This book doesn't really have any code in it. Building Secure Software has plenty of code.
Re:Can anybody shed some light on this?
on
.NETly News
·
· Score: 1
No, the feature doesn't even protect against the situations it's supposed to protect against. Therefore, it is providing a false sense of security to those who think they are getting some protection.
Re:Can anybody shed some light on this?
on
.NETly News
·
· Score: 1
Actually, this isn't what the guy is looking for. He's looking for something that can automatically check for Time-of-check, time-of-use file-based race conditions. They're race conditions between multiple processes, not multiple threads. You can certainly have security bugs resulting from thread-based race conditions, but it's not all that common in the grand scheme of things.
Additionally, that work is dynamic, which requires you to actually run the program. The person seems to be looking for static source code analysis tools. The best one right now is RATS (www.securesw.com). It scans in a bunch of different languages. Nonetheless, it has a lot of false positives... it's easy to imagine a tool that's a lot better.
I also don't think it's very likely that anyone not devoted to building this kind of a technology is going to find it very easy to build something that constitutes "real" analysis (though merely mimicing something like RATS doesn't take much effort).
I wanted to get a DVD-R drive, primarily for archiving television shows for my kids. I tried out a couple of drives that are intended for PCs. The software that came with the drives was incredibly limited, with poor user interfaces, and lots of bugs.
For example, none of the drives came with software that would do simple cutting of video footage imported from a camera. They all wanted the final media to be on the camera. If you need video editing, they want you to pay at least $100 extra.
Also, the ability to make menus, etc. totally, totally sucked (or was non-existant).
And, the QUE Firewire DVD-R/RAM drive kept giving me hardware crashes under XP.
I ended up returning each drive, and ultimately got a Dual Processor Mac G4 with superdrive. Everything I need to do can be done easily. iDVD2 is outstanding. Sure, I can squeeze more video on if I invest in DVD Studio, but it's incredibly easy to make discs that look great with that package (all under OSX... I don't think I could have standed a mac if it had to use the old Mac OS).
The bottom line here is that, while PC solutions are perfectly fine for archiving data, anyone who would like to make DVDs that play in DVD players should avoid PC solutions until the PC software advances a heck of a lot... the Mac solutions are infinitely better (another example: you can easily import from camcorders over the firewire port). I have to say that it was worth the extra cost, even though I had to buy a brand new machine.
The government is just starting to realize that they will probably get more assurance about their operating systems if those systems are source-available. Note that the program funding NAI is funding several other open source security projects, such as Sardonix (http://immunix.org/sardonix/) and tools for advanced code analysis (http://www.securesw.com/Projects/CHATS/).
The government has been interested in commercially-viable B-level secure operating systems for a long time, and, believe it or not, they are starting to see Darwin as the most viable candidate. Apple is willing to ship an OS with built-in mandatory access control primitives to every consumer (off by default), if the open source community performs such enhancements to the kernel. They've even started a consortium for promoting this goal (STOS; Secure Trusted OS). Several government agencies, including the NSA, are members of this consortium, and I would expect to see them funding several promising projects.
Slashdot Mirror
This book doesn't really have any code in it. Building Secure Software has plenty of code.
No, the feature doesn't even protect against the situations it's supposed to protect against. Therefore, it is providing a false sense of security to those who think they are getting some protection.
Stackguard. http://www.immunix.org/stackguard.html
Try Building Secure Software from Addison Wesley.
Actually, this isn't what the guy is looking for. He's looking for something that can automatically check for Time-of-check, time-of-use file-based race conditions. They're race conditions between multiple processes, not multiple threads. You can certainly have security bugs resulting from thread-based race conditions, but it's not all that common in the grand scheme of things.
Additionally, that work is dynamic, which requires you to actually run the program. The person seems to be looking for static source code analysis tools. The best one right now is RATS (www.securesw.com). It scans in a bunch of different languages. Nonetheless, it has a lot of false positives... it's easy to imagine a tool that's a lot better.
I also don't think it's very likely that anyone not devoted to building this kind of a technology is going to find it very easy to build something that constitutes "real" analysis (though merely mimicing something like RATS doesn't take much effort).
I wanted to get a DVD-R drive, primarily for archiving television shows for my kids. I tried out a couple of drives that are intended for PCs. The software that came with the drives was incredibly limited, with poor user interfaces, and lots of bugs.
For example, none of the drives came with software that would do simple cutting of video footage imported from a camera. They all wanted the final media to be on the camera. If you need video editing, they want you to pay at least $100 extra.
Also, the ability to make menus, etc. totally, totally sucked (or was non-existant).
And, the QUE Firewire DVD-R/RAM drive kept giving me hardware crashes under XP.
I ended up returning each drive, and ultimately got a Dual Processor Mac G4 with superdrive. Everything I need to do can be done easily. iDVD2 is outstanding. Sure, I can squeeze more video on if I invest in DVD Studio, but it's incredibly easy to make discs that look great with that package (all under OSX... I don't think I could have standed a mac if it had to use the old Mac OS).
The bottom line here is that, while PC solutions are perfectly fine for archiving data, anyone who would like to make DVDs that play in DVD players should avoid PC solutions until the PC software advances a heck of a lot... the Mac solutions are infinitely better (another example: you can easily import from camcorders over the firewire port). I have to say that it was worth the extra cost, even though I had to buy a brand new machine.
The government is just starting to realize that they will probably get more assurance about their operating systems if those systems are source-available. Note that the program funding NAI is funding several other open source security projects, such as Sardonix (http://immunix.org/sardonix/) and tools for advanced code analysis (http://www.securesw.com/Projects/CHATS/).
The government has been interested in commercially-viable B-level secure operating systems for a long time, and, believe it or not, they are starting to see Darwin as the most viable candidate. Apple is willing to ship an OS with built-in mandatory access control primitives to every consumer (off by default), if the open source community performs such enhancements to the kernel. They've even started a consortium for promoting this goal (STOS; Secure Trusted OS). Several government agencies, including the NSA, are members of this consortium, and I would expect to see them funding several promising projects.