Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Do You Know Your Code is Secure?

Posted by ryuzaki0 on from the batten-down-the-hatches-mates dept.

bvc writes "Marucs Ranum notes that 'It's really hard to tell the difference between a program that works and one that just appears to work.' He explains that he just recently found a buffer overflow in Firewall Toolkit (FWTK), code that he wrote back in 1994. How do you go about making sure your code is secure? Especially if you have to write in a language like C or C++?"

13 of 349 comments (clear)

  1. You don't by CockMonster · · Score: 5, Funny

    Just get others to formally review it so if anything is found, there's collective responsibilty

  2. Verified by Anonymous Coward · · Score: 5, Funny

    I get mine verified by microsoft

  3. Easy by $pearhead · · Score: 5, Funny
    Just make sure your buffers are really really REALLY big:

    char nooverflowbuffer[234523400];

    sprintf("Enter something:");
    scanf("%s", nooverflowbuffer);
    ... or maybe not ...
  4. Same way you hunt bugs by Llywelyn · · Score: 5, Informative

    0) Don't "roll your own" security unless absolutely necessary. Find someone else's implementations and work with those.

    1) Design the code for security, code to that design. I've seen of security bugs creep into code because it was never designed to be secure.

    2) Use static code checkers--such as Splint for C/C++ and FindBugs for Java--that look for security vulnerabilities.

    3) Peer reviews/code audits. Sit down with your code (and have others who know how to look for security vulnerabilities sit down with your code) and do a full review.

    Nothing is foolproof, but every little bit helps. It should be noted that all of the above also improve the overall quality of the code and reduce the number of overall bugs: Finding existent implementations of features that can be used can reduce maintenance and reduce bugs; Designing the code and putting it through a proper design review can catch a lot of logic problems and ensure that the code fits the requirements list--I've seen a huge number of synchronization bugs in Java simply because the author didn't know how to use synchronization properly; static code checkers find a lot more than just security bugs; and Peer Reviews/Code Audits can help isolate a variety of problems.

    --
    Integrate Keynote and LaTeX
  5. Re:What's the matter with C/C++? by Anonymous Coward · · Score: 5, Funny

    'It's not that C/C++ is so insecure by itself'

    yeah a gun by itself is not insecure either....
    try giving it to a baby.....
    well I prefer a baby with a knife...I can still run faster than him...

  6. Valgrind by chatgris · · Score: 5, Informative

    By using valgrind. It's a virtual machine of sorts that runs your code and checks for any memory problems at all, including use of uninitialized memory. Combine that with thorough test cases, and you can be virtually assured that you have no memory errors in your C/C++ code.

    However, security is a lot more than buffer overflows... but at least it brings you up to the relative security of Java, with speed to boot.

    --
    Open Your Mind. Open Your Source.
  7. Assume failure by zCyl · · Score: 5, Insightful

    Every function should be designed with the assumption that its input is faulty, and should have safe failure modes for every possible value and all possible content. Any unsafe external libraries must be wrapped in handlers which verify the data being passed to them with a similar mindset. Do not EVER presume data will be of a certain form, or that a function will be used a certain way. If sequential routines are becoming long such that you cannot verify the accurate function or the absence of a buffer overflow immediately in your head, then stop and look for a way to break it down into smaller abstract pieces.

    Combine this mentality with the usage of safe classes as datatypes whenever possible, so that you can wrap your input verification into the functionality of the classes. If prudent, wrap external library routines in classes which manage the interaction with them, and which verify the data content being passed.

    Use test suites to test every component of your program, and be sure to include invalid and pathologically insane input in your test suites.

    Do not trade security for efficiency. And don't forget to cross your fingers.

  8. Re:Avoid direct memory access by ojQj · · Score: 5, Informative

    Unfortunately stl isn't binary compatible. That means you have to make sure you've compiled with exactly the same version of the stl with all the components of your program which accept and pass strings. This in turn makes it impossible to release different parts of your program separately from each other if you are using the stl at the interface between your components.

    There are a couple of solutions to this problem:

    1.) Pass character arrays at the interfaces between your components and immediately put those character arrays under the control of your library once they come in.
    2.) Write or find your own string library and pass that string class between program components. Be careful when doing this. Mistakes will come back to byte you.

    All of it's kind of nasty. It'd be nice if C++ could standardize their binary representation, even if it's only a standard valid per platform.

    Then there's also:

    3.) Choose a language which unlike C++ already has a standardized binary representation for strings, or a system global interpreter for a varying binary representation. This is just an extension of the "higher-level library which does the memory management for you" option really.

    Don't get me wrong -- I'm agreeing with the parent post. I'm just adding a caveat.

  9. Re:I don't. by Anonymous Coward · · Score: 5, Informative

    Grammar tip: "Effect" is a verb. "Affect" is a noun.

    Um, how's that?

    Your poor grammar has a chilling effect on me. If I were you, I'd find a way to effect an improvement in your knowledge. Luckily it affects me only a little. But the fact that so few seem to understand that these two words are both verb and noun leaves me of sad affect.

  10. Re:Some possibilities by zCyl · · Score: 5, Funny
    You cannot know for sure (unless you want to develop code by mathematical proof

    In the words of the great Donald Knuth, "Beware of bugs in the above code; I have only proved it correct, not tried it."
  11. Don't let them use it where it matters by Anonymous Coward · · Score: 5, Funny

    I let my code have evident, gaping security flaws and make them well known. This way people will never use it in situations where security matters.

    regards,
    The author of sendmail

  12. SPARK by Rod+Chapman · · Score: 5, Insightful

    For high-integrity stuff, we use SPARK (http://www.sparkada.com/) - a design-by-contract subset of Ada95 that is entirely designed-from-scratch for verification purposes.
    The verification system implements Hoare-logic and is supported by a theorem prover. Buffer Overflow is only one of many basic correctness properties that can be verified. Properties that can be verified are only limited to what can be expressed as an assertion in first-order logic.
    SPARK is a small language (compared to C++ or Java...) but the depth and soundness of verification is unmatched by anything like FindBugs, SPLINT, ESC/Java or any of the other tools for the "popular" languages.
    (If you don't know or care what soundness is in the context of static analysis, then you've probably missed the point of this post... :-) )
    - Rod Chapman, Praxis

  13. Re:Avoid direct memory access by rucs_hack · · Score: 5, Insightful

    I code predominasntly in C, and I find very few problems with allocating my own string buffers and so on. Doing your own memory allocation/deallocation does not instantly mean you have a program full of buffer overflows and security holes, although many people seem to assume this is the case.

    What does that is rushed code, poor design and inadequate testing. These feature heavily in the vast majority of commercially produced code I've seen. Frankly most of what I've seen is horrifically bad. With code of such low quality, C should be avoided, but that's not C's fault, it's crap house coding rules. C is elegent, minimal, and mindbendingly fast. This does not mark it as ideal for enterprise tools, but it does have a place there, for time intensive operations.

    It is extremely easy to ensure buffers in C have a strictly limited inputs, and do not encounter overflows. It's also easy to not do this, and thus faster. That I suspect, is where most of the problems come from.

    Open source code used in the enterprise seems nowadays to be starting to suffer from similer problems to the commercial code I've seen, although commenting schemes are better. The problem seems to me to be a feeling that things must be pushed forward to compete. That isn't a good plan. Slower development, more testing before actual deployment, and less feature creep are what is needed.