Contributed by jose on from the fix-your-code dept.
We've posted about the SafeStr library before , and it's only getting better. Anyone been using it?
(Comments are closed)
Latest Articles
Credits
Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]
By coldie () on
Comments
By Frank Denis () j@pureftpd.org on http://www.pureftpd.org/
However :
1) It doesn't provide any safe str* replacement.
2) OpenBSD's C library has zero support for new C functions.
3) GCC 2.95 has very limited support for new C keywords and types.
In fact, C9X is quite useable on recent Linux systems but when it comes to writing portable applications, it's still not an option yet.
By raiten () julien.touche@lycos.com on mailto:julien.touche@lycos.com
see strlcat & co
Comments
By Ralph Siegler () admail@rsiegler.org on mailto:admail@rsiegler.org
By supabeast () on http://supa-james.livejournal.com
By supabeast () on http://supa-james.livejournal.com
By Scott Parish () srp@srparish.net on http://srparish.net/
By Anonymous Coward () on
http://www.and.org/vstr/
Specifically this page is interesting:
http://www.and.org/vstr/security.html
By Anonymous Coward () on
Roll your own if you can. Ken Thompson says, "You can't trust code that you did not totally create yourself." http://www.acm.org/classics/sep95/ justifies that statement.
Comments
By gopher () on http://www.h07.org
By Anonymous Coward () on
Be very sure you want to roll your own and live with the results before starting down that path.
By djm () on
Comments
By Anonymous Coward () on
Comments
By Anonymous Coward () on
Terminating with an error would probably
(a) break too much code;
(b) be non POSIX conformant in "style" (e.g. although the strl* functions are not POSIX defined, they are similar to str* functions which are POSIX defined, so need to preserve similar semantics);
(c) given (b), then it's arguable that existing code should already be designed to handle long strings before being given to str*;
By djm () on
By yoyo () on
IMHO little stuff *needs* to be coded in C.
I'd love to see more people using VHLL in projects where cpu time is not so critical.
Or someone should add SafeLevels in C as the ones found in ruby :))
Comments
By Boarding in Calgary () on
Lately C is getting slammed constantly, but languages like C++ do avoid these hazardous functions (avoid being key word). Another alternative maybe be doing a code audit on a .NET or Java interpreter/JIT. Niether ofcourse guarantee anything but just a suggestion.
Comments
By Anonymous Coward () on
i was just discussing this with a friend the other night. sloppy C programmers have at least another five years to screw things up.
By riffraff () on
Still, you can see that there is lot of wrong C++ code out there (cough..windo..cough..apps..cough)
It would be lovely to have a working Open Java JIT vm.. too bad SUN is not supporting OBSD.
Many people still don't understand How powerful java+hotspot is, they just notice the long start up time.
BTW, if the application is not cpu intensive, I still think python or ruby are the right choice(no, not perl :-)
By Anonymous Coward () on
Comments
By Anonymous Coward () on
As to museum computers, do we really need 2.6Ghz machines running personal routers and firewalls?
By Tony () aschlemm@comcast.net on mailto:aschlemm@comcast.net
For formatted output I see alot of code using sprintf() which is bad IMHO. Anyone needing to use sprintf() should consider using snprintf() instead since it allows a buffer size to be specified which helps alleviate allot of buffer overflow problems.
I've also done quite a bit of Java work over the last 7 years and while it improves things in some ways it isn't perfect and introduces its own set of problems.
Comments
By Anonymous Coward () on
If the probability of a critical mistake in a single line of code is X, then the probability of a piece of software having a critical vulnerability is X * the number of lines of code. That's simple math. If we agree that X can never get to zero, then there are two choices:
One is to make only very small applications. That's what NASA does, for example.
The other is to make small applications such as virtual machines that allow large bodies of code to run that don't manipulate memory. That's what Java does. Evil malicious hackers or incompetent idiots or monkeys can write trillions of lines of Java code, and we still know, with absolute certainty, that as long as the JVM is correct, there won't be any buffer overflow exploits. The probability of a mistake (X * lines of code) in a small JVM implementation is constant, so these trillions of lines of crappy or mallicious code don't need to be verified.
This is all simple math. As we can see from the various holes in OpenSSH, even the most skilled people out there do make mistakes. X is never zero. Let's instead use tools to isoalte the mistakes, like a VM.
I know that there are plenty of self-deluded people out there who still say "learn how to program and don't make mistakes." That is nonsense.
Comments
By Tony () aschlemm@comcast.net on mailto:aschlemm@comcast.net
I've been called in to work on a number of large Java projects over the last 7 years and the JVM failed in other ways even if buffer overflows were no longer a problem. Even in a protected evironment like Java programmers (monkeys) must not make mistakes! I've seen my share of lousy Java code where memory leaks abounded. All it takes is one sloppy programmer to place an object into a container and forget to remove it and now that gets repeated N times over the life of the run. After a certain amount of time, a system, that is supposed to run for months or years can't since the JVM has grown to a huge size (many 100's of MB) and eventually starts throwing OutOfMemoryErrors. In other cases I've seen systems that are nearly completely useless since multiple JVM's are consuming nearly 100% of all CPUs on a multi-CPU system.
It's then a very long, drawn our process running memory debugging tools that allowed heap snapshots to be taken so all of the places where objects were allocated and stranded could be found and Java coding changes could be made to the system. As I said in my previous post, Java opens up another set of problems. People come into Java thinking that just because it does garbage collection that they are now free to not worry about memory allocation issues anymore.
At least with C/C++ programmers I've never seen any of them delude themselves into thinking they never had to take any responsibility for their memory allocation in their code and everyone always used memory debugging tools on their code to make sure their code wasn't leaking memory.
I believe that Java has its uses in certain areas but it is far from a programmer's panacia. For certain types of systems that are required to have months or even years of uptime for handling real-time event processing I don't feel that Java is up to that task yet. Even Sun doesn't have that much faith in Java for certain mission critical areas since I believe that they have placed some restrictions on using Java for things like life support machines, air traffic control, and weapon systems. HP even goes so far as mentioning not using Java controlling any nuclear facilities in their license for their JDK.
Comments
By Michael van der Westhuizen () on
Programmers, regardless of the language or their skill level, need to take responsibility for the correctness of their code.
Different (language) environments carry different pitfalls - developers need to be aware of them and be more careful making sure they do not fall into those traps.
I agree with a lot of the negative and the positive sentiments expressed in the comments to this post, but most of all: no language is a panacea for all the worlds problems.
If you want the safety, you take the performance hit and lose the control you could otherwise enjoy over your environment. You do, however, get a lot of other benefits - nobody is disputing that.
If you want the power and freedom of lower level languages it comes with a bigger price: responsibility. C, like UNIX, assumes one thing only: that _you_ know what you're doing.
At the end of the day mistakes will be made in both environments - but in C it's more likely those mistakes could cause security issues.
Yes, it's a matter of picking the right tool for the job. For UNIX development (as in: the kernel and all base OS tools) I still believe that tool is C. Others may disagree, but that's their choice.
I also don't see much point in discussing what tools a project like OpenBSD should use. What right does anybody who (like me) does commit code to OpenBSD CVS have to make that call? None. (To all) Put your code on the line and prove what you're saying about security et al. and maybe, just maybe, someone will listen.
At the end of the day it's a case of 'the right tool for the job', and 'a bad workman blames his tools'. It's not my call to make, but I'd rather learn from my mistakes and continue to use C than switch to a higher level language that is less suitable for OS development.
But that's just my opinion...
By Anonymous Coward () on
http://www.gnu.org/directory/security/net/libsafe.html