C dangerous?


Bill Cunningham

I read an article in a book about Perl and Common Gateway Interface and it
mentioned C. It said that C could damage your computer. I don't know whether
it meant the standard or compiler issues. I was a little upset. Well more
upset. I sent Dennis Ritchie an email. I don't know if he'll respond if he
gets it. Sometimes he does sometimes not. How can C damage your computer?

Bill
 

Christopher Dyken

| I read an article in a book about Perl and Common Gateway Interface and it
| mentioned C. It said that C could damage your computer. I don't know whether
| it meant the standard or compiler issues. I was a little upset. Well more
| upset. I sent Dennis Ritchie an email. I don't know if he'll respond if he
| gets it. Sometimes he does sometimes not. How can C damage your computer?

The only way of damaging the computer with C I can think of is
programming a bad kernel-driver trashing on some extremely fragile
hardware. Otherwise, your OS is broken. :)

However, what is probably meant is that using C from CGI requires
quite some caution. Since a CGI program receives input from any (and
potentially malicious) users, it must take a lot of precautions. For
example, passing your arguments unchecked to a shell is a bad idea,
for then, for example, "; rm -rf /" wipes clean whatever the http-user can
delete.

Perl has (in addition to dynamic arrays etc.) something called
taint-mode that can identify some of these issues and take appropriate
action (abort).

So to summarize: It is very unlikely that a C program actually damages
your computer, but a broken C program can mess
(read/forward/delete/whatever) the files the user running the C
program has access to. And since you through CGI let anyone run this
program, this is a major security concern.

Cheers
Chris.
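
The unchecked-shell-argument problem described in the post above, as an added example that is not part of any post in the thread: the unsafe string-building pattern beside an allowlist check followed by `execv()` with no shell. The function names, the host-name allowlist, and the use of `/bin/echo` as the external program are assumptions made for illustration.

```c
/* Added example, not from the thread; "echo" stands in for the real tool. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* UNSAFE pattern: /bin/sh would parse this text, so ';' starts a new command. */
int build_shell_command(char *out, size_t n, const char *value)
{
    int len = snprintf(out, n, "echo %s", value);   /* only builds the string */
    return len >= 0 && (size_t)len < n;
}

/* Allowlist: only characters a host name may contain, no leading '-'. */
int is_safe_value(const char *s)
{
    size_t i, len = strlen(s);
    if (len == 0 || len > 253 || s[0] == '-') return 0;
    for (i = 0; i < len; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '.' && s[i] != '-')
            return 0;
    return 1;
}

/* SAFER: validate, then pass the value to execv() as one argv element.
 * No shell runs. Returns the child's exit status, or -1 if rejected. */
int run_without_shell(const char *value)
{
    char *argv[] = { "echo", (char *)value, NULL };
    int status;
    pid_t pid;
    if (!is_safe_value(value) || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        execv("/bin/echo", argv);   /* absolute path: PATH is not consulted */
        _exit(127);                 /* reached only if exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char cmd[64];
    build_shell_command(cmd, sizeof cmd, "x; rm -rf /"); /* string from the post */
    printf("shell would parse [%s]; checked path returns %d\n",
           cmd, run_without_shell("x; rm -rf /"));
    fflush(stdout);
    return run_without_shell("www.example.com");
}
```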
 

David Rubin

Bill said:
I read an article in a book about Perl and Common Gateway Interface and it
mentioned C. It said that C could damage your computer. I don't know whether
it meant the standard or compiler issues. I was a little upset. Well more
upset. I sent Dennis Ritchie an email. I don't know if he'll respond if he
gets it. Sometimes he does sometimes not. How can C damage your computer?

Bill

The issue is really that if you don't C, you could accidentally push
your computer off the table...

/david
 

Bill Cunningham

Christopher Dyken said:
The only way of damaging the computer with C I can think of is
programming a bad kernel-driver trashing on some extremely fragile
hardware. Otherwise, your OS is broken. :)

However, what is probably meant is that using C from CGI requires
quite some caution. Since a CGI program receives input from any (and
potentially malicious) users, it must take a lot of precautions. For
example, passing your arguments unchecked to a shell is a bad idea,
for then, for example, "; rm -rf /" wipes clean whatever the http-user can
delete.

Perl has (in addition to dynamic arrays etc.) something called
taint-mode that can identify some of these issues and take appropriate
action (abort).

So to summarize: It is very unlikely that a C program actually damages
your computer, but a broken C program can mess
(read/forward/delete/whatever) the files the user running the C
program has access to. And since you through CGI let anyone run this
program, this is a major security concern.

Cheers
Chris.

Dennis wrote me back and I'm not quite sure I understood what he was trying
to say so I'll post his response. Maybe someone will understand better.
/* Dennis's response */
At least some graphics cards were able to
destroy a monitor if the settings were wrong
enough. And of course you can overwrite your
disk, but that's different.

However, it's likely that these things could
be done in Perl as well.

/* End Dennis's response */

Does anyone understand this a little better than me?

Bill
 

Joona I Palaste

Bill Cunningham said:
Dennis wrote me back and I'm not quite sure I understood what he was trying
to say so I'll post his response. Maybe someone will understand better.
/* Dennis's response */
At least some graphics cards were able to
destroy a monitor if the settings were wrong
enough. And of course you can overwrite your
disk, but that's different.
However, it's likely that these things could
be done in Perl as well.
/* End Dennis's response */
Does anyone understand this a little better than me?

I think what dmr / Dennis / Mr.Ritchie (choose your style) is trying to
say is that actually damaging your computer programmatically requires
native machine code. This machine code doesn't have to be typed in by
hand though - it can have been compiled from C, Perl, or whatever.
Sometimes you don't even need that - some languages specify interfaces
to native machine code. That is, you call a function (in C terminology)
where the calling interface is in C, Perl, or whatever, but the actual
function code is in native machine code. Graphics cards drivers usually
do this. Doing things with your graphics card is way beyond C's
abilities, but it can be done in native machine code, and people who
write graphics card drivers usually write their code so that it allows
functions to be called through a C interface.
 

Christopher Dyken

| Dennis wrote me back and I'm not quite sure I understood what he was trying
| to say so I'll post his response. Maybe someone will understand better.
| /* Dennis's response */
| At least some graphics cards were able to
| destroy a monitor if the settings were wrong
| enough. And of course you can overwrite your
| disk, but that's different.
|
| However, it's likely that these things could
| be done in Perl as well.
| /* End Dennis's response */
| Does anyone understand this a little better than me?

I think I understand your question in the same way Dennis does: You
wonder if it is possible for a program written in C to physically
damage your computer.

And the answer to this is "very unlikely". And if you don't do kernel
programming, "not at all".

(However, poking around in the memory using perl is substantially more
difficult than doing it in C. But I have trouble seeing how this
relates to CGI.)

Bad design of a C/perl/python/assembler/whatever program can cripple
any data the user who is running the program has access to. What means
different languages/run-time systems apply to prevent this varies. But
perl can mess up your files as easily as C. But this doesn't
physically harm your computer.


Cheers,
Chris.
 

Thomas Matthews

Bill said:
I read an article in a book about Perl and Common Gateway Interface and it
mentioned C. It said that C could damage your computer. I don't know whether
it meant the standard or compiler issues. I was a little upset. Well more
upset. I sent Dennis Ritchie an email. I don't know if he'll respond if he
gets it. Sometimes he does sometimes not. How can C damage your computer?

Bill

The C language cannot damage your computer. An
executable program can, regardless of the language
it was written in. I can write a program in assembly
that will trash your harddrive and play havoc on
your graphics card. I could write it in C, C++
and Basic as well. The danger only lies in the
execution of said program.

--
Thomas Matthews

C++ newsgroup welcome message:
http://www.slack.net/~shiva/welcome.txt
C++ Faq: http://www.parashift.com/c++-faq-lite
C Faq: http://www.eskimo.com/~scs/c-faq/top.html
alt.comp.lang.learn.c-c++ faq:
http://www.raos.demon.uk/acllc-c++/faq.html
Other sites:
http://www.josuttis.com -- C++ STL Library book
 

Bill Cunningham

Joona I Palaste said:
I think what dmr / Dennis / Mr.Ritchie (choose your style) is trying to
say is that actually damaging your computer programmatically requires
native machine code. This machine code doesn't have to be typed in by
hand though - it can have been compiled from C, Perl, or whatever.
Sometimes you don't even need that - some languages specify interfaces
to native machine code. That is, you call a function (in C terminology)
where the calling interface is in C, Perl, or whatever, but the actual
function code is in native machine code. Graphics cards drivers usually
do this. Doing things with your graphics card is way beyond C's
abilities, but it can be done in native machine code, and people who
write graphics card drivers usually write their code so that it allows
functions to be called through a C interface.

Are you saying device drivers should probably be written in assembly? Or
maybe straight binary?

Bill
 

Richard Heathfield

Bill Cunningham wrote:

Are you saying device drivers should probably be written in assembly? Or
maybe straight binary?

That wouldn't make them any safer.
 

Richard Heathfield

Bill said:
How can C damage your computer?

/* The social engineering technique */
#include <stdio.h>
int main(void)
{
    puts("Please destroy the computer with an axe.");
    puts("If you don't have an axe, at least");
    puts("hit the monitor with a chair.");
    puts("Thank you.");
    return 0;
}

/* The system-specific technique */
#include <stdlib.h>
int main(void)
{
    system("insert system-trashing command here");
    return 0;
}

/* The undefined behaviour technique (not guaranteed, alas) */
void main() { gets(0); }

/* The Windows technique - this one caused
 * a disk failure on my Windows 2000 box
 */
#include <stdio.h>
int main(void)
{
    int i;
    for(i = 0; i < 1000; i++)
    {
        printf("\t\b\b\b\b\b");
        fflush(stdout);
    }

    return 0;
}


Anyone care to add to the list?


Note: none of these problems is unique to C. If a programming language can
access your hardware, it can almost certainly /damage/ your hardware too.
And even if it can't, it might be able to trick the /user/ into damaging
your hardware. With an axe.

C is dangerous in the same way that any powerful tool can be dangerous if
handled maliciously or incompetently. A scalpel is dangerous in the hands
of an infant or a psychopath, but remains useful in the hands of a surgeon.

If you don't want to use a powerful tool, try some other language.
 

David Rubin

Bill Cunningham wrote:

[snip - how to destroy your computer]
/* Dennis's response */
At least some graphics cards were able to
destroy a monitor if the settings were wrong
enough. And of course you can overwrite your
disk, but that's different.

However, it's likely that these things could
be done in Perl as well.

http://www.duk0r.net/matrix/107.jpg

/david
 

Nick Landsberg

Christopher said:
Bad design of a C/perl/python/assembler/whatever program can cripple
any data the user who is running the program has access to. What means
different languages/run-time systems apply to prevent this varies. But
perl can mess up your files as easily as C. But this doesn't
physically harm your computer.


Cheers,
Chris.

Unless it has access to the assembly instruction
"HCF" - halt and catch fire :)
 

nrk

Richard said:
/* The social engineering technique */
#include <stdio.h>
int main(void)
{
puts("Please destroy the computer with an axe.");
puts("If you don't have an axe, at least");
puts("hit the monitor with a chair.");
puts("Thank you.");
return 0;
}

/* The system-specific technique */
#include <stdlib.h>
int main(void)
{
system("insert system-trashing command here");
return 0;
}

/* The undefined behaviour technique (not guaranteed, alas) */
void main() { gets(0); }

/* The Windows technique - this one caused
* a disk failure on my Windows 2000 box
*/

I am not sure if you're joking or serious here. Did it really happen? If
it did... well, I never... That code crashes the hard disk???? Seriously, I
don't even see undefined behavior in there.

-nrk.
 

Christopher Dyken

| Unless it has access to the assembly instruction
| "HCF" - halt and catch fire :)

Has anyone encountered a virus that actually harms the hardware of the
host computer? The virus-engineers are usually quite clever when it comes
to malicious code.

(and I don't mean in an indirect way, e.g. annoying the user beyond
sanity so the user assaults the hardware from pure frustration)


Cheers,
Chris.
 

Martin Dickopp

Christopher Dyken said:
Has anyone encountered a virus that actually harms the hardware of the
host computer?

While I have not personally encountered it, a virus existed which tried
to overwrite the BIOS of PCs which allowed BIOS upgrades without setting
a jumper on the motherboard. I'm not sure if this should be counted as
hardware damage, but it certainly had the effect that affected PCs
wouldn't boot.

The virus-engineers are usually quite clever when it comes to malicious
code.

Huh? Most viruses are created with a few clicks in a virus construction
kit. If virus writers were actually clever, the world would be very
different.
 

Richard Heathfield

nrk said:
I am not sure if you're joking or serious here.

Of course I am!

Did it really happen?

Yes. The machine restarted spontaneously, and failed to detect the hard
disks on the restart. (A cold boot fixed it, thank heaven.)

If it did... well, I never... That code crashes the hard disk????

Your mileage may vary. On some Win2K machines, nothing happens, apparently.
On others, the machine restarts but without the disk problems. It's not
just Win2K. I believe NT4 and some versions of XP have the same problem. It
is entirely possible that this problem has since been addressed by a
bugfi\b\b\b\b\bService Pack.

Seriously, I don't even see undefined behavior in there.

Gotta love Microsoft. Gotta.

Gotta.

Gotta love 'em. Right. Yes.
 

Richard Heathfield

Christopher Dyken wrote:

Has anyone encountered a virus that actually harms the hardware of the
host computer?

There was an Amiga virus that played tunes on the floppy disk drive by
adjusting the stepper motor speed. This didn't do the drive any good.

You might want to take this to alt.folklore.computers or something.
 

sellountos euripides

Richard said:
Bill Cunningham wrote:




/* The social engineering technique */
#include <stdio.h>
int main(void)
{
puts("Please destroy the computer with an axe.");
puts("If you don't have an axe, at least");
puts("hit the monitor with a chair.");
puts("Thank you.");
return 0;
}

/* The system-specific technique */
#include <stdlib.h>
int main(void)
{
system("insert system-trashing command here");
return 0;
}

/* The undefined behaviour technique (not guaranteed, alas) */
void main() { gets(0); }

/* The Windows technique - this one caused
* a disk failure on my Windows 2000 box
*/
#include <stdio.h>
int main(void)
{
int i;
for(i = 0; i < 1000; i++)
{
printf("\t\b\b\b\b\b");
fflush(stdout);
}

return 0;
}


Anyone care to add to the list?

Yes... you forgot viruses...

#include <stdio.h>
#include <stdlib.h>

int main(void) {
    printf("Your system is affected by ancient virus\n");
    printf("Remove all files from your computer\n");
    printf(" and distribute this virus to your friends.\n");
    return EXIT_SUCCESS;
}

:)

cheers
e.j.s
 
