Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Do You Know Your Code is Secure?

Posted by ryuzaki0 on from the batten-down-the-hatches-mates dept.

bvc writes "Marucs Ranum notes that 'It's really hard to tell the difference between a program that works and one that just appears to work.' He explains that he just recently found a buffer overflow in Firewall Toolkit (FWTK), code that he wrote back in 1994. How do you go about making sure your code is secure? Especially if you have to write in a language like C or C++?"

19 of 349 comments (clear)

  1. You don't by CockMonster · · Score: 5, Funny

    Just get others to formally review it so if anything is found, there's collective responsibilty

    1. Re:You don't by Anonymous Coward · · Score: 2, Funny
      Prophylactic: A preventive measure. The word comes from the Greek for "an advance guard," an apt term for a measure taken to fend off a disease or another unwanted consequence.


      Sorry CockMonster, with today's DNA testing, getting others to participate in your virgin sacrifice wouldn't save you if you had a buffer overflow.

      *Warning* as appropriate as prophylactic might seem under its definition for use in the computer industry when talking about firewalls, sandboxes, etc, please keep in mind that some female is probably going to holler sexual harassment when they hear it. Just as they would if you mentioned their stack overflow.
  2. Verified by Anonymous Coward · · Score: 5, Funny

    I get mine verified by microsoft

  3. Shovel method by dangitman · · Score: 4, Funny

    I hit it with a shovel. If the code doesn't fall apart, I know it's pretty securely attached to my computer. If not, I add more epoxy glue.

    --
    ... and then they built the supercollider.
  4. Easy by $pearhead · · Score: 5, Funny
    Just make sure your buffers are really really REALLY big:

    char nooverflowbuffer[234523400];

    sprintf("Enter something:");
    scanf("%s", nooverflowbuffer);
    ... or maybe not ...
    1. Re:Easy by gnasher719 · · Score: 3, Funny

      The second version seems more secure, because it doesn't compile.
      The first version seems to be quite secure as well, because it is likely to crash immediately, and obvious crashes will usually get fixed quickly.

      Hint: What is the format string in >> sprintf("Enter something: "); and where will the output go?

  5. Re:What's the matter with C/C++? by Anonymous Coward · · Score: 5, Funny

    'It's not that C/C++ is so insecure by itself'

    yeah a gun by itself is not insecure either....
    try giving it to a baby.....
    well I prefer a baby with a knife...I can still run faster than him...

  6. Re:Some possibilities by zCyl · · Score: 5, Funny
    You cannot know for sure (unless you want to develop code by mathematical proof

    In the words of the great Donald Knuth, "Beware of bugs in the above code; I have only proved it correct, not tried it."
  7. Don't let them use it where it matters by Anonymous Coward · · Score: 5, Funny

    I let my code have evident, gaping security flaws and make them well known. This way people will never use it in situations where security matters.

    regards,
    The author of sendmail

  8. Half a solution by DoofusOfDeath · · Score: 3, Funny
    How Do You Know Your Code is Secure?

    Make it part of the critical path in music DRM. Then you know it's not secure.

    Not sure about the flip-side, though.

  9. Re:Don't use C++ as if it was only "C with classes by orangeyoda · · Score: 2, Funny

    Which is a good thing, Ada was awful to learn and worse to debug. I've seen the light, no more c++ spending hours to decode meglomaniac's tempalates , no more java exception hell , bye bye vb6 error unhandling . Hello C#

  10. If it compiles... by GroovBird · · Score: 2, Funny

    ...you can ship it.

    It's that simple!

  11. Re:Assume failure by TheRaven64 · · Score: 4, Funny

    Fuck off, private functions below the public API should never have to check their input. I completely agree. There are no bugs in my code, just in the code of people calling my code.
    --
    I am TheRaven on Soylent News
  12. You know you're a geek when... by ruiner13 · · Score: 4, Funny
    You say things like:

    Mistakes will come back to byte you. without even flinching.
    --

    today is spelling optional day.

  13. Re:Same way you hunt bugs by autocracy · · Score: 2, Funny
    Yes, please continue to implement your own security.

    Especially focus on validating usernames and passwords against an SQL database. That's my favorite.

    --
    SIG: HUP
  14. I doubt this guy's a security expert by ianalis · · Score: 2, Funny

    He's compiling as root :p

  15. Re:The only sure way I know of: Lambda calculus by SheeEttin · · Score: 2, Funny
    You can't prove, for example, whether a lambda program will terminate (Halting Problem)
    If you're running Windows, no problem. It'll terminate within the first few hours.
  16. Re:What's the matter with C/C++? by Anonymous Coward · · Score: 1, Funny

    "with great power come great responsabilities" Spiderman's Uncle - 2002

  17. Re:I don't. by peepleperson · · Score: 2, Funny

    Of course, everybody knows that yffect isn't a word. It's a small village in Wales.