Slashdot Mirror
NULL Pointer Exploit Excites Researchers
Da Massive writes "Mark Dowd's paper "Application-Specific Attacks: Leveraging the ActionScript Virtual Machine" has alarmed researchers. It points out techniques that promise to open up a class of exploits and vulnerability research previously thought to be prohibitively difficult. Already, the small but growing group of Information Security experts who have had the chance to read and digest the contents of the paper are expressing an excited concern depending on how they are interpreting it. While the Flash vulnerability described in the paper[PDF] has been patched by Adobe, the presentation of a reliable exploit for NULL pointer dereferencing has the researchers who have read the paper fascinated. Thomas Ptacek has an explanation of Dowd's work, and Nathan McFeters at ZDNet is 'stunned by the technical details.'"
So you CAN get something from nothing!
Summation 2
"...Not this time. Flash forgets to check that allocation failed, a ludicrously common error. It then uses that pointer with an offset controlled by the attacker. NULL isn't valid. NULL plus 1024 isn't valud. But NULL + 0x8f71ba90 is, as is NULL + N for any N that addresses valid memory.
...The net result of this silliness is that it's hard to do what attackers normally do with a write32 vulnerability, which is to clobber a function's address with a pointer back to their buffer, so that their shellcode is called when the clobbered function is called. So Dowd's exploit takes things in a different direction, and manipulates the ActionScript bytecode state.
To this address, controlled by attackers via wild offset, Flash writes a value that is also controlled by the attacker. This is the write32 pattern: a vulnerability that gives the attacker the means to set any one value in memory to a value of their choosing. Game over.
The exploit doesn't actually get to offset an arbitrary number of bytes from 0. A complicated set of conditions constrains the address it writes to and the value it gives it.
The the actual write occurs via a structure offset. Flash is hardcoded to translate your offset into another number. Working offsets, as it turns out, will be greater than 0x80000000, and will be evenly divisible by 12 after 4 is added to them. Note: I thought I was hardcore when I wrote shellcode with no lowercase letters for the IMAP vulnerability in the '90s.
That's not all. The value that Flash will write to the wild pointer isn't totally controlled by the attacker either. It's cast up from a 16 bit integer to a 32 bit integer, and has another variable subtracted to it. This is the point in the report that I started giggling uncontrollably, embarassing myself at the coffee shop...
To wit: his exploit must (because he's messing with us) corrupt the Flash runtime, rewrite it to execute his trojan, and leave it running steady as if nothing had happened. Meaning:
--His modification to the verifier can't break existing instructions. --His bytecode has to swap values into the stack instead of clobbering them directly. --Portions of his shellcode have to run as both Flash bytecode and an X86 first-stage shellcode boot.
Two fun details:
First, even though IE and Firefox use different Flash builds, the addressing inside them is compatible. The exploit works in both places.
Second, Flash isn't compiled with ASLR. So the attack works on Vista.
Mass casualty. Go Flash!"
Some years ago I had many binary proprietary blobs on my computer: SUN Java browser plugin (now OSS), Adobe Acrobat (don't need it any more, OSS alternatives are equal now), nVidia driver (still needed but solution is on the way -> looking forward to switch to ATI as soon as GPL drivers get there), MS media codecs (don't need it any more, Flash ate MS' streaming video pie). Now, only Flash player remains that I don't see replacement in OSS world in foreseeable future. Add to it security concerns, 64-bit version and it clearly becomes major PITA of Linux desktop users. Doesn't look it will change any time soon.
839*929
NULL to see here, move along to 0x80000001 please...
(book by Dowd, McDonald, Schuh) is well worth a look: http://taossa.com/index.php/author/mark/
"It doesn't cost enough, and it makes too much sense."
FTA: "is not far off being cross platform "
Err , I'm sorry but how exactly do they expect x86 code to run on Sparc, or PA-RISC or PPC? etc etc. Even on the same architecture but a different OS all the interrupt vectors and API address calls will be different. Sounds like they're got a bit over excited to me. Or maybe I've missed some complex details of the exploit.
The moral of the story is a point that many of us have already been making for years: check the return value of malloc. I've had lots of arguments over whether or not it's okay to omit that and let your program crash for the poor sap who hasn't got any heap left. Unfortuantely a common attitude is, "the program is screwed anyway at that point, so who cares?"
The fact that Flash is doing all of these bytecode things also of course makes it more interesting. The first article linked seems to suggest that that makes the exploit really difficult (probably true), but it sounds like it also made it... well... possible.
This interesting because he's exploiting a malloc fail. The gory details of exploiting ActionScript is also cool because it has a bytecode verifier and he manages to get around it. It really is a lot more high tech than a typical stack buffer smash against a badly written C application, and that is important because everyone should hopefully have updated that sort of code to be exploit free by now. And stack checked binaries and data execute prevention, AMD's "Not Execute" bit, make those more likely to end in process death than arbitrary code execution.
Finally because it works on both IE and Firefox and Flash has such a huge installation base it should be able to target a very high percentage of current machines. Larry Osterman called it "The way the world (wide web]) ends"
Mind you, if Address Space Layout Randomisation was turned on in the Flash executable on Vista, exploiting this hole would most likely (255 times out of 256) lead to a browser crash rather than arbitrary code execution, so it's not like the last few years work on security has been totally wasted. At the moment it's not and you will get owned reliably. Adobe have published an update, so it's a good idea to download it.
http://www.adobe.com/support/security/bulletins/apsb08-11.html
Back when I was reading about security someone said that buffer overflows that execute code on the stack were first generation exploits. Second generation would be more subtle stuff like this.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
It can run anything. If you read the paper, it explains that once you desynchronize the interpreter from the validator, you are running x86 instructions. One might have to tailor the exploit to work differently on Linux/Unix than on Windows due to the different executable addressing schemes, but once that is determined you are in business.
null pointer's are very common errors in software, but are extremely hard to exploit. It almost never happens. This is why it's interesting.
It's an impressive hack, or series of hacks rather, so I wouldn't say boring. The interest is not that the exploits are anything new (they aren't), but in the difficulty of pulling it off.
finally a decent opportunity to ask...
"does it run Linux?"
or in other words from TFA Win32 Firefox/IE prone to this technique, I'm assuming the code injection would only work on the target OS, no? I mean the CPU is specific, but also to work seamlessly you need to script it to to the target app. So it does not work on another processor (PPC etc) but also it would not work on any other application - so as the Linux binary is different then you are safe (until that one is attacked, but part of the security of Linux relies on the smaller audience is not so attractive a target). But what if it worked on a Win32 DLL that was being emulated under Linux such as some of the codecs? Any thoughts? correct me!
And, just out of curiosity, I'm kinda wondering how long it took Mark to work this one out.
The stuff we geeks get excited about... *sigh* We're hopeless, aren't we?
Insert witty comment here
...you'll need a little Viagra first.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
Thankfully the flashblock addon was just updated to support firefox 3 beta 5. Since I only allow flash to run from a few sites, I'm not worried about any such exploit.
I've been a big fan of flashblock, ever since realizing that most flash developers assume 100% volume is mid range, and I assume 50%, and every flash website without volume controls rips through my ears like a buzzsaw.
That's what the aliens get for abducting Bill Gates and basing their Mothership's OS on values obtained while probing his anus..
which is totally what she said
Many explits in cross platform systems can run anything if you shove the correct binary down the pipe to the exploit. Why is this news?
null pointers exploiting excited researchers? it all sounds a little goatse to me...
This is more like a cat up a tree armed with a sniper rifle, picking off any emergency service personnel that get too close while his buddies rob a bank.
which is totally what she said
You might need to dumb this down a shade for me, but from what I (think I) understand of it, it sounds like 0x8000000 is used as a kind of internal salt during bytecode compilation/execution for structure offsets so that the unchecked user code can't arbitrarily access structures?
If so... why would they do that? Why not simply ensure that offsets can't go above, say, 0xffff, and then make sure program code/data is well above that?
The paper specifically talks about the ActionScript virtual machine, i.e. the Flash player VM. There is nothing in there about Java. Why the Java icon? Why the Java tag?
When it comes a day after this flamebait article you have to start to wonder if the Slashdot editors are busy with some massive FUD campaign against Sun or if they are just really ignorant.
Being bitter is drinking poison and hoping someone else will die
The NX bit doesn't get rid of the problem entirely, though. To use this example, it sounds like an exploit can be written pretty much entirely in ActionScript bytecode. Also, just because the stack is non-executable, what's to stop me from replacing the return address to point at, say, libc's system(), placing a nasty shell script on the stack?
Actually, it is a big deal, as you'd know if you'd read the article(s). But you're too lazy for that, so here's the short summary:
Lots of interesting (and important) security problems revolve around figuring out a way to take an error in a program, and turn it into a way to have that program execute arbitrary code of your choice. Traditionally, NULL pointer exceptions have not been fruitful ground for this because, well, a NULL pointer is NULL -- there's nothing on the other end of the pointer for the unsuspecting program to read or execute, so it simply crashes. And merely crashing the program isn't really all that interesting, since at best it lets you execute a denial-of-service. But this guy (Dowd) found what would have been a run-of-the-mill NULL pointer exception in Flash and parlayed it into full-scale arbitrary code execution through a series of fairly impressive tricks. You really should go read Ptacek's summary, because it has all the gory details and will, if nothing else, make you realize what an amazing hack this is.
How on Earth this is Java related and tagged with 'java' keyword?
Comment removed based on user account deletion
You don't have to come across this exploit for your browser to crash in Vista, normal browsing does that just fine.
Wake me when something new happens.
Seriously, who in this day and age doesn't check the return codes of library routines when writing software that will be deployed on millions of computers?
...you'll need a pointer first.
No, it cant mess around with the browser.
It can mess around with Flash and execute arbitrary code with either browser but not mess with the browser its self.
Comment removed based on user account deletion
explain this event in terms that a person with a sex life not involving the Internet could understand?
"And now, Frank N. Furter, your time has come. Say 'goodbye' to all of this, and 'hello'... to oblivion!"
NULL is the name of a macro in C. Null is the name of the value which it (and the integral constant 0) put into a pointer; it's a regular noun with no capital letters (except when at the beginning of a sentence, of course).
Because it can probably be made to work cross-version, cross-platform and cross-architecture?
Because everyone has Flash installed?
Because it opens up a whole class of common bugs previously thought to be unexploitable?
Because the way he does it is nothing short of godlike?
This is HUGE.
Null is a four letter void.
"My country, right or wrong; if right, to be kept right; and if wrong, to be set right." --Senator Carl Schurz (1872)
Plugins Tab
:)
Switch on Forbid Macromedia Flash
Switch on Apply these restrictions to trusted sites too
Click OK.
Say goodbye to YouTube
FYI: you can type about:plugins in the address bar, when you need to know anything about plugins.
If you want to know something about the config, you type about:config and get to the super duper advanced settings page.
While you can determine this easily for any given architecture/Linux distro pair, determining what particular distro and architecture are present from remote is problematic at best.
Furthermore, if I'm not mistaken, there are certain SELinux rules you can use to prevent shell scripts from doing nasty things.
My blog
True, but if ASLR was enabled system() would be at a different address each boot.
But I don't think any of these things are foolproof on their own. Even the combination of them can be exploited if you have the right sort of bad code. But ASLR+Running processes with low privilege levels+stack canaries+NX does stop a lot of exploits.
In this case if ASLR had been enabled in the flash binary it would not have been possible to execute arbitrary code.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
If you find that it is possible that a wheel can fall off your car, do you fix the problem because:
... what?
a) if the wheel falls off at just the right time, your car can swerve into oncoming traffic and kill an entire bus full of precious children,
or
b) wheels coming off cars are a generally bad thing.
?
Rephrasing the question: do we fix a NULL pointer problems because
1) some clever guy with time to waste might be able to figure out how to convert the problem into the erroneous detonation of a nuclear warhead,
or,
2) because it is just an easy-to-fix stupid bug, and bugs are just bad in general?
My assessment of this situation is that far too much analysis was undertaken. Rather than piecing together some careful exploit, this guy could have spent the time looking for other bugs in the code instead. NULL pointer dereferences are among the easiest bugs to find and fix. Report it, fix it, and move on. Filling the net with manifest useless fear while you try and prove your cleverness accomplishes
solves the problems on Ubuntu boxes as of this moment, so someone at Ubuntu is paying attention. Don't know about Debian, because I don't run Flash on any of my Debian machines.
I'm old enough to remember when discussions on Slashdot were well informed.
about:plugins is what you want. Why this isn't linked or otherwise brought to light, I don't know. I discovered this by trial/error and/or boredom.
On mine, I see this:
Shockwave Flash
File name: NPSWF32.dll
Shockwave Flash 9.0 r47
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
It can't be the best analogy of the day.......there were no cars mentioned in it.
Layne
You're aware this site is News for Nerds, right? If this sort of thing is boring to you, maybe you're on the wrong site.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
Is it just a coincidence that the daily Dilbert cartoon has gone Flash-only today?
I have never liked Flash, mainly because it was used as a distracting and irritating advertisement medium, but also because of the arrogant assumption that the Flash page author should be in control of what my machine does. I don't want my browsing experience reduced to some funereal pace at the whim of a marketing drone who thinks his tedious animation should occupy my time.
I was reconsidering my decision to give up reading Dilbert because of the switch to Flash, but now that I have read about this exploit I think I will stick to my No-Flash policy.
Yes I know, this exploit has been fixed in some version of Flash to which I may have upgraded but what about the next one?
this post of yours shows your lack of understanding about code execution,
how many stories have you read abou IE running code it shouldn't with admin privs.
installing active x?
maybe not on vista, but i don't know vista well enough to say anything about it.
I heard vista was made to stop your browser from doing this, however firefox
installed side by side IE opens up yet another vulnerability that I think might work on vista...
if my memory serves correctly.
I've read the article (the topic is always interesting, and Ptacek is well-known in the security world). I must have missed something, because I still see the problem as a combination of really lousy programming* from the Flash guys, plus a bunch of cute hacks from Dowd to overcome the exploit limitations.
From the article:
"It then uses that pointer [the NULL pointer] with an offset controlled by the attacker."
Well, what's left to say? If you allow extraneous information to set the offset of an address in memory, you're dead meat, period.
Best,
*I definitely agree with Ptacek's comment on how malloc() should always be checked. I still think that the default one should remain unsafe (too much old code may depend on this), and instead libraries should provide a safe_malloc() that punts on failure.
One thing that is overlooked. They include the arbitrary code in the flash file and then use this exploit to run it. If you've got no-execute enabled for data and stack, this will crash and not do anything.
Anything involving misbehaving NULLs excites old LISP programmers.
It's news because it's a general method for code execution from a common class of NULL pointer dereferences. He turned something that most people consider a crash bug into a code execution bug. Here's a simpler example from Dowd's blog: http://taossa.com/index.php/2007/04/15/bored-games/
The other reason why it's news is that his method for exploiting Flash in this case is technically brilliant. I can understand if you don't appreciate it, but any security people out there are just overwhelmed.
I think that a better write-up may have made that more clear. The one that was actually posted on the Slashdot front page is pretty weak.
What's ironic is that this exploit DOESN'T crash the browser! That's the whole ever-fuckin point.
...oh, hell...nevermind
A browser crash is what's SUPPOSED to happen here to prevent the exploit from deploying its payload. I mean, in this case, a crash is the DESIRED behavior. An uncaught exception should be thrown.
So... just walk with me here... maybe Windows isn't just unreliable and unstable. MAYBE it's the most secure application stack ever devised.
Segmentation Fault (core dumped)
Comment removed based on user account deletion
Anyone who assumes this has never done cross-platform work. You don't know what's on the other end of NULL; you're only guaranteed that you can tell a NULL pointer from any other other pointer.
I've always worked under the assumption that my code might someday be ported to an architecture where NULL pointed to the routines involving the launch of nuclear missiles...
This is not the first NULL pointer exploit, not by a long shot. Not to say it's not very clever and all, but the "OMG! Not checking pointers for NULL is dangerous?!?! Who knew?!" reaction is frightening. Anyone who doesn't know that checking pointers for NULL is necessary, should please delete any C or C++ compilers on their machine.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
Actually the researcher specifically crafted his exploit demo so it wouldn't crash the browser. Maybe if I intentionally get infected, Vista won't suck as much!
It should be illegal to say that freedom of speech should be limited.
If this isn't news for nerds, then I don't know what is.
The flash interepreter is loaded as a dynamic library by the browser. Ergo , if it has control of the flash interpreter memory space it has control of the whole process memory space which includes the browser. On unix anyway, can't speak for windows.
Attitudes like yours are the reason people keep getting owned. There tons of ways to get around NX. You could do the pwn to own thing and use something like Java to allocate an executable range. Or you can use a return to libc style attack. There's so much crap running in a browser that you have nothing but options.
The original article already has Russian trackbacks on it.
In Soviet Russia, trackback adds article to you.
Yes, it's easily patchable once you realize it's there, and yes, it should have been easy to check for. This isn't as revolutionary as the summary might suggest, but it is still interesting. The way Dowd jumps through a bunch of hoops to achieve the exploit is interesting to learn from, in the same way a perfect shot in pool or pitching a no-hitter might be to a sports fan. Dowd showed an amazing amount of technical skill by putting together all the pieces, and people are reacting to that more than the specific bug(s) that allowed it, though those are interesting as well in some ways.
Well, until now it was generally consdiered an un-exploitable error. Now it's not. That changes things.
Mind you, if Address Space Layout Randomisation was turned on in the Flash executable on Vista, exploiting this hole would most likely (255 times out of 256) lead to a browser crash rather than arbitrary code execution
Are you sure about that? My skimming gave me the impression that all addressing used in this exploit was relative, which means address space randomization wouldn't have helped. Randomization just randomly places dynamically linked libraries, the start of the heap, and the stack, but that doesn't affect exploits on blobs of memory addressed using a relative offset.
Higher Logics: where programming meets science.
The NULL pointer dereferencing uses an absolute address, well a relative one from 0 which is the same thing. E.g. it does this
....
http://www.matasano.com/log/1032/this-new-vulnerability-dowds-inhuman-flash-exploit/
Not this time. Flash forgets to check that allocation failed, a ludicrously common error. It then uses that pointer with an offset controlled by the attacker. NULL isn't valid. NULL plus 1024 isnâ(TM)t valid. But NULL + 0x8f71ba90 is, as is NULL + N for any N that addresses valid memory.
To this address, controlled by attackers via wild offset, Flash writes a value that is also controlled by the attacker. This is the write32 pattern: a vulnerability that gives the attacker the means to set any one value in memory to a value of their choosing. Game over.
Except not quite.
The exploit doesn't actually get to offset an arbitrary number of bytes from 0. A complicated set of conditions constrains the address it writes to and the value it gives it.
The the actual write occurs via a structure offset. Flash is hardcoded to translate your offset into another number. Working offsets, as it turns out, will be greater than 0x80000000, and will be evenly divisible by 12 after 4 is added to them. Note: I thought I was hardcore when I wrote shellcode with no lowercase letters for the IMAP vulnerability in the â(TM)90s
Two fun details.
First, even though IE and Firefox use different Flash builds, the addressing inside them is compatible. The exploit works in both places.
Second, Flash isn't compiled with ASLR. So the attack works on Vista.
Mass casualty. Go Flash!
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
I have not checked, however I think the chances are that Flash would link to one or more calls you could use as a stepping stone to get the calls you need.
For example, the attacker being able to take the function addresses from the fixed up imports somewhere within the unrelocated Flash binary, rather than trying to call the function directly.
Cute. Read the actual paper from IBM, not the blogodreck. The same attack works on IE and Firefox, on XP and Vista. An attack for Firefox on Linux is probably possible.
This is easy to fix; it's a one line bug in Flash. But it will take years to replace all the bad versions of Flash out there.
We can only hope that with an exploit against a target with such an enormous installed base, opening up multiple platforms to remote code execution will lead to enough press that other vendors realise the steps they need to take sooner rather than later.
Let's hope more vendors than just Adobe learn their lessons from this one!
Anyone know what the right thing to run browsers with reduced privelegs on Linux actually is? Is this a feature of SELinux?
What kind of title is that?
Swedish?
This is a Flash plugin problem, not java problem.
Why on earth is it under Java section and with Java tag?
--Coder
A program (flash player) allows to write to an uncheked addres, that's all. Add a simple check, and the problem is gone. It's the end of the world as we know-it?
What's in a sig?
but with Firefox's noscript and flashblock plugins, how likely is it that this is a problem? Not very.
The cesspool just got a check and balance.
In a "different" world, the default behavior for a failed system API call would cause the operating system to terminate the application. To override this behavior, the application author would have to explicitly tell the system API that it would handle the error condition.
The current method rewards the programmer for not adding the additional required code to handle an error. The reward is a simple, runnable, program, but one that contains a hidden time bomb just waiting for the right error condition.
The exception (catch/try) model is another way to handle these types of errors, if the system APIs would throw the exceptions.
The problem however that the cat is out of the bag so to speak. The major systems out there (Windows, Unix, Linux) have been built with a basic assumption that coders are performing due diligence by programming defensively.
Slashdot articles are all submitted by users.
So...
The fact that it's a bug and needs to be fixed hasn't changed. Its priority come debugging time just jumped up quite a bit because it went from a stability issue to a security issue.
Debugging is generally handled in a triage fashion. The first bugs to fix are easily exploitable remote exploits that allow arbitrary code execution with elevated privileges. Then come those that allow easy remote exploitation and arbitrary code execution at the user's restricted level. It goes on like that all the way down to a bug equivalent to "sometimes on platform X the last character of output sometimes is an extra newline that gets appended which is unnecessary".
If you have the time to make sure every piece of software you write is entirely and certifiably bug free, then that's great. Somehow, though, I imagine maintenance programming for the rest of us will probably still be prioritized based on severity.
But isn't it just a bug in Flash? Fix that bug, and this whole story goes away. What am I not getting? I mean, I get how the installed base for this bug happens to be large, but it's not like this really opened a bigger can of worms than that, is it? Failed mallocs are still something that will be rarely exploitable.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Didn't look that brilliant to me. A clever hack but not genius. As for security people being overwhelmed? Oh please.
(And yes I did RTFA and the relevant bits of the paper.)
Most of the patches I see popping up in Ubuntu's update notifier seem to involve buffer overflows. Now there is this exploit because someone didn't check a pointer (failed malloc()/new/etc?).
When I taught CS, back when dinosaurs ruled the earth, I would have given a homework assignment with anything like that a D or an F.
I mean WTF, fast forward a few eons and people are still writing code like this??? What do we have to do - shoot them???
A programmer not checking for a null pointer return or a buffer overflow is the equivalent of... geez, I don't know... a surgeon forgetting to wash his hands before operating?
The tyrant will always find a pretext for his tyranny - Aesop
One hacked ad server and you've pwn3d thousands upon thousands of users. And they'd be none the wiser.
Program Intellivision!
First, I don't think anyone seriously considers that Silverlight is *probably* more secure than flash - just people have had less time to analyze it for exploits. Though, it is possible, I suppose, that it might be more secure.
Second, *even* if we allowed the hypothesis, for argument's sake, that Microsoft is acting to promote public awareness of this problem to promote it's own agenda, so what? Either this bug/exploit exists, or it doesn't exist, and it doesn't make it any more true or false just because Microsoft happens to be helping the problem to get attention (not that I am agreeing that is the case). If Microsoft *is* publicizing this, great - the more people that are aware of this, the more that will, hopefully, upgrade to a patched version of Flash and avoid getting Pwned.
Wise men have commented that difference between a bug and a vulnerability lies only in the skill of the exploiter.
Media that can be recorded and distributed can be recorded and distributed.
-kfg
Pretty simple eh? I mean overwhelmingly simple. Sometimes brilliance isn't in the complexity of the pudding, but the fact that no one had thought or even begun to think of the recipe before.
I believe at least some versions of Linux have adress space randomization turned on by default, so it's generally not possible to know where system() is beforehand.
Those who would give up liberty to obtain working drivers, deserve neither liberty nor working drivers.
"A programmer not checking for a null pointer return or a buffer overflow is the equivalent of... geez, I don't know... a surgeon forgetting to wash his hands before operating?"
Sorry but that conjures up a picture of Dilbert's PHB: "I'm giving you an under-performer rating on your last project Dilbert. I shouldn't have to hire someone to test your work.".
The biggest overflow culprit is probably strcpy() or a similar library function. Most proprietary and open source application code I have seen over the last couple of decades do not explicitly check buffer lengths before calling strcpy, etc. What most applications do (if anything) is focus on input validation and then blindly throw the validated data at library calls or lower level parts of the application code. What you were asking the students to do is act like every bit of code is paranoid interface or library code but the vast bulk of code out there is not written that way, nor should it be.
Writing and to a lesser extent using library code is always a trade off between saftey, speed, and the number of hours in a day. This is why writing a general purpose library/interface that adds something usefull to the art or science is difficult for vetrans let alone students.
I also taught programming to 1st and 2nd year CS students in the early 90's, in my experience many students found it difficult to fully grasp the concept of pointers even after two years with several different explainations from different presenters using different programming languages. Asking them to write bullet proof (sloth like) code is a waste of time. Sure, make them aware of defensive programing techniques, work it into assignments and award points it. However in an educational setting, well commeted and readable code that makes a decent attempt at the assigned problem and it's constraints is far more important than passing the keyboard bashing test and grades should reflect that.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Yeah, that's what I was trying to say.
But all it takes to prevent this is fixing the original flash bug of marching on even in the face of a malloc failure.
For pete sake people, get a grip.
Flash people can learn to code defensively, like everybody else in the industry.
Until they do, we can all de-install flash and live in a world were every web page actually does not assault your sensibilities with annoying ads.
The value of flash is highly over-rated, and now it is revealed that the code base is as well.
Flash delivers garbage to my screen.
Not surprisingly, it turns out that its made of garbage code.
Gee, what a revelation.
Sig Battery depleted. Reverting to safe mode.
Yup, I'd have to agree with you. Whilst Mark's work here is neat, it's hardly earth-shattering. It's a pretty standard reverse engineering of a VM to understand it's internals, discovering an absolutely pathetic memory protection scheme, and writing what is finally a relatively simple exploit. Generally speaking, security professionals are more likely to b bemused by the lack of a secure memory model for the ActionScript VM. Implementing the VM stack on the CPU's stack? Now there's an idiot security breach just waiting to happen. I imagine they did it for performance reasons, but good grief, Adobe has only themselves to blame if ever anybody uses this exploit for evil.
I think that a better write-up may have made that more clear. The one that was actually posted on the Slashdot front page is pretty weak.
Just click on TFA. It explains it well.
rd
Well, unless your straming pr0n has viruses in it, yeah, you're 100% safe. Malware only happens in advertisements these days.
Making laws based on opinions that stem up from false informations leads to witch hunts.
Sorry but you are not part of the solution, you are part of the problem.
Having code testers is no excuse for the original programmer being sloppy.
What most applications do (if anything) is focus on input validation and then blindly throw the validated data at library calls or lower level parts of the application code.
Which you appear to endorse. And which is also the cause of the many buffer overflow bugs, exploits and fixes thereof.
What you were asking the students to do is...
What I was asking the students, and any programmer, to do is this: do not copy a block of memory to another block of memory unless you know the destination block is large enough to contain the data you are copying.
Anyone who does not get why that is necessary should not be allowed near a computer.
Asking them to write bullet proof (sloth like) code is a waste of time.
Claiming that code that doesn't make unsustainable assumptions is "sloth like" is just a straw man, and a rather tired one at that. It doesn't deserve to be taken seriously, and so I won't.
"well commeted and readable code that makes a decent attempt at the assigned problem and it's constraints is far more important than passing..."
Ummmm no. There is your problem right there - looking pretty is not more important than working properly.
and grades should reflect that.
What makes you think their grades didn't reflect "commenting and readable" as well as correctness? Sorry but in software, just as in horseshoes, "close" doesn't count. And one programmer spending one extra hour to make sure that 1,000 users don't each spend an hour dealing with a bug is a good investment by any sane standard.
"two years with several different explanations from different presenters using different programming languagesIf after all that students didn't fully understand pointers then I suspect there is a more serious problem at the institution. The only thing necessary to get students to understand pointers is to teach them assembler for an architecture with indirect addressing, i.e. almost any modern cpu. Period. End of story.
Here's an exercise for you:
Until understood;Repeat
The tyrant will always find a pretext for his tyranny - Aesop
To emphasis my point you orinally wrote "A programmer not checking for a null pointer return or a buffer overflow is the equivalent of... geez, I don't know... a surgeon forgetting to wash his hands before operating?" To which I basically relpied that checking usually only needs to occur when talking input from outside your app and that a common and trivial mistake made by proffesionals is no justification for failing a student.
Not that someone like you would have made a mistike in your original statement but now you are telling me it means something different to what it actually says (ie: it now means "Do not copy a block of memory to another block of memory unless you know the destination block is large enough to contain the data you are copying.")
"Having code testers is no excuse for the original programmer being sloppy."
Never said it was, but in the real world as compared to your ivory tower only an idiot trusts a team of programmers to get everything right the first time. Take a look at the bug list for any major application, crappy apps don't have such lists (Hint: Absense of a bug list does not imply the programmer 'got it right').
Now here's a looping exercise for you:
Say: "In the real world people are expected to make mistakes despite their best efforts, teachers are not employed to act as a lint program." - until it bores through your ridgid ideology and the contorted logic you use to keep it alive.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.