Secure C programming

Randy Howard

Think your finger is pointing in the wrong direction. Anyone who knows humans
knows that an IQ of 100 is average. A person who designs something that they
know will be used by an average person but doesn't design it for use by such a
person is the one who should have the fault heaped on them.

So you suggest that programming languages should be designed for use by
average people from the general population? Or the standard library as
well? I'm quite confident that it wasn't believed that the average
person off the street was the target audience for C when it was
designed originally, but dmr may see fit to confirm or deny it.

If that is the goal today, it would certainly explain some of the new
languages that have appeared more recently. ;-)
When the standard library and strings were defined, security may not have been
an issue. Bad future prediction I will forgive. However I can't forgive the
standards people for continuing to permit it. Deprecated should be enforced.
Yes, break the program or make them compile it under the old standard.

You are now referring to things like gets() and company?
 
Chris Hills

Think your finger is pointing in the wrong direction. Anyone who knows humans
knows that an IQ of 100 is average. A person who designs something that they
know will be used by an average person but doesn't design it for use by such a
person is the one who should have the fault heaped on them.

However software engineering is not something that will be done by the
average person.
When the standard
library and strings were defined, security may not have been an issue.

Safety may have been if not security. However as IEC61508 says C should
be used with a subset, coding standard and static analysis.
Bad future prediction I will forgive. However I can't forgive the standards
people for continuing to permit it. Deprecated should be enforced. Yes, break
the program or make them compile it under the old standard.

Not at all. I have no interest in using the new string library. If you
enforce it you will have consigned ISO C to obscurity.
 
Golden California Girls

Randy said:
So you suggest that programming languages should be designed for use by
average people from the general population?

Ask some of the teachers here what a passing grade is. You know that it was
average coder. And the reference to humans includes the general laziness that
many people have in doing work, reflected in such phrases as "good enough for
government work."
 
Golden California Girls

Chris said:
However software engineering is not something that will be done by the
average person.


Safety may have been if not security. However as IEC61508 says C should
be used with a subset, coding standard and static analysis.


Not at all. I have no interest in using the new string library. If you
enforce it you will have consigned ISO C to obscurity.

Perhaps it (old standards) should be consigned to obscurity along with the
thinking that went into their design.
 
Randy Howard

Ask some of the teachers here what a passing grade is. You know that it was
average coder.

Regardless of what the teacher does to bend the curve, that wasn't the
question. Your response seems to imply that the "average coder" ~=
"average people from the general population" when it comes to
programming ability. Do you really believe that, and if so, why?
And the reference to humans includes the general laziness that
many people have in doing work, reflected in such phrases as "good enough for
government work."

Yes, such people have likely been around forever, but the density of
them in the general population seems to be constantly increasing. At
the current time, I don't detect any measurable efforts that seem
likely to reverse this trend, but I don't think we can do anything
about it here, and I don't think it addresses the question asked.
 
Randy Howard

Perhaps it (old standards) should be consigned to obscurity along with the
thinking that went into their design.

Perhaps when some new standard comes along that is sufficiently good to
make that happen, those old standards will wither as you seem to
desire. People have been predicting the demise of C for a very long
time, pretty much every time some new language comes along. One of
them will eventually be correct as to when (by accident most likely),
but I doubt any of us here today will live long enough to cheer about
it.
 
Chris Hills

Perhaps it (old standards) should be consigned to obscurity along with the
thinking that went into their design.

Interesting. C95 is the C standard currently in use by the majority of
compilers. It is C99 that has hardly been implemented.

BTW the new string library is irrelevant for many anyway.
 
Kelsey Bjarnason

[snips]

Think your finger is pointing in the wrong direction. Anyone who knows humans
knows that an IQ of 100 is average. A person who designs something that they
know will be used by an average person but doesn't design it for use by such a
person is the one who should have the fault heaped on them. When the standard
library and strings were defined, security may not have been an issue. Bad
future prediction I will forgive. However I can't forgive the standards people
for continuing to permit it. Deprecated should be enforced. Yes, break the
program or make them compile it under the old standard.

This doesn't seem to make a lot of sense to me, as it seems to be looking
in the wrong direction entirely.

Joe Sixpack doesn't need to have a bulletproof set of string functions in
the standard library, he never uses them directly. What he needs is a
bulletproof application.

So take the case of the string functions. strcpy is a good example. The
user enters some data, my code uses strcpy to stuff it into a buffer.
Does the user benefit if the strcpy first examines the string, ensuring
that the resultant buffer is large enough and reallocating if necessary?

Probably not, because I - the programmer - will already have done just
such a thing already. I'll have examined the length of his input and
allocated enough to store it, or processed it piecemeal, reallocating as I
go, etc. If it's simply too damn big, I'll reject it, if there's no
memory left to deal with it, I'll do something else - toss an error, say -
but I don't need the strcpy function to hold my hand for me by doing all
this.

Even worse, there are many cases where the strings I process will be known
to be smaller than the size of the buffer, and what I want is not
hand-holding, but efficiency in processing them. Having them spend their
time doing completely pointless tasks such as validating the length is not
what I need from them, I need them to work efficiently.

Thus there are at least two distinct "levels" of code: code exposed to
unknown, unpredictable data, and code exposed to known data. One set
benefits from such hand-holding, the other suffers potentially enormous
losses of efficiency from it. Making it _all_ behave as if it were "level
one" code benefits nobody but the clueless coder who doesn't bother to
check such details in the first place.

If you want to create a "level one" library, one that does all this sort
of hand-holding, by all means, do so; such checking is, in fact, necessary
in many parts of a program, we just generally do it ourselves. However,
in doing so, kindly do *not* mess with the "level two" library, where
efficiency is the name of the game: if we want the checking, we'll use it
where it's appropriate, not where what we're trying to do is the actual
"meat" of the job.

Yeah, fine, some coders skip such validation. Good ones have some means
to validate their code before releasing it to production - or to the
world. Bad ones, well, a bad programmer is somewhat less likely to do
this, but then, is this sort of thing really going to make his code good?
Or is it simply going to give him a sense of false security: "nothing can
go wrong, because these functions protect me"?
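The two-level split described in the post above, as an added example in C that is not part of the original thread: an unchecked "level two" copy whose precondition is documented, and a "level one" boundary that measures untrusted input without trusting its terminator, either rejecting it or sizing a heap buffer to it. The buffer size NAME_MAX, the function names and the inputs are assumptions made for the demonstration. The bounded scan relies on memchr stopping at the first match, which C11 (7.24.5.1) guarantees.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed-size destination used by the examples below (an assumed value). */
#define NAME_MAX 16

/* "Level two": the hot path. It does no checking of its own. Its precondition,
 * strlen(src) < NAME_MAX, is the caller's responsibility; calling it with
 * unchecked input is exactly the classic strcpy overflow. */
static void store_name_unchecked(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);
}

/* Measure untrusted input without ever scanning past `limit` bytes.
 * Returns the length if a terminator was found within `limit` bytes,
 * or (size_t)-1 if it was not (unterminated or too long). memchr is used
 * rather than strlen because strlen trusts the terminator to exist; memchr
 * stops at the first match (C11 7.24.5.1), so it never reads past a NUL. */
static size_t bounded_len(const char *s, size_t limit)
{
    const char *nul = memchr(s, '\0', limit);
    return nul ? (size_t)(nul - s) : (size_t)-1;
}

/* "Level one": the boundary where unknown data arrives. Rejects anything that
 * would not fit (terminator included) and leaves dst untouched on failure. */
static bool accept_name(char dst[NAME_MAX], const char *untrusted)
{
    if (bounded_len(untrusted, NAME_MAX) == (size_t)-1)
        return false;
    store_name_unchecked(dst, untrusted);   /* precondition now established */
    return true;
}

/* The other boundary strategy from the post: size the buffer to the input,
 * with an upper bound so a hostile client cannot make us allocate without
 * limit. Returns NULL on rejection or allocation failure; the caller frees. */
static char *dup_name_bounded(const char *untrusted, size_t max_len)
{
    size_t n = bounded_len(untrusted, max_len + 1);   /* +1: room to see the NUL */
    if (n == (size_t)-1)
        return NULL;
    char *copy = malloc(n + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, untrusted, n + 1);   /* length is known: no strcpy needed */
    return copy;
}

/* Wrappers so outcomes can be checked without a caller-side buffer. */
static bool name_fits(const char *untrusted)
{
    char buf[NAME_MAX];
    return accept_name(buf, untrusted);
}

static bool dup_name_ok(const char *untrusted, size_t max_len)
{
    char *copy = dup_name_bounded(untrusted, max_len);
    bool ok = copy != NULL && strcmp(copy, untrusted) == 0;
    free(copy);
    return ok;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that is exactly NAME_MAX characters
     * (no room for the terminator), and one with no terminator at all. */
    const char *ok = "alice";
    const char *too_long = "0123456789abcdef";
    char unterminated[NAME_MAX];
    memset(unterminated, 'x', sizeof unterminated);

    printf("%-18s -> %s\n", ok, name_fits(ok) ? "accepted" : "rejected");
    printf("%-18s -> %s\n", too_long, name_fits(too_long) ? "accepted" : "rejected");
    printf("%-18s -> %s\n", "(unterminated)", name_fits(unterminated) ? "accepted" : "rejected");
    printf("heap copy of %s -> %s\n", ok, dup_name_ok(ok, 64) ? "ok" : "rejected");
    return 0;
}
```

The inner routine is fast precisely because it is allowed to assume its precondition; the point of the split is that only the boundary function ever sees data whose length is unknown, and it is the one place that pays for the check.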
 
Chris Hills

Kelsey Bjarnason said:
[snips]

Think your finger is pointing in the wrong direction. Anyone who
knows humans
knows that an IQ of 100 is average. A person who designs something that they
know will be used by an average person but doesn't design it for use
by such a
person is the one who should have the fault heaped on them. When the
standard
library and strings were defined, security may not have been an issue. Bad
future prediction I will forgive. However I can't forgive the
standards people
for continuing to permit it. Deprecated should be enforced. Yes, break the
program or make them compile it under the old standard.

This doesn't seem to make a lot of sense to me, as it seems to be looking
in the wrong direction entirely.

Joe Sixpack doesn't need to have a bulletproof set of string functions in
the standard library, he never uses them directly. What he needs is a
bulletproof application.

Absolutely.

Also there are many who don't use the standard library that much anyway.
Also when we do, they are used properly (i.e. with range checking etc.).
So take the case of the string functions. strcpy is a good example. The
user enters some data, my code uses strcpy to stuff it into a buffer.
Does the user benefit if the strcpy first examines the string, ensuring
that the resultant buffer is large enough and reallocating if necessary?

There are a small group who are completely paranoid about buffer overflow
attacks.
Or is it simply going to give him a sense of false security: "nothing can
go wrong, because these functions protect me"?

That is the problem with this sort of library... However these sort of
programmers are just as likely to misuse the "safe" library.
 
Richard Bos

Randy Howard said:
On Wed, 2 Jan 2008 00:07:10 -0600, Golden California Girls wrote


Regardless of what the teacher does to bend the curve, that wasn't the
question. Your response seems to imply that the "average coder" ~=
"average people from the general population" when it comes to
programming ability.

What's more, he implies that C was meant to be used by these average
people from the general population. It wasn't; it was meant to be used
by experienced, professional coders. What he writes may be relevant to
BASIC or Logo, but it is irrelevant to C.

Richard
 
Chris Torek

There are a small group who are completely paranoid about buffer overflow
attacks.

To be fair, this group has good reason for their paranoia. :)
But I think they -- or at least a subgroup of the above group -- focus
on the wrong approach, attempting to provide too much checking at
the bottom level and not enough at intermediate and higher levels.
That is the problem with this sort of library...

It is *a* problem, but not always *the* problem.
However these sort of programmers are just as likely to misuse the
"safe" library.

Indeed. Given an underlying mechanism that is incapable of buffer
overflow, some web-application-programmers then fail to do any
checking at all of input strings, so that entering something like:

"; DROP TABLE

into the "name" field of a web input form results in disaster.

This does not make "length-checked strings" (and similar constructs)
*useless*; it just means that they are not a panacea. There is no
Royal Road to Correctness, as it were.
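The point made above, that a length-checked string primitive stops the overflow but not the injection, as an added example in C that is not part of the original thread. It stacks three levels: a bounded copy at the bottom, an allow-list check for a "name" field in the middle, and a query layer at the top that splices text (the unsafe practice under discussion, kept so the reader can see what reaches the database). The field size FIELD_MAX, the function names, the statement text and the inputs are assumptions; the injection input is the post's "; DROP TABLE idea adapted to break out of the single-quoted literal the example uses.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Size of the form-field buffer: an assumed value for this demonstration. */
#define FIELD_MAX 32

/* Bottom level: a length-checked copy that refuses anything that does not
 * fit, terminator included. It cannot overflow dst, which is exactly the
 * property a "safe" string primitive provides, and nothing more. */
static bool copy_field(char dst[FIELD_MAX], const char *src)
{
    /* memchr stops at the first match (C11 7.24.5.1), so it never reads past
     * the terminator; if no terminator appears within FIELD_MAX bytes, reject. */
    if (memchr(src, '\0', FIELD_MAX) == NULL)
        return false;
    strcpy(dst, src);   /* precondition established just above */
    return true;
}

/* Intermediate level: the check that knows what a "name" field means.
 * Allow-list of letters, digits, space, hyphen and period. A real deployment
 * would need the apostrophe for names like O'Brien, and as soon as it is
 * allowed this check no longer protects a single-quoted SQL literal; the
 * query layer then has to use a bound parameter instead of text splicing. */
static bool name_is_allowlisted(const char *name)
{
    if (*name == '\0')
        return false;
    for (const unsigned char *p = (const unsigned char *)name; *p != '\0'; p++) {
        if (!isalnum(*p) && *p != ' ' && *p != '-' && *p != '.')
            return false;
    }
    return true;
}

/* Top level: builds the statement by splicing text, the unsafe practice the
 * post describes. `validate` toggles the intermediate check so both outcomes
 * can be compared. Returns false if the field was rejected at either level. */
static bool build_lookup(const char *untrusted, bool validate,
                         char *sql, size_t sql_size)
{
    char field[FIELD_MAX];
    if (!copy_field(field, untrusted))
        return false;
    if (validate && !name_is_allowlisted(field))
        return false;
    snprintf(sql, sql_size, "SELECT id FROM users WHERE name = '%s'", field);
    return true;
}

/* Helper for checking the outcome without a caller-side buffer: true if the
 * field survived to the query and the resulting statement contains `needle`. */
static bool query_contains(const char *untrusted, bool validate, const char *needle)
{
    char sql[96];
    return build_lookup(untrusted, validate, sql, sizeof sql)
        && strstr(sql, needle) != NULL;
}

int main(void)
{
    /* Constructed inputs: an ordinary name and the adapted injection string.
     * Both fit the buffer, so the bottom level accepts both. */
    const char *inputs[] = { "Alice Smith", "'; DROP TABLE users; --" };
    char sql[96];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("input: %s\n", inputs[i]);
        printf("  length check only: %s\n",
               build_lookup(inputs[i], false, sql, sizeof sql) ? sql : "rejected");
        printf("  with allow-list:   %s\n",
               build_lookup(inputs[i], true, sql, sizeof sql) ? sql : "rejected");
    }
    return 0;
}
```

With the intermediate check switched off, the injection string is copied faithfully and the spliced statement carries it straight to the database; the bounded copy did its job and it made no difference. The check that matters lives at the level that understands the data, and even there the allow-list is a stopgap until the query layer stops building SQL from strings at all.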
 
Golden California Girls

Kelsey said:
[snips]

Think your finger is pointing in the wrong direction. Anyone who knows humans
knows that an IQ of 100 is average. A person who designs something that they
know will be used by an average person but doesn't design it for use by such a
person is the one who should have the fault heaped on them. When the standard
library and strings were defined, security may not have been an issue. Bad
future prediction I will forgive. However I can't forgive the standards people
for continuing to permit it. Deprecated should be enforced. Yes, break the
program or make them compile it under the old standard.
[snip]
Thus there are at least two distinct "levels" of code: code exposed to
unknown, unpredictable data, and code exposed to known data. One set
benefits from such hand-holding, the other suffers potentially enormous
losses of efficiency from it. Making it _all_ behave as if it were "level
one" code benefits nobody but the clueless coder who doesn't bother to
check such details in the first place.

I believe you are looking for the phrase conditional compilation. I'm not
saying it can't be turned off or on at will.

Don't tell me that every coder is perfect while I look at all the security
patches that are released. How many of these security patches are for buffer
overflows? Smart people making the same error over and over and overflow again.
Fix the problem or be doomed to repeat it forever. Pull your head up out of the
sand and learn from history.

Please explain how you will be 100% sure that unpredictable data, including
purposefully malicious data, will never be tossed at your code. Make no
assumptions about physical control of hardware, employee loyalty or typing
proficiency or even coffee in the keyboard! Also make no assumptions about the
coders tasked with bug fixes or extensions to your code who will follow you.
Yes, that is probably unfair, but life is unfair.
 
Golden California Girls

Randy said:
Regardless of what the teacher does to bend the curve, that wasn't the
question. Your response seems to imply that the "average coder" ~=
"average people from the general population" when it comes to
programming ability. Do you really believe that, and if so, why?

Unless you have a research study handy, tell me why you don't think an average
person of IQ of 100 can be a coder?

Playing your straw game for the moment, I'll leave you with a math exercise.
Take an IQ curve with a median of 100 and lop off all the morons (IQ 70 or less)
because morons can't be coders. What is the median score now? Better lop off
all the ones over 130 because they aren't going to do anything as menial as be a
coder. What is the median score now?

I would never imply that the average man on the street would be a coder, heck
likely 99% of them would tell you to sit on it and rotate and you know it. So
stop your straw man thing about them instantly being a coder. You know it was
an analogy implying the average person doing the job of coding across the universe
of coding.
Yes, such people have likely been around forever, but the density of
them in the general population seems to be constantly increasing. At
the current time, I don't detect any measurable efforts that seem
likely to reverse this trend, but I don't think we can do anything
about it here, and I don't think it addresses the question asked.

Population in general is going up, are you implying that this type is increasing
at a faster rate than the population is growing?

I think you are right that we can't do anything about them as they seem to have
infested the standards process.
 
Friedrich Dominicus

What's more, he implies that C was meant to be used by these average
people from the general population. It wasn't; it was meant to be used
by experienced, professional coders.
Really? I doubt it very much

Regards
Friedrich
 
Chris Thomasson

Golden California Girls said:
Unless you have a research study handy, tell me why you don't think an
average
person of IQ of 100 can be a coder?
[...]

http://groups.google.com/group/comp.arch/msg/f42fe74341301f9e

http://groups.google.com/group/comp.arch/msg/bf8bff8053ff147e

http://groups.google.com/group/comp.arch/msg/453f6d562750e762

I think that very careful, _and_, patient programmers, are part of a fairly
_GOOD_ company indeed; patience and programming go hand in hand. How much
patience can you handle before you go crazy?
 
Chris Thomasson

Chris Thomasson said:
Unless you have a research study handy, tell me why you don't think an
average
person of IQ of 100 can be a coder?
[...]

WHOOPS!

I forgot to link you to the main question:


http://groups.google.com/group/comp.arch/msg/874255099b874e33


http://groups.google.com/group/comp.arch/msg/f42fe74341301f9e

http://groups.google.com/group/comp.arch/msg/bf8bff8053ff147e

http://groups.google.com/group/comp.arch/msg/453f6d562750e762

I think that very careful, _and_, patient programmers, are part of a
fairly _GOOD_ company indeed; patience and programming go hand in hand.
How much patience can you handle before you go crazy?


Sorry about that!
 
Chris Hills

Friedrich Dominicus said:
Really? I doubt it very much

He's right. It was originally designed for professionals to use.

BASIC was for the average person.
 
Richard Bos

Really? I doubt it very much

Then you can't know much about C's history. It was created by an
experienced, professional coder at Bell Labs, by the name of Dennis
Ritchie, for use by himself and his colleagues.

Richard
 
Randy Howard

Unless you have a research study handy, tell me why you don't think an average
person of IQ of 100 can be a coder?

I didn't say that they couldn't.
I would never imply that the average man on the street would be a coder, heck
likely 99% of them would tell you to sit on it and rotate and you know it. So
stop your straw man thing about them instantly being a coder. You know it was
an analogy implying the average person doing the job of coding across the
universe
of coding.

Fair enough. Now tell me how you think that C was designed by a person
that knew it would "be used by an average person", which was your
original claim.
Population in general is going up, are you implying that this type is
increasing
at a faster rate than the population is growing?

To a great degree.
I think you are right that we can't do anything about them as they seem to
have
infested the standards process.

Why don't you join one of them, and devote hours and hours of your time
to improving them then?
 
Nick Keighley

AOL

Unless you have a research study handy, tell me why you don't think an average
person of IQ of 100 can be a coder?

I don't have a research study handy either, but
he didn't say that. He was asking if you thought an average person was
the same as an average programmer. I suspect the IQ of the average
programmer is higher than 100.

He also didn't say someone with an IQ of 100 could not be a
programmer.
He said C was not aimed at such people.

I know IQ is somewhat iffy concept, but programming ability
seems like something that might correlate well with IQ
Playing your straw game for the moment, I'll leave you with a math exercise.
Take an IQ curve with a median of 100 and lop off all the morons (IQ 70 or less)

right, so you seem to think you can hack away at the statistics
how you feel. Why do the <70 IQs get removed from the statistical
universe?

"He uses statistics as a drunk uses a lamp post.
For support rather than for illumination"
because morons can't be coders.  What is the median score now?  Better lop off
all the ones over 130 because they aren't going to do anything as menial as be a
coder.  What is the median score now?

I would never imply that the average man on the street would be a coder,

but that's what you did say...
heck
likely 99% of them would tell you to sit on it and rotate and you know it.  So
stop your straw man thing about them instantly being a coder. You know it was
an analogy implying the average person doing the job of coding across the universe
of coding.

I didn't read it as an analogy. And I thought my analogy-dar
was pretty hot.

Population in general is going up, are you implying that this type is increasing
at a faster rate than the population is growing?

yeah, that's what the reference to density means.
I suspect he was being a little tongue in cheek
(if he wasn't then I disagree with him)
 