Slashdot Mirror


Blame Bad Security on Sloppy Programming

CowboyRobot writes "ACM Queue has an article that blames security flaws on poor programming, rather than any inherent problems with particular languages. From the article: 'Remember Ada? ... we tried getting everyone to switch to a 'sandboxed' environment with Java in the late 1990s... Java worked so well, Microsoft responded with ActiveX, which bypasses security entirely by making it easy to blame the user for authorizing bad code to execute.'"

26 of 592 comments

  1. Uhh.. by cbrocious · · Score: 5, Insightful

    Does anyone feel that this is just publicizing what every GOOD developer has been saying for the last 10-15 years?

    --
    Disconnect and self-destruct, one bullet at a time.
    1. Re:Uhh.. by strictnein · · Score: 5, Insightful

      Yeah, no shit... This is news? Bad programming = security issues. Wow... we learn something new every day on slashdot.

      Here's a tip editor boys: if group A says statement A and you post it as a news item, great. But when group B, C, D, E, F, G, and H all say the same statement A, it's not news. It's redundant (remember that modifier you put in? -1 Redundant? That's what it is).

    2. Re:Uhh.. by Short+Circuit · · Score: 5, Insightful

      Unfortunately, unless someone as big as Microsoft (ha!) or IBM gets behind the message, you're not going to see much come of it.

      It's too cheap to quickly pump out code, then run it by QA. You don't even need a shoddy programmer to do it...just pile too many high-priority near-deadline tasks on a good programmer. (Which is all too likely...if you build a reputation for getting things done, you'll get landed with a workload that would put a tech-support guy in a funny farm.)

    3. Re:Uhh.. by kfg · · Score: 5, Insightful

      Don't play with matches. Don't run with scissors. If you push it hard enough it will fall over.

      Some things you just have to keep saying over and over. People are dense, and by the time one group gets it there's a whole new litter coming up from behind.

      You, for instance, who thinks we've only been saying that for 10-15 years, whereas, in reality, 10-15 years ago you heard that from someone who'd already been saying it for 10-15 years.

      Now it's your turn to smack your forehead and say "Oy".

      KFG

    4. Re:Uhh.. by C.Batt · · Score: 5, Insightful

      As one of those "good" programmers with a reputation for getting things done, I must concur with your statement. In fact I've observed that the first thing cut from most project budgets, if it's even included in the first place, seems to be adequate technical QA. There's lots of emphasis on meeting business requirements/application feature goals, but very little on engineering quality under the hood.

      Part of the problem is that enforcing best practices and doing technical QA is both time consuming and expensive, not to mention boring as all heck. So there isn't much motivation to do it. Bad, bad attitude and we're paying the price.

      --
      -- All views expressed in this post are mine and do not
      -- reflect those of my employer or their clients
    5. Re:Uhh.. by ackthpt · · Score: 5, Insightful
      > Yeah, no shit... This is news? Bad programming = security issues. Wow... we learn something new every day on slashdot.

      > Here's a tip editor boys: if group A says statement A and you post it as a news item, great. But when group B, C, D, E, F, G, and H all say the same statement A, it's not news. It's redundant (remember that modifier you put in? -1 Redundant? That's what it is).

      Here's a clue: Not everyone started programming at the same time, back in the enlightened age of limited resources and cautious programming. When I saw some jerk writing login spoofs on a PDP 11, back in the early 80's, I worked out a few ways to spot these running and suspend them. (Also pass information on to Campus Police to have the perpetrator evicted from the grounds.) People are still learning to program and it's not uncommon for them to take idiot-proofing for granted, unless one of two things took place: 1) They had a good instructor who warned them of the consequences of untrapped errors 2) There's a directive where they work which they must follow. I expect even Microsoft must be able to backtrack to the person who wrote leaky code. Problem also is two or more departments whose products must interface, but pass the buck on who is responsible for trapping errors, etc. That role should be filled by a management group responsible for the work between groups.

      > Microsoft responded with ActiveX, which bypasses security entirely by making it easy to blame the user for authorizing bad code to execute.'"

      When's the tenth anniversary of the Win95 bug which allowed people to hack Quicken?

      --

      A feeling of having made the same mistake before: Deja Foobar
    6. Re:Uhh.. by fatphil · · Score: 5, Funny

      I'm sure I'm not the only one who's learnt that:

      Fatal error: Call to undefined function: message_die() in /var/www/acmqueue.com/htdocs/db/db.php on line 88

      is indicative of bad programming. Thanks ACM Queue for an enlightening 2-line article!

      FP.

      --
      Also FatPhil on SoylentNews, id 863
  2. ActiveX a response to Java? by SilentChris · · Score: 5, Insightful

    "Microsoft responded with ActiveX, which bypasses security entirely by making it easy to blame the user for authorizing bad code to execute"

    Uh, not quite. ActiveX was more a response to JavaScript/Flash/et al. Anything that created a lightweight web app. .NET is their response to Java (and, for all intents and purposes, .NET is miles ahead of anything MS has ever created in terms of security).

    1. Re:ActiveX a response to Java? by tcopeland · · Score: 5, Insightful

      > ActiveX was more a response
      > to JavaScript/Flash/et al.

      Right on... I thought the "ActiveX was a response to Java" was a bit of a stretch too. Also, the author says

      > "everyone complained about wanting to
      > bypass the "sandbox" to get file-level
      > access to the local host.".

      I'm not sure that was why applets were not a big hit... I'd blame the slow JVM startup time for that one.

    2. Re:ActiveX a response to Java? by StephenLegge · · Score: 5, Interesting

      I think the writer meant ActiveX was Microsoft's response to Java *Applets*.

      Java Applets had a well-defined and flexible security API that provided a fine-grained set of privileges for what an Applet could do on the user's system.

      To combat Applets, Microsoft implemented ActiveX with a brain-dead all-or-nothing approach that is still used today ("Do you want to trust whoever wrote this to do anything they want to your system? Yes / No"). Then Microsoft forced Java Applets to work the same brain-dead all-or-nothing way in IE.

      SLL

  3. The human factor by SIGALRM · · Score: 5, Insightful

    > Anything we do to improve software security must work without the programmer having to switch languages

    I agree; it's not so much the language--or the tools--each developer on a project must be personally aware of vulnerabilities and exploits. Using "managed code" does not "secure" your projects. These days, a C programmer ignoring the dangers of gets(), for example, is incompetent and should not be trusted. It's not, as the article reads, "sloppy"... it's ignorance pure and simple.

    Also, relying on tools like an updated gcc, gprof, or splint--helpful as they are--without experience and education in writing secure code... is asking for trouble also.

    --
    Sigs cause cancer.
    1. Re:The human factor by Short+Circuit · · Score: 5, Insightful

      > ...it's ignorance pure and simple.

      No, it's not. You try being a programmer with a six-digit salary, a mortgage, and a workload Hercules couldn't metaphorically shoulder.

      Fast, good, cheap. Companies have chosen to drop "good" in favor of fitting more products through the pipeline.

    2. Re:The human factor by leerpm · · Score: 5, Insightful

      > you could argue, though, that 'good' saves you time in the long run because you don't have to patch and patch and patch and eventually scrap it and redesign.

      Try arguing that to the CEO, who is seeing his marketshare drop by 25% to his competitors, because his development team needs 2 extra months to ensure the security is top-notch. The reality is until the market and customer start demanding that security be a priority, there isn't going to be much of a change from the status quo.

      That is part of the reason why Microsoft is so successful, they listen to what the customers want. Up until now their customers wanted features, features, and more features. Now their customers have started to realize that security can have a significant impact on their bottom line. So they are wising up to the situation and demanding that software vendors (not just Microsoft) start making security a priority too.

  4. The bad ol' days... by mratitude · · Score: 5, Insightful

    I remember the bad ol' days when security was a matter of what you did or didn't do rather than what you didn't know was occurring without your knowledge!

    Abstracting the user from programmatic events wasn't supposed to make your use of the computer a crap-shoot.

    --


    Mod me troll, if you must, I can't help it.
  5. Well duh/ by grub · · Score: 5, Insightful


    That's why OpenBSD's continuous code auditing makes for good security. Everything but the kitchen sink != better.
    That all said, a sandbox environment allows the developer to make sloppy mistakes, not program better.

    --
    Trolling is a art,
  6. Especially True in PHP by Dozix007 · · Score: 5, Informative

    The same is especially true in PHP. The short learning curve for getting started in the language allows for a great deal of insecure coding on the internet. I run a site that promotes secure programming, and is running a security challenge for writing scripts as well. The URL is http://www.uberhacker.com

  7. Developing for a prototype by prostoalex · · Score: 5, Insightful
    A lot of the production code that gets written nowadays is created by college graduates who have learned to develop in a quick-and-dirty way to roll out the prototype for their home assignment as soon as possible.

    When you're in college, the graders are not trying to break into your application, they're just evaluating the source code and giving you points for correct stack and linked list implementation. Thus giving a false assurance that the real-world development is pretty much the same - friendly and non-threatening environment, no need to check and validate input, no need to resort to minimum security permissions and so on.

    I think Caustictech said it better than I can:

    > PrototypeProductionMan came to the ObjectFools team after successful stints at the Unemployment Office and the basement in his parents' home. PrototypeProductionMan's talent is making sure that barely functional prototype mockups get rolled out into production. Exception management, security, separation of concerns between business logic and UI code, thread safety, resource management...these are all things you could say good-bye to with PrototypeProductionMan on site! With a mentality like that, it's no surprise that every production deployment ObjectFools has been involved with has turned into a completely fucking unmitigated disaster! At the end of the day, our clients should really thank PrototypeProductionMan as the reason we need to charge them a fucking arm and leg for post-rollout support and maintenance.
  8. As the saying goes... by fiannaFailMan · · Score: 5, Insightful

    a bad workman always blames his tools.

    --
    Drill baby drill - on Mars
  9. Fuck no. by Mongoose+Disciple · · Score: 5, Insightful

    Are you crazy?

    Anyone who's worked on a software project of any size (especially in terms of number of people on the project) can tell you that the person who takes the official blame for a development flaw is almost never the person actually responsible for it.

    Maybe if we had a programmers union and I could strike if I was ever asked to implement bad design or put out someone else's fire... maybe. But as things stand? You'd drive a lot of good developers out of the field because they're not skilled enough at office politicking to avoid being made scapegoats for the messes of others, and can't afford to bear the direct financial burden of it.

  10. Warnings by dekashizl · · Score: 5, Insightful
    The final and main point the author makes in the article is to suggest that compilers start getting smarter and generate warnings for security problems (such as the "gets()" warnings put in many compilers not too long ago). But:
    > These tools have existed for years but are not popular. Why? Because they generate a lot of warnings, and, as countless software engineers have pointed out, it's time-consuming to sift through the spurious warnings looking for the ones that really matter. I've got news for them: there is no such thing as a warning that doesn't matter. That's why it warns you.
    I can't agree more. Almost every large project I've worked on with multiple programmers has tons of warnings throughout development. I mean BOTH compiler warnings AND runtime warnings in the log files. Sometimes you can track one down and find out "I forgot to tell you that you need to change XXX in your config file", but most of the time you don't even see the new warnings amid a sea of "acceptable" ones, and the rest of the time, it's more of a "I don't know why that's happening, but it seems to work anyway" type of response.

    If you see a warning, get rid of it right away! Once you slack off a bit, it becomes like dirty dishes piling up in the kitchen sink. Nobody wants to touch them, and everybody feels like most of them are the other roommate's anyway.

  11. Ada's strengths, Ada's problems by Anonymous Coward · · Score: 5, Interesting
    Ada as a language is roughly equivalent to C++ in form and expressiveness. Ada goes beyond C++ in that it allows one to more tightly specify constraints on data and to have these constraints automatically checked and enforced. That is the basic strength of Ada.

    The weakness of Ada is its woefully outdated standard libraries which are more oriented to a 1960s mainframe view of the world. There are no containers, no STL, no general algorithms. That is the weakness of Ada.

    If Ada had the powerful standard libraries which C++ has, that combined with the safety of Ada would make it a first choice for many programming tasks. Ada can still deliver on bug free programming. But it lacks the scaffolding needed for 21st century projects.

  12. Boost is working on a replacement for C strings by Animats · · Score: 5, Interesting
    Over in the Boost sandbox, some of us are working on C++ classes to replace C strings in existing code. The usual C string operations (sprintf, strcat) work, but they're all protected against overflow. The idea is that you replace just the declarations, and the code either becomes safe or won't compile. So
    • char s1[80];
      ...
      /* plain C buffer: sprintf writes past the end if "in" is too long */
      void foo(char* s, char* in)
      { sprintf(s,"In = %s\n",in); }
    which has a risk of buffer overflow, becomes
    • char_string<80> s1;
      ...
      /* only the declaration of s changed; the sprintf line is identical */
      void foo(char_string_base& s, char* in)
      { sprintf(s,"In = %s\n",in); }
    which will truncate the string at the specified length. Note that the "sprintf" line hasn't changed. So you don't have to rewrite complex formatting code. Changing the declarations does the job.

    The new "sprintf" is actually an overload on fixed_string.
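    A minimal sketch of the declaration-swap idea from the post above, added here as an illustration; it is not the Boost sandbox code. char_string, char_string_base and the sprintf overload are assumed names modelled on the snippet, with truncation done via vsnprintf:

```cpp
// Added example, not Boost code: a fixed-capacity string whose sprintf
// overload truncates instead of overflowing. Names are assumed.
#include <cstdarg>
#include <cstdio>
#include <string>

// Abstract base so callers can take any fixed-size string by reference.
class char_string_base {
public:
    virtual ~char_string_base() {}
    virtual char* data() = 0;
    virtual size_t capacity() const = 0;   // bytes including the trailing NUL
    const char* c_str() { return data(); }
};

// Fixed-capacity, always NUL-terminated buffer; N is the usable length.
template <size_t N>
class char_string : public char_string_base {
    char buf_[N + 1];
public:
    char_string() { buf_[0] = '\0'; }
    char* data() override { return buf_; }
    size_t capacity() const override { return N + 1; }
};

// Overload selected when the first argument is a char_string_base. It forwards
// to vsnprintf with the buffer's real capacity, so output is truncated rather
// than written past the end. Returns the number of characters stored.
int sprintf(char_string_base& s, const char* fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int wanted = vsnprintf(s.data(), s.capacity(), fmt, ap);
    va_end(ap);
    if (wanted < 0) return wanted;
    size_t cap = s.capacity();
    return (size_t)wanted < cap ? wanted : (int)(cap - 1);
}

// The caller's formatting line is untouched; only the declaration changed.
void foo(char_string_base& s, const char* in) {
    sprintf(s, "In = %s\n", in);
}

// Constructed case: a 200-byte input into an 80-char buffer gets cut at 80.
std::string demo_truncated() {
    char_string<80> s1;
    std::string big(200, 'A');
    foo(s1, big.c_str());
    return s1.c_str();           // "In = " + 75 'A's, still NUL-terminated
}

// Constructed case: short input is formatted unchanged.
std::string demo_fits() {
    char_string<80> s1;
    foo(s1, "hi");
    return s1.c_str();           // "In = hi\n"
}
```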

  13. The author simply doesn't get it by javajedi · · Score: 5, Interesting

    > "We need to be realistic in recognizing that we're stuck with a set of languages and environments that are not susceptible to a massive change."
    This is a huge cop-out. Buffer overflows simply can not happen in Java. The same goes for almost all of the security problems that are turned into exploits these days. Instead of applying patches to compilers and yelling at ignorant developers, how about just switching to a development language and runtime environment (e.g. Java and its Virtual Machine) that simply doesn't allow these kinds of mistakes to be made?

  14. Where in the world is my ActiveX? by hummassa · · Score: 5, Funny

    > Ummm gosh, the only ActiveX applets I ever saw were right after it was released. Heh, I often say Java is dead on the web (though I know it isn't completely) but now ActiveX is entirely dead except for like the applet on Windows Update :-P

    You are a Holy Person, sir/madam.

    Go find some pr0n and you'll see a lot of activeX thingies trying to install. Lucky me I use Moz.

    --
    It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
  15. I only read the first page... by zogger · · Score: 5, Insightful

    ..and there he said it was (paraphrasing here) common for programmers to sorta ignore error flags and just code out the warnings about memory leaks and arcane whatnot like that, like that made the problem "fixed". No warnings-no problems! On to the next project.....

    probably more stuff too, that's all I read though.....

    Not a coder here, so I have *no* idea if this is common or not, or true or not, but I *have* noticed on slashdot NO ONE writes bad code, or has written bad code, or thought about bad code, and *everyone* has personally corrected every other coder they ever met on their code, and no one has ever had a boss who knew what he was doing or could read so much as a grocery list without speaking the big words out loud, and only the *other guys* someplace else write bad code, and they always use the wrong language and editor to boot, like on bizarro dotslash forum or something. It's ALL "their" fault that there's ANY of this alleged "bad code" that causes buffer overflows and like acne and flat tires and girls who say no.. Them dang guys "over there", buncha no-good slackers....let's hang 'em!

  16. Re:They have by johnnyb · · Score: 5, Informative

    Actually, you can continue to use C/C++ and just use a garbage collector with them. I don't know why more people don't do this. You don't even need to change your code, as Boehm's garbage collector translates malloc() to its own allocation routine, and free() does nothing.

    In fact, even better, if you have Boehm GC installed anywhere on your system you can do this for already compiled programs using LD_PRELOAD.

    Just do:

    export LD_PRELOAD=/path/to/libgc.so
    /path/to/program

    and I'm automagically using a garbage-collected runtime for the program, even if it was compiled to use the standard malloc()/free() calls.