Security in use of contants

Discussion in 'Ruby' started by Kless, Aug 17, 2008.

  1. Kless

    Kless Guest

    Is secure use constants?

    I come from Python and it isn't recommended there.
     
    Kless, Aug 17, 2008
    #1
    1. Advertising

  2. Kless

    Phlip Guest

    Kless wrote:

    > Is secure use constants?
    >
    > I come from Python and it isn't recommended there.


    Use constants to avoid repeating a literal with the same meaning, such as '42',
    in various locations in your code.

    What do you mean by "secure"? Neither Ruby nor Python are secure from reverse
    engineering, because all the source is hanging out visible for all to see!

    --
    Phlip
     
    Phlip, Aug 17, 2008
    #2
    1. Advertising

  3. Kless

    loolek Guest

    >
    > What do you mean by "secure"? Neither Ruby nor Python are secure from reverse
    > engineering, because all the source is hanging out visible for all to see!
    >
    > --
    > Phlip


    private static final int 42;

    Or something like this...
     
    loolek, Aug 17, 2008
    #3
  4. Kless

    Dejan Dimic Guest

    On Aug 17, 8:36 pm, Phlip <> wrote:
    > Kless wrote:
    > > Is secure use constants?

    >
    > > I come from Python and it isn't recommended there.

    >
    > Use constants to avoid repeating a literal with the same meaning, such as'42',
    > in various locations in your code.
    >
    > What do you mean by "secure"? Neither Ruby nor Python are secure from reverse
    > engineering, because all the source is hanging out visible for all to see!
    >
    > --
    >    Phlip


    How do you come up with this question?

    CONSTANTS are perhaps more secure in comparison to loops. :)
    Be avare of the interations.
     
    Dejan Dimic, Aug 17, 2008
    #4
  5. Kless

    Phlip Guest

    loolek wrote:

    > private static final int 42;
    >
    > Or something like this...


    What is secure about that? Nobody can ever change it?

    Even in C, a language designed to compile directly to machine language with no
    questions asked, you can still force a constant to change. You get "undefined
    behavior", but you can still do it.

    Don't worry about your constants changing. Just write clean code, and pay
    attention to your warnings & test results, and you will be okay.

    --
    Phlip
     
    Phlip, Aug 17, 2008
    #5
  6. Kless

    loolek Guest

    "Nobody can ever change it?"

    Yes, yes -> i mean, under the java vm security control -> nobody can
    change it.

    That's cool for me -> but means nothing for a serious hacker...

    peter
     
    loolek, Aug 18, 2008
    #6
  7. Kless

    loolek Guest

    "Don't worry about your constants changing."

    My job is -> be full secure !!!

    So, i am worring about this -> "small ruby leak"....

    Do you need a case study -> for this "bad" situation, becouse a week
    constant guarding (for example in C)?

    "Just write clean code, and pay attention to your warnings & test
    results, and you will be okay."

    Thanks buddy.........you help a lot :p

    peter
     
    loolek, Aug 18, 2008
    #7
  8. Kless

    Tim Hunter Guest

    loolek wrote:
    > "Don't worry about your constants changing."
    >
    > My job is -> be full secure !!!
    >
    > So, i am worring about this -> "small ruby leak"....
    >
    > Do you need a case study -> for this "bad" situation, becouse a week
    > constant guarding (for example in C)?


    I admit it, I'm largely ignorant of security issues. What kind of bad
    thing can you do with Ruby constants?

    --
    RMagick: http://rmagick.rubyforge.org/
     
    Tim Hunter, Aug 18, 2008
    #8
  9. Kless

    Phlip Guest

    loolek wrote:

    > "Don't worry about your constants changing."


    > My job is -> be full secure !!!


    Static type checking (constant, private, etc.) only provide negative
    reinforcement that code might work as designed. Unit tests provide positive
    reinforcement that your features behave as expected. Code with wall-to-wall unit
    tests is better than any code with all kinds of constants, privates, and typechecks.

    --
    Phlip
     
    Phlip, Aug 18, 2008
    #9
  10. Kless

    Marc Heiler Guest

    > I admit it, I'm largely ignorant of security issues. What kind of
    > bad thing can you do with Ruby constants?


    It depends on the coder in question:

    - matz once single handedly trapped Chuck Norris within a constant void.

    - Lesser ruby coders may utterly fail in doing so, ending up as bloody
    BBQ.

    Also, there exists believable rumours that one can do time travels with
    constants, if used in the right way (full moon, 12 fresh sheep, some old
    gold coins and a pirate curse...)

    But again beware, only those strong in will may succeed...
    --
    Posted via http://www.ruby-forum.com/.
     
    Marc Heiler, Aug 18, 2008
    #10
  11. Kless

    loolek Guest

    "What kind of bad thing can you do with Ruby constants? "

    I think this is not the question of ruby. Imagine this -> there is a
    constant that holds the value that triggers the cooler sticks in a
    nuclear power plant. Than the bad guy "overwrites" it, what comes
    next ?

    A BIG CRASH BANG

    "I'm largely ignorant"

    Are you sure, you will be ingnorant if you where living in the next
    city from the plant ?

    peter
     
    loolek, Aug 18, 2008
    #11
  12. Kless

    loolek Guest

    "Static"

    The JVM do this dynamically, how do you mean "static" ?

    "only provide negative reinforcement ... wall-to-wall unit tests is
    better"

    Could you explain this more detailed, i dont get it what are you
    thinking about ?

    peter
     
    loolek, Aug 18, 2008
    #12
  13. Kless

    loolek Guest

    "Unit tests provide positive reinforcement that your features behave
    as expected."

    Yehh, if you know how to write bulletproof unit tests......

    peter
     
    loolek, Aug 18, 2008
    #13
  14. Kless

    Phlip Guest

    loolek wrote:

    > "What kind of bad thing can you do with Ruby constants? "
    >
    > I think this is not the question of ruby. Imagine this -> there is a
    > constant that holds the value that triggers the cooler sticks in a
    > nuclear power plant. Than the bad guy "overwrites" it, what comes
    > next ?


    Okay, you and I are bidding for that contract. (In an imaginary, old-fashioned
    world where government contract bids are competitive!;)

    I tell them I will use a constant there.

    You tell them you will write unit tests for all your code.

    Who should get the contract?

    And note that, in Ruby, changing the immediate value of a constant ("immediate"
    meaning it is a small integer only), causes a warning.

    --
    Phlip
     
    Phlip, Aug 18, 2008
    #14
  15. Kless

    loolek Guest

    "You tell them you will write unit tests for all your code."

    Wrong, i will never work for the goverment -> the job is yours whitout
    a BID...

    Double wrong, i never write unit tests, becouse i sad it -> unit tests
    NEVER discovers all of the security holes (remember FULL security).

    "meaning it is a small integer only"

    Yeah, this small door will be enough for that clever/fast bad guy ->
    BANG AGAIN

    "causes a warning"

    This is interesting, do you have a rubydoc link to this topic ?

    peter
     
    loolek, Aug 18, 2008
    #15
  16. Kless

    loolek Guest

    "right?"

    Nope, PLZ explain it.

    peter
     
    loolek, Aug 18, 2008
    #16
  17. Kless

    loolek Guest

    ""causes a warning""

    "This is interesting, do you have a rubydoc link to this topic ? "

    And don't forget this Q.

    peter
     
    loolek, Aug 18, 2008
    #17
  18. On Sunday 17 August 2008 22:06:51 loolek wrote:
    > "What kind of bad thing can you do with Ruby constants? "
    >
    > I think this is not the question of ruby. Imagine this -> there is a
    > constant that holds the value that triggers the cooler sticks in a
    > nuclear power plant. Than the bad guy "overwrites" it, what comes
    > next ?


    Ok, first, how does the "bad guy", whoever they are, get the ability
    to "overwrite" it? They shouldn't even be on the same _network_, let alone in
    my memory space.

    And, for that matter, if they were in my memory space, they can do a hell of a
    lot worse than "overwriting a constant".

    Here, I think XKCD explains this better than I could:

    http://xkcd.com/463/

    > Are you sure, you will be ingnorant if you where living in the next
    > city from the plant ?


    Sorry, but the magnitude of possible failure doesn't prove your point.

    No one is saying that it's OK to be less secure. What we are saying is that
    you are wrong about how to go about being secure.

    In other words, we are saying that your attitude towards security is more
    likely to blow up that hypothetical plant than, say, proper unit testing.
     
    David Masover, Aug 18, 2008
    #18
  19. Kless

    Kless Guest

    On Aug 17, 7:00 pm, Kless <> wrote:
    > Is secure use constants?
    >
    > I come from Python and it isn't recommended there.


    Ops! I was wrong! I mean global variables instead of constants. Sorry!
     
    Kless, Aug 18, 2008
    #19
  20. Kless

    loolek Guest

    "Ok, first, how does the "bad guy", whoever they are, get the ability
    to "overwrite" it? They shouldn't even be on the same _network_, let
    alone in
    my memory space.

    And, for that matter, if they were in my memory space, they can do a
    hell of a
    lot worse than "overwriting a constant".

    This topic turned to interesting "ruby hacker" lessons. But first let
    me answare your Qs ->

    "Ok, first ... whoever they are"

    a. May be ter*rist or whatever, don' really matter. But they are only
    one guy.


    "get the ability to "overwrite" it?"

    Secound, play that -> i am the bad guy...

    a. I was won the ruby programmer job at the plant -> I'm in!

    b. I hacked the box of the security guy of the plant (home machine).
    Why? Becouse he/she is got connection to the inner plant network
    (SSH). So i am in again! (idea from Kevin)

    c. I gave a really cool video game CD to my "new friend Joe", who is
    working at the plant. Why? Becouse he will install it on the inner
    box, just for fun. The game will install me among the cool game. So i
    am in again!

    d. Maybe in the plant, there is some "hard but alive" way -> between
    the local and public lan.

    e. Should i continue?


    "let alone in my memory space."

    Hmm, how do you mean this? The ruby code will guard the memory/
    hardware/io/etc. I really don't get you?

    But anyway -> i was first hacked the unpatched Linux kernel... Should
    i continue the "how"?

    a. I thought only only the CPU's protected mode can do this kind of
    job. Or i am wrong?


    "WE are saying is that you are wrong about how to go about being
    secure."

    I think "hypotheticaly" -> i am right. In other words, you STILL don't
    see the DANGER that the week coding language cousing?

    "hell of a lot worse than "overwriting a constant""

    Oh yes, i see now -> you don't smell the dager still, becouse you
    asking this silly Q. But okay, what worse could happen?

    a. You are dead.
    b. Your home city is dead too.
    c. You mom is dead too.
    d. The water in your area is posioned for a long time.
    e. etc.

    peter
     
    loolek, Aug 18, 2008
    #20
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Aaron
    Replies:
    1
    Views:
    386
    John C. Bollinger
    Aug 4, 2003
  2. Marco
    Replies:
    1
    Views:
    2,458
    Roedy Green
    Jan 28, 2006
  3. Boba

    ADO and COM contants

    Boba, Feb 26, 2004, in forum: Python
    Replies:
    2
    Views:
    415
  4. Stefan Ram
    Replies:
    5
    Views:
    484
  5. Akram Baig
    Replies:
    0
    Views:
    355
    Akram Baig
    Apr 7, 2011
Loading...

Share This Page