Secure C programming

[Kelsey Bjarnason]

[snips]

I believe you are looking for the phrase conditional compilation. I'm not
saying it can't be turned off or on at will.

No, I'm not talking conditional compilation, I'm talking two entirely
separate sets of library functions.

Conditional compilation allows me to create a debug versus release version
of, say, strcpy, or to build my app using the "safe" versus "non-safe"
version. This is not an acceptable approach to deal with the stuff you're
talking about: if you want a "safe" strcpy, fine - but leave *my* strcpy,
the one with the decent performance, alone.

To do this, you're going to have to actually create a function other than
strcpy - call it safe_strcpy if you want. Fine by me, I don't care, make
your safe_strcpy as slow an bloated as you want, I don't care. I might
even use it, in a few places. Where I want efficiency, though, I've got
my original, unmodified version, the one without all the bloat and checks
and other crap I don't need or want.

Don't tell me that every coder is perfect while I look at all the
security patches that are released.

Who said *any* coders are perfect, let alone all of 'em?

Fix the problem or be doomed to repeat it forever.

The problem is, generally, bad coding practises. You think telling
someone "You don't have to worry about security, because these functions
will do it for you" is going to magically turn bad coders into good ones?

Please explain how you will be 100% sure that unpredictable data,
including purposefully malicious data, will never be tossed at your
code.

You do grasp the concept of "input", right? You understand what it means?
Obviously not, so I'll explain it.

Input is data coming into your program. It can come from a whole variety
of sources - users typing on keyboards, files read from disk, you name it,
but it's stuff that comes in from the outside.

Since it comes in from the outside, its size and format and other
characteristics are unpredictable and need to be analysed. You need to
tell how much data is involved. You need to remove or escape or otherwise
cope with unwanted characters or strings. You may need to add things to
the data to make it manageable.

Once it's been processed into something usable to the code, however... it
is *absolutely* fixed. It's size is known. Its characteristics are
known. It doesn't magically grow or shrink or add stuff or delete stuff,
it is size X, with properties A, B and C, and will remain so for all time,
unless and until your code - *YOUR CODE* - does something to change that.

Which means that unless you, the coder, are such an incompetent nitwit you
can't tell what your code does with the data, there is absolutely no
reason whatsoever to dick around with "safe" string copies and the like
from that point on, as you know, absolutely, how large the buffers are,
how large the data is.

Deal with the inconsistencies at input, obviously. This is a requirement,
and creating a second-tier library to manage that sort of thing is fine.
Just do *not* screw around with the existing efficient functions,
especially if the only reason you can come up with to justify such an act
is your own incompetence to determine what your own damn code is doing.

 

[Friedrich Dominicus]

Then you can't know much about C's history. It was created by an
experienced, professional coder at Bell Labs, by the name of Dennis
Ritchie, for use by himself and his colleagues.

You're both right, I messed it up.

Regards
Friedrich

 

[Tor Rustad]

No

Have you read "C traps and Pitfalls"?

There are several good books.
1)
“Safer C”
Les Hatton

This book is about safety engineering, not really about security.

2)
Writing secure code
Howard and LeBlanc

Typical Microsoft Press, lots of pages, but little to learn for a
professional. I find "Building Secure Software" by Viega, a better read.

Received some books for Chrismas, including "The art of Software
Security Assessment", which is supposed to be the bible in this field.
However, after poking around, it looked rather boring, so I started off
reading "Rootkits" instead.

I find the first one the best.

It's indeed a good read, perhaps a must, for anyone doing
safety-critical work.

 

[Chris Hills]

No

Yes there are some about.

Have you read "C traps and Pitfalls"?
This book is about safety engineering, not really about security.

There is a major overlap between safety(reliability) and security. The
main difference is that security looks at intentional abuse from an
"intelligence" where are safety looks are making thing inherently
reliable and safe.

 

[Richard Heathfield]

Chris Hills said:

Yes there are some about.

A truly complete text on security would deal with all past, present, and
future software security risks. I know of no such texts. If you do,
perhaps you would care to share this information?

 

[Chris Hills]

Chris Hills said:


A truly complete text on security would deal with all past, present, and
future software security risks. I know of no such texts. If you do,
perhaps you would care to share this information?

Nope... Not if you are going to start (yet again) with your own
definitions "would deal with all past, present, and future software
security risks"

All future risks? Do you want a sensible discussion or are you going to
get argumentative?

Jacob post something to distract him!

 

[Richard Heathfield]

Chris Hills said:

Nope... Not if you are going to start (yet again) with your own
definitions "would deal with all past, present, and future software
security risks"

I'm not trying to re-define anything. But, if none of the texts you have in
mind fit the above description, it would seem you are trying to re-define
"complete" to mean what an ordinary English speaker would be more likely
to think of as "incomplete".

All future risks? Do you want a sensible discussion or are you going to
get argumentative?

If *you* want a sensible discussion, why post a risible claim?

Jacob post something to distract him!

Oh, don't be silly. It's what is posted that matters, rather than who posts
it (up, of course, to a point, and a point that trolls tend to reach
rather quickly). If you don't want me to point out the idiocies in your
claims, don't make idiotic claims.

 

[Tor Rustad]

Yes there are some about.

Nope, there are for sure no *complete* texts.


Security experts in e.g. military, rarely disclose information to the
public. Some of these experts, know far more about security, than a
Professor in cryptography.


I have even designed attacks myself (and know about others), which are
not yet known to the public.

 

[Chris Hills]

Chris Hills said:


I'm not trying to re-define anything. But, if none of the texts you have in
mind fit the above description, it would seem you are trying to re-define
"complete" to mean what an ordinary English speaker would be more likely
to think of as "incomplete".

It's your definition of "complete". You want all future
vulnerabilities as well? These will depend on several things including
were the C language goes.

If *you* want a sensible discussion, why post a risible claim?

I just said there were some about, you suddenly added "all past, present
and future"

I can't be bothered to argue. So I shan't post any. Which is a pity as
it is one area I am working on at the moment.

Oh, don't be silly. It's what is posted that matters, rather than who posts
it (up, of course, to a point, and a point that trolls tend to reach
rather quickly).

Yes I agree but you do tend to jump on Jacob no matter what... So you
are labelling your self as a Troll?

 

[Richard Heathfield]

Chris Hills said:

It's your definition of "complete". You want all future
vulnerabilities as well?

That would be nice, if true completeness is sought. But all present ones
would surely be a necessary starting point, would it not? I do not believe
that any such text exists.

I just said there were some about, you suddenly added "all past, present
and future"

What else do you think "complete" means? "Many past, some present, perhaps
one or two future"?

I can't be bothered to argue.

That's fair enough. Nobody can expect you to be bothered to argue. But in
this case, it looks very much as if you can't be bothered to argue because
you've made an indefensible claim.

So I shan't post any. Which is a pity as
it is one area I am working on at the moment.

If complete texts exist, surely the field is closed?

Yes I agree but you do tend to jump on Jacob no matter what...

Clearly you didn't notice the recent "extensions" discussion, where I was
defending and supporting his (correct) claim that extensions do not of
themselves render an implementation non-conforming. When Jacob Navia is
correct, I either support him or say nothing. When he is incorrect, I
either oppose him or say nothing. If I oppose him significantly more often
than I support him, it is only because he is wrong significantly more
often than he is right.

So you are labelling your self as a Troll?

That's a false conclusion based on an incorrect interpretation of
inadequate data.

 

[Chris Hills]

That's fair enough. Nobody can expect you to be bothered to argue. But in
this case, it looks very much as if you can't be bothered to argue because
you've made an indefensible claim.

Not at all. I am working on the ISO Language Vulnerabilities group so I
have seen a lot of the current work. .

However as you are going to be pedantic, as usual, over "complete" I
can't be bothered to start putting up information if you are going to be
silly other every other word.

So you can bask in the belief that you are "correct" but you have
effectively stopped the flow of useful information.

 

[Tor Rustad]

Not at all. I am working on the ISO Language Vulnerabilities group so I
have seen a lot of the current work. .

Ohh.. race-conditions, buffer-overflows and format strings are yesterday
news, been there, seen that.

Has malloc off-by-one vulnerabilities, surfaced yet?

However as you are going to be pedantic, as usual, over "complete" I
can't be bothered to start putting up information if you are going to be
silly other every other word.

There is nothing like a *complete* text, I haven't even read a really
good text on this subject either.

There is no bible in this field that I'm aware of, so why don't you
forget the pedantry, and give references instead?

 

[Walter Roberson]

Chris Hills said:

It's your definition of "complete". You want all future
vulnerabilities as well? These will depend on several things including
were the C language goes.

It isn't just Richard's definition of "complete", and he was not
the first to use it in this thread. I responded to the original poster
within a few minutes of the original article reaching my system,
and I raised the same objection. The English definition of
"complete" in the phrase "a complete text" implies *everything*
about the subject, without omission or exclusion, such as
"The Complete Poems of Robert Frost", or "The Complete Book of
Wedgewood China 1917-1939", or "The Complete Source of Emacs 6.83".

A "complete" text on secure programming in C would have to describe
*every* attack and variety of coding mistake, and the mitigation thereof.
And none of of the available texts do. There are probably some
excellent texts available, but none of them are *complete* within
the English meaning of the word.

 

[Chris Thomasson]

Nope, there are for sure no *complete* texts.


Security experts in e.g. military, rarely disclose information to the
public. Some of these experts, know far more about security, than a
Professor in cryptography.


I have even designed attacks myself (and know about others), which are not
yet known to the public.

Have you designed anything like this fuc%ing crap?

http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html

 

[James Kuyper]

It's your definition of "complete". You want all future
vulnerabilities as well? These will depend on several things including
were the C language goes.

Sure, I'd like that. But that's not the point. The point is that it
can't be 'complete' if there's anything missing from it, and future
vulnerabilities is just one example of the many things that must be
missing from any book that any real author could actually write.

 

[Chris Thomasson]

Have you designed anything like this fuc%ing crap?

http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html

Pushes a hypervisor element into the interrupt descriptor table. NASTY!

 

[Tor Rustad]

[..]

Security experts in e.g. military, rarely disclose information to the
public. Some of these experts, know far more about security, than a
Professor in cryptography.


I have even designed attacks myself (and know about others), which are
not yet known to the public.

Have you designed anything like this fuc%ing crap?

That is not an attack.

I work with highly secure systems, expected to be immune to trojan
horses, backdoors etc.

 

[gregk]

[..]

Security experts in e.g. military, rarely disclose information to the
public. Some of these experts, know far more about security, than a
Professor in cryptography.


I have even designed attacks myself (and know about others), which are
not yet known to the public.

Have you designed anything like this fuc%ing crap?

That is not an attack.

I work with highly secure systems, expected to be immune to trojan
horses, backdoors etc.

What has your crass bragging about your alleged work got to do with C
programming? Answer: Nothing. ...Keep it on topic or take it elsewhere,
troll boy. (Or troll girl, or whatever the hell you are.)

p-l-o-n-k