? it should not. It would be much faster to allow me to have a pointer to each entry of the array, and then increase the pointers.

Well, according to measurements we have done, the bounds checking overhead is less than 0.1%. But in the case described by you, the compiler can do even better.

First of all, usage of pointer arithmetics instead of array subscripts in an iteration over a container doesn't buy you anything with modern compilers anymore. They do strength reduction, turning the multiplication of address calculation into an addition.

Next, the compiler can infer that for an iteration over your array your subscript will always be in range, by doing constraint propagation and loop invariant code motion. What you assume about compilers just isn't true anymore.

One would say that if iterators were used, the compiler would figure out that the iteration is from first to last object, so it would remove the bounds check. And I would say that is is not possible, since iterators are not first class objects in any language. And it would prevent from using more than one iterator at the same time.

Of course I cam talking about languages with first class iterators, and compilers smart enough to figure out this stuff. And of course you can have multiple iterators at the same time.

I've never had such an incident in my code, because I always check the bounds of my memory.

Well, I guess you never use other people's libraries then, but only stuff written by yourself. The point is: I have yet to see a programmer who consistently produces overflow-free code. DJB almost does, but his software has almost no features as a cause. Bounds checking is much too important to leave it to the programmer. In fact, *my* requirement would be to have everything bounds checked, unless proven safe not to by the compiler.

the 'real problems' that you mention, i.e. algorithmical problems that are not buffer bounds, memory management etc are solved at the design level.

Right, and I'd rather spend 100% of my scarce time on design issues, instead of implementation issues. A good programming language is almost invisible on the implementation level, and allows you to focus on design issues.

You get the flexibility of using checks only when needed.

No, I get the "flexibility" of omitting checks even though they are needed.

I don't understand your attitude: do you support the 'more choices are better' attitute or not?

If "more choices" means giving every moron who's barely able to write "Hello, World" the opportunity to screw the security of my system, the answer is a resounding "NO! RUN AWAY SCREAMING!". Sorry, the track record of existing programmers, as reflected by the Marine-Corps-Attitude "My code is buffer-overflow-free, because I am tougher than the weenies out there" is just too bad.

If you don't, then you shouldn't support Linux.

Well, the only reason I support Linux is that it comes with source, as opposed to that OS from Redmond. Technically, Linux is as bad as the language it is written in, and I'd rather get rid of it fast.

And the argument that "computers are fast enough today so as that everything could be checked on run-time" is not correct.

Oh yeah? Did you do research on the overhead of run-time-checks? Or on modern compiler technology for optimizations? I did, and let me tell you that for the monetary equivalent of the performance difference you don't even get an hour of a good programmer's time.

Re:I blame colleges

[linuxelf]

What are you talking about? There aren't any "Future American Programmers." They're all in India now, didn't you hear?

Re:I blame colleges

I went to college and, from what I've heard, it is way more practical than university. It was a valuable experience for me.

Re:I blame colleges

[pclminion]

You hit the nail on the head -- sorta.

The problem as I see it, is that too many people are studying Computer Science and then going out and programming for a living. These two things just don't mix. Computer Science isn't about programming, it's more about mathematics and algorithmic thinking. A computer science program doesn't teach software engineering -- as well it shouldn't.

The problem is there is no standardized Software Engineering curriculum anywhere. Programmers shouldn't be studying computer science, they should be studying engineering.

So yes, they should be teaching security concepts to programmers. But don't expect this to happen in computer science. CS shouldn't be coopted into some kind of engineering discipline, because that's not what it is. What we need are true Software Engineering schools.

Re:I blame colleges

[Nevyn]

Well, according to measurements we have done, the bounds checking overhead is less than 0.1%. But in the case described by you, the compiler can do even better.

You mean on Dylan, I find that hard to believe. What kind of workload was that?

Anyway that requires rewritting your application in a language that very few people have ever written anything in. The stats I've seen for adding bounds checking into C affect the performance by about 100x (10-15%) IIRC. Hell the performance of doing stack guard/pro-police like checks were in the 1-2% region.

As for the compiler is magic nowadays, well maybe your compiler ... but the ones I've used, for C, still have a long way to go just doing constant propagaion/cse/etc. to get inlining to be as good as a programer could.

In some analysis I've done on C String APIs you can get very close to "raw" C with good/secure dynamic string APIs ... and even better than the obvious approach in some cases. And I think it'll be somewhat easier to get C programers to learn a C API and take a very small performance hit in some cases than it will to get them all to write everything in dylan, or Java or python, etc.

Re:I blame colleges

[andreas]

It was a sieve of Erathostenes implementation that we did for several languages. Results are here.

The thing with new string libraries is that there's a lot of code out there that doesn't use them and which you need to use to get productive in C, and that there's not only strings, but also a lot of other kinds of arrays, vectors and buffers that need to be checked. Even if your own code is fine, a lot of third party code isn't, and will never be. And CPAN shows that it is entirely possible to implement a wide and useful range of libraries for a language different than C.

Re:I blame colleges

[Nevyn]

It was a sieve of Erathostenes implementation that we did for several languages. Results are here.

Ok, so I downloaded the code from cvs (it's in the examples directory for anyone else). This doesn't look even remotely like a valid test for C vs. Dylan (hell the linked to article even has "Rigged Benchmarks" as it's title).

The first thing that's needed is a test with some function calls and passed pointers, which is more like real life ... and at which point the bounds checking code will have to do less well.

Also it looks like the benchmark is blowing the cache on most CPUs.

But even with the rigged benchmark C is still 11% faster than Dylan with bounds checking (the fact that Dylan without bounds checking is still 10% slower than C doesn't mean that it costs only 1% or .4% (which is the percentage difference between the two Dylan results) for bounds checking.

The thing with new string libraries is that there's a lot of code out there that doesn't use them and which you need to use to get productive in C, and that there's not only strings, but also a lot of other kinds of arrays, vectors and buffers that need to be checked. Even if your own code is fine, a lot of third party code isn't, and will never be.

Sure even if you use a string library, the bits that aren't using a string library are still vulnerable ... Duh. Although I'd argue that vectors/arrays are generally easier to deal with (often are either easily limited or use something else like a linked list instead), and "buffers" is just another name for string.

However you seem to be implying that changing the string using parts of your app. to a string library is somehow harder than re-writting your application in a completely new language. Sorry, I don't believe it.

And CPAN shows that it is entirely possible to implement a wide and useful range of libraries for a language different than C.

And significant parts of CPAN are perl interfaces to C shared libraries.

Re:I blame colleges

[GMontag]

Why do you sound just like me?

Stupid /. lameness filter wants more characters. Whenever I type the approximate amount of characters as seen above, I get a random, non-informative, message amounting to "Slash ain't posting that", so I have to add crap like this to the end of short posts.

the first rule of secure programming club is

use a language that was specifically designed with security in mind
like say, Ada

oh yeah, let the negative moderation begin
because programmer can't stand being held by the hand
too big ego

Re:the first rule of secure programming club is

[Malcontent]

really why not?

Why is C or C++ some sort of a sacred cow. MS is throwing C away and going with C# why isn't the rest of the world throwing C away and going with Java or Python, or Eiffel or Lisp or whatever.

Write in python and then rewrite the critical sections in C if you must. You'll still be more productive in the long run.

Re:the first rule of secure programming club is

The rest of the world is.

Except for the Linux part, who still has a sentimental attachment to C, because that's all they had a short few years ago.

Re:the first rule of secure programming club is

[WasterDave]

Microsoft are not throwing C away. Get a grip. They are, however, marginalising it ... which is fine. Thrown away is VB. And that pseudo-Java abomination. Good riddance to them both.

Dave

Re:the first rule of secure programming club is

As far as I know, the point of the Microsoft Common Language Runtime is to replace everything by a pseud-Java abomination. And you can write code for it in different syntaxes! Never mind that the semantics are the same regardless of the syntax.

Re:the first rule of secure programming club is

[the+uNF+cola]

'cause. C is a simpler language to write a compiler for. :)

We already HAVE the different language.

[rjh]

It's called LISP.

(And before anyone says "... but you can't write a kernel in LISP!", there are several LISP Machines out there which beg to disagree with you.)

Re:We already HAVE the different language.

[dmiller]

It's called LISP.
(And before anyone says "... but you can't write a kernel in LISP!", there are several LISP Machines out there which beg to disagree with you.)

Yes, very true. "Several" is an excellent estimate of the number of LISP machines sold.

Re:We already HAVE the different language.

[the_2nd_coming]

yeah...and you aren't kidding, there are only several.

you do realise that the reason LISP is not used to program kernels in is because creating a machine that can operate LISP in a opimised and timely fassion is frigen expensive as hell as it is not even remotly related to the curent structure of computer achitecture.

Re:We already HAVE the different language.

I agree that they didn't sell that many Lisp machines (maybe a few tens of thousands?). But you are mistaken in your comment about architecture: the Lisp machines only ever had half a dozen instructions that made them different from mainstream CPUs. In fact one of the many reasons for the demise of Lisp machines was that Lisp compilers of mainstream architectures got good enough that they could compete with the Lisp-optimized machines. In principle there's no reason you couldn't run a Lisp kernel on a modern machine -- it's just that there would be no point when 99.9999% of available software is written in non-lisp languages.

Re:We already HAVE the different language.

[Raffaello]

This is just silly - existing commercial lisps compile to machine code, same as c, or fortran, or ada, etc. Current lisp implementations run on stock hardware, on all the major platforms - Windows (XP,ME, NT, 9x, Dos), Linux (ix86, sparc, ppc), Mac OS X (and Classic), and various Unices.

OS kernels are not written in lisp because Unix was written in C, so everyone mistakenly believed that C was *the* language for OS kernel implementation. However, this is simply not so. Any language compiler that can generate machine code can be used to write an OS kernel.

Re:We already HAVE the different language.

[MalleusEBHC]

(And before anyone says "... but you can't write a kernel in LISP!", there are several LISP Machines out there which beg to disagree with you.)

Who needs to write just a kernel in LISP when there is emacs, a complete OS written in LISP?

Re:We already HAVE the different language.

[andreas]

In fact, GNU Emacs is a weak clone of the Lisp Machine operating system. You might have meant that as a joke, but it isn't.

Re:We already HAVE the different language.

[GnuVince]

I wish I had mod points for you, Lisp is a great language for any task thanks to its great macro system.

Re:We already HAVE the different language.

[the_2nd_coming]

I never said that LISP could not make a kernel, Just that it would not run as well.

besides that, functional programming does not mesh well with the way a PC is set up. you can do things in C a lot faster and easier that you would have a bit More trouble writing in LISP.

besides, why would you want to write a kernel in a language developed to make it easy to process strings? Kernels process numbers a lot more than strings, though I guess memory addresses could be used as strings as well as other things like hard disk sectors and crap, but it is more work that is necessary.

then lets not forget, learning LISP is like learning Japanese when you were raised in the west.

Functional languages are nice, and may one day become the standard over imperative languages, but right now, we do not have the systems that can run them better than you can run an imperative program that does the same job.

Re:We already HAVE the different language.

[andreas]

I never said that LISP could not make a kernel, Just that it would not run as well. [...]you can do things in C a lot faster and easier that you would have a bit More trouble writing in LISP.

And that wouldn't be true. There's no reason, zero, zilch, nada, none, a Lisp kernel would do worse than a C kernel. It wouldn't be slower, and it would in fact be easier and faster to write code for such a system. It would even run more stable, since it would almost always give you a stack trace with a stable system afterwards, where Linux gives you a kernel oops and a reboot.

besides, why would you want to write a kernel in a language developed to make it easy to process strings?

You seem to have severe misconceptions about Lisp. It was designed to give you powerful abstractions, and make everything easier. It does happen to make string processing easier and more secure than in C, but that's just a side effect of vastly more powerful abstraction capabilities. It's the same capabilities that make operating systems easier to write, by allowing you to find powerful abstractions for addresses, disk blocks etc.

Just to give a example: on the Lisp machine, there were special data types for virtual addresses and physical addresses, with hardware type checking. Try to access physical memory with a virtual pointer, and you get an exception instead of a crash. The system enforces proper semantics here, and detects violations.

then lets not forget, learning LISP is like learning Japanese when you were raised in the west.

Well, languages like Python, Ruby and perl are closer to Lisp than you might imagine in a lot of aspects. If you mind the syntax, take a look at Dylan: it is basically Lisp with an Algol-like syntax, much more convenient to the average programmer, without sacrificing the power.

Re:We already HAVE the different language.

That's because they were so expensive, not because they weren't good machines. The Symbolics Lisp enviornment was a masterpiece.

Re:We already HAVE the different language.

[the_2nd_coming]

from what I have learned about LISP, it was developed to do natuarl language proccessing since at the time, FORTRAN was so horrable at doing that.

common LISP is a bit of a diffrent story as they added a lot to that language to make it a bit more useful for other things.

speaking of Python, I would like to see some one impliment a compiled Python, it is such a good language :-)

Re:We already HAVE the different language.

[andreas]

In fact, the application that McCarty thought about when designing Lisp was symbolic derivation. But Lisp always was a universal language.

Re:We already HAVE the different language.

[Bombcar]

But of course you can write a kernel in LISP. After all, there is an entire operating system!
:)

Re:Speed issues aside

[the_2nd_coming]

did anyone actualy ever use algol? when you look at it, Algol was just a development lab for features of modern programming.

Re:Speed issues aside

[quantum+bit]

No buffer overflows

Without throwing an exception and crashing the program.

No dereferencing of null pointers

Without crashing the program (java.lang.NullPointerException).

No object creation failures (all "new"s succeed)

Without crashing the program -- usually as spectacuarly as a C program since an out-of-memory condition will make Bad Things happen with the VM or JIT as well.

Sounds like a great candidate for writing an OS kernel in. Microsoft are you listening?

Schneier's book considered harmful, or passe

Viega's site disses Schneier's book, which everyone else seems to regard as gospel. What's up with that? I like a juicy feud as much as the next guy.

Re:Schneier's book considered harmful, or passe

[An+Onerous+Coward]

In "Secrets and Lies," Schneider admitted that back when he wrote AP, he had too high of hopes for secure systems, and that his enthusiasm rubbed off on too many. Now people seem to think that you can just sprinkle an application with "encryption," and make it ironclad.

Now his attitude is closer to "no system can ever be made secure, and that goes quadruple for systems which rely on the security practices of users." So Schneider himself isn't totally happy with AP.

Re:Schneier's book considered harmful, or passe

Schneier is not as smart as you think he is.

Enhance Linux Operating System with BOSS

[Dark+Coder]

IEEE Standards Associate, IEEE Information Assurance, IEEE Computer Society and IEEE Baseline Operating System Specification Working Group (BOSSWG) has initiated a call for definitions of a new operating systems intended to securely control nearly all aspect of the operating system (including root).

Kinda sounds like Common Criteria, doesn't it; hopefully better.

Re:Enhance Linux Operating System with BOSS

Kinda sounds like Common Criteria, doesn't it; hopefully better.

You do realize that BOSS is a (proposed) protection profile for use with the Common Criteria, don't you? It actually says this right at the beginning of the draft document.

Chapter 1

[Troll_Kamikaze]

The Secure Programming Cookbook for C and C++, Chapter 1: Find an Alternative to C and C++.

Seriously!

Re:Chapter 1

[viega]

If only it were that easy! Most of the stuff in the book applies to any language under the sun, but the examples are in C. If the book were just about protecting against buffer overflows, then it would have been 50 pages instead of 800. There's a ton of hands-on material on how to use cryptography correctly in an application. It's still amazing to me that about 90% of the time I see SSL/TLS integrated into an application, it's used in ways that are grossly insecure (e.g., a man-in-the-middle attack is easy). Also, we cover things like how to prevent common input validation problems that happen in any language (e.g., SQL injection).

Re:Chapter 1

[Brandybuck]

You're absolutely correct! Buffer overflows are the only kind of security hole there is. No one has ever found a security defect in Java, C#, Python or Haskell!

Re:Chapter 1

[__past__]

With C, you still have all the bugs you would have in a program written in a safer language, plus buffer overflows and format-string errors. Nobody said that all programs written in a language with, say, bounds-checking would automatically be completly safe (well, probably someone has, but still...), but removing one common source of bugs without introducing new ones simply is a good idea.

Re:Chapter 1

[Brandybuck]

You completely missed the point. Programmers cause security defects, not programming languages. Marketing a language as something "you can't make an error in" is a very dangerous attitude. Yet everytime C, C++ or security is brought up, hordes of slashdorks crawl out of the woodwork hyping their favorite language you can't write errors with.

Re:Speed issues aside

[endx7]

That is the most ridiculous argument ever. It is tantamount to embracing only the most basic building blocks of anything and claiming that any automation or pre-made combination of those blocks as wrong.

I was partially joking. But really, more complex blocks are more likely to be flawed, and this seems especially true when it comes to computers. And the worse part is, you'll never be able to throw away the basic building blocks anyway. After all, what do you think compilers will always end up generating? Machine Code!

By hiding the details behind a curtain, I think it is more likely problems will just get ignored, because "oh, the language is so secure". I would like to avoid that.

Re:Speed issues aside

[An+Onerous+Coward]

Lesson #2: No matter how obvious it is that you're trying to be funny, someone will mistake your comment for totally serious and sincere (or, in this case, totally sincere in sarcasm). Which leads to...

Lesson #3: Don't try and be funny. You'll just end up having to explain it, and--as the Heisenberg Principle attests--an explained joke ceases to be funny.

Seeing how the parent didn't specify which security issues were fixed by switching from C/C++ to Java, and the website is devoted to "secure programming" without regard for language, the parent gives the impression that switching to Java automatically renders an application completely secure.

Despite Java's safer memory usage, an application is still open to a wide variety of attacks. Such grandiose security claims about managed languages are worthless (except for the schmucks trying to get a contract to rewrite a critical application in Java or C#).

See? See how not-funny you made me?

Re:Speed issues aside

[RetroGeek]

Without throwing an exception and crashing the program.

Which makes it unavailable for hacking. No program, no access.

Yes, a DoS will occur, but your site is safe.

Besides, a properly written Java app WILL have a try/catch block at some basic level to do a last ditch effort to intercept (and deal with) a normally fatal exception.

Not just speed

[Sparks23]

It's more than just speed issues. Interpreted languages have better runtime checking and thus can avoid things like buffer overruns, yes. That's great for a lot of things, don't get me wrong. For backend programs, Java is an absolutely brilliant language, as it encourages some much better object-oriented design philosophies. Even Objective C handles some runtime checking far better than C or C++, though as it is a set of extensions to C it suffers from the same weaknesses in C code.

But what is the JVM written in? I guarantee you it isn't Java. :) Last I checked, the original Java Virtual Machine was written in C...after all, you can't run Java bytecode without something to interpret it. Similarly, I bet you most Just-in-Time Java compiler/interpreters are also written in C or C++. Even the programs which take Java code and turn it into a binary executable likely are linking it against a library which was written in C or C++.

Similarly, at my old job, I had to write low-level drivers for PCI hardware we were developing. Did I get to write these drivers in Java or C#? Of course not... you can't write low-level hardware calls such as Windows VXD files in an interpreted language; it'd really kill the performance of a system.

Just for a moment try to imagine someone writing, say, a new video driver for the Linux kernel in Python, or rewriting XFree86 in Java.

Ow. :)

Moreover, while Java makes it a great deal harder to, say, create a remote root exploit through a buffer overrun, it does not automatically fix problems of, say, cryptographic strength. Creating an encryption algorithm for some vital data which can be easily broken is as much a security hole and a flaw as a buffer overrun.

So while you're correct in some places -- Java and Python and C# and other interpreted languages that can do more stringent runtime checking of things really /do/ solve some problems which traditional lower-level languages are more vulnerable too -- modern interpreted are not a panacea for all programming ills. They aren't suitable for all types of programming, and even for the ones they are well-suited for, they don't automatically solve all security issues.

In general, the lower-level the language, the more easily you can mess it up; ASM is even easier to fry things in than C or C++. It becomes a tradeoff, with the lower-level languages giving you progressively greater efficiency and the ability to access things 'down on the metal', with higher level languages -- while slower and more abstracted -- able to shield you from more mistakes, and more portable between situations.

Each has their place. I wouldn't want to write a web-client that ran database queries in ASM, but Java works great. Conversely, I wouldn't want to write a driver for an AGP graphics card in Python, but ASM or C works pretty well right there. ;)

Re:Not just speed

So because the JVM is written in C then that makes your java code more vulnerable to exploits, because you are trusting the implementors of the JVM to have got it correct? By that logic you shouldn't be using a computer because you are trusting the manufacturer that implemented the computer hardware properly which runs an OS which runs the JVM which runs your java code (simply). Eventually your code no matter what it does has to trust someone elses implementation of something at some point in time of its execution.

Re:Not just speed

Avoiding buffer overruns isn't really about being compiled or interpreted. In any language that doesn't have C-style pointers it's relatively easy to write a compiler that provides automatic array checking with very little performance deterioration. (Strength reduction optimization makes it possible to move most array bounds checks out of loops.) The issue really is whether the language definition makes such a checking compiler easy, or a heroic undertaking. In the case of C and C++, a compiler that produces array-checking code is a heroic undertaking, and even then you have problems with libraries. Of course right now most libraries are written in C or C++ so you would have problems with buffer overruns in libraries regardless of the application language.

Re:Not just speed

Afaik, the Jikes RVM is written in Java.

Re: Not just speed

[Dodge+This]

Yes I agree that each language has its place. However I believe that C/C++ should have the biggest place in the IT environment. Aside from the fact that it's fast, there aren't too many languages that can match the flexibility of C/C++. I've found myself banging my head on the desk when I've used VB and (to a lesser extent) Delphi for certain projects.

My main point however is that I already believe that programmers in general are either too lazy or not competent enough to wright good code. If people come to rely on having all their code/bounds checking done by a compiler then the situation will become worse. The world will depend on a handful of elite programmers who are *still* able to write the compilers. What if an exploit is found in the compiler's compiled code???

Re: Not just speed

[Dodge+This]

okay, okay just ready what i'd put and before anyone else corrects me *I made a grammar mistake on the first sentence of the second paragraph*

Re: Not just speed

"... to wright good code"

That's not a grammatical error, it's a spelling mistake. "okay just ready what i'd put" contains a spelling mistake too.

Re:Not just speed

[varjag]

Interpreted languages have better runtime checking and thus can avoid things like buffer overruns, yes.

*SLAP*

There's no such thing as 'interpreted' or (compiled for that matter) language: particular language implementations are.

There are C interpreters and Java compilers around (check out GCJ, which compiles to native code).

And of course, any Turing-complete language interpreter/compiler can be written in any other Turing-complete language, so no, one don't have to implement compilers in C.

Re: Not just speed

[BigBadBri]

Not really - 'to wright good code' makes sense, in the original sense of 'wright', which is akin to 'craft'.

I thought it was a serendipitous and instructive typo.

Re:Not just speed

[Sparks23]

Very true, but the most common implementations of the Java, C#, Python, etc. languages are interpreted. Your average Java developer is, at least in my experience, not using GCJ.

Perhaps I misunderstood the original post which I was replying to, but the poster seemed to be making the point that Java and C# -- being interpreted -- fixed all security problems. I concede that an interpreted language fixes some problems because the nature of interpreted code makes it possible to catch some things at runtime (a benefit you lose to some extent when you use tools like GCJ), but I dispute that it fixes all security holes, or that Java and C# are suitable languages for all situations.

I stand by my statement that I would not want to write a low level VXD device driver in Java. (I'd prefer not to write one in C, either, but that's due to a general dislike of the Windows driver system, and neither here nor there.) :)

Re:Not just speed

[varjag]

I concede that an interpreted language ..

There are no interpreted languages :)

fixes some problems because the nature of interpreted code makes it possible to catch some things at runtime (a benefit you lose to some extent when you use tools like GCJ)

Bounds checks are a function of language's type system, and are completely orthogonal to whether a particular implementation is compiled or interpreted.

And no, you don't lose that benifit to any extent with GCJ.

I stand by my statement that I would not want to write a low level VXD device driver in Java.

In this domain other considerations become significant (e.g. the absence of real-time garbage collector in modern Java implementations, code footprint size, compiler optimisation quality, inherently C-oriented Windows API, etc.). This, however, says nothing about the language per se.

Re:Not just speed

[Sparks23]

I think this is perhaps a difference in terminology; I apologize for the confusion. :)

You're using language in the strictly correct sense. I.e., a language is solely the parser/lexer definition, and what's done with it afterwards is the rest of the compiler implementation. I.e., GCJ, javac, guavac and others are all 'Java', despite differing backend implementations.

I'm using language incorrectly, but largely out of habit trying to deal with folks who are not engineer-oriented. (After about the fourty-seventh time you've tried to explain the difference between 'language', 'compiler' and 'interpreter', you sort of give up.) And let's be honest, there are some languages -- such as Perl and, to be honest, Java -- where the most commonly-used implementations /are/ interpreted.

To rephrase in an attempt to bring this back on track...

The original poster I replied to made the claim that no one should use older languages, and that everyone should use Java and C# because they solved all problems.

My reply was intended to state that interpreted bytecode systems such as Sun's JVM implementation, the Perl interpreter most widely used, the Python interpreter, and others have some security benefits -- as the original poster I responded to claimed -- but that they do not solve all problems. The interpreted nature of the bytecode used by these interpreters allows the interpreter, while translating the bytecode, to perform at-runtime checks which are harder -- but not impossible -- to do in precompiled code, but it is not a magical solution to every problem. Java will not, for instance, analyze a encryption routine for you and determine if it's cryptographically secure.

Similarly, I would claim that interpreted systems -- such as Sun's JVM, the Python VM, the Perl interpreter and so on -- are not ideal for all applications, because an interpreted system is inefficient. Indeed, some of the inefficiency is caused by the same 'guard against security' which the first poster so lauded.

So, the original poster's apparent point was: Java and C# catch all your errors for you and solve all security problems, everyone should just use those.

My point in reply was: interpreted systems can do runtime error-checking for you in an effective way, but there are downsides.

Hopefully that makes the point I was originally trying to get across clearer, without muddying it in terminology.

(And for the record...if you want to nitpick that javac's a compiler that just happens to target a bytecode, I'm going to assume you only want to argue terminology rather than my actual, original point, and will not play. Yes, javac is a compiler that targets a bytecode. The bytecode is then interpreted by a VM, so I call the javac/JVM combination an interpreted system, dammit.) :)

Re:Not just speed

[varjag]

The original poster I replied to made the claim that no one should use older languages, and that everyone should use Java and C# because they solved all problems.

Well, that was of course an overstatement. However, while not all security issues can be addressed at language level, typesafe languages definitely eliminate a very broad class of security flaws (buffer overruns) that plagues modern applications. I think it is safe to say that 70-80% of vulnerabilites found in modern software relate to bad old buffer overflows, and the root cause for them is, indeed, the widespread use of C and C++. Such defects are often found in high-profile projects written by competent developers, so this clearly suggests that we have a problem with tools and not humans here. Hence, while existing Java and C# implementations may not be the best tools for writing sofware with, C/C++ definitely aren't any better.

The interpreted nature of the bytecode used by these interpreters allows the interpreter, while translating the bytecode, to perform at-runtime checks which are harder -- but not impossible -- to do in precompiled code, but it is not a magical solution to every problem.

Here I should note that proper type inference in compilers allows to mostly eliminate run-time type checking.

But yes, there's no silver bullet.

The bytecode is then interpreted by a VM, so I call the javac/JVM combination an interpreted system, dammit.

Well, on my Pentium, machine code instructions are interpreted by CPU microcode, so I guess all depends on your point of view :)

Re:Not just speed

[andreas]

You still seem to think that runtime type checking is a feature of interpreters. It is not. Common Lisp is compiled, Dylan is compiled, yet they provide runtime type checking. And of course, CL and Dylan compilers are written in CL and Dylan, respectively.

In precise terms, this is an issue of strong typing (Lisp, Dylan, ML, Java) vs. weak typing (C/C++).

Weak typing is dangerous.

Re:Not just speed

Perhaps more familiar examples would be Ada and Pascal. Both have been targeted and used in exactly the same kind of applications as C, and yet they can be easily compiled with array bounds checking. And in Ada the language standard explicitly gives you the option of unsafe pointer accesses via a cumbersome syntax when you really really need it. Both Ada and Pascal compile down to native machine types and operations, without any extra overhead such as found in higher-level garbage collected languages.

Re:Not just speed

My, you're a grade-A asshole. Do you slap people in real life when they disagree with you, or is your online behavior just a product of basking in the dim glow of a grubby monitor with one hand on a mountain dew and the other down your pants?

Re:Not just speed

[Sparks23]

Very true, that runtime type checking is an element of strong typing. However, again, I will note that an interpreter /can/ catch things which are harder at runtime; I am not merely discussing runtime type checking.

Assuming that runtime type checking is the the 'silver bullet' for fixing programming bugs is as much a fallacy as the original poster's assumption that Java and C# solve all programming languages.

It's not a simple and straightforward 'there is a single solution to everything' issue. To discuss the myriad potential problems, how particular language definitions can eliminate some, and how implementations of programming languages can eliminate others, and how still others can only be dealt with by the programmer, could fill a book or provide a topic for a website.

Wait, that was the original topic, and the original poster's claim was that Java and C# solve all your problems for you and therefore there's no need for such a website. This is not true. Some things -- such as buffer overruns -- are more easily solved in interpreted systems (or, being fair, runtime systems that do far, far more stringent length checking), but nothing -- not interpreted systems, not strongly typed languages, not some magical library you link against -- will solve all your problems for you.

I stand by my statement that no language, no compiler design, is a silver bullet that solves everything. I stand by my statement that the original poster is incorrect, and Java/C# are not the solution to everything; C still has its place, especially in low-level programming.

Argue terminology all you want with me, and I'll concede that I could've been clearer/more accurate on the terms I used, but I'm not going to be swayed enough to say that C# or Java solves all ills. I like Java, but it's not a genie. :)

Perhaps I misunderstood the original poster's point? His post has been moderated right off the comments list, unfortunately, so my original reply has rather lost its context. At this point, the original point I was trying to make has unfortunately been completely lost in a discussion of terminology, so I'll just bow out of the conversation. :/

Re:Not just speed

[andreas]

Again, you're confusing terminology: strong typing comes in two flavours: static typing and dynamic typing, and only the latter requires runtime type checks.

And you're still referring to systems with dynamic typing as "interpreted systems". This is wrong, dynamically typed systems can be compiled too.

I'm not saying this to win an argument with you, but to make sure people don't get misconceptions about alternatives to C.

You're right in saying that no language will magically solve all of the problems. But there are some classes of problems that we do have silver bullets for. Buffer overflows can be prevented by bounds checks, cast errors by strong typing, memory leaks and double frees by garbage collection.

And no, Java/C# are not the solution to everything. The Lisp family is much closer. So is OCaml for the statically typed folks.

And I see the place of C in the world dwindling.

Re:Not just speed

[Sparks23]

Yes, being an Objective-C user, I know some dynamic-typed languages are compiled rather than interpreted. (Of course, for all that I really like its object model, ObjC is a pretty lousy example as it inherits all of C's flaws.) :)

Though, also being an ObjC and Java user, I dispute the claim that garbage collection is a silver bullet for memory leaks. It's possible to mess up reference counts just as badly as malloc/free pairing. GC does nail double frees, and it makes memory leaks less likely, but it's still not a silver bullet to solve /all/ memory allocation related problems.

My point with C, also, was not specifically to stress C itself as still being useful but lower-level languages. Objective-C, for instance, is a great applications language. However, the runtime library which gives it many of the 'silver-bullet' features such as runtime garbage collection is a resource that needs to be taken into account; I'd never want to write a device driver in Objective C while linking in the support libraries and classes to provide runtime garbage collection, for instance.

Perhaps a /better/ way to put that part of my point is that systems which have runtime solutions to problems -- not just interpreted languages -- are great for the application layer, but low-level things, such as device drivers and system kernels, are more likely to be written in languages where you do not have a required support library to provide the features. This is a generalization, yes. Slashdot specializes in generalizations. ;)

So while C itself may not last forever, and while there are legitimately way better solutions for modern application programming, I think there will always be a place for /some/ language and compiler which requires the programmer to do most of the work. I.e., I doubt we'll ever see someone writing video card drivers in Visual Basic.

Re:Not just speed

[andreas]

And again I have to pick nits :). Reference counting is a weak form of garbage collection, and indeed has problems with collecting circular structures. There are algorithms like mark&sweep that don't have this problem. But you're right, there are still some problems to worry about, but far less than with manual memory management.

And regarding device drivers: on the Lisp machine, they were written in Lisp. As was the garbage collector, scheduler, compiler... everything. I even have written a video card driver in Dylan, just to drive home the point that this is entirely possible.

The fact that these days operating systems are written in C doesn't mean that this has to be the case.

Re:Speed issues aside

[An+Onerous+Coward]

On the upside, it really is better to have your programs crashing in a predictable manner.

/me slaps himself for reading this comment and spending a full twenty seconds trying to figure out how the Java VM would run without the OS.

Lisp and high level languages

This same argument is made by Paul Graham all the time when discussing Lisp. It still holds true.

High level languages allow you to do more with your programs because they provide means of doing repetitive things easily and allow the programmer to focus on the programming instead of worrying about the language.

Re:Speed issues aside

People still use JOVIAL, which as far as I can gather is a version of Algol that has been modified to include threads. In fact, there is an official Air Force website at Jovial Lives!. To quote from the website:

"Some of the more notable weapon systems using JOVIAL include (but are not limited too) the Advanced Cruise Missile, B-52, B-1, and B-2 Bombers, C-130, C-141, and C-17 Transport Aircraft, F-15, F-16, F-18, and F-117 Fighter Aircraft, LANTIRN, U-2 Aircraft, E-3 AWACS Aircraft, Special Operations Forces, Navy AEGIS Cruisers, Army Multiple Launch Rocket System, Army Blackhawk Helicopters, F100, F117, F119 Jet Engines, and RL-10 Rocket Engines."

That's a pretty impressive list of platforms for a language that was developed in the early 1960's!

So, maybe newer is NOT better after all.

A.R. Nemmer

Re:Speed issues aside

[viega]

This isn't true whatsoever. Only the most glaring issues are fixed. Currently, we're working on a Java Secure Programming Cookbook, and we'll get around to C# after that.

We do a lot of code auditing, and find about 4-5 serious security problems per thousand lines of code of C and C++ code. In languages like Java, we still usually find 1 or 2 such problems.

Re:Speed issues aside

Are these problems that you find inherent in the language itself (buffer overruns, etc) as in C/C++, or are they implementation problems that one would find in any bad implementation done in any language?

Re:Speed issues aside

[RetroGeek]

By hiding the details behind a curtain, I think it is more likely problems will just get ignored

So you, um, write software in machine code?

Higher level languages exist because it is tedious and error prone to need to code every last bit (pun intended) of instructon required by the CPU to do any work. The higher level the language, the more insulated you are from the machine code.

Assembler required you to know registers, C and C++ require you to free memory resouces. Java requires you to open/close files. SQL requires you to know table and column names. Each step up requires less and less knowledge of the underlying system. And each step up is safer overall.

But ANY language can be written so it is insecure and/or buggy.

We will reach a day when the Star Trek type of information retrieval and manipulation is done. We are not there yet.

Re:Speed issues aside

Fine, use Lisp, it is 100% secure as a consequence of its design and implementation, and you will understand why C/C++/C#/Java are not only crap (in every way imaginable) but also they are unnecessary crap. The problem with software is C and its derivatives.

Secure Coding resource

www.cgisecurity.com/lib large library of documents
Secure java development
Secure XML
Secure Web Services
.NET Security

Re:Speed issues aside

Sir, I have your other book "Building Secure Software", where you described the famous "CIA" security objectives as Confidentiality, Integrity and Authentication. AFAIK CIA has always been taught as Confidentiality, Integrity, and *Availability*. So what's up with A being Authentication?

Do *what* to get your way to the top?

"Now I'm just a lowly IT worker, managing web servers and crawling under desks"

Crawling under desks? I know admin'ing IIS servers is bad enough because of the security problems, but to have to blow your boss to keep your job?

Talk about getting fucked in both ends!

I blame porridge

[segment]

Blaming colleges is a complete copout - if colleges aren't teaching the proper skills, then employers should be rejecting applicants with inadequate skills.

Agreed. Most of the companies I've been at of course hire college grads I mean who wouldn't, but most of the time it's those of us without degrees who've actually DTFW (done the fscking work) who end up making the big bucks even if it's only temporarily. This is not to say that a college grad isn't skilled hell most would probably clean the floor with my ass (well most compsec students with BA's and better). It's a matter of adapting to where you're at, while one may lack on say programming, they may make up for in networking. Not everyone can know it all (except of course moi... kidding you know...) But for the most part I would blame companies for jumping on the paper bandwagon. Just because someone has a degree doesn't mean that person is going to understand the actual business infrastructure of a company. They may understand the underlying protocols but that shit doesn't impress me when you have to run to a colo @ 3:00am and get shit started yesterday. Nope sorry bookworms your school lessons will not save you.

The fact is, most companies couldn't give half a shit about security on a day-to-day basis, and therefore don't really care if people fresh out of college have a clue about secure programming, or even security in general.

True to an extent. More and more companies are taking compsec more serious, and it helps when the gov, and news agencies go overboard with their 'hacker' stories. Take a look around Dice dot com, or the Security Focus job list, you will see the biggest surge in years.

Re:Speed issues aside

[endx7]

So you, um, write software in machine code?

Higher level languages exist because it is tedious and error prone to need to code every last bit (pun intended) of instructon required by the CPU to do any work. The higher level the language, the more insulated you are from the machine code.

True, I like some insulation (it'd be difficult without it), but I like to avoid too much. In the very least, I think it's a good idea to know what's going on behind the magic curtain, and hiding what's going on to much could lead one to ignore what's going on completely.

C isn't always the best language, but it's the most versatile (at least I think so) without sacrificing too much. Hey, it's even somewhat portable (er...well...sometimes).

The site is pink.

[dtfinch]

However, since I already own at least one of your books I'll check it out.

Re:The site is pink.

[viega]

Even worse, my name is on a book that is pink. That's the reason for the current site color, BTW. Plus, I suppose we like torturing people at the same time we're trying to help them.

Re:The site is pink.

[aaron240]

Is it more pink than "MySQL Cookbook", "Learning the bash Shell", or "Learning the vi Editor"?

Re:Speed issues aside

[RetroGeek]

In the very least, I think it's a good idea to know what's going on behind the magic curtain...

Amen to that. I firmly believe that I am a better developer (not just coder) because at one time I DID write in machine code (it was a hardware computer course). I actually do know the major internals of a CPU, and how they react. Half-Adder anyone?

Re:Warding off the inevitable "switch to Java" com

[dmiller]

Tune in to Bugtraq some time to see a never-ending stream of web-app vulnerabilities. Most of these applications are not written in C.

Moral of the story: stupid programmers will be stupid in whatever language you give them.

At last!

[Capt'n+Hector]

Finally! A programming website that's SECURE! I am so tired of my favorite programming websites getting hacked all the time.

oh wait...

By the way, I can't believe nobody made that joke yet.

Re:At last!

[Catharz]

By the way, I can't believe nobody made that joke yet.

I can't beleive the script kiddies aren't attacking it yet. But now that you've given them the idea, I give it an hour before somebody tries something (even if it's a simple DOS attack).

It will be very embarassing if somebody succeeds.

Re:At last!

[viega]

I dunno about that. There's a lot of software being exposed on that server, just through apache. It wouldn't surprise me if there were some 0-day out there affecting one of those things.

Re:Speed issues aside

[viega]

Good question. They're generally problems that one would find in an implementation done in any language. However, there are plenty of language-specific problems for other programming languages. Some of the most glaring exist for PHP and Perl.

Also, note that many programming languages are implemented in C, and have had or might have security problems relating to that. I've seen such problems in several common scripting languages. It is like that there are plenty of other problems like that waiting to be found.

Re:Speed issues aside

I bet Lisp could solve world hunger!

Re:Speed issues aside

[n0nsensical]

Lesson #3: Don't try and be funny. You'll just end up having to explain it, and--as the Heisenberg Principle attests--an explained joke ceases to be funny.

Hey, the Heisenberg Principle states that it is not possible to determine the position and velocity of a particle at the same time! That has nothing to do with jokes! This is a troll!

Interepreted languages help, but aren't a cure-all

[harikiri]

Buffer overflows are arguably the most common vulnerabilities that occur in the wild, which in turn indicates that most of the network services attacked are being written in C.

Moving to interepreted languages mean that any dodgy user-supplied input will be detected at runtime, and will most likely result in some sort of a traceback (but no exploitable overflow).

This however does not eliminate the remaining classes of vulnerabilities, relating to default configurations (username/passwords), poor encryption mechanisms, Denial of Service attacks (minimised due to most popular interpreted languages having their own garbage collection), and more.

We need more developers to be putting on their black-hats, and looking at their code and wondering "what if I tried this? Could I break this code?".

2 tips from the hood

1. Create your own malloc/free new/delete heap. This heap should always have blocks of 0's interspersed throughout and a 1K walled block of 0's at the end of the heap. Any programming errors may result in garbage, but it won't result in injected code vulnerabilities.

2. No direct DB access technology on your web service front ends. If your web UI code has SQL in it, you're doing something wrong. Your Web GUI should access an intermediate layer, instead. UI is notoriously easy to compromise, and the best way to make SQL injection attacks is to not have SQL directly beneath the button your users are playing with.

Re:2 tips from the hood

[shic]

While I agree with point 2, I can only say that point 1 is at best misguided nonsense and at worst a troll. If an attacker is able to overrun a buffer by a few bytes, then they are likely able to over-run by more than the 1K for which you've allowed. This technique is likely to give a false sense of confidence in an implementation as well as cause bloat - hence negating at least some of the advantages of the costly decision to implement at a low level permitting pointer arithmetic. There are much better ways to tackle such problems. In many cases C/C++ programmers should take a leaf from Java programmers and avoid pointer arithmetic in mainline code. It is trivial to code an ADT for arrays/strings in C, and C++ programmers should really consider STL containers. Only extremely low level code ever need directly manipulate pointers - and the cost of interacting at this level should be a moral obligation to show, using appropriate techniques such as pre-condition/post-condition inductive proofs, that buffer overruns are not possible.

Re:2 tips from the hood

[plierhead]

Point 2 is bollocks as well.

No SQL in your UI code? Sure, good move. Instead, move all your SQL into a back end and then call into it from your UI code. This goes as follows:

1. You explain to your boss why all SQL should be done at the back end
2. Your boss asks you whether it is really worth it to write six time as much code as one would imagine would berequired, just for security
3. You say yes, trust me
4. Someone breaks in anyway, because your lame middleware layer allows intrusion through it, and the intruder gains access to the database ANYWAY
5. Your boss fires your sorry ass.

Re:2 tips from the hood

[Eponymous+Coward]

Why get out of bed in the morning? One day you're just going to die and what will be the point of anything you've done?

Re:2 tips from the hood

[the+uNF+cola]

Then explain to your boss why you have to write the same code MULTIPLE times, once for the web, once for say, a java two/three tier client, then command line utilities...

Let's not forget having to write the same query N times.

Re:2 tips from the hood

[shic]

I see where you are coming from, however I felt more forgiving about the second point - maybe because the recommendation was more vague. The original poster (grammar aside) suggested that SQL generation should be separated from UI interaction - and this is, IMHO, usually a very good idea. No-one suggested "all SQL should be done at the back end;" Only you seem to think that six times the volume of code would necessarily be required for such a separation; only you suggest that a boss would disagree - and I doubt, at this stage, anyone needs their "sorry ass" fired.

When considering complex systems, architecture is important. Sure, it is often possible to cut corners on trivial systems, but a good programmer will always remember that the system should be easily explicable in order for it to remain maintainable. While 3-tier architectures could be just as poorly implemented as single tier or client-server solutions, there is a wealth of empirical evidence to suggest that 3-tier designs have been a significant benefit in many complex systems. In my opinion, as a rule of thumb, it is a good idea to separate UI implementation from SQL interaction - particularly for applications to be used in adversarial environments. Even ignoring your distaste for the 3-tier paradigm (which I admit is by no means a cure-all design) there remain many other techniques to logically separate SQL generation from UI interactions. I have never in practice seen the need to expose all of the functionality of the often bloated and complex SQL implementations to code primarily concerned with UI interaction... I frequently see myriad benefits in encapsulation.

Re:2 tips from the hood

[dcam]

The parent poster is entirely correct on cutting out SQL from the FE.

The standard technique for avoiding SQL injection is to use prepared statements and stored procedures. For M$ platforms this means using the ADO Command object and stored procedures. Note that this is a comment on SQL injection, rather than any other security issues.

This also has a significant advantage in that it forces the code to be modularised. In other words data manipulation is moved to the database layer rather than the front end. In general I'd say that this will increase the code size will be matched by a decrease in errors.

Variable input == DOS attack hole

[tjstork]

The problem is not the language, it's our style of programming.

The whole reason that security issues have proliferated is our stubborn insistence on allowing for variable input. If all input and systems had hard wired capacities, then, there could be no denial of service attacks as program behavior would be bounded.

Even C# and Java have DOS issues becuase of their unbounded nature. A program that reads an input stream and stuffs a link lists will be just as supsectible to denial of service attacks as any others.

Some of us remember gravitating over to C from the old Pascal and FORTRAN and BASIC because of C's penchant for creating dynamic data structures. AS I look back on that era, I wonder if we didn't make something of a mistake.

I wonder if we might borrow some of the practices from that ancient era, and use dynamic allocation as the exception, rather than rule. Programs should have fixed numbers of objects. Programs should have fixed input sizes and maximum capacities. String fields should always have a maximum, fixed, size.

I should note that if we do have less variable length allocations, then, we less likely need programming languages that make variable length easy. A more conservative, almost retro programming technique could make for faster, more secure programming.

Re:Variable input == DOS attack hole

[Malcontent]

"I wonder if we might borrow some of the practices from that ancient era, and use dynamic allocation as the exception, rather than rule. Programs should have fixed numbers of objects. Programs should have fixed input sizes and maximum capacities. String fields should always have a maximum, fixed, size."

You know what really bug me? Almost all languages have assertions and yet almost nobody uses them. If you are dealing with dynamic elements you should have pre and post conditions as assertions.

Re:Variable input == DOS attack hole

First of all, if all we had to worry about was DOS attacks, we'd be in a wonderful era compared to today.

Second, I think you've only got half the story. The prevaling attitude is "accept variable input, push the consequences back on the user". That is, programmers were very willing to accept the power of dynamic inputs, but also very willing to share the responsibility.

Unix Culture in particular had the attitude of "Real Men provide Good Input, or Dump Core". In short, it was all the user's problem, and that was reflected almost everywhere.

With micros, it was "Hey, you're the only user. Just reboot!" Same story.

Neither culture mixes very well with a vast, untrusted network.

Re:Variable input == DOS attack hole

[miu]

I should note that if we do have less variable length allocations, then, we less likely need programming languages that make variable length easy. A more conservative, almost retro programming technique could make for faster, more secure programming.

This is my prefered method of programming - the problem lies in convincing users to accept arbitrary restrictions.

The next best thing is to wrap all dynamic allocations in protected functions with paranoid checks built right in. Asserts are not enough, they document programming decisions and can prevent a large number of programming errors, but are not suitable for catching runtime errors or abuse of the system.

Re:Variable input == DOS attack hole

[i_really_dont_care]

If all input and systems had hard wired capacities, then, there could be no denial of service attacks as program behavior would be bounded.

What a crap. Fixed-size working sets are a good idea sometimes (say, control systems), but don't solve the problem that you still have to work on the data.

Also, what's e.g. the use of a database that has a pre-allocated, fixed number of records and tables?

Re:Variable input == DOS attack hole

[BigBadBri]

I don't normally like AC posts, but this needs modding up.

The proliferation of single user machines has led to a loss of focus on security, and this post points it out perfectly.

Re:Variable input == DOS attack hole

[cheekyboy]

I guess you have never used C++ and STL.

Go to www.codeguru.com and learn a few tutes.

String class is very powerfull and has powerfull functions/limits/options.

Screw PASCAL

Re:Variable input == DOS attack hole

[plierhead]

You are right, this is the only solution. You need to specify that your interface expects, say, 10K hits per minute most of the time, and then specify that you are running a superbowl ad this weekend and it may burst real high, but just for a while.

It will take many eons before there is any better defece against DDOS attacks, and while the whole world seems to be laoded with poisoned/blasta'd machines just waiting to take part, this is the best that is possible with today's technology.

Re:Variable input == DOS attack hole

You are a fucking retard. Why don't you read the post before replying? Satan will pierce your asshole with his fiery barbed shaft before you have time to notice the fire and brimstone fuming from behind you.

Re:Variable input == DOS attack hole

ahaha, brilliant troll.

actual snippet

[gfody]

while(true)
{
try
{
...
}
catch()
{
//try again
}
}

Re:actual snippet

[dmiller]

In that spirit, my favourite was:

while ((var = malloc(sizeof(*var))) == NULL)
; /* Avoid allocation failures */

Re:actual snippet

[GooberToo]

LOL...it probably does avoid allocation failures... ;)

LOL

Strict mode for C++

[Animats]

I once wrote Strict mode for C++, to address this issue. After much struggling, I concluded that backwards compatibility was tough enough that it wouldn't be accepted. With the recent hightened interest in security, it may be time to look at this again. (I'd make some changes to the syntax proposed there, though.)

The basic idea is that everything is reference counted and subscript checked, but by doing some static analysis and type enforcement, most of the overhead for that is eliminated at compile time.

About 95% of subscript checks can be optimized out without too much effort. An optimizing compiler that can hoist expressions out of loops and strength-reduce them can move most subscript checks out of inner loops. Reference counts require more language support, but they, too, can be optimized.

As for pointer arithmetic, the solution is to use iterators, which are checkable, instead of pointers, which are not. Then optimize out the checks, as with subscript checks.

I proposed that there be a way to designate C++ code as "strict", turning on the enforcement. Privileged programs should be 100% strict; others need not be.

This is unlikely to happen, but it is technically possible.

Re:Strict mode for C++

[alien_blueprint]

Sounds like an interesting effort. I was just thinking the other day about how "profiles" of C++ might provide the safety and ease (eg. pointer checking, garbage collection) of Java or C#, without re-inventing the entire wheel.

As an alternative approach, I've had some success with this tool, which is basically a patch to gcc so that the code that is emitted on compilation contains bounds checking for each and every pointer arithmetic operation, including array indexing.

It works by finding the size of the block which is the target for the "base pointer" of any pointer arithmetic, and checking that the final result is within the bounds of that block.

The disadvantage is that it will slow your code down, but if security is important enough that becomes less important. However, it *doesn't* require any change to your code whatsoever.

I have not deployed code compiled with this extension, but I have used it when running unit tests over our existing code base, and it did find some subtle problems lurking in our code that had some of the real C language-lawyers around the place scurring to prove the tool was wrong and that their code was OK. After much argument, and referral to the C standard, it turned out the tool was exactly right in all cases. These were problems that didn't shown up at all in Purify! It really worked very well, and I didn't expect it be worthwhile at all.

I'm currently reading "Building Secure Software" (Addison-Wesley), and that's how I discovered this extension. This book seems quite good so far, despite the fact that I know a lot of it already. It doesn't just focus on prevention, but also talks about auditing and monitoring and other important deployment issues that are often ignored. You just can't assume that "nothing will go wrong" ...

It would be nice if every undergrad were to have read this book (or something like it) at some point.

My definition of "Secure Programming"...

[solarrhino]

... is any programming job that can't be exported to India!

Re:My definition of "Secure Programming"...

The following jobs are in that category:

1) Developing Chinese fonts
2) job that can be exported to Ireland
3) -ditto- Israel
4) ....

Vision of security isnt as bad as ./ make it

[nighty5]

Been in the security game for 10 years...

From all these posts, it seems that all programmers don't have a clue about programming in a secure manner. I disagree, its just that times have changed.

Surely, a few years ago this was the case. But certainly not as bad as now. Most PHB worth their weight usually know the security buzz words associated with an implementation are. If they don't give support to the developers to create a secure solution, they arent just lacking in security skills - they are lacking in overall management skills and an understanding of IT. Security has to be part of the overall process when in development, PHB's must invest *training* for programmers and develop standards to follow.

Previous posters saying that it should be manditory for all post grads to have indepth security skills is down right short sighted. Security is a bottomless pit with many variables, a general subject can be taught. However, security can't stem strictly by programming practices. It is a collection of standards from all types, from the network, operating system to the application level. Not to mention the usual deal of people, process and technology.

I've lost count of how many pen tests I've completed where the application design was rock solid, however they had a bad password on their admin portal.

Nuff said....

Re:Vision of security isnt as bad as ./ make it

[viega]

IMHO, if your admin portal is susceptible to a practical password guessing attack, then there is generally far more that you could have done in your application design. One of the most obvious things to do is to reject any password that is easy to guess. But then there are plenty of good authentication schemes that don't use passwords at all, or use them only as one factor in a multi-factor system (such as a private key encrypted with a key derived from a password).

I'd definitely say that it's impractical for most developers to have in-depth secure programming skills because there's just so much to know and keep in your head.

Re:Vision of security isnt as bad as ./ make it

like this one?

derivatives_control.finance.jpmorgan.com/admin/l og in.asp

gecko:greedisgood

Re:Vision of security isnt as bad as ./ make it

[viperblades]

Security in C /c++ isn't that hard from what i've seen (of course i haven't seen much). One of th things i did upon learning c++ was to write my own string class that you initialized with a limit. char1 *test; test = new char1(10); 10 is the limit on what that char will carry so if you do this test->set("testing this code"); test will be set to "testing thi" It's really all about thinking of a solution for each with security in mind. doing stuff such as real time of encryption of passwords in memory etc

/. effect1

[pimpinmonk]

no matter how good their secure coding is, they're no match for the ultimate overflow: the slashdot effect!

Re:/. effect1

[viega]

Yes, but not in the way you'd think. It wasn't bandwidth. The blog is being stupid and creating too many connections to the MySQL database, which eventually stops accepting more. Kicking MySQL is a reasonable stopgap measure.

Dead site...

If you are going to (almost) shamelessly promote your own site on slashdot, please make sure your "secureprograming" servers are...

NOT SLASHDOTable!!!!!!

Small error in the site

[nmoog]

I think I have spotted a small error in your otherwise excellent site.
I checked out the HTML source and the problem seems to be in the spc.css file.
There are several references to the value #BD3D89 and on the monitors I have here that value appears as a bright pink colour.

Just thought I'd let you know.

Looks fine to me

[mister_jpeg]

Simple black on white:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, mmessier@secureprogramming.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

-----------------

Apache/1.3.28 Server at www.secureprogramming.com Port 80

Google's Cache

Well, since it was slashdotted, I found the Google cache, the front page:

here.

Here's the full text

[Anonymous+Cowdog]

Just in case the site gets slashdotted, here's a cut-n-paste of the home page. Whew, glad I was able to get in to get this:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, mmessier@secureprogramming.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Apache/1.3.28 Server at www.secureprogramming.com Port 80

Computers Existed Before C

[Detritus]

20+ years ago I used an operating system that was written in Pascal. There have been commercial operating systems written in FORTRAN, PL/I, LISP and other languages.

Re:Speed issues aside

The only starving people here are the Lisp programmers.

Re:Speed issues aside

[holloway]

President of America: I will give you thirt..thirt... thirt... thirt... thirty million dollars for sustainable food resources in third world countries.

Reporter: 30 30 30 30 million... 810 trillion dollars?

President of America, embaressed, not wanting to admit defeat: Undoubtly yes.

Re:Warding off the inevitable "switch to Java" com

[Admiral+Burrito]

Buffer overruns are just one kind of problem you need to deal with when writing secure code.

Buffer overruns are one of the problems you don't need to deal with when writing secure code because modern languages (not C/C++) can detect that condition for you, leaving you to concentrate on the real bugs.

So much for "warding off". :p

It's About Time

[Lucas+Membrane]

There have been architectures (eg Burroughs etc) that had most exploits designed out back when diskette rhymed with biscuit. Good languages (e.g. Ada and Modula) go way back.

Right now, the most interesting of these better languages looks to be Cyclone (from Cornell) which has some chance of success because it is based on C. Certainly(?), next genration versions of C and C++ ought to prevent such problems unless the programmer explicitly permits them.

Re:Speed issues aside

Absolutely, I have predicted that the great slide of American Productivity (known observance where IT spending dramatically increased yet companies observed no dramatic improvements in productivity) from the mid-80s to the late 90s would be seen as a function of C (returning void).

And the second rule of secure programming club is

[devphil]

Quoting Bjarne Stroustrup when some moron tried to flame him for C++'s perceived lack of security, "I assume that a sufficiently skilled [cracker] will be able to do anything not explicitly forbidden by the hardware." (Emphasis mine.)

So, the second rule is, recognize that most "levels of protection" and "access controls" in programming languages are there to help realize a clean design and facilitate debugging. NOT to enforce some kind of real-world security.

The word "Security" is too big

[DaMeatGrinder]

"Security" is too big of a word. There is a difference between

1. a program enforcing a division of data,
2. ensuring a program doesn't let any bits slip through the cracks, and
3. creating a system where people can do only the things they are allowed to do.

"Security" to me is (3). Security is a social construct. You can't have security until there is someone who's not allowed access to something.

I see a lot of talk about cryptography, preventing buffer overflows, and so forth. But the combining of these technologies in the design of a real-world security application is seldom discussed. It's a hard messy problem.

I suspect if we had a better understanding of the social aspects of security, more secure technology would follow.

The other rules

[devphil]

Just because I watched the movie the other night and can therefore quote entire reams from memory:

• The 3rd rule of secure programming club is: some process yells SIGABRT, goes Z-state, taps out, the program is over.
• 4th rule, only one major process to a sandbox.
• 5th rule, only two sandboxes to a machine, fellas.
• 6th rule, no telnetd, no ftpd.
• 7th rule: debug sessions go on for as long as they have to.
• And the 8th and final rule, if this is your first night at secure programming club, you will be 0wn3d.

please don't abbreviate numbers

[DrSkwid]

hundreds of thousands isn't too much effort is it?

Feedback

[Twylite]

This site needs some way of posting comments or feedback. For example, I have issues with at least two of the recipes listed so far. Secure programming sites and recipes are no use if they aren't subject to peer review.

Re:Feedback

[viega]

Comments will go live when we have time to implement them (hopefully no more than a week... most of the infrastructure is done). Until then, feel free to email us... we'll actually respond and post changes / annotations if it makes sense.

Re:And the second rule of secure programming club

[Bodrius]

What about programming languages that define their own virtual hardware (VMs) ?

wrong assumptions abound

[linuxislandsucks]

Guys check the 9/15 th post

Not only does the author disspove his own conclusion..in fact switching to java does accidently make a program more secure ..why do you think MS switched to state machienes in MS .NET..its ecure, duh!

But other wrong assumptions abound..

Be very carefull of reading the book the author has written if its ful of the same assumptions..you might get burned..

Re:wrong assumptions abound

[viega]

You clearly have reading comprehension problems. The article clearly states that, while other languages are indeed more secure than C and C++, the difference isn't as bad as most people think, because other languages aren't as secure as people seem to think.

The point of the article was NOT to say "C and C++ are more secure than you think." If anything, they're less secure than most people imagine. So are all other languages, though.

Re:wrong assumptions abound

[Fefe]

I have not read your book, and I don't think I will.

How can you write a book about secure programming if you are obviously not even capable of understanding the difference between a language ("C") and a run-time environment ("libc", sprintf and strcpy and friends).

C and C++ are not insecure at all. C does not force anyone to use C strings and functions using format strings. If you do, and you don't know what you are doing, you will probably create buggy and insecure code. That's not C's fault. If you don't know what you are doing, you shouldn't be doing brain surgery or repairs on the space shuttle either.

I'm appalled at the flood of bad security and crypto books lately. Having the few good books diluted by a torrent of bad books is worse than having no books on the topic at all. Frankly, your review of Applied Cryptography speaks volumes. I'm not interested in security advice from people who complain about "all those difficult math symbols". Now please go back to Visual Basic, thank you very much.

Re:wrong assumptions abound

[viega]

Nice troll. Don't get pedantic about things that are obvious verbal shortcuts, otherwise you'll never learn anything (hint... since the standard library is part of the C standard, it's quite common and proper to call it part of C).

The problem *is* the core language's fault, though, and not the library's fault, because it doesn't do bounds checking. If it did, the library calls could be as shoddily written as you'd like. C makes it easy to write code with exploitable buffer overflows in it. In most other languages, it isn't even possible.

You seem to think I reviewed "Applied Cryptography" on the web site. I didn't. I briefly discussed it when reviewing another book. There are NO "difficult math symbols" in Applied Crypto. Modern Crypto has math, it just makes it accessible (contrast to the HAC, which is a phenomenal resource as well, but too mathy for many developers. Why you think I'm afraid of the math because I realize other people don't care for it is beyond me).

Finally, if you think that I'm an idiot just because I cite a flaw in Applied Crypto instead of bowing at the temple of Schneier, then you need to reevaluate your own religious decisions, because Schneier himself makes the same fundamental claims about his book in Secrets and Lies as well as Practical Cryptography.

Re:wrong assumptions abound

[andreas]

Oh, your very own web page cites 5 bugs per 1000 LOC for C/C++, and 1 for Java. That's a factor of 5!

The biggest problem that makes C/C++ less secure than other languages is the fact that errors are not contained locally. Every single line of C/C++ in your project can break any other line of your code, violating all security assumptions.

Sure, you have STL. And what does that buy you when there is a buffer overflow in a third party library you're using?

Right, nothing.

Besides, readable and maintainable code is a security feature in itself, which C/C++ just doesn't have. It lacks a lot of abstraction facilities.

Not seeing C/C++ as a source of many of our security problems is a state of denial.

Re:wrong assumptions abound

[viega]

You're clearly a troll, since I have said quite clearly several times that C and C++ make security problems easier to introduce. That is, I don't disagree with a single thing you say, nor has anything that I've written disagreed, yet you still are arguing as if I said "C++ is the most secure language ever!"

If you have a reading comprehension problem, and are not a troll, then try to understand that the point of the article was to show that other languages are less secure than people believe. People can take this information and still choose another language, or they can choose to use mitigation strategies in C or C++. If they do the later, let them know the risks going into it, because it surely is more risky. But there's no stopping some people, particularly those people developing operating systems.

Re:wrong assumptions abound

[andreas]

I'm not trolling. You're very own words further up in the thread make it sound like the security win with different languages isn't that big, and probably not big enough to warrant a switch.

I am sorry if I am mis-reading you, but that is probably what most people see when reading your words. I think it is essential to tell people that using C/C++ is a huge security risk, and that they should only use it when there are no alternatives. Often enough, there are.

And I haven't seen a convincing argument yet why operating systems have to be written in C. In fact, I have a proof-of-concept OS written in Dylan.

Re:wrong assumptions abound

[viega]

It's easier to eke speed out of C, largely because there's no pesky security ;-)

Re:wrong assumptions abound

[andreas]

Oh, we have some pseudo-scientific measurements in this regard. Gwydion Dylan comes with a Dylan-to-C-translator. Average performance loss when compared wo writing directly in C is between 10 and 30%, and that's mainly due to garbage collection overhead and some register lossage (we have to pass an extra stack pointer to the generated C functions).

Bounds checking is nearly free on modern CPUs. Branch prediction and superscalar execution buys us that. Measurements show the overhead to be less than 0.1%, for sieve of Erathostenes, which does array access all of the time.

And OCaml shows that you can even beat C in terms of performance once you can do global optimizations like deciding which registers to save and which not on a per-function basis.

Last, but not least, having a real high-level language available means it is easier to implement funky algorithms that reduce algorithmic complexity. It's most often the brain and not the muscle that makes software run fast.

Re:wrong assumptions abound

[Tom7]

> C and C++ are not insecure at all.

They surely are. Especially take C++; this code, which is entirely within the language and not any library, has an exploitable security hole (depending on its context).

/* double-free */
delete x;
delete x;

as does, perhaps,

/* integer overflow */
char * z = new char[16 + size];

Any loop that might overrun array bounds is similarly vulnerable. Most recent exploitable code has not used the unsafe C string functions, since those were so easy to find in 1994 with the 'grep' method!

Of course, the C library is written mostly in C (including printf and the C string functions), so that makes it hard to argue that C is not insecure.

Now, you imply that such bugs are only the result of poor programmers being allowed to touch a computer. Nonetheless, we see the same security problems over and over in almost every application: Linux, OpenBSD, OpenSSH, MySQL, every version of Windows, Quake III, Half-Life, Perl, etc. etc. etc. Is it possible that all of these hero programmers actually just don't know what they're doing? I don't think so. Anyway, whether they do or not is unimportant: the fact is that even the best programmers create security holes, and when those holes can be avoided by switching to a language in which they're impossible, we're crazy to not do so!

Re:wrong assumptions abound

[MikeBabcock]

There is a huge difference between a bug and a security issue. In some cases they are the same thing, but in many they are not.

You could have a very buggy program that crashes all the time (think Windows) but is still secure (Windows analogy loses traction).

A security problem may not be a 'bug' at all depending on your definition, like allowing key sizes down to 2 bits or letting users specify blank passwords, etc. These are policy problems that programmers need to take care of.

Re:wrong assumptions abound

[andreas]

Of course you're entirely right (although a crash is always very suspect of being exploitable, and thus a security issue).

My point is, that there's an entire class of bugs that are security issues, which are closely related to the language C/C++, and that by getting rid of them by getting rid of C/C++, software will become more secure.

Re:wrong assumptions abound

[quigonn]

Of course, the C library is written mostly in C (including printf and the C string functions), so that makes it hard to argue that C is not insecure.

In fact, the problem is that K&R didn't know how to properly design a secure standard for the programming language C. Just because the standard C library is flawed security-wise, it doesn't mean that other libraries are flawed, too. A good example for a compact library implementing an API that makes it easier to write secure applications (especially when it's about string handling) is libowfat. Of course, programmers still have to think, but libowfat makes it easier for them to e.g. compute buffer sizes.

Re:wrong assumptions abound

[MikeBabcock]

I agree with you in principle, but in practice, I disagree.

That is to say, it is easier to write more secure software in languages like JAVA, Python and the like if and only if you measure the security of a product by the number of security issues it has.

If however, you measure security by the weakest link, that is to say, any exploit in the program makes it insecure, then this is no longer true.

It is still (perhaps) true that it is easier for a programmer to reach this Nirvana of secure software by using a language that allows him or her to ignore previous caveats in languages like C and its derivatives, but insecure logic will still be insecure.

For example, PERL has for a long time allowed programs to have "tainting". This is a feature I'd love in Python; to say that a variable was user-specified or brought in from an external shell, etc. so that I as the programmer am made aware that I need to *not* trust its contents.

In Python, for example, I make use of casts everywhere; I get told they look ugly, but they keep input values from being out of bounds or incorrectly interpreted. For example:

class SomeClass:
def __init__(self):
self._value2 = 4
def MultiplyValues(self, value):
return int(value) * self._value2
def SetValue2(self, value):
self._value2 = int(value)

... I set the value of self._value2 myself, so an explicit cast isn't necessary to my way of thinking in MultiplyValues, but I accept "value" from the outside and don't want return "Hello Mr. Programmer" self._value2 times.

Without programming with security in mind, you can and will have that one security flaw that makes your program insecure.

Re:SHORTCUT TO C:\ FOR SELL ON EBAY N@ RESERVE!! L

Wow, thanks, things like those sell away quickly, I better go get a payday loan and bid on that item as much as I can.

Re:Interepreted languages help, but aren't a cure-

[andreas]

It amazes me that all people can think of when talking about "alternatives to C" is interpreted languages.

Folks, compilers for real languages have been available for ages. Dylan, Common Lisp, OCaml is probably the top of tools these days.

Re:Speed issues aside

[BigBadBri]

the programmer in question is too lazy to learn newer and better ways to program.

Lazy?

It's far easier to program in Java, but you never know what's happening in the interpreter.

At least with C/C++ you are talking directly to the machine, and it's your fault if it screws up.

What if you're really lazy, and rely on a JVM that you have no control over to provide your safety blanket?

Noone uses assembley any more (except for kudos purposes), but the closer you are to the hardware, the more care you have to take to make things right - interpreted languages make people lazy, and that must be a bad thing.

Re. I blame the workplace...

[JaredOfEuropa]

University courses on programming do teach something about security, or good programming standards in general.

However, the student who starts working after college often finds himself in an environment without good work practices, standards and guidelines, tight deadlines, and disinterested co-workers. In that environment, his knowledge about programming practices will not be reinforced, it will be forgotten. The problem is not that he hasn't been taught properly, but if no-one is practicing or even interested in the standard of coding, is he going to bother?

Writing good software is something that's hard to teach anyway. Good programmers are made by experience, not by taking courses. However, junior programmers can learn how to produce quality code quickly... with your help. Training up junior staff is not something that you senior techs should do just if you feel like it... it should be part of your freakin' job description!. A seniour tech who does not pass on his knowledge is a dysfunctional employee.

You may want to check that you practice what you preach. Set a good example. Encourage your peers to do likewise.

- Teach: Do you see where a junior (or even senior) team member is slipping, and not applying proper practices? Chances are others have the same problem. Organise a short (1 hour) session and explain things. How to use the source control system. Where to find project documentation (you'd be surprised how often this is neglected). Take a piece of bad code, and explain why it is bad, and how to improve it (Don't haul out the poor guy who wrote it out in front, and remove his initials from any comments).

- Train: You got 2 junior C programmers assigned to your team? The best thing for them would be to receive a short course (give by you!) in Intermediate C programming techniques. This is knowledge straight from the horse's mouth, that they can apply immediately in their everyday work. Use the project as example, and they'll be brought up to speed on the important project aspects as a bonus. Besides giving a list of further reading at the end of the course, give them the actual books that you yourself have found to be beneficial to the subject.

- Coach: Take your time with the junior team members. Write code with them instead of correcting their mistakes after they have written it. Try pair programming with them. Personally I have found the time I spent with senior programmers (when I was the junior) to be the times when I learned most.

- Awareness: Never stop to instill the importance of good coding practices into your team members. Do not ever pass a bit of bad coding; make sure it is corrected. Got a tight deadline? Do not pass bad code anyway. As the team becomes better used to coding in a proper manner, you'll see less bad code and less bugs to boot, and you might end up saving time.

I've worked both in teams writing slipshod code, and teams producing tight code to rigid procedures, with a hard-ass technical manager making sure everything was up to standards. Guess which team was more fun to work in?

Re:Speed issues aside

[Moraelin]

Unfortunately, in a real world situation (as opposed to the dreams of someone walled in their own ivory tower), a program that crashes regularly is just short of useless. A program which malfunctions in the middle of writing data -- because half the logic got shortcircuited by a RuntimeException that cut straight through the last ditch "catch (Throwable all)" block -- is worse than useless.

For a geek, crashing early might be good coding practice. For a user, it's one e-commerce site they'll never visit again. (Yes, in a recent study, the main criticisms were stuff like the web site having a brain fart AFTER it swallowed the credit card number, leaving the user with no clue as to whether the order was processed or not.) Congrats, your site wasn't hacked, but the company is losing money hand over fist anyway.

Don't get me wrong, I'm not against Java, and I _do_ understand its advantages.

_But_ if using Java is your _only_ security, then you're doing it awfully wrong.

In Java, like in any other language, you _still_ have to do your own checks, and make some effort that the program will still work when confronted with malformed input. Especially when such input is not even a hacking attempt, but some hapless user typing "Jan 23, 74" instead of "23/01/1974" as you would like him to. Or he's included spaces in the credit card number (which causes Long.parseLong() to throw an exception.) Or whatever.

You do _not_ want the program to crash early and safe on the user, you want it to display a clear error message, and give the user plenty of clue as to how to correct the problem. And a chance to do so.

You also have to account for such user deviations as "what if he opens a link in a separate page, so now we have TWO pages sharing the same session id. And the user is doing different things in each." That's absolutely _deadly_ for brain-dead sites which store everything in the session. Just because Java's servlet interface makes it easy to store stuff in the session, doesn't mean it's also _safe_ to do so.

I've seen at least one e-commerce site which ended with products flagged "new user" and users flagged as "sold", because they relied on the session in the wrong way. Yes, noone took over their site, but the cost of that screw-up was very high nevertheless.

Briefly: again, just programming in Java doesn't automatically make your programs bullet-proof. There is no auto-magic substitute for good coding and design.

Re:Speed issues aside

[leandrod]

> These security problems are fixed by switching to a modern language

Agreed...

> like Java or C#

These are *not* really modern languages... they are too much of procedural kludges to do OO, their runtimes are too big and they are too complex. They end up creating many problems.

If you want good languages, not just popular ones, go functional (Lisp, ML or their dialects) or pure OO like Smalltalk.

COBOL BABY!!!!

[maddogdelta]

I wanna be just like dust puppy and code Erwin in COBOL!!

--

Wow...

[kashmirzoso]

Looks like I found the first site to visit in the morning in order to wake me up...jesus...is it safe to open my eyes yet?

Re:Lesson #1: Don't use C or C++ for Secure Progra

[BlueLabel]

To start, the parent comment should be modded back up. The parent poster isn't a troll; (s)he just has strong opinions.

Onto the post ...

• 
  

  Geez, how hard can this be? C and C++ are the only two major languages
  on the market nowadays which allow array overflows, pointer dereferencing
  into code, free creation of unsafe code, and other fun stupidities. As such,
  they are easily the WORST LANGUAGES on the market for secure
  programming.

  
  

This is a common programming fallacy. It's not the programming language that makes it easier to create a secure program; it's the programmer with a thorough understanding of security that makes the (infinitely approaching) secure program.

• 
  

  Sure, people will say oh, yeah, but you can be insecure in any
  language. These people should have their CS degrees revoked.

  
  

They're right (and if you had your way, I'd have my piddly degree revoked in a few seconds :P)!

There are dozens of popular programs written in C/C++ in which security holes haven't been found, programs that are written carefully and thoroughly debugged by programmers that understand security. Programming languages like Python, Ruby, LISP, [... ad nauseum] make it easier to avoid common pitfalls (i.e. buffer overflows), but there are plenty of security holes that can be introduced into programs written in those languages.

Don't get me wrong. I'm a Python zealot, I like Ruby, and I think Modula-3 has (had?) the potential to be one of the best systems programming languages available (if not for the lack of tools associated with Modula-3). However, that doesn't change the fact that there are great C/C++ programmers out there that will write less buggy code in their lifetimes than many Python/Java/Ruby/[insert your favorite language of convenience] programmers that don't know the first thing about computer security.

I could apply your logic to language interpreters/compilers for some of the languages you mentioned (i.e. Java, Python, Ruby, etc.). Is the Python interpreter less secure than a Python program because the interpreter was written in C? If the interpreter is insecure, then what does that say about Python programs when they're being interpreted by the interpreter? A program is secure if it's behavior is predictable, given a certain set of actions.

Good site with good content

and ugly colors!
Darn.. how much do we have to pay for a different color scheme?

Re:Lesson #1: Don't use C or C++ for Secure Progra

[BlueLabel]

Ack ... I meant to preview that post. Apologies for the (accidental) lack of spatial consideration.

Re:Speed issues aside

And a blind guy would find even fewer security holes in assembly codes. So, let's hire only blind people to do assembly programming, and we'll have no security problems.

Re:Speed issues aside

[dkf]

You'll just end up having to explain it, and--as the Heisenberg Principle attests--an explained joke ceases to be funny.

That only applies to Heisenjokes. (OTOH, I'd much rather deal with those than Heisenbugs. For the uninitiated, they are where a bug goes away when you attach any bug hunting machinery to a program...)

Arrrghh, My Eyeballs....

PINK, Pink, pink, PiNk, pInK,

*** PINK ***

pink.

Yep. The site is *pink*. This is what happens when you do color picking on a monochromatic monitor...

Articles like this don't make me want to use C/C++

[GnuVince]

When I read articles in which they explain hundreds of coding techniques to make code secure, I really don't want to get involved with such languages. I am not a very good coder and for this reason, my favorite languages are Lisp, Python and O'Caml, all three languages have garbage collectors which frees me from a lot of work that has nothing to do with the task at hand. I know that I can't (and don't want to) deal with memory problems, so I use modern languages which think the programmer's time is more important than the computer's. Seriously, let's say I write an application to manage a little local computer store, why should I use C and potentially ship a lot of memory-related bugs with my app when I can use something like Lisp or Python or O'Caml which all are stable, complete and powerful languages in which that task would be easy and would result in a better application?

Security should be part of the design

[Orion+Blastar]

Last few places I worked at didn't care about security. They thought it only slowed down production and they wanted us to write code as fast as possible. I wasn't fast enough, so I got let go.

I tried to get into that website on security programming, and it said my user name already existed. How many Orion_Blastar accounts are there in the world, or is it a spoofer? So then I thought maybe I joined before and forgot about it, so I went to "Forgot Password" and got an error screen when I submitted it. Secure but buggy.

OK, I blame the managers, then :-)

[Anonymous+Brave+Guy]

Let's teach future American programmers proper security before they graduate and start writing professional software.

I hate to break this to you, but expecting a newly graduated kid to be a solid performer from day one is unrealistic. They never have been. You weren't. I wasn't. The kids going through now won't be.

Software development hasn't (yet?) developed any sort of "apprenticeship" framework for the new kids on the block to learn practical, real-world skills from old hands. Their knowledge is, inevitably, mostly theoretical. They won't understand everything that was in their course properly, and even if they do understand something in theory, they won't necessarily appreciate the practical implications. The best you can hope for is someone who enjoys their subject, and thus has developed good general knowledge of the field and perhaps done some relevant part-time or summer job work.

If you're taking people on who aren't up to the standards you require at the time, and you're suffering bugs down the line as a result, then you need to review your recruitment process with HR, and you need to review your training process with the line managers responsible for overseeing new starters. Failure to do this is just plain bad management, and bitching about how degrees are worthless "these days" is a rather pathetic attempt to pass the buck. In reality, the blame rests squarely on the shoulders of the managers who haven't developed their resources effectively, and addressing that basic problem is the only way you're going to improve the situation.

Virus Alert when browsing secureprogramming.com

Upon reading the post I visited their site. But immediately received this warning from my Antivirus program (Norton). Is it just some Windows misinterpretation or what...

Virus Found!
Date found: Mon Sep 15 15:09:59 2003
C:\WINNT\Temporary Internet Files\Content.IE5\SPCX87YZ\secureprogramming[2].ht ml appears to be infected with Virus name: Unix.Penguin

Please send report from the "bulp" on the intranet portal
(Danish: "el-paeren" - Swedish: "glodlampa" - Norwegian: "lyspaeren").

Problem type Virus.

Leave the machine switched on but don't use it for other purposes.

Re:Speed issues aside

[the_2nd_coming]

yes, I know the airforce still uses JOVIAL, but that is the only group that did, and it was a modified version of ALGOL, so you could say that it is a specialised language that borows a lot from ALGOL.

Microsoft book

[Shaklee39]

How does this book compare to the Microsoft book on writing secure code? MS jokes aside, this would be helpful in deciding which to puchase.

Re:Microsoft book

[bingbong]

the microsoft book focuses almost solely on programming in MS based enviroments, such at .net. whereas the viega/messier book looks at coding practices and recipes in the generic view. they apply to both the MS world and the Open Source world.

i'd go with Viega/Messier. I have them both on my desk, and the cookbook is the one i use.

Re:Microsoft book

[Shaklee39]

thanks

So, in this case ...

[russh347]

a slashdotting improved a site.

Re:Speed issues aside

[quantum+bit]

Besides, a properly written Java app WILL have a try/catch block at some basic level to do a last ditch effort to intercept (and deal with) a normally fatal exception.

Ah, thanks for making my point for me. I can't count the number of times I've seen a Java app crash with a NullPointerException. I'm not talking about Billy's discount water-effects Applet, I mean the big stuff -- ERP systems and other critical things that are supposed to be written very carefully.

Not handling or badly handling exceptions in Java is caused by the same thing that causes buffer overflows in C: laziness. They crash because the programmer didn't think it was possible for something to go wrong there. Garbage in-garbage out applies no matter what language you use.

Take Java. Imagine an application that is set up to handle exceptions at the highest level, but the underpaid contractor who handled the authentication code didn't bother to do any of their own. So an exception gets thrown when verifying the user's password and gets caught by the upper level handler. That handler tries its best to recover from the fault, and ends up happily bypassing the authencation.

Ok, so that example is a bit contrived, but my point is that no language will save you from bad programming and the logic errors that result. What is needed is a mindset that anything can go wrong at any time and you need to be prepared for that.

The right tool for the task applies here too. I agree that for a GUI frontend, something like C++ or wxPython is probably a good idea. But for an OS or a database server or other things that can't afford the bloat, well-commented low-level code that is written defensively can be just as safe.

direct SQL

[brlewis]

If you validate and/or escape your inputs, there's no security issue with having SQL right there in your web front end. The problem is that most languages people use for web front ends do not make it convenient to do this. See my map demo for a one-page SQL app with a view source link. The same idea that makes it secure can make a large app secure.

One Word

[Lemmeoutada+Collecti]

Unsinkable.

Re:Articles like this don't make me want to use C/

I think you are misunderstood. No one is going to do a basic GUI app with database backend using C. Thats just plain stupid nowadays. I'm not partial to Microsoft and I'm sure there is RAD tools for Linux and Mac, but for example, using VB and an small database you could virtually create a computer store management tool in 2 hours from start to finish if your decent with VB.

But that doesn't negate the value of C and C++ for other tasks. Use what is best for the job. I love C for my network programming projects where I can manipulate data at a lower level and more "nitty gritty" which is fun. But I'm also loving the idea I can quickly drag, drop, code a few lines and BAM I have a nice little GUI app done with VB.

Re:Articles like this don't make me want to use C/

[plcurechax]

Seriously, let's say I write an application to manage a little local computer store, why should I use C and potentially ship a lot of memory-related bugs with my app when I can use something like Lisp or Python or O'Caml which all are stable, complete and powerful languages in which that task would be easy and would result in a better application?

So you don't want to have memory allocation and pointer issues. Fine. That does not make your programs secure which is the end goal of secure programming in ____.

You still have issues of data/input validation, principle of least priviledges, secure (confidential and/or authenticated and robust) communications, sanitizing the enviornment, dropping unnecessary priviledges (and designing the program so it can drop priviledges early on before user/network client interaction), race conditions, error handling, and many many other tedious yet important issues.

Re:Articles like this don't make me want to use C/

If your a lousy programmer why program? Maybe instead of looking for languages that can tolerate your inept skills you should seek a new career?

safe =/= interpreted

[Tom7]

"safe" and "compiled" aren't mutually exclusive. For instance, O'Caml and SML are both compiled languages that have safety (impossible to have buffer overflows, integer overflows, double-free, printf-bugs, and most other common security problems). They are very fast, so don't deserve the "interpreted" stigma. Java can even be compiled and run safely outside a VM.

Otherwise, I agree with you. Languages can't possibly fix every security hole. But if you look at the majority of holes that affect us daily (like the MySQL overflow on the front page of slashdot, or the numerous recent RPC holes in Windows), those would be gone, period.

Yet languages make a big difference

[Tom7]

> and those that think they're safe merely by using a particular programming language are in for a nasty surprise.

That's true, of course, but nonetheless languages make a huge difference.

In applications, buffer overflows, along with (recently) integer overflows, double-free bugs, and printf formatting bugs, are the most common source of exploitable holes by far. (Case in point: the MySQL buffer overflow currently on slashdot's main page, the several recent RPC vulnerabilities in XP, the recent OpenBSD hole, etc.)

All of these errors would be impossible to make in a safe language.

Yes, we still need security-conscious developers, and there are still many things to worry about. But if we can get rid of the vast majority of problems, automatically (and as a side benefit get to program in a modern high-level language, which makes many other things easier), why not switch? Just because it's not a complete solution?

Re:Yet languages make a big difference

[Nevyn]

In applications, buffer overflows, along with (recently) integer overflows, double-free bugs, and printf formatting bugs, are the most common source of exploitable holes by far. (Case in point: the MySQL buffer overflow currently on slashdot's main page, the several recent RPC vulnerabilities in XP, the recent OpenBSD hole, etc.) All of these errors would be impossible to make in a safe language.

Of all the Remote Security Vulnerabilities that Red Hat has released over the last year over 50% are are impossible to make with dynamic string APIs in C. The rest are almost all cross site scripting, various DOS attacks and temporary file vulnerabilities which affect python/perl/etc. programs just as much.

Really, you don't need to buy a new car because the one you have has a tape deck and not a CD p0layer. Language doesn't matter in this way.

Re:Yet languages make a big difference

[Tom7]

By over 50%, you mean, 43%? Also, this figure assumes that the string library will be used correctly, which,

> The rest are almost all cross site scripting, various DOS attacks and temporary file vulnerabilities which affect
> python/perl/etc. programs just as much.

I don't agree, but here there's no figure for "almost all" to contend with. Anyway, I am not suggesting python or perl for writing applications, because those have their own language-based security issues, too. To be concrete, I will suggest SML or O'Caml, but there are other appropriate choices as well.

Perhaps using a new API will give some security benefit if you use it correctly. But it's still C, with all its temptations. (No doubt you can convert to char * and back when the library didn't forsee what you're doing.) If you're doing a lot of string manipulation, you might as well use a language with strings built in (vstr looks pretty painful), and if you care about security, you might as well get total protection along with protection against integer overflow and double-frees for free (by using a safe language) as well!

Re:Yet languages make a big difference

[Tom7]

By over 50%, you mean, 43%? Also, this figure assumes that the string library will be used correctly, which,

I meant to say: ... which I think is a big assumption, especially given the size of the API.

Re:Yet languages make a big difference

[Nevyn]

By over 50%, you mean, 43%? Also, this figure assumes that the string library will be used correctly, which,

Well it obviously changes with each security errata released. For instance it'll go up a little today due to the second ssh problem that could have been avoided by use of a real string library.

But yes it's was at 43%, for any half ok string library, when you looked. So possible around 50% would have been better wording. However if you classify the problems with a severity level (not finished, but something I'm going to do for that page). You see that almost all the ones that allow the attacker to control your machine go away (the other being DOS attacks, or things like the w3m XSS problem ... which I could happily ignore for weeks.

Perhaps using a new API will give some security benefit if you use it correctly.

The security benifit isn't just that some attacks don't do anything, it's that other attacks (like integer overflows -- if they happen) go from overflowing the heap/stack so the attacker can control your application to being plain DOS attacks. The former is something I/everyone have to maddly rush around applying patches/work arounds for (like I'm currently madly turning ssh off on a bunch of boxes until RH release an errata), the later is something that I can wait for. Big difference.

typing "security" in MicroSoft Word

[peter303]

returns
"Dictionary_exception_error: word not found" :-)

Re:Speed issues aside

[Moraelin]

I would like to say that maybe focusing on buffer overflows and exceptions is missing half the security problems in the first place. I've seen problems (written by consultants from a BIG company, I might add) along the lines of:

- assuming that "surely if we only created links to the valid data, all parameters on the destination page will only be valid ones. No need to check anything again."

The result? If the user was willing to edit the URL, they could edit the administrator's password instead of theirs. Effectively _anyone_ could take over the site without exploiting any buffer overflows or null pointers, just a little URL editing.

- Assuming that "if we said 'description' in the input field's label, surely noone will try to input something else."

The result? Effectively anyone was able to input JavaScript or VB Script code, which would execute in an admin's browser, when said admin reviewed the user's application.

- Failing to even think about non-repudiation and accountability.

E.g., when a user cancelled their account, all data about that user was instantly wiped out. It was like that user had never existed, and most traces of their activity were lost for ever.

And so on, and so forth.

Basically I won't argue against your argument that "Java is _more_ secure than C++". That is true. Some problems you can avoid easier in Java.

But I would strongly advise anyone against extrapolating that to mean "we use Java, therefore we are automatically 100% secure." That's not true. The number of problem that Java protects you against, is barely the tip of the proverbial iceberg.

And even the parts where Java does protect you, retarded enough coding can turn those mechanisms into liabilities, instead of advantages. Retarded enough handling of RuntimeExceptions can bypass important code paths, and leave the system and/or its stored data in an inconsistent state. Sometimes an exploitable state, even.

Regardless of whether you program in Java or C or Assembly, you _still_ must carefully consider your options, assess threats, do code audits, and so on. Anyone who fails to do so, will have some very nasty surprises down the line.

securecoding.org

Mark G. Graff and Kenneth R. Van Wyk have tackled this subject in a great book Secure Coding. Rather than just a cookbook, it deals more with the steps developing and maintaing the actual code.

Agreed: C is no holy grail of speed

[Tom7]

Amen. Most people's experience with modern languages ends with Java running on a VM, and yes, that is pretty slow. But not all safe languages run in a VM, and not all have as much overhead as Java. For instance, I often find ML to be as fast as or faster than C, and the code is much nicer.

C is nothing special when it comes to speed, and as processors become less and less like the machine model that C was designed against, it will continue to lose its hold. ML programmers will simply change the implementation of 'map' to do pipelining, parallelization, while C programmers will have to learn the magic way to write their 'for' loops so that the compiler can recognize that they are writing 'map'.

Though certain software really needs every last cycle squeezed out of it (Doom III?) manually, nobody wants to or needs to do that for an entire application. The vast majority of software should be written in a nice language where the compiler can do the tedious work for you, and leave the hard parts to you!

Microsoft'

[bl8n8r]

A great article on threat modeling by Microsoft's software security guru.

micro kernel via the type system could be possible

Are you somehow recommending a kernel be written in something else than C???

This could perhaps be neccessary. Current micro kernel architectures isolate their parts using different adress spaces. The implementation is similar to unix processes and so quite easy, but commnuication is very expensive.

Java/.NET/etc. isolate "processes" (e.g. applets) via the type system. This idea could be brought to kernel space. When Java loads a class file, first the bytecode is checked. After that, the JIT-Compiler generates the corresponding machine code. This code is run directly by the processor. Although a Java programm is translated into machine code, it cannot break out of the VM, because it is checked by the verifyer in the first place.

There already exists a kind of verifyer for the Linux kernel, it's called kernel mode linux. Baesd on this technology a micro kernel like architecture would be possible, where all the servers are runnig in the same adress space and so can communicate very cheap (sending a message is just a procedure call in the same adress space). Security will be enforced completely by a sound type system. And this is the point, where a object oriented language would be neccessary.

The main problem for performance would be the code checker. But using the TPM chip, it could be possible to check the code once during installation, compile it to machine code and then digitally seal it. So open source and TCPA could finally profit from each other.

Re:Microsoft's security guru?

[bl8n8r]

if mozilla would have let me finish....

"A great article on threat modeling by Microsoft's
software security guru."

Wouldn't this imply that Microsoft actively
practices security? ...practicing, and
implementing are two differnt things however.

if (STL) { should_use_interpreted_language(); }

[tjstork]

If you do need string and all that fun STL stuff, and don't want to worry about memory allocation, I think you need to use a language that is designed to do memory allocation for you, like Perl, Java, C#, Python, VB, etc...

I always thought the whole point of C++ was that you got to impose a somewhat object oriented look at a total control of memory and hardware, not to be an end all be all object oriented system. That is, C++ is the way it is because it is a systems and hardware language first, and an application language second. If you don't want to worry about memory, or worry about hardware, then you should not be using C++. C++ is if you are worried about hardware. Simply using STL and saying it will be fast because it is C++ ought to be the quintessential test for programming incompetence.

STL doesn't really offer any advantages, particularly for server side or performance programming. It's based on new, which is globally specific, not, context specific. That f--- the whole language up right there, because without some new context you don't have an elegant way to do thread specific allocators, etc, and out goes your speed right out the window because you have all these blocking heaps. To get these blocking heaps, you make your design even harder to debug. All of these thread intermingled allocations make it difficult to track down real leaks and bugs.

For me, in Commodity Server, I used a much different tack. I gave each thread a set of virtual memory backed structures. For the most part a vm vector works but I do use skip lists quite a bit, each with their own allocation context which is typically a thread.

For the most part, I don't really even --need--- a good old "string" that much. So, while STL makes it easier to have a set of bugs to do something, I think, it's better still to have a design where the bugs could not be introduced at all.

STL's sole reasons for existence is to solve people problems, not technological ones. If two developers are in a fight over whose collection template to use, STL is the dummy default.

PS: std::cout / std::cin are a silly workaround for real problem of fprintf (argument lists in C++ do not have a length!).

SafeStr library

[octogen]

Funny, I had pretty much the same idea... I use my own C library (which is called "secureStrings") for my programs for some time now (about one year), because it has always been my opinion, that things like strcpy() and strcat should become forbidden ;-). SecureStrings works on Unix, VMS and OS/400; i didn't try, but it probably also works on NT...

C or C++ is probably great, for writing very special code, such as kernel modules to support new hardware, or scientific software and such.
However, I think there should be a more secure programming language than C for commercial and for networking software.

Implementing things like a webserver, a data warehouse, accounting software, etc. in C/C++ can be extremly dangerous, and experience shows, that most programmers just can't do it the right way with C/C++.

On Mainframes and AS/400s most commercial applications are written in COBOL, and this is probably one of many reasons, why these systems usually don't get hacked.

However, COBOL is somehow unhandy (unconventional syntax)

On Unix you can hardly get something else than a C/C++- or a Java-compiler; there should be an Ada- or a Pascal-Compiler available for every Unix derivate.

Scripting languages have problems, too ...

[Tom7]

Yeah, just imagine if those applications were written in C with printf, malloc, and strcpy!!! Though scripting languages do lower the "barrier to entry," meaning that a lot more novice programmers can start writing code, I think we'd be a lot worse off if we had those same folks writing CGI apps in C.

Anyway, I do read bugtraq, and I find that most of these bugs actually are language-based. SQL injection attacks come because the API for issuing queries works on strings, instead of query data structures. If your where clause was

And(Equaln("ID", n), Equal("Password", p)) .. instead of ..

"id=" + n.toString() + " and password=" + p .. that would pretty much get rid of SQL injection problems, and make code easier to write and read, too.

Most scripting langauges, like perl, have similar problems in their system shell commands, since these usually use strings as the API intermediate rather than data structures. (Ie, perl lets you open a process by using "|" as the first character of the filename.) If the shell command had you pass a list of unescaped arguments, rather than forcing you to do the escaping yourself, this wouldn't be a problem.

PHP has some number of design bugs, like the ability to include headers from the internet (???) and treating undeclared variables as input from the query string. These often lead to bugs.

There are lots of other bugs to be made (XSS is not that serious unless you are using cookies for secure data, which you shouldn't), some of which are in the language and some of which aren't. Also, it is difficult to forsee what these stumbling blocks will be when designing a language. (Though I think I've outlined one general principle above: use common data structures in APIs, not unparsing and parsing of strings.) But, language is still an important issue in addressing the source of all sorts of bugs, be it C or PHP.

Re:Scripting languages have problems, too ...

[dmelomed]

There are nice string libraries to avoid buffer overruns in C, it's just people decide to stay wit standard C library due to lack of awareness.

Re:Scripting languages have problems, too ...

[Tom7]

Sure. And there are languages that avoid buffer overruns (and double-frees, something which C can't really protect against without doing garbage collection, and format string bugs, and integer overflows), too, and people stick with C due to lack of awareness.

Re:Scripting languages have problems, too ...

[Nevyn]

Sure. And there are languages that avoid buffer overruns (and double-frees, something which C can't really protect against without doing garbage collection, and format string bugs, and integer overflows), too, and people stick with C due to lack of awareness.

Getting people to use a string library is much easier than getting the to rewrite all their code in a new language, or even create new code in a language they haven't used much before.

And to reiterate there has been a single double free security errata for Red Hat this year. There is also one free while in use security errata (but that was in a printf() function that apache has no business implementing IMO, so the fact it's broken in more than just std. conformance doesn't supprise me).

IIRC there was a single double free from last year too, in zlib, however I don't have stats for that yet.

Re:Scripting languages have problems, too ...

[Tom7]

> Getting people to use a string library is much easier than getting the to rewrite all their code in a new language, or
> even create new code in a language they haven't used much before.

Is it? At least in a language with string primitives, I can just say (SML):

let
val s1 = "Hello" ^ " " ^ "World\n"
in
print s1
end

Whereas with the vstr library I write (no kidding, this is from their tutorial):

Vstr_base *s1 = NULL;

if (!vstr_init())
exit (EXIT_FAILURE);

s1 = vstr_make_base(NULL);
if (!s1)
exit (EXIT_FAILURE);

/* BEG: hello world ex2 */
vstr_add_cstr_ptr(s1, s1->len, "Hello");
vstr_add_cstr_ptr(s1, s1->len, " ");
vstr_add_cstr_ptr(s1, s1->len, "World\n");
/* END: hello world ex2 */

/* check for failure of any of the above additions */
if (s1->conf->malloc_bad)
exit (EXIT_FAILURE);

while (s1->len) /* assumes POSIX */
if (!vstr_sc_write_fd(s1, 1, s1->len, 1, NULL))
{
if ((errno != EAGAIN) && (errno != EINTR))
exit (EXIT_FAILURE);
}

vstr_free_base(s1);

vstr_exit();

I mean, yikes. Security is not the only reason to use a high-level language; ease in expressing your ideas is another. It allows you to spend time thinking about the difficult questions in security instead of repeating tedious details.

Re:Scripting languages have problems, too ...

[Nevyn]

I mean, yikes. Security is not the only reason to use a high-level language; ease in expressing your ideas is another. It allows you to spend time thinking about the difficult questions in security instead of repeating tedious details.

Sure, that's true. But most programs are bigger than "hello world". And as the tutorial says, the actual meat of the Vstr version (Ie. the bit you'd have to actually write most of the time) is...

/* BEG: hello world ex2 */ vstr_add_cstr_ptr(s1, s1->len, "Hello"); vstr_add_cstr_ptr(s1, s1->len, " "); vstr_add_cstr_ptr(s1, s1->len, "World\n"); /* END: hello world ex2 */

Which is still longer than doing perl -e '$a = "hello" . " " . "world\n";', but the vstr code also does something very different internally which can reduce memory overhead and CPU cycles in many cases. There are also other APIs which are much closer to the implementation of perl strings. And it is also much easier to put into a C program (where you've chosen the language based on other reasons than just how to handle a string concatenation at one point).

I'm not saying that using other languages are bad, just that this mantra of saying you get buffer overflows from using strcpy() in C so everyone should use another language is misguided. It just means that everyone ignores everyone else.

Re:Scripting languages have problems, too ...

[Tom7]

where you've chosen the language based on other reasons than just how to handle a string concatenation at one point

Well, I can't reasonably argue that everyone should drop his current project and rewrite the whole thing in ML! But there is not such an incredible barrier to entry that a new project, especially one designed with security in mind, couldn't pick tools that have certain kinds of security built in. Picking a library for C is a good step, but using a safe language will take you farther and also make it less of a chore!

Re:Scripting languages have problems, too ...

[dmelomed]

> Picking a library for C is a good step, but using a safe language will take you farther and also make it less of a chore!

Depends on a task at hand.

Re:And the second rule of secure programming club

[Tom7]

> "I assume that a sufficiently skilled [cracker] will be able to do anything not explicitly forbidden by the hardware."

Yes, hardware has a much better track record at being correct than software. I blame Stroustrup in part!

> So, the second rule is, recognize that most "levels of protection" and "access controls" in programming languages

If you mean "private" vs. "public," that's not what we're talking about. We're talking about your language having properties like safety, which means that the only person who gets to write code is the developer (not the remote user uploading shellcode!).

what a crock

[Jerf]

If there is anything we've learned over the past 50 years, it's that programmers aren't Gods, and can not predict all the uses their programs will be put to.

Programming with dynamic structures in C may be challenging, but the alternative is to create a program that is much, much, much, much less useful. Who going to use a "grep" that limits at 1024 chars per line nowadays? Who's going to use a "sort" that allocates 64KB per line, making even relatively small files overload the system memory and flop out to swap?

This sort of suggestion sounds all wonderful and stuff until you remember (or learn, if you never did before) that in the general case, static buffers means either extreme memory wastage or overflowing the buffers anyhow, and possibly both. Plus static buffers gets you nothing in C, because static or dynamic you still need to check whether you're overflowing it!

Folks, I'm pretty sure this was a Troll, not an Insightful post, and quite a lot of you got taken. You think this is such a wonderful programming style, why don't you try using it for a real program. You'll see why it's useless in short order. If you're lucky you'll still have a job after that little experiment.

(And finally, dynamic programming doesn't have to be hard. I write in Perl and Python and the last time I worried about a buffer's size explicitly was when we were concerned about how much disk it would take to serialize a data structure and keep it around. Use a real language and this concern goes away. Study up on optimization techniques and you'll see that you don't necessarily even have to pay a huge processor penalty, those are just artefacts of relatively naive implementations. (Note "naive" here does not imply "bad", it's just a descriptive adverb.))

Re:what a crock

> Note "naive" here does not imply "bad", it's just a descriptive adverb.

Grammar Nazi says: *bzzzzzzzzzzzzzzzt* Try again.

Re:what a crock

[Jerf]

Grammar Nazi is a moron (definition #1, of all things...).

(Note this is a reply to an Anonymous Coward which is probably being filtered out for you; in this case, justly so.)

Re:micro kernel via the type system could be possi

[pVoid]

Security will be enforced completely by a sound type system

That's not really security then is it? It's kind of like the oxymoron that was "cooperative multitasking".

assert (AutomaticMemoryAllocation Interpreted)

[Haeleth]

...although the converse is admittedly true AFAIK.

Re:Speed issues aside

[mr_mischief]

You're worried about runtime size and you're recommending Smalltalk? Furrfu! What about OCaml or Eiffel? Heck, even Perl has a smaller memory footprint in some instances than Smalltalk -- and you can do OO in Perl, although it doesn't force you to.

Lisp and Python are compilers AND interpreters

[axxackall]

I am reminding from time to time also:

Lisp and Python has both byte-compilation and interactive-loop interpretation. If you haven't tried yet the interpretation mode in Lisp that doesn't mean it doesn't exist in Lisp. It's even described in most of Lisp books I've seen. It's very convinient when you need a sort of interractive debug mode.

I agree that Python byte-compiled code is still not as fast as C. However, in most of application (if they are not mission critical kernel drivers or DB engines) you don't really need to squeeze that performance. But I would not say that Python bytecode is always THAT slower than Lisp bytecode.

Re:Lisp and Python are compilers AND interpreters

[andreas]

Well, don't confuse "interpreted" and "interactive" here. The two are related, but different concepts.

You can have compiled, interactive implementations (some Common Lisp implementations), and you can have interpreted, non-interactive implementations (your typical Java VM). Some implementations even mix-and-match, giving you both a compiler and an interpreter at runtime, and interaction with both.

And Python performance was a serious show-stopper for the MojoNation project, so it does matter in the end.

Re:Lisp and Python are compilers AND interpreters

[axxackall]

You can have compiled, interactive implementations (some Common Lisp implementations), and you can have interpreted, non-interactive implementations (your typical Java VM).

Interesting. Any links or your own words explaining it in deeper details? Thank you in advance.

Re:Lisp and Python are compilers AND interpreters

[andreas]

Uh, throw the words into google, there's lots of information out there. "Interactive" basically means that you can type language expressions into a running executable, and they get executed in that context. "Non-interactive" is your familiar edit-compile-run-crash development cycle.

"Compiled" means that the program components are translated into machine instructions, whereas "interpreted" means there is an intermediate representation, usually byte code, and a driver loop that interprets those byte codes.

Compilation is a performance feature, and interaction is a development convenience feature.

Re:Articles like this don't make me want to use C/

[GnuVince]

Because I like to solve programming problems, I like to program. Trying to figure out why my program has a memory leak is not fun. Doing stuff is. If your definition of a programmer is someone who writes C code and loaths other programming languages because you can't shoot yourself and the whole world in the foot with it, well stay an anonymous coward and go back to writing crappy software loaded with bugs

SafeStr is a totally broken API.

[Ninja+Programmer]

SafeStr is one of the technologies these guys have pointed out on their front page. Its just a string library with a number of interesting safety features. However, the fundamental architecture is completely broken:

1. Since the library automatically resizes its strings including the base pointer, that means if you have multiple refs of a string, then manipulations of one of them may leave others in an undefined state. For example:

safestr_t t;
/* ... */
s.name = t;
safestr_append (t, SAFESTR_TEMP ("tail."));
/* Now, while t is well defined, s.name
may or may not be well defined. */

2. The use of SAFESTR_TEMP() (a string that automatically disappears after being passed to any safestr function) is clever but necessarily prevents any of the SafeStr functions from accepting const parameters. This has an additional problem that if you write a function which accepts a safestr_t, then if you pass it to
one safestr function its reference might become undefined (you can't know.) For example:

int c3 (safestr_t s, safestr_t t, safestr_t u) {
safestr_append (s, t); /* s might now be undefined */
safestr_append (s, u);
return strlen (s);
}

********

If you want to use an actually usefully architected string library try mine here:

http://bstring.sf.net/

In a direct comparison with safeStr, it should be pointed out that bstrlib doesn't have any concept of a "tainted" string. However, it does support read-only strings. bstrlib does not have any of the basic architectural weaknesses described above. It also has numerous other important features which are summarized here:

http://bstring.sf.net/features.html

Re:SafeStr is a totally broken API.

[Matt+Messier]

To say that SafeStr is a totally broken API is severely overstating the flaws you describe. No string implementation for C/C++ can be perfect, as I'm sure you well realize, having written one yourself. Any possible implementation is going to involve trade-offs. It's unavoidable.

You are correct in saying that any string that is modified with references may cause the other references to be left in an undefined state. Unfortunately, this is a problem with any sort of reference counting in C unless you abstract away the pointer and replace it with a handle (a la Win32) or something similar. If you're holding references to an object (whether it's a SafeStr string or something else entirely), do not modify the object. SafeStr does not prevent against doing this, but making the changes to cause SafeStr to throw an exception are minor, and we may very well do so in the next release.

You are also correct with your second point; however, this is a limitation that is clearly documented. The solution is simple: temporarily bump the reference count, perform your operations, and decrement the reference count. You can use XXL to facilitate this process by saving the string as an asset inside of an asset block.

Both of these problems are minor, obvious issues that aren't a big deal in practice. As I said, there are going to be trade-offs, no matter what, and we believe that SafeStr offers people a good set of them. SafeStr is *a* solution, but it is not intended to be *the* solution. Its trade-offs may not be acceptable to everyone, whereas those offered by bstring or other string implementations may be instead.

Re:SafeStr is a totally broken API.

[Ninja+Programmer]

No string implementation for C/C++ can be perfect, as I'm sure you well realize, having written one yourself.

Well, it would be a stretch for me to call bstrlib perfect, however it does significantly raise the bar in terms of safety, speed and usefulness. It solves all the major problems of string manipulations in the C library without introducing any new ones. I would argue that SafeStr does not accomplish this same thing.

If you're holding references to an object (whether it's a SafeStr string or something else entirely), do not modify the object.

Why not? You see, you are making the same mistake that the designers of the original C library are making. You are creating a sematic restriction that is not reflected as a syntactical restriction. This is exactly what buffer overflows are all about -- careless programmers write code that is syntactically ok, and works according to some mediocre testing and some defective model they have in their head about how their program is supposed to behave. Programmers will always make this mistake. The job of someone who is trying to make a "safe" library is to reduce or eliminate the amount of damage that can happen as a result of incorrect programming by reducing or eliminating the number of ways that the programmer can go wrong. Your implicit restriction here, which can only be supported by diligent programming and reading the manual, is precisely where the problem is.

You are correct in saying that any string that is modified with references may cause the other references to be left in an undefined state. Unfortunately, this is a problem with any sort of reference counting in C unless you abstract away the pointer and replace it with a handle (a la Win32) or something similar.

Right ... so why didn't you abstract away the pointer with a handle like everyone else does? The justification you give in your documentation kind of rings hollow if you compare it to the way bstrlib does it. Interoperability with char * buffer libraries is important (and well supported with bstrlib semantics) but enforcing that your base type actually be essentially a char * is not a necessary consequence.

You are also correct with your second point; however, this is a limitation that is clearly documented.

Well ... all of the C libraries weakness are also well documented. That doesn't seem to prevent programmers from ignoring the documentation and doing the wrong thing anyway.

Both of these problems are minor, obvious issues that aren't a big deal in practice.

Sorry, but I'm going to have to highly disagree here. In *PRACTICE* I like using the "const" decorator on function parameters -- something you can't effectively do with SafeStr. The idea of obtaining a reference to something asynchronously with it contents is also a useful programming concept that's been with us for decades.

SafeStr is *a* solution, but it is not intended to be *the* solution. Its trade-offs may not be acceptable to everyone, whereas those offered by bstring or other string implementations may be instead.

If there are "trade-offs" in bstrlib, I am unaware of them.

Re:Warding off the inevitable "switch to Java" com

[dmelomed]

Half-truths. Both C and C++ can support strings without buffer overflows through nice string libraries. It's just people don't use them as often as they should. Standard C library is a piece of crap as far as strings and type safety are concerned, not the whole language.

Run-time subscript checking

[Animats]

That's a very useful approach. But the way it is implemented requires too much run time work. Lookup of memory areas is done at run time, requiring a tree structure.

With more compile-time analysis, pointers can be automatically assigned attributes, like

• No pointer arithmetic ever.
• Always points to the heap.
• Always points to the stack.
• Always points to a static variable.
• Never null.

With information like that, more optimizations are possible.

Another key optimization is that the compiler needs to know that it's OK to detect a subscript error early. If a loop will overflow an array on the last iteration, but that overflow is inevitable at loop entrance, that error should be reported before the loop starts. To do this, the compiler needs to be able to hoist checks out of loops, even though that may change when the program aborts. This is key to getting the checks out of of inner loops.

With more work in this area, it would be quite possible to reach the point where trusted C and C++ software was running with full checking but only 20% or so additional overhead. It was done for Pascal in the 1980s, after all.

Re:Speed issues aside

[leandrod]

> You're worried about runtime size and you're recommending Smalltalk?

There are slim Smalltalk implementations, but the real issue is that Smalltalk is conceptually clean. You could take Oberon or whatever; just don't take an ugly hack of a language.

> you can do OO in Perl, although it doesn't force you to.

OO in a procedural language is an ugly hack... that's why Smalltalk or functional languages are so much better.

Re:And the second rule of secure programming club

[devphil]

I see very little difference, to be honest.

Re:And the second rule of secure programming club

[devphil]

If you mean "private" vs. "public," that's not what we're talking about. We're talking about your language having properties like safety, which means that the only person who gets to write code is the developer (not the remote user uploading shellcode!).

I don't mean just private-vs-public (although some misguided folk wish those were security related). Attempts like "safety properties" strike me as just giving a warm fuzzy feeling without doing much beyond security-through-obscurity. How does a piece of software know I'm a developer rather than an intruder? If I poke bits into the proper places in memory, software will believe anything I tell it to believe.

I'm not advocating avoiding such research, but I have yet to see anything that isn't just being touted as "this silver bullet will make your problems all go away".

Re:Interepreted languages help, but aren't a cure-

[Nevyn]

Buffer overflows are arguably the most common vulnerabilities that occur in the wild, which in turn indicates that most of the network services attacked are being written in C.

No, it's not arguable, here's some stats. However it doesn't require a new language to solve this problem.

We need more developers to be putting on their black-hats, and looking at their code and wondering "what if I tried this? Could I break this code?".

This is very true, if only Universityies offered something like "CS 104 - Thinking like an adversary", which is a bit different from how programmers normally think about their code. Ahh. well, someday.

Insightful, not a troll

[tjstork]

grep / sort bad examples
if (little file) memory_map_it.

That's one allocation. And you would do an allocation per line? Boy that's silly. In this scheme, there is no overflow.

If the file is too big or over a threshold, probably should require some extra priviledges to sort.

swap file argument red herring
Most applications have no control over when the O/S swaps out a physical page. I will tell you that if you are doing stuff with the VM, you are going to know exactly at least the locality of things getting swapped out.

dynamic optimization
I love this. The argument is that dynamic allocation does not pay a huge processor penalty. By definition each allocation is a search. If you have a perfectly sorted heat, then your time is O( log n ). That is, you program's performance decays with the amount of data. If, on the other hand, I do a clever thing and get an O( 1 ) serach, then, as I would if my next free block were a simple pointer addition, then, I pay little CPU tax at all.

Now granted, I program in Perl myself, and C#. And, again, I made the point that if you program in a language that supports dynamic programming, then, go for it. But, the discussion was about C++ and my point is that if you are going to program in C++, then go for fixed size records.

PS. If you program in Perl and are just doing while , then, you've opened yourself to a DOS attack. Duh.

Re:Insightful, not a troll

[Jerf]

Dear God, you were serious. I hope I never have to use any of your programs! I remember the days of fixed memory records limitations being exposed to the actual users. I do not miss them in the slightest.

That's one allocation. And you would do an allocation per line? Boy that's silly. In this scheme, there is no overflow.

Uh, mmap is great, but it means you're dealing directly with dynamic record sizes, since you can make no guarentees about how long the records are in the file. In fact mmap is exactly the right answer and exactly what you should do, but in a static allocation world, you can't.

If the file is too big or over a threshold, probably should require some extra priviledges to sort.

"I'm too stupid as a programmer to handle dynamic records, so I'm going to ask the user to jump through hoops to do things with large files." Yes, shift the burden to the user, THAT will make them love you. Damn it, the users are here to service the programmers, not the other way around!

swap file argument red herring
Most applications have no control over when the O/S swaps out a physical page. I will tell you that if you are doing stuff with the VM, you are going to know exactly at least the locality of things getting swapped out.

Sorry, but this comment makes it quite clear you didn't understand what I was saying. At all.

You seemed to have switched from "fixed record sizes are easier and therefore safer", as in

The whole reason that security issues have proliferated is our stubborn insistence on allowing for variable input. If all input and systems had hard wired capacities, then, there could be no denial of service attacks as program behavior would be bounded.

(which incidentally, as I said, is still wrong since you still have to check if you're overflowing the buffer, be it static or dynamic!)

to, rather suddenly, "dynamic allocation is expensive" as in

If, on the other hand, I do a clever thing and get an O( 1 ) serach, then, as I would if my next free block were a simple pointer addition, then, I pay little CPU tax at all.

where your first message has nothing about CPU costs at all.

But on that topic... you're still wrong. If you're wastefully allocating space in your static buffers for real processing tasks like "string processing" your program will get hosed because it will go to swap long before a program that only allocates the necessary space will. Your (proposed) style of programming is only appropriate on processors so small we stick them in digital watches and for things that never have variable input, like sensors. You couldn't even write a web server with your philosophy, at least not one that would be thorougly trounced in any real performance test.

Eh, why do I bother; you're clearly pretty clueless about computers anyhow, as your persistent and rather odd belief that you don't have to check static buffers when dealing with variable input (and the variable input isn't going away, buddy) shows. That DOS crack on the last line was oddly pointless too; yeah, I suppose your "I just shut the program off if the input is too large" or "the user should use a DIFFERENT program to work with the input that's too large" does avoid DOS attacks; programs that don't do anything useful worth mentioning can't be DOSed, but who cares?

"What, a megabyte-plus-one of data? Fuck you, user, that's too large. I'm crashing now!"or "What, a megabyte-plus-one of data? Fuck you, user, you should know to use PROCESS_MEGABYTE_THROUGH_TWO_MEGABYTES, not PROCESS_UP_TO_MEGABYTE. Duh!"

Re:And the second rule of secure programming club

[Tom7]

Attempts like "safety properties" strike me as just giving a warm fuzzy feeling without doing much beyond security-through-obscurity.

Like well-designed hardware, a language can provide you with an abstraction that you can depend on. In particular, safe languages can do things like guarantee the sanctity of an abstract type, or assure you that your program has no "undefined behavior" (i.e., a security hole). These are impossible in C, and are often what underlies security holes, and indeed, many bugs in general. It's not security through obscurity; it's security through security.

but I have yet to see anything that isn't just being touted as "this silver bullet will make your problems all go away".

Well, you've called on two catch phrases, but you haven't explained how they apply to languages. In what sense don't languages like SML (or, hell-- Java, Dylan, ADA, Lisp, or any of the other safe languages proposed by slashdot posters) solve all of your buffer overflow problems? (And double-free, integer overflow, etc. problems) Have you even used such languages?

Re:And the second rule of secure programming club

[devphil]

or assure you that your program has no "undefined behavior" (i.e., a security hole). These are impossible in C,

Because they're impossible in general. See "halting problem, the".

In what sense don't languages like SML (or, hell-- Java, Dylan, ADA, Lisp, or any of the other safe languages proposed by slashdot posters) solve all of your buffer overflow problems?

In the sense that the VM is just another piece of software, capable of being attacked and exploited. Like I said previously, these languages are great in and of themselves, and certainly help solve common programming errors, but they're still not the end-all-be-all solution.

Re:And the second rule of secure programming club

[Tom7]

• or assure you that your program has no "undefined behavior" (i.e., a security hole). These are impossible in C,

Because they're impossible in general. See "halting problem, the".

Uh, what? Yes, most properties of programs are undecidable. Nonetheless it's simple to have a language that guarantees various properties, it just can't be exact. ML and other languages with static safety properties work by excluding all of the programs that are unsafe -- and then some others. The others are typically programs you don't want to write (because their correctness depends on some unclear criteria). At the expense of excluding some strange programs, you get a decidable property that IMPLIES the relevant safety properties.

Anyway, properties like not writing outside the bounds of an array are checked dynamically in almost every safe language. Those properties are guaranteed exactly, because they are semidecidable. You don't need decidability if you catch them at run-time. (On the other hand, you don't know if your program has such a bug until it's triggered.)

In the sense that the VM is just another piece of software, capable of being attacked and exploited.

Half of those languages don't even run in a VM. They are compiled like C, thus subject to the same set of "system" security holes (hardware bugs, kernel bugs, compiler bugs, and system library bugs).

You're jumping to (incorrect) conclusions a lot. I recommend you open your mind and try some new languages!

Re:And the second rule of secure programming club

[devphil]

I think we were using different definitions of undefined behavior. I don't necessarily disagree with you, but it seems you're talking about a different problem domain than I am. And that's okay.

As far as conclusion jumping, closed minds, and needing to try those languages, sorry, you're flat wrong. :-) I've already tried those languages, and just wasn't impressed. They're useful, but I think we get more security by focusing our attentions elsewhere.

Re:Speed issues aside, Jovail used by ATC

Also, I think Jovial is used by the current Air Traffic Control system, so it's not only the Air Force that's using it.

Re:And the second rule of secure programming club

[Bodrius]

What I was hoping to suggest is that languages that define their own hardware (through VMs, or potentially through a hardware implementation of that VM) have more of a chance to enforce a concept of "security" not easily broken by the developer's code running inside the VM.

That is, security could be actually enforced, rather than being just a conceptual help.

I'm not saying VM-based languages enforce "real security", whatever that means in each context.

But that would blur the conceptual barrier suggested in the quote, that any such security requires dedicated hardware.

LISP's origins

[rjh]

LISP was designed by McCarthy not for natural language processing--that wasn't even a field of study back in the '50s when he invented LISP--but purely for academic research. Here's the thing: while the Universal Turing Machine is a complete model of computation, it sucks for anything outside of toy theoretical problems. The UTM is simply too awkward and kludgy a model. Is it complete? Yes. Is it accurate? Yes. Is it unspeakably gross? Yes.

Alonzo Church developed a competing computational theory called the lambda calculus. The lambda calculus is a complete computational model, and it's breathtakingly simple and elegant. Really; going from the UTM to the lambda calculus is like going from darkness into light.

So in the '50s, the lambda calculus was still reasonably new. McCarthy decided to make a totally theoretical language--one which was never intended to be implemented--to allow algorithms to be expressed in lambda form, the better to analyze them for correctness, runtime analysis, etc.

Not long after McCarthy wrote the language description, an enterprising graduate student actually figured out a way to implement LISP on real hardware. And thus, McCarthy's LISP was born (aka LISP 1.5).

Natural language processing came along much later, in the '80s. AI researchers used LISP extensively not because LISP was designed for AI, but because LISP had the greatest flexibility and power of any language of the day.

In fact, I'd be hard-pressed to name any languages today which can beat LISP in power and flexibility. There are a few worthy contenders, but almost all of the worthy contenders build on LISP's heritage instead of representing entirely new directions in computer science.

Before you go about slamming a language, you may wish to learn the language's history.

Re:Speed issues aside

[bodan]

The really is no excuse to use a language like Java or C# to do your checking when you can do it yourself. Except of course, laziness >:P

There really is no excuse to use a language like C or C++ to do your programs when you can do it yourself. Using assembler, or a hex-editor. Or flip-switches. I love flip-switches. Except of course, if you're lazy.

Re:And the second rule of secure programming club

[Tom7]

I've already tried those languages, and just wasn't impressed.

You did? Then why did you think they ran in a VM? Why did you not know what kind of security properties they have?

Message to METAMODS

[Anonvmous+Coward]

I'd like to know who the moderators were that modded this as flamebait and troll. That was classic!

Re:And the second rule of secure programming club

[devphil]

i don't believe i said that.

i also don't believe there's a point to this conversation. and i've just started usksing a pressure-sensitive touchpad instead of a normal keyboard, so i'm not going ti waste an time startging a flamewar while relearning how to type.

Re:And the second rule of secure programming club

[Tom7]

i don't believe i said that.

You said it in this post.

i also don't believe there's a point to this conversation.

Well, I didn't mean for it to be a flamewar, but, ok.