Re: [SC-L] RE: Comparing Scanning Tools

face=3DArial=20 > color=3D#0000ff size=3D2>P.S. Since Brian provided a link to a press = > release about=20 > Oracle using Fortify, I'll offer a link about a financial services = > company using=20 > Secure Software: href=3D"http://www.securesoftware.com/news/releases/ > 20050725.html">http:= > //www.securesoftware.com/news/releases/20050725.html SPAN> DIV>
> style=3D"PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff > 2px = > solid; MARGIN-RIGHT: 0px"> >

align=3Dleft> >

> From: = > sc-l-bounces at securecoding.org=20 > [mailto:sc-l-bounces at securecoding.org] On Behalf Of B>McGovern, = > James F=20 > (HTSC, IT)
Sent: Friday, June 09, 2006 12:10 = > PM
To: Secure=20 > Mailing List
Subject: RE: [SC-L] RE: Comparing Scanning=20 > Tools

>
>
class=3D617262813-09062006>I=20 > think I should have been more specific in my first post. I should = > have phrased=20 > it as I have yet to find a large enterprise whose primary business = > isn't=20 > software or technology that has made a significant investment in > such = > > tools.
>
class=3D617262813-09062006>
>
class=3D617262813-09062006>Likewise, a lot of large enteprrises > are = > shifting=20 > away from building inhouse to either outsourcing and/or buying > which = > means=20 > that secure coding practices should also be enforced via > procurement=20 > agreements. Has anyone here ran across contract clauses that > assist = > in this=20 > regard?
>
>
face=3DTahoma=20 > size=3D2>-----Original Message-----
From: Gunnar > Peterson = > > [mailto:gunnar at arctecgroup.net]
Sent: Friday, June 09, = > 2006 8:48=20 > AM
To: Brian Chess; Secure Mailing List; McGovern, > James = > F (HTSC,=20 > IT)
Subject: Re: [SC-L] RE: Comparing Scanning=20 > Tools

Arial"> style=3D"FONT-SIZE: 12px">Right, because their customers (are = > starting to)=20 > demand more secure code from their technology. In the enterprise = > space the=20 > financial, insurance, healthcare companies who routinely lose > their = > > customer’s data and provide their customers with = > vulnerability-laden apps=20 > have not yet seen the same amount of customer demand for this, > but = > 84=20 > million public lost records later ( = > href=3D"http://www.privacyrights.org/ar/ > ChronDataBreaches.htm)">http://w= > ww.privacyrights.org/ar/ChronDataBreaches.htm)=20 > this may begin to change.

-gp

On 6/9/06 1:45 > AM, = > "Brian=20 > Chess" <brian at fortifysoftware.com> = > wrote:

>
style=3D"FONT-SIZE: 12px">McGovern, James F > wrote:

> I = > have yet to=20 > find a large enterprise that has made a significant > investment in = > such=20 > tools.

I’ll give you pointers to two. = > They’re two of the=20 > three largest software companies in the world.

= > href=3D"http://news.com.com/2100-1002_3-5220488.html">http:// > news.com.co= > m/2100-1002_3-5220488.html
= > href=3D"http://news.zdnet.com/2100-3513_22-6002747.html">http:// > news.zdn= > et.com/2100-3513_22-6002747.html

Brian

>
> New"> style=3D"FONT-SIZE: = > 10px">_______________________________________________
Secure=20 > Coding mailing list (SC-L)
SC-L at securecoding.org
List = > information,=20 > subscriptions, etc - = > href=3D"http://krvw.com/mailman/listinfo/sc-l">http://krvw.com/ > mailman/l= > istinfo/sc-l
List=20 > charter available at - = > href=3D"http://www.securecoding.org/list/charter.php">http:// > www.securec= > oding.org/list/charter.php
BLOCKQUOTE> T=20 > size=3D2> style=3D"FONT-SIZE: 10px">
FONT> > = > size=3D3>

***************************************************** > **= > ******************
This=20 > communication, including attachments, is
for the exclusive use > of = > addressee=20 > and may contain proprietary,
confidential and/or privileged = > information. If=20 > you are not the intended
recipient, any use, copying, > disclosure,=20 > dissemination or distribution is
strictly prohibited. If you > are = > not the=20 > intended recipient, please notify
the sender immediately by > return = > e-mail,=20 > delete this communication and
destroy all=20 > = > copies.
*********************************************************** > **= > ************
> > ------_=_NextPart_001_01C68BF3.086B16AC-- > > --===============1664004964== > Content-Type: text/plain; charset="us-ascii" > MIME-Version: 1.0 > Content-Transfer-Encoding: 7bit > Content-Disposition: inline > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/ > listinfo/sc-l > List charter available at - http://www.securecoding.org/list/ > charter.php > > --===============1664004964==-- ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From ken at krvw.com Wed Jun 21 09:28:39 2006 From: ken at krvw.com (Kenneth Van Wyk) Date: Wed, 21 Jun 2006 09:28:39 -0400 Subject: [SC-L] Ajax security basics Message-ID: FYI, I just found an article on Ajax security out on Security focus. The article is here: http://www.securityfocus.com/infocus/1868 The article touches on several key issues regarding Ajax, including the fact that scripting runs client-side and such. It also discusses how Ajax complicates app testing, which I think is worthwhile to consider carefully. Cheers, Ken van Wyk KRvW Associates, LLC http://www.KRvW.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20060621/16e85e4a/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 186 bytes Desc: This is a digitally signed message part Url : http://krvw.com/pipermail/sc-l/attachments/20060621/16e85e4a/attachment.bin From gunnar at arctecgroup.net Wed Jun 21 10:18:46 2006 From: gunnar at arctecgroup.net (Gunnar Peterson) Date: Wed, 21 Jun 2006 09:18:46 -0500 Subject: [SC-L] Ajax security basics In-Reply-To: References: Message-ID: <1150899526.4499554655167@my.visi.com> Also, Andrew van der Stock did a presentation at OWASP Europe on Ajax security http://www.greebo.net/?p=344 -gp Quoting Kenneth Van Wyk : > FYI, I just found an article on Ajax security out on Security focus. > The article is here: > > http://www.securityfocus.com/infocus/1868 > > The article touches on several key issues regarding Ajax, including > the fact that scripting runs client-side and such. It also discusses > how Ajax complicates app testing, which I think is worthwhile to > consider carefully. > > Cheers, > > Ken van Wyk > KRvW Associates, LLC > http://www.KRvW.com > > From ken at krvw.com Thu Jun 22 21:34:33 2006 From: ken at krvw.com (Kenneth Van Wyk) Date: Thu, 22 Jun 2006 21:34:33 -0400 Subject: [SC-L] Article -- IBM offers developers free security tools Message-ID: FYI, I saw the following story out on ZD Net today regarding IBM releasing some free (and some commercial) software security tools. http://news.zdnet.com/2100-1009_22-6086913.html?tag=zdfd.newsfeed In particular, "IBM also introduced a tool called Security Workbench Development Environment for Java, which is designed to enable developers to configure and validate Java applications that support both Java and the Open Services Gateway Initiative (OSGI) industry security standards." I haven't looked at these tools yet, but I thought that some of you might find this interesting. Cheers, Ken van Wyk KRvW Associates, LLC http://www.KRvW.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20060622/3680b9fb/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 186 bytes Desc: This is a digitally signed message part Url : http://krvw.com/pipermail/sc-l/attachments/20060622/3680b9fb/attachment.bin From vanderaj at greebo.net Mon Jun 26 13:23:52 2006 From: vanderaj at greebo.net (Andrew van der Stock) Date: Tue, 27 Jun 2006 03:23:52 +1000 Subject: [SC-L] OWASP PHP Top 5 Announcement Message-ID: OWASP is pleased to announce the immediate availability of the OWASP PHP Top 5. The OWASP Top 5 is an education piece which provides up to date advice to PHP developers, hosters, and other PHP users. The PHP Top 5 is produced by the OWASP PHP Project. The PHP Top 5 is based upon attack frequency in 2005 as reported to Bugtraq. This information is a valuable insight into the most devastating attacks against the world's most popular web application framework. In 2005, OWASP collaborated with SANS to research and write a completely new PHP section for their successful SANS Top 20 2005. The OWASP PHP Top 5 is the full unabridged text, updated to reflect recent XSS attacks and SQL injection vectors. OWASP PHP Top 5 http://www.owasp.org/index.php/PHP_Top_5 OWASP PHP Project http://www.owasp.org/index.php/Category:OWASP_PHP_Project -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2234 bytes Desc: not available Url : http://krvw.com/pipermail/sc-l/attachments/20060627/2e152846/attachment.bin From stephen at corsaire.com Fri Jun 30 23:52:00 2006 From: stephen at corsaire.com (Stephen de Vries) Date: Sat, 1 Jul 2006 10:52:00 +0700 Subject: [SC-L] OWASP Java Project: Call for volunteers Message-ID: <7C6B3F0B-7D89-46B2-B3C6-806C845B5ACA@corsaire.com> The OWASP Java Project needs your help! The project's goal is to enable Java and J2EE developers to build secure applications efficiently. To this end we plan on producing materials that show J2EE architects, developers, and deployers how to deal with most common application security problems. The material will be produced in wiki form at the OWASP Java Project wiki: http://www.owasp.org/index.php/Category:OWASP_Java_Project Joining the project is easy - Have a look at the Roadmap: http://www.owasp.org/index.php/OWASP_Java_Project_Roadmap - Read the tutorial on submitting to OWASP: http://www.owasp.org/index.php/Tutorial - And join the mailing list: http://lists.owasp.org/mailman/listinfo/java-project Regards, The OWASP Java Project leads Rohyt Belani and Stephen de Vries From gem at cigital.com Wed Jul 5 11:06:01 2006 From: gem at cigital.com (Gary McGraw) Date: Wed, 5 Jul 2006 11:06:01 -0400 Subject: [SC-L] SD West Call for proposals Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB6BF474@va-mail.cigital.com> Hi all, Last year we rebooted the SD West security track and built a world class software security track. The CFP for next year just came out. Please consider sending in a proposal! This is a large, important conference for developers. Full disclosure: I am on the Advisory Board (an unpaid position), and I chair the Software Security track. gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com ------------------------------------------------------------------------ -------------- SD WEST 2007 CALL FOR PAPERS IS NOW OPEN! Submissions will be accepted through August 11, 2006 Please use the following link to update your contact information and submit your proposal(s): https://www.cmpevents.com/?M=dDvEPIJYiqQl4C9iAyuVo4W8FAXC7STigxTzjA0oxuL kcQ== You may want to save this personalized URL to return to this page later. (This link logs you in automatically, by-passing the password requirement. If you share this link you may be compromising your personal data.) With a 19-year history, Software Development Conference & Expo West is the place where software development professionals go to learn how to build better software. No other developer conference matches the comprehensive mix of training delivered by the industry's most respected faculty. SD has always been dedicated to highlighting the newest cutting edge technologies as well as presenting a relevant core curriculum of development fundamentals. Conference Details: March 19-23, 2007 Santa Clara Convention Center Santa Clara, CA Sessions must focus on independent education. Sessions containing any product, tool or service sales pitch will not be accepted. If you have questions regarding the Call for Papers, please contact me at tcarter at cmp.com. Regards, Tamara Carter, Conference Manager, Dr. Dobb's SD Events ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From gem at cigital.com Wed Jul 5 20:10:43 2006 From: gem at cigital.com (Gary McGraw) Date: Wed, 5 Jul 2006 20:10:43 -0400 Subject: [SC-L] Sd west Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB6BF4B6@va-mail.cigital.com> As about 10 of you pointed out to me privately, the url I broadcast today included identity information of mine. It wasn't supposed to, but it did. Should have done some testing in my haste! Anyway, that url is dead now. Here is a generic url for submissions to sd west. I do encourage you all to submit something great. We need to make software security blossom. https://www.cmpevents.com/SDw7/a.asp?option=N&CPid=152 Sorry for the mistake. gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com Sent from my treo. ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From ge at linuxbox.org Fri Jul 7 02:45:20 2006 From: ge at linuxbox.org (Gadi Evron) Date: Fri, 7 Jul 2006 01:45:20 -0500 (CDT) Subject: [SC-L] "Baking Security In" - Microsoft dev security training Message-ID: http://softwaredev.itbusinessnet.com/articles/viewarticle.jsp?id=47176 Gadi. From Ken at KRvW.com Fri Jul 7 09:05:17 2006 From: Ken at KRvW.com (Kenneth Van Wyk) Date: Fri, 7 Jul 2006 09:05:17 -0400 Subject: [SC-L] Dr. Dobb's | Quick-Kill Project Management | June 30, 2006 Message-ID: <9F0D8BA4-E32C-480F-9013-9C7146467DC3@KRvW.com> Greetings SC-L, I saw an article on Dr. Dobb's (via Slashdot) this morning that made me pause a bit. The article is on "Quick-Kill Project Management" -- full link is here: http://www.ddj.com/dept/architect/189401902 The article describes a small project team (say 5 developers) who have suddenly had their dev schedule drastically accelerated on them by powers outside of their control. It describes some techniques that the dev leader can use to concentrate the team's focus on killing (hence the name) the most pressing of issues. Not surprisingly, there's no mention of security in the article, although they do talk about conducting code reviews, but only for functional defects in the code. What caught my attention here is that I'll bet that a *lot* of small dev teams end up in situations very similar to the one described in the article's opening statements. In that sort of situation (where the company VP says "finish this yesterday"), I'd expect that doing just about any sort of security review is the first thing to be dropped from the dev schedule. I wonder, though, if teams that have already integrated (say) static analysis tools into their build cycle might have a fighting chance at *not* dropping those checks during this kind of "death march". Put another way, how does a team hold onto its good practices (not just security reviews) when they're in crisis mode? I'm sure that the answer varies a lot by team, priorities, etc., but I'd welcome any comments, opinions, etc. from any of you who have been in similar situations. Cheers, Ken Kenneth Van Wyk KRvW Associates, LLC http://www.KRvW.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20060707/01e2c5f8/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 186 bytes Desc: This is a digitally signed message part Url : http://krvw.com/pipermail/sc-l/attachments/20060707/01e2c5f8/attachment.bin From ken at krvw.com Fri Jul 7 09:09:44 2006 From: ken at krvw.com (Kenneth Van Wyk) Date: Fri, 7 Jul 2006 09:09:44 -0400 Subject: [SC-L] Dr. Dobb's | Quick-Kill Project Management | June 30, 2006 Message-ID: Greetings SC-L, (Sorry for the previous message; I see that my (new) MacGPG is causing grief for Mailman, so I'm re-sending this message unsigned.) I saw an article on Dr. Dobb's (via Slashdot) this morning that made me pause a bit. The article is on "Quick-Kill Project Management" -- full link is here: http://www.ddj.com/dept/architect/189401902 The article describes a small project team (say 5 developers) who have suddenly had their dev schedule drastically accelerated on them by powers outside of their control. It describes some techniques that the dev leader can use to concentrate the team's focus on killing (hence the name) the most pressing of issues. Not surprisingly, there's no mention of security in the article, although they do talk about conducting code reviews, but only for functional defects in the code. What caught my attention here is that I'll bet that a *lot* of small dev teams end up in situations very similar to the one described in the article's opening statements. In that sort of situation (where the company VP says "finish this yesterday"), I'd expect that doing just about any sort of security review is the first thing to be dropped from the dev schedule. I wonder, though, if teams that have already integrated (say) static analysis tools into their build cycle might have a fighting chance at *not* dropping those checks during this kind of "death march". Put another way, how does a team hold onto its good practices (not just security reviews) when they're in crisis mode? I'm sure that the answer varies a lot by team, priorities, etc., but I'd welcome any comments, opinions, etc. from any of you who have been in similar situations. Cheers, Ken Kenneth Van Wyk KRvW Associates, LLC http://www.KRvW.com From Kevin.Wall at qwest.com Fri Jul 7 12:44:47 2006 From: Kevin.Wall at qwest.com (Wall, Kevin) Date: Fri, 7 Jul 2006 11:44:47 -0500 Subject: [SC-L] Dr. Dobb's | Quick-Kill Project Management | June 30, 2006 Message-ID: Kenneth Van Wyk writes... > http://www.ddj.com/dept/architect/189401902 > ... > Put another way, how does a team hold onto its good practices (not > just security reviews) when they're in crisis mode? I'm sure that > the answer varies a lot by team, priorities, etc., but I'd welcome > any comments, opinions, etc. from any of you who have been in > similar situations. I've been in this situation several times in my 25+ years in software development (especially with post-divestiture Bell Labs). During the times that it has been successfully addressed, I've noticed one major common theme and that is that the development team (and particularly the team lead) has got to have the "balls" to stand up to management and tell them that the dev team is unwilling to compromise on quality / security / (fill-in-the-blank-with-whatever-is-important-to-you) and that the ONLY way that it can be done is to drop certain FUNCTIONALITY (which usually management is reluctant to do). How successful this approach is depends on the several things (not a comprehensive list): 1) Whether the team has any credibility with management or not. (Hint: If you've already slipped your original schedule several times, you probably don't have any. :-) 2) How well the dev team presents its arguments, especially in terms of risks of NOT doing testing / security reviews / insert-your-favorite-here. (Since security is in a large part about _managing_ risks, this fits in nicely.) You need to remember though that ultimately, it is management's discretion whether or not to accept the risk(s), not the development team's. 3) How tactfully you present your case. (I.e., don't be arrogant; be willing to show some flexibility, e.g., working some additional hrs of unpaid OT; etc.) 4) Know your Brooks' _Mythical Man-Month. Management almost certainly will offer to give you more developers/testers/etc. This is almost always a bad ROI since you will spend more time bringing those individuals up-to-speed on your project than you will get back in productivity. Also, know your Capers Jones'; he has produced some excellent documentation that shows that dropping things like software code inspections actually increases software costs and time-to-delivery. It also greatly helps to have a team with enough spine that they all are willing to walk and find another job if they feel that they are being held hostage and being forced to make unnecessary compromises. I have been fortunate to have worked with many such teams in the past who consider their craftsmanship and pride in their work more important than prevalent "finish this yesterday" mentality, including a few teams that HAVE been willing to walk out in such situations. (Of course, that was during the dotcom boom, when all you had to do to find an development job was to know how to spell "www". I'm not sure how committed those people would have been during the leaner times.) BTW, I am proud to say that the application security team that I have worked with for the past six years or so have had the courage to insist that best practices such as formal use cases, design reviews, code inspections, etc. be followed even though the _formal_ IT process had thrown such practices out the window in favor of so-called XP development practices. (When it comes to security, I tell management that XP stands for "eXpect Problems" rather than "eXtreme Programming".) Of course, it is best to avoid situation like those described in the _Dr. Dobb's_ article in the first place. That's where it's useful to have a skill in estimating development effort, and one unfortunately where I think we as an industry have a rather poor track record. But that's another topic entirely. -kevin --- Kevin W. Wall Qwest Information Technology, Inc. Kevin.Wall at qwest.com Phone: 614.215.4788 "The reason you have people breaking into your software all over the place is because your software sucks..." -- Former whitehouse cybersecurity advisor, Richard Clarke, at eWeek Security Summit > I saw an article on Dr. Dobb's (via Slashdot) this morning that made > me pause a bit. The article is on "Quick-Kill Project > Management" -- > full link is here: > > http://www.ddj.com/dept/architect/189401902 > > The article describes a small project team (say 5 developers) who > have suddenly had their dev schedule drastically accelerated on them > by powers outside of their control. It describes some techniques > that the dev leader can use to concentrate the team's focus on > killing (hence the name) the most pressing of issues. Not > surprisingly, there's no mention of security in the article, > although > they do talk about conducting code reviews, but only for functional > defects in the code. > > What caught my attention here is that I'll bet that a *lot* of small > dev teams end up in situations very similar to the one described in > the article's opening statements. In that sort of situation (where > the company VP says "finish this yesterday"), I'd expect that doing > just about any sort of security review is the first thing to be > dropped from the dev schedule. I wonder, though, if teams that have > already integrated (say) static analysis tools into their > build cycle > might have a fighting chance at *not* dropping those checks during > this kind of "death march". Put another way, how does a team hold > onto its good practices (not just security reviews) when they're in > crisis mode? I'm sure that the answer varies a lot by team, > priorities, etc., but I'd welcome any comments, opinions, etc. from > any of you who have been in similar situations. > > Cheers, > > Ken > > Kenneth Van Wyk > KRvW Associates, LLC > http://www.KRvW.com This communication is the property of Qwest and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments. From gem at cigital.com Fri Jul 7 14:34:14 2006 From: gem at cigital.com (Gary McGraw) Date: Fri, 7 Jul 2006 14:34:14 -0400 Subject: [SC-L] Darkreading: on developer optimism Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB421435@va-mail.cigital.com> Hi all, My latest darkreading column (up just 5 minutes ago) is entitled "If You Build It, They'll Crash It." http://www.darkreading.com/document.asp?doc_id=98702&WT.svl=column1_1 It's about what we all need to do to get developers and builder types to think about bad people. I'm trying to address the "nobody would ever do that" problem. Pass it on... gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From gem at cigital.com Fri Jul 7 17:51:21 2006 From: gem at cigital.com (Gary McGraw) Date: Fri, 7 Jul 2006 17:51:21 -0400 Subject: [SC-L] darkreading covers software security Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB421442@va-mail.cigital.com> Well, kinda... http://www.darkreading.com/document.asp?doc_id=98338 Time for you to hop on over there and post some noise! I plan to. gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From Ken at krvw.com Mon Jul 10 09:53:06 2006 From: Ken at krvw.com (Kenneth Van Wyk) Date: Mon, 10 Jul 2006 09:53:06 -0400 Subject: [SC-L] InformationWeek | IT Security | Built-In Software Security Flaws Have Companies Up In Arms | July 10, 2006 Message-ID: <08512D10-1A9C-4785-B6AF-5C115A16EEF5@krvw.com> Greetings SC-Lers, Here's an interesting article that I stumbled on in Information Week: http://www.informationweek.com/story/showArticle.jhtml? articleID=190301156&cid=RSSfeed_IWK_Security The article discusses the results of a security survey, indicating that enterprise software users are quite fed up with the state of software security these days. I'm sure that none of us should be surprised by that, but maybe, just maybe, it's an indicator that software purchasers are going to start demanding more? Or perhaps it's Monday and I'm not (yet) sufficiently pessimistic for the week. :-) Cheers, Ken Kenneth Van Wyk KRvW Associates, LLC http://www.KRvW.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20060710/4903bd1a/attachment.html From gem at cigital.com Thu Jul 13 07:56:16 2006 From: gem at cigital.com (Gary McGraw) Date: Thu, 13 Jul 2006 07:56:16 -0400 Subject: [SC-L] ddj: beyond the badnessometer Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB74258B@va-mail.cigital.com> Hi all, Is penetration testing good or bad? http://ddj.com/dept/security/189500001 gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From ge at linuxbox.org Thu Jul 13 08:52:18 2006 From: ge at linuxbox.org (Gadi Evron) Date: Thu, 13 Jul 2006 07:52:18 -0500 (CDT) Subject: [SC-L] ddj: beyond the badnessometer In-Reply-To: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB74258B@va-mail.cigital.com> Message-ID: On Thu, 13 Jul 2006, Gary McGraw wrote: > Hi all, > > Is penetration testing good or bad? > > http://ddj.com/dept/security/189500001 It's great, but "penetration testing" of the network assesment types is useless as it takes a picture of what the network look slike TODAY, while tomorrow it's a different network with different vulnerabilities. Automating the process is the way to go. As to software testing, it considerably depends on what you use. If you test with SATAN-comparable tools, well, you won't get far. > > gem > > company www.cigital.com > podcast www.cigital.com/silverbullet > book www.swsec.com > > > ---------------------------------------------------------------------------- > This electronic message transmission contains information that may be > confidential or privileged. The information contained herein is intended > solely for the recipient and use by any other party is not authorized. If > you are not the intended recipient (or otherwise authorized to receive this > message by the intended recipient), any disclosure, copying, distribution or > use of the contents of the information is prohibited. If you have received > this electronic message transmission in error, please contact the sender by > reply email and delete all copies of this message. Cigital, Inc. accepts no > responsibility for any loss or damage resulting directly or indirectly from > the use of this email or its contents. > Thank You. > ---------------------------------------------------------------------------- > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > From nash at solace.net Thu Jul 13 10:17:53 2006 From: nash at solace.net (Nash) Date: Thu, 13 Jul 2006 10:17:53 -0400 Subject: [SC-L] ddj: beyond the badnessometer In-Reply-To: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB74258B@va-mail.cigital.com> References: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB74258B@va-mail.cigital.com> Message-ID: <20060713141753.GB9859@quack.solace.net> On Thu, Jul 13, 2006 at 07:56:16AM -0400, Gary McGraw wrote: > > Is penetration testing good or bad? > http://ddj.com/dept/security/189500001 Test coverage is an issue that penetration testers have to deal with, without a doubt. Pen-tests can never test every possible attack vector, which means that pen-tests can not always falsify a security assertion. Ok. But... First, pen-testers are highly active. The really good ones spend alot of time in the hacker community keeping up with the latest attack types, methods, and tools. Hence, the relevance of the test coverage you get from a skilled pen-tester is actually quite good. In addition, the tests run are similar to real attacks you're likely to see in the wild. Also, pen-testsing is often intelligent, focused, and highly motivated. After all, how would you like to have to go back to your customer with a blank report? And, the recommendations you get can be quite good because pen-testers tend to think about the entire deployment environment, instead of just the code. So, they can help you use technologies you already have to fix problems instead of having to write lots and lots of new code to fix them. All of these make pen-testing a valuable exercise for software environments to go through. Second, every software application in deployment has an associated level of acceptable risk. In many cases, the level of acceptable risk is low enough that penetration testing provides all the verificaton capabilities needed. In some cases, the level of acceptable risk is really low and even pen-testing is overkill. I do mostly code review work these days, but I find that pen-testing has more general applicability to my customers. There are exceptions, but not that many. Third, pen-tests also have real business advantages that don't directly address risk mitigation. Pen-test reports are typically more "down to earth." That is, they can be read more easily and the attacks can be demonstrated more easily to business leaders, executives, and other stakeholders. In my experience, recommendations from both pen-tests and code reviews are commonly ignored. But, a good pen-test gets the executive blood flowing in a way that code-oriented security evaluations just don't. Fourth, assertion falsification isn't always what you're after. Being able to falsify the statement, "this app is secure enough," is a common objective, but it's not really that useful for most businesses. What exactly is secure enough? How do you define it? How do you measure it? How much accuracy do you need? How do you get more accuracy, if you want it? How much do you trust your expert's opinion? Sometimes, it's better to simply demonstrate a positive assertion, such as: - This application is not subject to known, automatic attacks. - This application demonstrates the same security profile in all supported deployment environments. - This application demonstrates different security profiles, depending upon the deployment environment. - The latest MS patch does not affect the testable security profile of this application. These are all assertions that pen-testing is arguably pretty good for demonstrating. In some cases it might even be better than code anlaysis--e.g., the effects of new environments or upgrades to low-level libraries, virtual machines, operating systems. Finally, my freind Sam pointed out that only during some kind of pen-testing can you really identify what the actual attack surface of an application looks like in its final deployment environment. This is especially relevant in today's world because applications are now made as much through integration of existing, off-the-shelf components as through new development. A "new" application might only have a few thousand lines of original code, but might be resting on top of a software stack that has millions. Whether it's J2EE, .NET, or LAMP, all those environments are only really practical to test using some form of pen-test. Every security assessment methodology has its limits. Pen-testing has limited falsification capabilities. Code review, various kinds of code analysis, unit testing, whatever else. These methods can all have practical financial limitations and information accesibility problems. Of course, all these are good approaches and a wise security manager will employ as wide a variety of assessment methods as he can afford so that they compliment each other. But, affordability is a real concern for most busineses and pen-testing is pretty affordable. In the end, no assessment methodology produces results that are as good as having a skilled Security Developer on your team during the application design stage. Getting a security architecture in place that matches your risk tolerance and functional requirements is the single best way to prevent intrusions, bar none. nash e. foster Stratum Security, LLC -- "the lyf so short, the craft so long to lerne." - Geoffrey Chaucer From gem at cigital.com Thu Jul 13 11:05:01 2006 From: gem at cigital.com (Gary McGraw) Date: Thu, 13 Jul 2006 11:05:01 -0400 Subject: [SC-L] ddj: beyond the badnessometer Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7425A3@va-mail.cigital.com> Excellent post nash. Thanks! I agree with you for the most part. You have a view of pen testing that is quite sophisticated (especially compared to the usual drivel). I agree with you so much that I included pen testing as the third most important touchpoint in my new book "Software Security" www.swsec.com. It is the subject of chapter 6. All the code review and architectural risk analysis in the world can still be completely sidestepped by poor decisions regarding the fielded software. Pen testing is ideal for looking into that. But there are two things I want to reiterate: 1) pen testing is a bad way to *start* working on software security...you'll get much better traction with code review and architectural risk assessment. {Of course, what nash says about the power of a live sploit is true, and that kind of momentum creation may be called for in a completely new situation where biz execs need basic clue.} 2) pen testing can't tell you anything about how good your security is, only how bad it is. 3) never use the results of a pen test as a "punch list" to attain security gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From dana at vulscan.com Thu Jul 13 12:48:55 2006 From: dana at vulscan.com (Dana Epp) Date: Thu, 13 Jul 2006 09:48:55 -0700 Subject: [SC-L] ddj: beyond the badnessometer Message-ID: <9AE3FC06F0A89A43A4D6F667955082C402D350@sbsmain.Vulscan.local> Although pentesting isn't perfect, I think in the right scope it has the potential of acting in a vital role in the development lifecycle of a project. Building known attack patterns into a library which can be run against a codebase has some merrit, as long as you understand what the resulting expectations will be. As an example, I would consider automated vulnerability assessment tools built to do input validation fuzzing to be part of pentesting. And most pentesters out there use said tools for that very reason. I agree that pentesting at the START of a project is futile. Evaluating the risks to the software by understanding its architecture, inputs and flows goes much deeper and allows you to better find design flaws instead of implementation bugs. But I am not so sure I would dismiss the act of pentesting because of the badness-ometer factor. If we did, we would also be dismissing things like static code analysis tools as they may show similar results to many out there. On a different tangent to this thread though, I don't think that the BEST use of pentesting is for determining how secure your code is in the first place. It is much more suited to allow you to stress test failure code paths for different implementation configurations. No matter how safe you write your code, pentesting can ferret out different scenarios that come from deployment configuration problems. That is, if the pentest tools and the user(s) of said tools know how to run through this properly. As you mentioned in your article, too many people pass themselves off as pentesting experts when they aren't. Just because they CAN run Nessus doesn't mean they are good pentesters. Its about using the right tool for the right job. As pentest tools mature I think we will be able to use the growing attack libraries to test against known patterns to eliminate the brain dead security bugs, while allowing the tools to go deeper and ferret out problems as it reaches more code coverage. The more we can automate that process and make it part of our daily tests... the quicker it can expose 'known problems' in a code base. Can anyone recommend a tool that CAN tell you how good your security is? I thought not. Here I go quoting Spaf again. "When the code is incorrect, you can't really talk about security. When the code is faulty, it cannot be safe." Problem is, no tool in the world is going to show green blinky lights to tell you the code is safe. Human heuristics come into play here, and we have to leverage what assets we have, both manual and automatic, to find the faulty code and eliminate it. And pentesting is just another one of those tools in the arsenal to help. Regards, Dana Epp [Microsoft Security MVP] http://silverstr.ufies.org/blog/ -----Original Message----- From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of Gary McGraw Sent: Thursday, July 13, 2006 8:05 AM To: Nash Cc: Secure Coding Mailing List Subject: RE: [SC-L] ddj: beyond the badnessometer Excellent post nash. Thanks! I agree with you for the most part. You have a view of pen testing that is quite sophisticated (especially compared to the usual drivel). I agree with you so much that I included pen testing as the third most important touchpoint in my new book "Software Security" www.swsec.com. It is the subject of chapter 6. All the code review and architectural risk analysis in the world can still be completely sidestepped by poor decisions regarding the fielded software. Pen testing is ideal for looking into that. But there are two things I want to reiterate: 1) pen testing is a bad way to *start* working on software security...you'll get much better traction with code review and architectural risk assessment. {Of course, what nash says about the power of a live sploit is true, and that kind of momentum creation may be called for in a completely new situation where biz execs need basic clue.} 2) pen testing can't tell you anything about how good your security is, only how bad it is. 3) never use the results of a pen test as a "punch list" to attain security gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com ------------------------------------------------------------------------ ---- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ------------------------------------------------------------------------ ---- _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php From muscetta at gmail.com Fri Jul 14 06:33:19 2006 From: muscetta at gmail.com (Daniele Muscetta) Date: Fri, 14 Jul 2006 12:33:19 +0200 Subject: [SC-L] ddj: beyond the badnessometer In-Reply-To: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7425A3@va-mail.cigital.com> References: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7425A3@va-mail.cigital.com> Message-ID: <745d56450607140333l75f2a9f2u6cb5546c0005d10b@mail.gmail.com> On 7/13/06, Gary McGraw wrote: > > 3) never use the results of a pen test as a "punch list" to attain > security > You are right, but very sadly, that's how it gets used by a lot of companies.... "hey, the pen testers found problem 1, 2, 3 - we fix those, we are fine". No way. But still.... I've seen this done in a lot of places.... Best, Daniele -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20060714/7d662d11/attachment.html From ge at linuxbox.org Fri Jul 14 08:18:08 2006 From: ge at linuxbox.org (Gadi Evron) Date: Fri, 14 Jul 2006 07:18:08 -0500 (CDT) Subject: [SC-L] ddj: beyond the badnessometer In-Reply-To: <745d56450607140333l75f2a9f2u6cb5546c0005d10b@mail.gmail.com> Message-ID: On Fri, 14 Jul 2006, Daniele Muscetta wrote: > On 7/13/06, Gary McGraw wrote: > > > > 3) never use the results of a pen test as a "punch list" to attain > > security > > > > > You are right, but very sadly, that's how it gets used by a lot of > companies.... > "hey, the pen testers found problem 1, 2, 3 - we fix those, we are fine". No > way. But still.... I've seen this done in a lot of places.... Gary is correct on many issues, except for one: pen-testing is NOT black-box testing. Black-box testing is comparable to White-box testing in parameters of quantification. How the client deals with the results is unrelated to the type of results. It's directly linked to why they ordered the test and how they treat security. Gadi. > > Best, > > Daniele > From arian.evans at anachronic.com Fri Jul 14 11:56:30 2006 From: arian.evans at anachronic.com (Arian J. Evans) Date: Fri, 14 Jul 2006 10:56:30 -0500 Subject: [SC-L] ddj: beyond the badnessometer In-Reply-To: <20060713141753.GB9859@quack.solace.net> Message-ID: <001201c6a75e$171c1a80$6400a8c0@mail> Great stuff Nash. To re-iterate one important statement: Many orgs today will *only* respond to a working exploit. (I'm not sure what the sample (%clue) of orgs I see is vs. Cigital's client, but...) Pen-test vs. code review, black-box, white-box, whatever: There is absolutely no difference at the end of the day in terms of *verification* between finding SQL injection or susceptibility to XSS attacks via black box attacks or fully white human eyeball source code review. Commission, Omission, transmission, no difference. It's verification. The pen test *can* make an acceptable 'punch card'. Depends on how the punch card results are written: + Does the punch card simply list the "top 10 XSS'able parameters"? + Or does it provide a finding covering both/either: - design Omission *or* - implementation Commission/failure to "encode output appropriately for the User Agent(s) specified"? The rabbit hole can, of course, go far more usefully deeper in terms of problem resolution with source code review. I think that's the worst sentence I've ever written. Today, maybe for the last <= 1.5 years, I get "but what library should I use to accomplish this with [insert_framework]?" instead of "uh, what's output encoding?" or "input validation is too hard/slow". Assertion Falsification can be a tail-chaser. That's why you add in business context. I think you'll find that many good pen testers sit down with the business and help them define security goals for the application, e.g.- "Rob must never get Sally's report" or "Sally's report must remain sacred at all points, in transit, storage, access, etc." Commonly this is achieved through threat modeling, which turns pen testing into a verification mechanism. Ultimately the folks on this list are pretty smart and I'd wonder why/if this dialogue is needed, except that a recent discussion opened my eyes a bit to approaches I thought were doornail dead. A fairly large consultancy with a practice focused on "application security" contacted me earlier this year and in the course of discussing their approach to appsec I asked, "but when do you talk to the business and when do you work with the developers?" and their response was "What?" After repeating the question I got told "Oh, no, you won't talk to those folks or get to see their documentation; we're security professionals, not developers". So evidently there is still a market for high-dollar, completely blind pen tests of apps with zero business context and no understanding of architecture, dev/design goals, etc. Hmmm. That's what I'm guessing Gary means, and surely that sun is slowly setting. -ae p.s. - Nash, when I first read your post, I thought p2 started with "Pen tests are highly addictive". Then I re-read. > -----Original Message----- > From: sc-l-bounces at securecoding.org > [mailto:sc-l-bounces at securecoding.org] On Behalf Of Nash > Sent: Thursday, July 13, 2006 9:18 AM > To: Gary McGraw > Cc: Secure Coding Mailing List > Subject: Re: [SC-L] ddj: beyond the badnessometer > > On Thu, Jul 13, 2006 at 07:56:16AM -0400, Gary McGraw wrote: > > > > Is penetration testing good or bad? > > http://ddj.com/dept/security/189500001 > > > Test coverage is an issue that penetration testers have to deal with, > without a doubt. Pen-tests can never test every possible attack > vector, which means that pen-tests can not always falsify a security > assertion. > > Ok. But... > > First, pen-testers are highly active. The really good ones spend alot > of time in the hacker community keeping up with the latest attack > types, methods, and tools. Hence, the relevance of the test coverage > you get from a skilled pen-tester is actually quite good. In addition, > the tests run are similar to real attacks you're likely to see in the > wild. Also, pen-testsing is often intelligent, focused, and highly > motivated. After all, how would you like to have to go back to your > customer with a blank report? And, the recommendations you get can be > quite good because pen-testers tend to think about the entire > deployment environment, instead of just the code. So, they can help > you use technologies you already have to fix problems instead of > having to write lots and lots of new code to fix them. All of these > make pen-testing a valuable exercise for software environments to go > through. > > Second, every software application in deployment has an associated > level of acceptable risk. In many cases, the level of acceptable risk > is low enough that penetration testing provides all the verificaton > capabilities needed. In some cases, the level of acceptable risk is > really low and even pen-testing is overkill. I do mostly code review > work these days, but I find that pen-testing has more general > applicability to my customers. There are exceptions, but not that > many. > > Third, pen-tests also have real business advantages that don't > directly address risk mitigation. Pen-test reports are typically more > "down to earth." That is, they can be read more easily and the attacks > can be demonstrated more easily to business leaders, executives, and > other stakeholders. In my experience, recommendations from both > pen-tests and code reviews are commonly ignored. But, a good pen-test > gets the executive blood flowing in a way that code-oriented security > evaluations just don't. > > Fourth, assertion falsification isn't always what you're after. Being > able to falsify the statement, "this app is secure enough," is a > common objective, but it's not really that useful for most businesses. > What exactly is secure enough? How do you define it? How do you > measure it? How much accuracy do you need? How do you get more > accuracy, if you want it? How much do you trust your expert's opinion? > > Sometimes, it's better to simply demonstrate a positive assertion, > such as: > > - This application is not subject to known, automatic attacks. > - This application demonstrates the same security profile in all > supported deployment environments. > - This application demonstrates different security profiles, > depending upon the deployment environment. > - The latest MS patch does not affect the testable security > profile of this application. > > These are all assertions that pen-testing is arguably pretty good for > demonstrating. In some cases it might even be better than code > anlaysis--e.g., the effects of new environments or upgrades to > low-level libraries, virtual machines, operating systems. > > Finally, my freind Sam pointed out that only during some kind of > pen-testing can you really identify what the actual attack surface of > an application looks like in its final deployment environment. This is > especially relevant in today's world because applications are now made > as much through integration of existing, off-the-shelf components as > through new development. A "new" application might only have a few > thousand lines of original code, but might be resting on top of a > software stack that has millions. Whether it's J2EE, .NET, or LAMP, > all those environments are only really practical to test using some > form of pen-test. > > Every security assessment methodology has its limits. Pen-testing has > limited falsification capabilities. Code review, various kinds of > code analysis, unit testing, whatever else. These methods can all have > practical financial limitations and information accesibility > problems. > > Of course, all these are good approaches and a wise security manager > will employ as wide a variety of assessment methods as he can afford > so that they compliment each other. But, affordability is a real > concern for most busineses and pen-testing is pretty affordable. > > In the end, no assessment methodology produces results that are as > good as having a skilled Security Developer on your team during the > application design stage. Getting a security architecture in place > that matches your risk tolerance and functional requirements is the > single best way to prevent intrusions, bar none. > > > nash e. foster > Stratum Security, LLC > > > -- > > "the lyf so short, the craft so long to lerne." > - Geoffrey Chaucer > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - > http://krvw.com/mailman/listinfo/sc-l > List charter available at - > http://www.securecoding.org/list/charter.php From crispin at novell.com Fri Jul 14 21:36:06 2006 From: crispin at novell.com (Crispin Cowan) Date: Fri, 14 Jul 2006 18:36:06 -0700 Subject: [SC-L] Dr. Dobb's | Quick-Kill Project Management | June 30, 2006 In-Reply-To: References: Message-ID: <44B84686.7030704@novell.com> Wall, Kevin wrote: > 4) Know your Brooks' _Mythical Man-Month. Management almost > certainly > will offer to give you more developers/testers/etc. This is > almost > always a bad ROI since you will spend more time bringing those > individuals up-to-speed on your project than you will get back > in productivity. One of the most interesting aspects of the Open Source phenomena is that open source projects, esp. the Linux kernel, seem to be able to violate most of Brooks' laws with impunity. Linus has achieved absurd levels of software development parallelism, using a very loosely knit team of people, with different social cultures, languages, social agendas, and most of them have never met each other. Brooks says this should be an unmitigated disaster, yet it succeeds. Go figure :) How Linus does this is open to lively debate. That he achieves it is pretty hard to dispute. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com Necessity is the mother of invention ... except for pure math From goertzel_karen at bah.com Sat Jul 15 15:27:15 2006 From: goertzel_karen at bah.com (Goertzel Karen) Date: Sat, 15 Jul 2006 15:27:15 -0400 Subject: [SC-L] "Bumper sticker" definition of secure software References: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB6BF474@va-mail.cigital.com> Message-ID: <184D5FFC5203644FB4F8864B0EE445B4E73809@MCLNEXVS06.resource.ds.bah.com> I've been struggling for a while to synthesise a definition of secure software that is short and sweet, yet accurate and comprehensive. Here's what I've come up with: Secure software is software that remains dependable despite efforts to compromise its dependability. Agree? Disagree? -- Karen Mercedes Goertzel, CISSP Booz Allen Hamilton 703-902-6981 goertzel_karen at bah.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20060715/f582d0c0/attachment.html From ljknews at mac.com Sun Jul 16 08:36:29 2006 From: ljknews at mac.com (ljknews) Date: Sun, 16 Jul 2006 08:36:29 -0400 Subject: [SC-L] "Bumper sticker" definition of secure software In-Reply-To: <184D5FFC5203644FB4F8864B0EE445B4E73809@MCLNEXVS06.resource.ds.bah.com> References: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB6BF474@va-mail.cigital.com> <184D5FFC5203644FB4F8864B0EE445B4E73809@MCLNEXVS06.resource.ds.bah.com> Message-ID: At 3:27 PM -0400 7/15/06, Goertzel Karen wrote: > Content-class: urn:content-classes:message > Content-Type: multipart/alternative; > boundary="----_=_NextPart_001_01C6A844.D6A28B6B" > > I've been struggling for a while to synthesise a definition of secure >software that is short and sweet, yet accurate and comprehensive. Here's >what I've come up with: > > Secure software is software that remains dependable despite efforts to >compromise its dependability. > > Agree? Disagree? I disagree about that being bumper-sticker size, and I think we really need bumper stickers. -- Larry Kilgallen From stephen at corsaire.com Sun Jul 16 09:26:20 2006 From: stephen at corsaire.com (Stephen de Vries) Date: Sun, 16 Jul 2006 20:26:20 +0700 Subject: [SC-L] "Bumper sticker" definition of secure software In-Reply-To: <184D5FFC5203644FB4F8864B0EE445B4E73809@MCLNEXVS06.resource.ds.bah.com> References: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB6BF474@va-mail.cigital.com> <184D5FFC5203644FB4F8864B0EE445B4E73809@MCLNEXVS06.resource.ds.bah.com> Message-ID: <1DF5DB11-E36A-4C7E-98AD-DA0BD78247F4@corsaire.com> Not even Chuck Norris can break Secure Software. ;) -- Stephen de Vries Corsaire Ltd E-mail: stephen at corsaire.com Tel: +44 1483 226014 Fax: +44 1483 226068 Web: http://www.corsaire.com On 16 Jul 2006, at 02:27, Goertzel Karen wrote: > I've been struggling for a while to synthesise a definition of > secure software that is short and sweet, yet accurate and > comprehensive. Here's what I've come up with: > > Secure software is software that remains dependable despite efforts > to compromise its dependability. > > Agree? Disagree? > > -- > Karen Mercedes Goertzel, CISSP > Booz Allen Hamilton > 703-902-6981 > goertzel_karen at bah.com > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/ > listinfo/sc-l > List charter available at - http://www.securecoding.org/list/ > charter.php From michaelslists at gmail.com Sun Jul 16 09:32:07 2006 From: michaelslists at gmail.com (mikeiscool) Date: Sun, 16 Jul 2006 23:32:07 +1000 Subject: [SC-L] "Bumper sticker" definition of secure software In-Reply-To: References: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB6BF474@va-mail.cigital.com> <184D5FFC5203644FB4F8864B0EE445B4E73809@MCLNEXVS06.resource.ds.bah.com> Message-ID: <5e01c29a0607160632n715b9d33sfeaf5dcc6517083d@mail.gmail.com> On 7/16/06, ljknews wrote: > At 3:27 PM -0400 7/15/06, Goertzel Karen wrote: > > Content-class: urn:content-classes:message > > Content-Type: multipart/alternative; > > boundary="----_=_NextPart_001_01C6A844.D6A28B6B" > > > > I've been struggling for a while to synthesise a definition of secure > >software that is short and sweet, yet accurate and comprehensive. Here's > >what I've come up with: > > > > Secure software is software that remains dependable despite efforts to > >compromise its dependability. > > > > Agree? Disagree? > > I disagree about that being bumper-sticker size, and I think we really > need bumper stickers. a better bumper sticker would be something like: "secure software is what i write. call me now to find out how!" ... i don't see the point of a short phrase. it's obvious what secure software is. software that has no bugs and no design faults. -- mic From secureCoding2dave at davearonson.com Sun Jul 16 10:46:55 2006 From: secureCoding2dave at davearonson.com (Dave Aronson) Date: Sun, 16 Jul 2006 10:46:55 -0400 Subject: [SC-L] "Bumper sticker" definition of secure software In-Reply-To: <184D5FFC5203644FB4F8864B0EE445B4E73809@MCLNEXVS06.resource.ds.bah.com> References: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB6BF474@va-mail.cigital.com> <184D5FFC5203644FB4F8864B0EE445B4E73809@MCLNEXVS06.resource.ds.bah.com> Message-ID: <44BA515F.4040802@davearonson.com> Goertzel Karen wrote: > Secure software is software that remains dependable despite efforts > to compromise its dependability. If you really want to compress that to bumper-sticker size, how about "Secure Software: Does what it's meant to. Period." This encompasses both "can't be forced NOT to do what it's meant to do", and "can't be forced to do what it's NOT meant to do". Also note, however, that "Secure Software" is the name of a company (which I used to work for). Dunno how picky they may get about possible trademark (service mark?) infringement, though IMHO they'd probably just love the free publicity. ;-) -Dave From jjchryan at gwu.edu Sun Jul 16 14:05:49 2006 From: jjchryan at gwu.edu (Julie J.C.H. Ryan) Date: Sun, 16 Jul 2006 14:05:49 -0400 Subject: [SC-L] "Bumper sticker" definition of secure software In-Reply-To: <184D5FFC5203644FB4F8864B0EE445B4E73809@MCLNEXVS06.resource.ds.bah.com> References: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB6BF474@va-mail.cigital.com> <184D5FFC5203644FB4F8864B0EE445B4E73809@MCLNEXVS06.resource.ds.bah.com> Message-ID: <37C561EF-07F1-4117-B8EB-0487FB911378@gwu.edu> So, if software is dependably bad and can dependably be counted on to fail, it's secure? Especially if it resists attempts to compromise such dependability? On Jul 15, 2006, at 3:27 PM, Goertzel Karen wrote: > I've been struggling for a while to synthesise a definition of > secure software that is short and sweet, yet accurate and > comprehensive. Here's what I've come up with: > > Secure software is software that remains dependable despite efforts > to compromise its dependability. > > Agree? Disagree? > > -- > Karen Mercedes Goertzel, CISSP > Booz Allen Hamilton > 703-902-6981 > goertzel_karen at bah.com > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/ > listinfo/sc-l > List charter available at - http://www.securecoding.org/list/ > charter.php From gunnar at arctecgroup.net Sun Jul 16 10:56:23 2006 From: gunnar at arctecgroup.net (Gunnar Peterson) Date: Sun, 16 Jul 2006 09:56:23 -0500 Subject: [SC-L] "Bumper sticker" definition of secure software In-Reply-To: <5e01c29a0607160632n715b9d33sfeaf5dcc6517083d@mail.gmail.com> Message-ID: Secure software you're (not) soaking in it. On 7/16/06 8:32 AM, "mikeiscool" wrote: > On 7/16/06, ljknews wrote: >> At 3:27 PM -0400 7/15/06, Goertzel Karen wrote: >>> Content-class: urn:content-classes:message >>> Content-Type: multipart/alternative; >>> boundary="----_=_NextPart_001_01C6A844.D6A28B6B" >>> >>> I've been struggling for a while to synthesise a definition of secure >>> software that is short and sweet, yet accurate and comprehensive. Here's >>> what I've come up with: >>> >>> Secure software is software that remains dependable despite efforts to >>> compromise its dependability. >>> >>> Agree? Disagree? >> >> I disagree about that being bumper-sticker size, and I think we really >> need bumper stickers. > > a better bumper sticker would be something like: > > "secure software is what i write. call me now to find out how!" > > ... > > i don't see the point of a short phrase. it's obvious what secure > software is. software that has no bugs and no design faults. > > -- mic > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php From ge at linuxbox.org Sun Jul 16 11:07:05 2006 From: ge at linuxbox.org (Gadi Evron) Date: Sun, 16 Jul 2006 10:07:05 -0500 (CDT) Subject: [SC-L] "Bumper sticker" definition of secure software In-Reply-To: <5e01c29a0607160632n715b9d33sfeaf5dcc6517083d@mail.gmail.com> Message-ID: On Sun, 16 Jul 2006, mikeiscool wrote: > On 7/16/06, ljknews wrote: > > At 3:27 PM -0400 7/15/06, Goertzel Karen wrote: > > > Content-class: urn:content-classes:message > > > Content-Type: multipart/alternative; > > > boundary="----_=_NextPart_001_01C6A844.D6A28B6B" > > > > > > I've been struggling for a while to synthesise a definition of secure > > >software that is short and sweet, yet accurate and comprehensive. Here's > > >what I've come up with: > > > > > > Secure software is software that remains dependable despite efforts to > > >compromise its dependability. > > > > > > Agree? Disagree? > > > > I disagree about that being bumper-sticker size, and I think we really > > need bumper stickers. > > a better bumper sticker would be something like: > > "secure software is what i write. call me now to find out how!" "I read your email" jinx.com From crispin at novell.com Sun Jul 16 12:10:16 2006 From: crispin at novell.com (Crispin Cowan) Date: Sun, 16 Jul 2006 09:10:16 -0700 Subject: [SC-L] "Bumper sticker" definition of secure software In-Reply-To: <184D5FFC5203644FB4F8864B0EE445B4E73809@MCLNEXVS06.resource.ds.bah.com> References: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB6BF474@va-mail.cigital.com> <184D5FFC5203644FB4F8864B0EE445B4E73809@MCLNEXVS06.resource.ds.bah.com> Message-ID: <44BA64E8.1060601@novell.com> Goertzel Karen wrote: > > I've been struggling for a while to synthesise a definition of secure > software that is short and sweet, yet accurate and comprehensive. > My favorite is by Ivan Arce, CTO of Core Software, coming out of a discussion between him and I on a mailing list about 5 years ago. Reliable software does what it is supposed to do. Secure software does what it is supposed to do, and /nothing else/. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com Necessity is the mother of invention ... except for pure math -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20060716/cea0a953/attachment.html From crispin at novell.com Mon Jul 17 03:00:42 2006 From: crispin at novell.com (Crispin Cowan) Date: Mon, 17 Jul 2006 00:00:42 -0700 Subject: [SC-L] "Bumper sticker" definition of secure software In-Reply-To: <5e01c29a0607161917m392c98cbn633040541984022c@mail.gmail.com> References: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB6BF474@va-mail.cigital.com> <184D5FFC5203644FB4F8864B0EE445B4E73809@MCLNEXVS06.resource.ds.bah.com> <44BA64E8.1060601@novell.com> <5e01c29a0607161917m392c98cbn633040541984022c@mail.gmail.com> Message-ID: <44BB359A.2010001@novell.com> mikeiscool wrote: > On 7/17/06, Crispin Cowan wrote: >> > Goertzel Karen wrote: >> > I've been struggling for a while to synthesise a definition of secure >> > software that is short and sweet, yet accurate and comprehensive. >> >> My favorite is by Ivan Arce, CTO of Core Software, coming out of a >> discussion between him and I on a mailing list about 5 years ago. >> >> Reliable software does what it is supposed to do. Secure software >> does what >> it is supposed to do, and nothing else. > and what if it's "supposed" to take unsanitzed input and send it into > a sql database using the administrators account? > > is that secure? "supposed to" goes to intent. If it is a bug that allows this, then it was not intentional. If it was intended, then (from this description) it was likely a Trojan Horse, and it is secure from the perspective of the attacker who put it there. IMHO, bumper sticker slogans are necessarily short and glib. There isn't room to put in all the qualifications and caveats to make it a perfectly precise statement. As such, mincing words over it is a futile exercise. Or you could just print a technical paper on a bumper sticker, in really small font :) Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com Necessity is the mother of invention ... except for pure math From michaelslists at gmail.com Mon Jul 17 03:19:09 2006 From: michaelslists at gmail.com (mikeiscool) Date: Mon, 17 Jul 2006 17:19:09 +1000 Subject: [SC-L] "Bumper sticker" definition of secure software In-Reply-To: <44BB359A.2010001@novell.com> References: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB6BF474@va-mail.cigital.com> <184D5FFC5203644FB4F8864B0EE445B4E73809@MCLNEXVS06.resource.ds.bah.com> <44BA64E8.1060601@novell.com> <5e01c29a0607161917m392c98cbn633040541984022c@mail.gmail.com> <44BB359A.2010001@novell.com> Message-ID: <5e01c29a0607170019y7aeb2839l368cbb07332e981b@mail.gmail.com> On 7/17/06, Crispin Cowan wrote: > mikeiscool wrote: > > On 7/17/06, Crispin Cowan wrote: > >> > Goertzel Karen wrote: > >> > I've been struggling for a while to synthesise a definition of secure > >> > software that is short and sweet, yet accurate and comprehensive. > >> > >> My favorite is by Ivan Arce, CTO of Core Software, coming out of a > >> discussion between him and I on a mailing list about 5 years ago. > >> > >> Reliable software does what it is supposed to do. Secure software > >> does what > >> it is supposed to do, and nothing else. > > and what if it's "supposed" to take unsanitzed input and send it into > > a sql database using the administrators account? > > > > is that secure? > > "supposed to" goes to intent. I don't know. I think there is a difference between "this does what it's supposed to do" and "this has no design faults". That's all I was trying to highlight. The point remains though: trimming this down into a friendly little phrase is, IMCO, useless. > If it is a bug that allows this, then it > was not intentional. If it was intended, then (from this description) it > was likely a Trojan Horse, and it is secure from the perspective of the > attacker who put it there. > > IMHO, bumper sticker slogans are necessarily short and glib. There isn't > room to put in all the qualifications and caveats to make it a perfectly > precise statement. As such, mincing words over it is a futile exercise. > > Or you could just print a technical paper on a bumper sticker, in really > small font :) > > Crispin -- mic From crispin at novell.com Mon Jul 17 03:31:31 2006 From: crispin at novell.com (Crispin Cowan) Date: Mon, 17 Jul 2006 00:31:31 -0700 Subject: [SC-L] "Bumper sticker" definition of secure software In-Reply-To: <5e01c29a0607170019y7aeb2839l368cbb07332e981b@mail.gmail.com> References: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB6BF474@va-mail.cigital.com> <184D5FFC5203644FB4F8864B0EE445B4E73809@MCLNEXVS06.resource.ds.bah.com> <44BA64E8.1060601@novell.com> <5e01c29a0607161917m392c98cbn633040541984022c@mail.gmail.com> <44BB359A.2010001@novell.com> <5e01c29a0607170019y7aeb2839l368cbb07332e981b@mail.gmail.com> Message-ID: <44BB3CD3.6030200@novell.com> mikeiscool wrote: > On 7/17/06, Crispin Cowan wrote: >> "supposed to" goes to intent. > I don't know. I think there is a difference between "this does what > it's supposed to do" and "this has no design faults". That's all I was > trying to highlight. The difference between "supposed to", "design flaw", and "implementation flaw" is entirely dependent on your level of abstraction: * Executive: "build a thingie that lets good guys in and keeps bad guys out." * Director: "build an authentication engine that uses 2-factor tokens to authenticate users and only then lets them in." * Manager: "use OpenSSL and this piece of glue to implement that 2-factor thingie." * Coder: "main() { ..." :) Errors can occur at any level of translation. When it does something "surprising", then the guy at the top can claim that it wasn't "supposed" to do that, and if you dig hard enough, you will discover *some* layer of abstraction where the vulnerability violates the upper intent, but not the lower intent. Hence the bug. Some example bugs at each level: * Executive: forgot to specify who is a "good guy" * Director: Forgot to provide complete mediation, so the attacker could bypass the authenticator. * Manager: the glue thingie allowed proper authentication tokens, but also allowed tokens with a string value of 0. * Coder: "gets(token); ..." Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com Necessity is the mother of invention ... except for pure math From Holger.Peine at iese.fraunhofer.de Mon Jul 17 02:32:40 2006 From: Holger.Peine at iese.fraunhofer.de (Holger.Peine at iese.fraunhofer.de) Date: Mon, 17 Jul 2006 08:32:40 +0200 Subject: [SC-L] "Bumper sticker" definition of secure software Message-ID: <687F148231CEBF449E6206E3FA7AAC3F1359DE@hermes.iese.fhg.de> > From: sc-l-bounces at securecoding.org > [mailto:sc-l-bounces at securecoding.org] On Behalf Of Dave Aronson > If you really want to compress that to bumper-sticker size, how about > > "Secure Software: Does what it's meant to. Period." > > This encompasses both "can't be forced NOT to do what it's > meant to do", > and "can't be forced to do what it's NOT meant to do". While I think this is the most concise formulation so far of what most readers on this list would mean and would understand, I think the non-security public does not think of security breaches in terms of software doing more than it was supposed to. My suggestion for a bumper sticker is therefore less conceptually crisp, but perhaps more accessible: "Secure Software: Works even if you try to dupe it" Nice question, though - Holger Peine -- Dr. Holger Peine, Security and Safety Fraunhofer IESE, Fraunhofer-Platz 1, 67663 Kaiserslautern, Germany Phone +49-631-6800-2134, Fax -1299 (shared) PGP key via http://pgp.mit.edu ; fingerprint is 1BFA 30CB E3ED BA99 E7AE 2BBB C126 A592 48EA F9F8 From gem at cigital.com Sun Jul 16 22:17:24 2006 From: gem at cigital.com (Gary McGraw) Date: Sun, 16 Jul 2006 22:17:24 -0400 Subject: [SC-L] "Bumper sticker" definition of secure software Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB742652@va-mail.cigital.com> I wrote a book with viega a few years ago called "building secure software"...it was not about that company (at all). Software security: building security in. gem P.s. I actually like ivan's quip as reported by crispy. -----Original Message----- From: Dave Aronson [mailto:secureCoding2dave at davearonson.com] Sent: Sun Jul 16 15:58:08 2006 To: SC-L at securecoding.org Subject: Re: [SC-L] "Bumper sticker" definition of secure software Goertzel Karen wrote: > Secure software is software that remains dependable despite efforts > to compromise its dependability. If you really want to compress that to bumper-sticker size, how about "Secure Software: Does what it's meant to. Period." This encompasses both "can't be forced NOT to do what it's meant to do", and "can't be forced to do what it's NOT meant to do". Also note, however, that "Secure Software" is the name of a company (which I used to work for). Dunno how picky they may get about possible trademark (service mark?) infringement, though IMHO they'd probably just love the free publicity. ;-) -Dave _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From michaelslists at gmail.com Sun Jul 16 22:17:01 2006 From: michaelslists at gmail.com (mikeiscool) Date: Mon, 17 Jul 2006 12:17:01 +1000 Subject: [SC-L] "Bumper sticker" definition of secure software In-Reply-To: <44BA64E8.1060601@novell.com> References: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB6BF474@va-mail.cigital.com> <184D5FFC5203644FB4F8864B0EE445B4E73809@MCLNEXVS06.resource.ds.bah.com> <44BA64E8.1060601@novell.com> Message-ID: <5e01c29a0607161917m392c98cbn633040541984022c@mail.gmail.com> On 7/17/06, Crispin Cowan wrote: > > > Goertzel Karen wrote: > > > > > > I've been struggling for a while to synthesise a definition of secure > > software that is short and sweet, yet accurate and comprehensive. > > My favorite is by Ivan Arce, CTO of Core Software, coming out of a > discussion between him and I on a mailing list about 5 years ago. > > Reliable software does what it is supposed to do. Secure software does what > it is supposed to do, and nothing else. and what if it's "supposed" to take unsanitzed input and send it into a sql database using the administrators account? is that secure? > Crispin -- mic From secureCoding2dave at davearonson.com Mon Jul 17 08:48:03 2006 From: secureCoding2dave at davearonson.com (SC-L Subscriber Dave Aronson) Date: Mon, 17 Jul 2006 12:48:03 +0000 Subject: [SC-L] (no subject) Message-ID: Gary McGraw [mailto:gem at cigital.com] wrote: > I wrote a book with viega a few years ago called "building secure > software"... Yes, John gave us all copies. Didn't bother to get it autographed though. :-) > it was not about that company (at all). It certainly was not about the horribly broken software I spent months banging my head against a wall trying to fix.... :-( > P.s. I actually like ivan's quip as reported by crispy. Me too. It contains the ideas I was trying to convey, more clearly, but it's still too long to fit on a bumper sticker. :-) -Dave From gem at cigital.com Mon Jul 17 08:59:16 2006 From: gem at cigital.com (Gary McGraw) Date: Mon, 17 Jul 2006 08:59:16 -0400 Subject: [SC-L] silver bullet: mjr Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB421462@va-mail.cigital.com> Hi all, The silver bullet episode featuring Marcus Ranum went live recently: http://www.cigital.com/silverbullet/ In the interview, we discuss software security progress briefly. BTW, I did an interview with the mysterious Dana Epp (silverstr) last week that is in the production pipeline. I'll let you all know when that goes live too. gem company www.cigital.com book www.swsec.com ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From secureCoding2dave at davearonson.com Mon Jul 17 09:07:35 2006 From: secureCoding2dave at davearonson.com (SC-L Subscriber Dave Aronson) Date: Mon, 17 Jul 2006 13:07:35 +0000 Subject: [SC-L] bumper sticker slogan for secure software Message-ID: mikeiscool [mailto:michaelslists at gmail.com] writes: > The point remains though: trimming this down into a friendly little > phrase is, IMCO, useless. One of the common problems in trying to persuade the masses of ANYTHING, be it the importance of secure software, the factual or moral correctness of your political stances, etc., is how to communicate it so that they will understand and receive the message. You can easily confuse them, bore them, or turn them against yourself. Truly putting it on bumper stickers is likely to be useless, but this is a useful exercise in thinking how we could express the concept briefly and simply. Another useful thing would be if all engineers would enroll in Toastmasters, but that's another story. ;-) -Dave, Governor of Toastmasters Area 63 (District 27) From Kevin.Wall at qwest.com Mon Jul 17 09:16:46 2006 From: Kevin.Wall at qwest.com (Wall, Kevin) Date: Mon, 17 Jul 2006 08:16:46 -0500 Subject: [SC-L] "Bumper sticker" definition of secure software Message-ID: Crispin Cowan writes... > IMHO, bumper sticker slogans are necessarily short and glib. > There isn't room to put in all the qualifications and caveats > to make it a perfectly precise statement. As such, mincing > words over it is a futile exercise. > > Or you could just print a technical paper on a bumper > sticker, in really small font :) Actually, I like that I idea. And it could end with the cliche: "If you can read this, you are too close." Seriously, while I understand that there may be a reason to have a bumper-sticker-like catch phrase for the definition of "secure", I think that in the long run, it is more likely to backfire. I have already reviewed an untold number of security "requirements" that said "The system shall be secure". Having some bumper-sticker slogan that we all use would only allow those yo-yos to justify their "requirements", at least if it reflects anything regarding an actual definition of security such as Ivan's comment that Crispan posted. With that in mind, maybe it would be less "dangerous" to use something more pithy or sardonic, but less to the point of an actual definition. Security: Pay me now, or I'll pay myself later. Of course that would only be appropriate for black or grey hats. ;-) -kevin --- Kevin W. Wall Qwest Information Technology, Inc. Kevin.Wall at qwest.com Phone: 614.215.4788 "The reason you have people breaking into your software all over the place is because your software sucks..." -- Former whitehouse cybersecurity advisor, Richard Clarke, at eWeek Security Summit This communication is the property of Qwest and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments. From jeremy.epstein at webmethods.com Mon Jul 17 11:45:45 2006 From: jeremy.epstein at webmethods.com (Jeremy Epstein) Date: Mon, 17 Jul 2006 11:45:45 -0400 Subject: [SC-L] "Bumper sticker" definition of secure software Message-ID: I like the idea of a bumper sticker slogan for the same reason as "elevator pitches" are useful - they don't cover everything, and they don't try to be precise - just give enough information to whet the reader's/listener's appetite. And with that, I offer the following: "Software Security Keeps the Bad Guys Out" No, it's not precise - it doesn't define bad guys, doesn't say anything about intent, etc. But it's something people (even CEOs) can understand, and it provides the motivation for a potential purchaser of software security technology. --Jeremy From Brian.A.Shea at bankofamerica.com Mon Jul 17 11:57:55 2006 From: Brian.A.Shea at bankofamerica.com (Shea, Brian A) Date: Mon, 17 Jul 2006 08:57:55 -0700 Subject: [SC-L] "Bumper sticker" definition of secure software In-Reply-To: Message-ID: <17EF6F3064F79040A085A09975A8595305B7F5CC@ex2k.bankofamerica.com> My slogan: Unsecured Applications = Unsecured Business -----Original Message----- From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of Jeremy Epstein Sent: Monday, July 17, 2006 8:46 AM To: Secure Coding Mailing List Subject: Re: [SC-L] "Bumper sticker" definition of secure software I like the idea of a bumper sticker slogan for the same reason as "elevator pitches" are useful - they don't cover everything, and they don't try to be precise - just give enough information to whet the reader's/listener's appetite. And with that, I offer the following: "Software Security Keeps the Bad Guys Out" No, it's not precise - it doesn't define bad guys, doesn't say anything about intent, etc. But it's something people (even CEOs) can understand, and it provides the motivation for a potential purchaser of software security technology. --Jeremy _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php From goertzel_karen at bah.com Mon Jul 17 12:17:42 2006 From: goertzel_karen at bah.com (Goertzel Karen) Date: Mon, 17 Jul 2006 12:17:42 -0400 Subject: [SC-L] bumper sticker slogan for secure software Message-ID: <184D5FFC5203644FB4F8864B0EE445B40111D176@MCLNEXVS06.resource.ds.bah.com> Or if not Toastmasters, Actors' Studio. :) -- Karen Mercedes Goertzel, CISSP Booz Allen Hamilton 703.902.6981 goertzel_karen at bah.com > -----Original Message----- > Another useful thing would be if all engineers would enroll > in Toastmasters, but that's another story. ;-) > > -Dave, Governor of Toastmasters Area 63 (District 27) From goertzel_karen at bah.com Mon Jul 17 12:23:17 2006 From: goertzel_karen at bah.com (Goertzel Karen) Date: Mon, 17 Jul 2006 12:23:17 -0400 Subject: [SC-L] "Bumper sticker" definition of secure software Message-ID: <184D5FFC5203644FB4F8864B0EE445B40111D17A@MCLNEXVS06.resource.ds.bah.com> Another possibility: Secure software can't be subverted. -- Karen Mercedes Goertzel, CISSP Booz Allen Hamilton 703.902.6981 goertzel_karen at bah.com From secureCoding2dave at davearonson.com Mon Jul 17 12:29:40 2006 From: secureCoding2dave at davearonson.com (SC-L Subscriber Dave Aronson) Date: Mon, 17 Jul 2006 16:29:40 +0000 Subject: [SC-L] (no subject) Message-ID: Jeremy Epstein [mailto:jeremy.epstein at webmethods.com] writes: > "Software Security Keeps the Bad Guys Out" That's certainly one important aspect, but this slogan doesn't address issues such as staying up, producing correct output, etc. It also can blur the already much too fuzzy (in the public mind) line between "software security" and "security software". -Dave From ge at linuxbox.org Mon Jul 17 12:37:12 2006 From: ge at linuxbox.org (Gadi Evron) Date: Mon, 17 Jul 2006 11:37:12 -0500 (CDT) Subject: [SC-L] "Bumper sticker" definition of secure software In-Reply-To: <184D5FFC5203644FB4F8864B0EE445B40111D17A@MCLNEXVS06.resource.ds.bah.com> Message-ID: On Mon, 17 Jul 2006, Goertzel Karen wrote: > Another possibility: > > Secure software can't be subverted. We Read Your Email Your Program == Swiss Cheese > > -- > Karen Mercedes Goertzel, CISSP > Booz Allen Hamilton > 703.902.6981 > goertzel_karen at bah.com > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > From michaelslists at gmail.com Mon Jul 17 13:12:50 2006 From: michaelslists at gmail.com (mikeiscool) Date: Tue, 18 Jul 2006 03:12:50 +1000 Subject: [SC-L] "Bumper sticker" definition of secure software In-Reply-To: <184D5FFC5203644FB4F8864B0EE445B40111D17A@MCLNEXVS06.resource.ds.bah.com> References: <184D5FFC5203644FB4F8864B0EE445B40111D17A@MCLNEXVS06.resource.ds.bah.com> Message-ID: <5e01c29a0607171012i43be2a61k2daec2dcd401fca5@mail.gmail.com> On 7/18/06, Goertzel Karen wrote: > Another possibility: > > Secure software can't be subverted. Again you are all missing that point that design faults are a major *major* problem. Cannot be "subvered"; well fine. But what if the main function of the app itself is wrong. It is not a secure program in this case. -- mic From mark at markgraff.com Mon Jul 17 13:56:09 2006 From: mark at markgraff.com (mark at markgraff.com) Date: Mon, 17 Jul 2006 10:56:09 -0700 (PDT) Subject: [SC-L] "Bumper sticker" definition of secure software Message-ID: <4983.128.115.27.10.1153158969.squirrel@webmail.coastside.net> It's my view, as Ken and I have said in a couple of publications, that secure code "lets you say yes with confidence, and no with certainty". -mg- From neumann at csl.sri.com Mon Jul 17 14:16:40 2006 From: neumann at csl.sri.com (Peter G. Neumann) Date: Mon, 17 Jul 2006 11:16:40 PDT Subject: [SC-L] "Bumper sticker" definition of secure software In-Reply-To: Your message of Sat, 15 Jul 2006 15:27:15 -0400 Message-ID: You suggest: Secure software is software that remains dependable despite efforts to compromise its dependability. You need a bigger-picture view that encompasses trustworthiness and assurance. "Dependable systems are systems that remain dependable despite would-be compromises to their dependability." "Trustworthy systems are systems that are worthy of being trusted to satisfy their requirements (for security, reliability, survivability, safety, or whatever)." Security is generally too narrow by itself, because a system that is not reliable is not likely to be secure, especially when in unreliability mode! The principle of Keep It Simple is inherently unworkable with respect to security. Security is inherently complex. Trustworthiness is broader and even more complex. But if you don't think about trustworthiness more broadly, what you get is not likely to be very secure. Forget the bumper sticker approach. From leichter_jerrold at emc.com Mon Jul 17 15:24:39 2006 From: leichter_jerrold at emc.com (leichter_jerrold at emc.com) Date: Mon, 17 Jul 2006 15:24:39 -0400 Subject: [SC-L] "Bumper sticker" definition of secure software Message-ID: Secure Software: Safe Ex ecution (No, I'm not serious.) -- Jerry From ge at linuxbox.org Mon Jul 17 16:32:12 2006 From: ge at linuxbox.org (Gadi Evron) Date: Mon, 17 Jul 2006 15:32:12 -0500 (CDT) Subject: [SC-L] "Bumper sticker" definition of secure software In-Reply-To: Message-ID: On Mon, 17 Jul 2006, Peter G. Neumann wrote: > Forget the bumper sticker approach. Hey Peter. :) Well, one should forget the bumper-sticker approach if all us broing dry guys keep try to explain to people how math works. Instead, teling them: 1+1=? Didn't learn math, eh? Is bumper-sticker worthy, if pointless as an example. In other words: "I read your email! When have you last audited your code?" From leichter_jerrold at emc.com Mon Jul 17 17:48:59 2006 From: leichter_jerrold at emc.com (leichter_jerrold at emc.com) Date: Mon, 17 Jul 2006 17:48:59 -0400 Subject: [SC-L] Resource limitation Message-ID: I was recently looking at some code to do regular expression matching, when it occurred to me that one can produce fairly small regular expressions that require huge amounts of space and time. There's nothing in the slightest bit illegal about such regexp's - it's just inherent in regular expressions that such things exist. Or consider file compression formats. Someone out there has a hand- constructed zip file that corresponds to a file with more bytes than there are particles in the universe. Again, perfectly legal as it stands. Back in the old days, when users ran programs in their own processes and operating systems actually bothered to have a model of resource usage that they enforced, you could at least ensure that the user could only hurt himself if handed such an object. These days, OS's tend to ignore resource issues - memory and time are, for most legitimate purposes, "too cheap to meter" - and in any case this has long moved outside of their visibility: Clients are attaching to multi-thread servers, and all the OS sees is the aggregate demand. Allocating huge amounts of memory in almost any multi-threaded app is likely to cause problems. Yes, the thread asking for the memory will die - but unless the code is written very defensively, it stands a good chance of bring down other threads, or the whole application, along with it: Memory is a global resource. We recently hardened a network protocol against this kind of problem. You could transfer arbitrary-sized strings over the link. A string was sent as a 4-byte length in bytes, followed by the actual data. A request for 4 GB would fail quickly, breaking the connection. But a request for 2 GB might well succeed, starving the rest of the application. Worse, the API supports groups of requests - e.g., arguments to a function. Even though the individual requests might look reasonable, the sum of them could crash the application. This makes the hardened code more complex: You can't just limit the size of an individual request, you have to limit the total amount of memory allocated in multiple requests. Also, because in general you don't know what the total will be ahead of time, you end up having to be conservative, so that if a request gets right up close to the limit, you won't cause the application problems. (This, of course, could cause the application *other* problems.) Is anyone aware of any efforts to control these kinds of vulnerabili- ties? It's something that cries out for automation: Getting it right by hand is way too hard. Traditional techniques - strong typing, unavoidable checking of array bounds and such - may be required for a more sophisticated approach, but they don't in and of themselves help: One can exhaust resources with entirely "legal" requests. In addition, the kinds of resources that you can exhaust this way is broader than you'd first guess. Memory is obvious; overrunning a thread stack is perhaps less so. (That will *usually* only affect the thread in question, but not always.) How about file descriptors? File space? Available transmission capacity for a variety of kinds of connections? -- Jerry From neumann at csl.sri.com Mon Jul 17 17:20:27 2006 From: neumann at csl.sri.com (Peter G. Neumann) Date: Mon, 17 Jul 2006 14:20:27 PDT Subject: [SC-L] "Bumper sticker" definition of secure software In-Reply-To: Your message of Mon, 17 Jul 2006 15:32:12 -0500 (CDT) Message-ID: Gary, If you think security is a funny topic, try this one: http://haha.nu/funny/funny-math/ From pmeunier at cerias.purdue.edu Mon Jul 17 17:29:56 2006 From: pmeunier at cerias.purdue.edu (Pascal Meunier) Date: Mon, 17 Jul 2006 17:29:56 -0400 Subject: [SC-L] "Bumper sticker" definition of secure software In-Reply-To: <184D5FFC5203644FB4F8864B0EE445B4E73809@MCLNEXVS06.resource.ds.bah.com> Message-ID: I prefer to define the opposite: "Insecure Software is like a joke, Except others laugh at you" I like it because: -it captures the notion that vulnerabilities, just like jokes, are very often made apparent by thinking in a different context from the software's designers (the straight man). -It conveys the notion that insecure software is shoddy; -It conveys the notion that there are people who will find out that you run insecure software; -It may motivate some people to care about security by invoking social stigma ;) Cheers, Pascal Meunier Purdue University CERIAS On 7/15/06 3:27 PM, "Goertzel Karen" wrote: > I've been struggling for a while to synthesise a definition of secure software > that is short and sweet, yet accurate and comprehensive. Here's what I've come > up with: > > Secure software is software that remains dependable despite efforts to > compromise its dependability. > > Agree? Disagree? > > -- > Karen Mercedes Goertzel, CISSP > Booz Allen Hamilton > 703-902-6981 > goertzel_karen at bah.com > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php From everhart at gce.com Mon Jul 17 19:33:55 2006 From: everhart at gce.com (Glenn and Mary Everhart) Date: Mon, 17 Jul 2006 19:33:55 -0400 Subject: [SC-L] "Bumper sticker" definition of secure software In-Reply-To: <44BB3CD3.6030200@novell.com> References: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB6BF474@va-mail.cigital.com> <184D5FFC5203644FB4F8864B0EE445B4E73809@MCLNEXVS06.resource.ds.bah.com> <44BA64E8.1060601@novell.com> <5e01c29a0607161917m392c98cbn633040541984022c@mail.gmail.com> <44BB359A.2010001@novell.com> <5e01c29a0607170019y7aeb2839l368cbb07332e981b@mail.gmail.com> <44BB3CD3.6030200@novell.com> Message-ID: <44BC1E63.7020107@gce.com> Crispin Cowan wrote: > mikeiscool wrote: >> On 7/17/06, Crispin Cowan wrote: >>> "supposed to" goes to intent. >> I don't know. I think there is a difference between "this does what >> it's supposed to do" and "this has no design faults". That's all I was >> trying to highlight. > The difference between "supposed to", "design flaw", and "implementation > flaw" is entirely dependent on your level of abstraction: > > * Executive: "build a thingie that lets good guys in and keeps bad > guys out." > * Director: "build an authentication engine that uses 2-factor > tokens to authenticate users and only then lets them in." > * Manager: "use OpenSSL and this piece of glue to implement that > 2-factor thingie." > * Coder: "main() { ..." :) > > Errors can occur at any level of translation. When it does something > "surprising", then the guy at the top can claim that it wasn't > "supposed" to do that, and if you dig hard enough, you will discover > *some* layer of abstraction where the vulnerability violates the upper > intent, but not the lower intent. Hence the bug. > > Some example bugs at each level: > > * Executive: forgot to specify who is a "good guy" > * Director: Forgot to provide complete mediation, so the attacker > could bypass the authenticator. > * Manager: the glue thingie allowed proper authentication tokens, > but also allowed tokens with a string value of 0. > * Coder: "gets(token); ..." > > Crispin > Yep...there are plenty of things that can go wrong. There are also plenty of rather clever attacks. Designing a system requires much more complete thought and a comprehensive viewpoint to have a hope... As one very very minor example consider: Authentication only for a payment rather resembles a check with only a signature. Glenn Everhart From nash at solace.net Mon Jul 17 19:32:56 2006 From: nash at solace.net (Nash) Date: Mon, 17 Jul 2006 19:32:56 -0400 Subject: [SC-L] Resource limitation In-Reply-To: References: Message-ID: <20060717233256.GD9859@quack.solace.net> On Mon, Jul 17, 2006 at 05:48:59PM -0400, leichter_jerrold at emc.com wrote: > I was recently looking at some code to do regular expression > matching, when it occurred to me that one can produce fairly small > regular expressions that require huge amounts of space and time. > There's nothing in the slightest bit illegal about such regexp's - > it's just inherent in regular expressions that such things exist. Yeah... the set of regular languages is big. And, some have pretty pathological FSM representations. > In addition, the kinds of resources that you can exhaust this way is > broader than you'd first guess. Memory is obvious; overrunning a > thread stack is perhaps less so. ... How about file descriptors? > File space? Available transmission capacity for a variety of kinds > of connections? > One place to look is capability systems. They're more flexible and should have all the features you want, but are still largely theoretical. http://en.wikipedia.org/wiki/Capability-based_security That said, every decent Unix system I'm aware of has ulimit, which you can use to restrict virtual memory allocations, total open files, etc: nash @ quack% ulimit -a ... virtual memory (kbytes, -v) unlimited nash @ quack% ulimit -v 1024 # just 1M RAM, this'll be fun :-) nash @ quack% ( find * ) find: error while loading shared libraries: libc.so.6: failed to map segment from shared object: Cannot allocate memory Alternately, you can implement your own allocator library for your application and then impose per-thread limits using that library. How you do that is going to depend alot on the language. Obviously, there are lots for C/C++ floating around. http://en.wikipedia.org/wiki/Memory_allocation In Java, you don't get nice knobs on Objects and Threads, but you get several nice knobs on the VM itself: -Xm, -XM, etc. Other high level languages have similar problems to Java. I.e., how do you abstract the "size" of a thing when you don't give access to memory as a flat byte array? Well, you can do lots of fun things using LIFO queues, or LRU caches, and so forth. There are performance impacts to consider, but they you can often tweak things so it sucks primarily for the abuser. None of these is really that hard to implement. So, do we really need new theory for this? Dunno. One's mileage does vary. -nash -- "the lyf so short, the craft so long to lerne." - Geoffrey Chaucer From rgk at cerias.purdue.edu Mon Jul 17 22:23:27 2006 From: rgk at cerias.purdue.edu (Rajeev Gopalakrishna) Date: Mon, 17 Jul 2006 22:23:27 -0400 (EDT) Subject: [SC-L] "Bumper sticker" definition of secure software In-Reply-To: References: Message-ID: Reliability is concerned only with accidental failures while security has to consider malicious attacks as well. The difference is in the intent of the software user: benign or malicious. And for a bumper sticker, here is one for the pessimists: "Secure Software is a Myth" and another version for the skeptics: "Is Secure Software a Myth?" :) -rajeev On Mon, 17 Jul 2006, Peter G. Neumann wrote: > You suggest: > > Secure software is software that remains dependable despite efforts to > compromise its dependability. > > You need a bigger-picture view that encompasses trustworthiness > and assurance. > > "Dependable systems are systems that remain dependable despite > would-be compromises to their dependability." > > "Trustworthy systems are systems that are worthy of being trusted > to satisfy their requirements (for security, reliability, survivability, > safety, or whatever)." > > Security is generally too narrow by itself, because a system that is > not reliable is not likely to be secure, especially when in > unreliability mode! > > The principle of Keep It Simple is inherently unworkable with respect to > security. Security is inherently complex. Trustworthiness is broader and > even more complex. But if you don't think about trustworthiness more > broadly, what you get is not likely to be very secure. > > Forget the bumper sticker approach. > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > From ge at linuxbox.org Tue Jul 18 06:34:48 2006 From: ge at linuxbox.org (Gadi Evron) Date: Tue, 18 Jul 2006 05:34:48 -0500 (CDT) Subject: [SC-L] "Bumper sticker" definition of secure software In-Reply-To: Message-ID: On Mon, 17 Jul 2006, Rajeev Gopalakrishna wrote: > Reliability is concerned only with accidental failures while security has > to consider malicious attacks as well. The difference is in the intent of > the software user: benign or malicious. > > And for a bumper sticker, here is one for the pessimists: > > "Secure Software is a Myth" > > and another version for the skeptics: > > "Is Secure Software a Myth?" > > :) Again, this would speak only to a very small percentage of the population. You me, maybe 10K people around the world if we are generous. > > -rajeev > > > On Mon, 17 Jul 2006, Peter G. Neumann wrote: > > > You suggest: > > > > Secure software is software that remains dependable despite efforts to > > compromise its dependability. > > > > You need a bigger-picture view that encompasses trustworthiness > > and assurance. > > > > "Dependable systems are systems that remain dependable despite > > would-be compromises to their dependability." > > > > "Trustworthy systems are systems that are worthy of being trusted > > to satisfy their requirements (for security, reliability, survivability, > > safety, or whatever)." > > > > Security is generally too narrow by itself, because a system that is > > not reliable is not likely to be secure, especially when in > > unreliability mode! > > > > The principle of Keep It Simple is inherently unworkable with respect to > > security. Security is inherently complex. Trustworthiness is broader and > > even more complex. But if you don't think about trustworthiness more > > broadly, what you get is not likely to be very secure. > > > > Forget the bumper sticker approach. > > > > _______________________________________________ > > Secure Coding mailing list (SC-L) > > SC-L at securecoding.org > > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > > List charter available at - http://www.securecoding.org/list/charter.php > > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > From petesh at indigo.ie Tue Jul 18 08:04:59 2006 From: petesh at indigo.ie (Pete Shanahan) Date: Tue, 18 Jul 2006 13:04:59 +0100 Subject: [SC-L] Resource limitation In-Reply-To: References: Message-ID: <44BCCE6B.7050700@indigo.ie> leichter_jerrold at emc.com wrote: > I was recently looking at some code to do regular expression matching, > when it occurred to me that one can produce fairly small regular > expressions that require huge amounts of space and time. There's > nothing in the slightest bit illegal about such regexp's - it's just > inherent in regular expressions that such things exist. > Been there, done that, watched computers go down again and again from this. > Or consider file compression formats. Someone out there has a hand- > constructed zip file that corresponds to a file with more bytes than > there are particles in the universe. Again, perfectly legal as it > stands. > > Back in the old days, when users ran programs in their own processes and > operating systems actually bothered to have a model of resource usage > that they enforced, you could at least ensure that the user could only > hurt himself if handed such an object. These days, OS's tend to ignore > resource issues - memory and time are, for most legitimate purposes, > "too cheap to meter" - and in any case this has long moved outside of > their visibility: Clients are attaching to multi-thread servers, and > all the OS sees is the aggregate demand. > Most typical unix/linux environments contain aggregate resource meters - per process limitations on resource usage. > Allocating huge amounts of memory in almost any multi-threaded app is > likely to cause problems. Yes, the thread asking for the memory will > die - but unless the code is written very defensively, it stands a > good chance of bring down other threads, or the whole application, > along with it: Memory is a global resource. Ah, now this would be due to the standard definition of a thread. If you used something more akin to light weight processes then you could isolate this resource consumption problem a little bit better. A thread is the basic unit of processing, it was never intended to be a unit of resource consumption. > > We recently hardened a network protocol against this kind of problem. > You could transfer arbitrary-sized strings over the link. A string > was sent as a 4-byte length in bytes, followed by the actual data. > A request for 4 GB would fail quickly, breaking the connection. But > a request for 2 GB might well succeed, starving the rest of the > application. Worse, the API supports groups of requests - e.g., > arguments to a function. Even though the individual requests might > look reasonable, the sum of them could crash the application. This > makes the hardened code more complex: You can't just limit the > size of an individual request, you have to limit the total amount > of memory allocated in multiple requests. Also, because in general > you don't know what the total will be ahead of time, you end up > having to be conservative, so that if a request gets right up close > to the limit, you won't cause the application problems. (This, of > course, could cause the application *other* problems.) > Yes, and this falls into general application design. Most network protocols are designed around the concept of front loading information into the stack. Every level puts more information at the front, not at the end. This means that you can make decisions based on a very small piece of data, allowing you to quickly process it, or kill it should it causes you problems. If you're allowing such huge data packets and you haven't got the back-end system in place to process them quickly, and without resource starvation, then you're just looking to shoot yourself in the foot. Every system on the planet has had to deal with these problems. From fork-bombs through to excess network connections. A lot of them can be prevented using resource limits. Depending on the OS, you can limit resource usage by either individual process, or group of processes (typically referred to as a task-group). Should an operating system not provide you with integrated features to protect you from these resource consumptions, then you can quite easily create monitoring tools that are integrated into the application to monitor and prevent these kinds of things. Under an OS like Solaris, you could use a facility like dtrace to monitor resource use from both the application and OS level to make resource allocation decisions. This facility would not need to be integrated into the application. the problem is that a lot of the resource decisions that are made with applications are more dependent on the administrator rather than the application developer. After all, while an application developer may say '10% of physical memory left is OK', and administrator might say 'but what about that other service there that needs 15%'. > Is anyone aware of any efforts to control these kinds of vulnerabili- > ties? It's something that cries out for automation: Getting it right > by hand is way too hard. Traditional techniques - strong typing, > unavoidable checking of array bounds and such - may be required for a > more sophisticated approach, but they don't in and of themselves help: > One can exhaust resources with entirely "legal" requests. > > In addition, the kinds of resources that you can exhaust this way is > broader than you'd first guess. Memory is obvious; overrunning a thread > stack is perhaps less so. (That will *usually* only affect the thread > in question, but not always.) How about file descriptors? File space? > Available transmission capacity for a variety of kinds of connections? -- Pete +353 (87) 412 9576 [M] Just about every computer on the market today runs Unix, except the Mac (and nobody cares about it). -- Bill Joy 6/21/85 From thesp0nge at gmail.com Tue Jul 18 10:32:12 2006 From: thesp0nge at gmail.com (Paolo Perego) Date: Tue, 18 Jul 2006 16:32:12 +0200 Subject: [SC-L] "Bumper sticker" definition of secure software In-Reply-To: References: Message-ID: Hi list, I'll introduce myself with a claim: "Software is like Titanic, pleople claim it was unsinkable. Securing is providing it power steering" thesp0nge On 7/18/06, Gadi Evron wrote: > > On Mon, 17 Jul 2006, Rajeev Gopalakrishna wrote: > > Reliability is concerned only with accidental failures while security > has > > to consider malicious attacks as well. The difference is in the intent > of > > the software user: benign or malicious. > > > > And for a bumper sticker, here is one for the pessimists: > > > > "Secure Software is a Myth" > > > > and another version for the skeptics: > > > > "Is Secure Software a Myth?" > > > > :) > > Again, this would speak only to a very small percentage of the > population. You me, maybe 10K people around the world if we are generous. > > > > > -rajeev > > > > > > On Mon, 17 Jul 2006, Peter G. Neumann wrote: > > > > > You suggest: > > > > > > Secure software is software that remains dependable despite efforts > to > > > compromise its dependability. > > > > > > You need a bigger-picture view that encompasses trustworthiness > > > and assurance. > > > > > > "Dependable systems are systems that remain dependable despite > > > would-be compromises to their dependability." > > > > > > "Trustworthy systems are systems that are worthy of being trusted > > > to satisfy their requirements (for security, reliability, > survivability, > > > safety, or whatever)." > > > > > > Security is generally too narrow by itself, because a system that is > > > not reliable is not likely to be secure, especially when in > > > unreliability mode! > > > > > > The principle of Keep It Simple is inherently unworkable with respect > to > > > security. Security is inherently complex. Trustworthiness is broader > and > > > even more complex. But if you don't think about trustworthiness more > > > broadly, what you get is not likely to be very secure. > > > > > > Forget the bumper sticker approach. > > > > > > _______________________________________________ > > > Secure Coding mailing list (SC-L) > > > SC-L at securecoding.org > > > List information, subscriptions, etc - > http://krvw.com/mailman/listinfo/sc-l > > > List charter available at - > http://www.securecoding.org/list/charter.php > > > > > _______________________________________________ > > Secure Coding mailing list (SC-L) > > SC-L at securecoding.org > > List information, subscriptions, etc - > http://krvw.com/mailman/listinfo/sc-l > > List charter available at - http://www.securecoding.org/list/charter.php > > > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - > http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > -- $>cd /pub $>more beer AngeL core developer: http://www.sikurezza.org/angel -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20060718/9e775e27/attachment-0001.html From secureCoding2dave at davearonson.com Tue Jul 18 10:52:56 2006 From: secureCoding2dave at davearonson.com (SC-L Subscriber Dave Aronson) Date: Tue, 18 Jul 2006 14:52:56 +0000 Subject: [SC-L] bumper sticker slogan for secure software Message-ID: Paolo Perego [mailto:thesp0nge at gmail.com] writes: > "Software is like Titanic, pleople claim it was unsinkable. Securing is > providing it power steering" But power steering wouldn't have saved it. By the time the iceberg was spotted, there was not enough time to turn that large a boat. Perhaps radar, but that doesn't make a very good analogy. Maybe a thicker tougher hull and automatic compartment doors? -Dave From dana at vulscan.com Tue Jul 18 11:45:28 2006 From: dana at vulscan.com (Dana Epp) Date: Tue, 18 Jul 2006 08:45:28 -0700 Subject: [SC-L] bumper sticker slogan for secure software Message-ID: <9AE3FC06F0A89A43A4D6F667955082C402D358@sbsmain.Vulscan.local> Or perhaps less arrogance in believing "it won't sink". Absolute security is a myth. As is designing absolutely secure software. It is a lofty goal, but one of an absolute that just isn't achievable as threats change and new attack patterns are found. Designing secure software is about attaining a level of balance around software dependability weighed against mitigated risks against said software to acceptable tolerance levels, while at the same time ensuring said software accomplishes the original goal... to solve some problem for the user. On my office door is a bumper sticker I made. It simply says: 0x5 10 points to the first person to explain what that means. Regards, Dana Epp [Microsoft Security MVP] http://silverstr.ufies.org/blog/ -----Original Message----- From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of SC-L Subscriber Dave Aronson Sent: Tuesday, July 18, 2006 7:53 AM To: SC-L at securecoding.org Subject: [SC-L] bumper sticker slogan for secure software Paolo Perego [mailto:thesp0nge at gmail.com] writes: > "Software is like Titanic, pleople claim it was unsinkable. Securing is > providing it power steering" But power steering wouldn't have saved it. By the time the iceberg was spotted, there was not enough time to turn that large a boat. Perhaps radar, but that doesn't make a very good analogy. Maybe a thicker tougher hull and automatic compartment doors? -Dave _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php From massimo at grandmedia.si Tue Jul 18 12:56:53 2006 From: massimo at grandmedia.si (...) Date: Tue, 18 Jul 2006 18:56:53 +0200 Subject: [SC-L] bumper sticker slogan for secure software References: Message-ID: <014d01c6aa8b$2bc22e40$c1b13405@pitgroup.local> well... there's no possible definition... unless programmers start thinking and acting in another way, and who commissions the software respect and pays for the real value of it, and users understand the value, Secure Software is an Oxymoron (there may be a reason why this has "moron" inside......) From vanderaj at greebo.net Tue Jul 18 13:17:49 2006 From: vanderaj at greebo.net (Andrew van der Stock) Date: Wed, 19 Jul 2006 03:17:49 +1000 Subject: [SC-L] bumper sticker slogan for secure software In-Reply-To: <9AE3FC06F0A89A43A4D6F667955082C402D358@sbsmain.Vulscan.local> References: <9AE3FC06F0A89A43A4D6F667955082C402D358@sbsmain.Vulscan.local> Message-ID: Best for older cars... "My other car is a bit more secure" Best for Volvos (or pick another high safety brand): "I wish my finance systems are as safe as this car" "Honk if you want secure software" "Who has your data? Ask for secure software next time" thanks, Andrew -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2234 bytes Desc: not available Url : http://krvw.com/pipermail/sc-l/attachments/20060719/b049ee0f/attachment.bin From wietse at porcupine.org Tue Jul 18 13:28:01 2006 From: wietse at porcupine.org (Wietse Venema) Date: Tue, 18 Jul 2006 13:28:01 -0400 (EDT) Subject: [SC-L] bumper sticker slogan for secure software In-Reply-To: <9AE3FC06F0A89A43A4D6F667955082C402D358@sbsmain.Vulscan.local> "from Dana Epp at Jul 18, 2006 08:45:28 am" Message-ID: <20060718172801.D9C12BC099@spike.porcupine.org> Dana Epp: > Or perhaps less arrogance in believing "it won't sink". Absolutely. Here's my $0.02: secure software fails safely Any non-trivial piece of software has defects. My challenge is not to eliminate the last defect, but to make the system safe to use (for some appropriate definition of safe) in the presence of defects. Wietse From michaelslists at gmail.com Tue Jul 18 20:59:35 2006 From: michaelslists at gmail.com (mikeiscool) Date: Wed, 19 Jul 2006 10:59:35 +1000 Subject: [SC-L] bumper sticker slogan for secure software In-Reply-To: <9AE3FC06F0A89A43A4D6F667955082C402D358@sbsmain.Vulscan.local> References: <9AE3FC06F0A89A43A4D6F667955082C402D358@sbsmain.Vulscan.local> Message-ID: <5e01c29a0607181759x13d531f4n95972f5b60c189d2@mail.gmail.com> On 7/19/06, Dana Epp wrote: > Or perhaps less arrogance in believing "it won't sink". > > Absolute security is a myth. no it isn't. pretending it is a 'myth' is an attempt by sloppy programmers and designers to explain away the reasons for their applications failing. > As is designing absolutely secure software. > It is a lofty goal, but one of an absolute that just isn't achievable as > threats change and new attack patterns are found. Designing secure > software is about attaining a level of balance around software > dependability weighed against mitigated risks against said software to > acceptable tolerance levels, while at the same time ensuring said > software accomplishes the original goal... to solve some problem for the > user. > > On my office door is a bumper sticker I made. It simply says: > > 0x5 > > 10 points to the first person to explain what that means. security 101? -- mic From pmeunier at cerias.purdue.edu Wed Jul 19 10:07:23 2006 From: pmeunier at cerias.purdue.edu (Pascal Meunier) Date: Wed, 19 Jul 2006 10:07:23 -0400 Subject: [SC-L] bumper sticker slogan for secure software In-Reply-To: <9AE3FC06F0A89A43A4D6F667955082C402D358@sbsmain.Vulscan.local> Message-ID: On 7/18/06 11:45 AM, "Dana Epp" wrote: > Or perhaps less arrogance in believing "it won't sink". > > Absolute security is a myth. As is designing absolutely secure software. I have high hopes in formal methods. > It is a lofty goal, but one of an absolute that just isn't achievable as > threats change and new attack patterns are found. Designing secure > software is about attaining a level of balance around software > dependability weighed against mitigated risks against said software to > acceptable tolerance levels, while at the same time ensuring said > software accomplishes the original goal... to solve some problem for the > user. > > On my office door is a bumper sticker I made. It simply says: > > 0x5 > > 10 points to the first person to explain what that means. Since you're at Microsoft I'll bet it's related to "RPC Layer returned error 0x5 (Access is denied.) This may happen if host security is not installed". http://support.microsoft.com/kb/216558/en-us So it would be an oblique way of referring to host security. If it was on a motel-style door-handle card it could also mean "do not disturb" (send visitors away with an "access denied"). Perhaps, "go away if you haven't secured your system". Who knows besides you ;) Pascal > > > Regards, > Dana Epp > [Microsoft Security MVP] > http://silverstr.ufies.org/blog/ > > -----Original Message----- > From: sc-l-bounces at securecoding.org > [mailto:sc-l-bounces at securecoding.org] On Behalf Of SC-L Subscriber Dave > Aronson > Sent: Tuesday, July 18, 2006 7:53 AM > To: SC-L at securecoding.org > Subject: [SC-L] bumper sticker slogan for secure software > > Paolo Perego [mailto:thesp0nge at gmail.com] writes: > >> "Software is like Titanic, pleople claim it was unsinkable. Securing > is > providing it power steering" > > But power steering wouldn't have saved it. By the time the iceberg was > spotted, there was not enough time to turn that large a boat. Perhaps > radar, but that doesn't make a very good analogy. Maybe a thicker > tougher hull and automatic compartment doors? > > -Dave > > > > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - > http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > From vanderaj at greebo.net Wed Jul 19 10:45:25 2006 From: vanderaj at greebo.net (Andrew van der Stock) Date: Thu, 20 Jul 2006 00:45:25 +1000 Subject: [SC-L] bumper sticker slogan for secure software In-Reply-To: <5e01c29a0607181759x13d531f4n95972f5b60c189d2@mail.gmail.com> References: <9AE3FC06F0A89A43A4D6F667955082C402D358@sbsmain.Vulscan.local> <5e01c29a0607181759x13d531f4n95972f5b60c189d2@mail.gmail.com> Message-ID: Actually, it is a myth. For every non-trivial system, there are business pressures on resourcing, deadlines, and acceptable quality (pick any two). Once a business has set their taste for risk, it makes no sense to spend say $10m on security controls on a product and delay it for six months which may only bring in $2m in revenue in total, or none at all if the company runs out of money to bring it to market. At the moment, most companies neither accept or assign the risk, enumerate the risk correctly, nor take adequate steps to eliminate as much risk as possible. We need to improve all three aspects. Even in a perfect world, there will still be bugs and security defects. Let's make sure that the remaining ones are really hard to exploit, and when the exploit happens, not much loss occurs. thanks, Andrew On 19/07/2006, at 10:59 AM, mikeiscool wrote: >> Absolute security is a myth. > > no it isn't. pretending it is a 'myth' is an attempt by sloppy > programmers and designers to explain away the reasons for their > applications failing. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2234 bytes Desc: not available Url : http://krvw.com/pipermail/sc-l/attachments/20060720/a1a1e54b/attachment.bin From leichter_jerrold at emc.com Wed Jul 19 10:30:48 2006 From: leichter_jerrold at emc.com (leichter_jerrold at emc.com) Date: Wed, 19 Jul 2006 10:30:48 -0400 Subject: [SC-L] Resource limitation Message-ID: | > I was recently looking at some code to do regular expression | > matching, when it occurred to me that one can produce fairly small | > regular expressions that require huge amounts of space and time. | > There's nothing in the slightest bit illegal about such regexp's - | > it's just inherent in regular expressions that such things exist. | | Yeah... the set of regular languages is big. And, some have pretty | pathological FSM representations. | | > In addition, the kinds of resources that you can exhaust this way is | > broader than you'd first guess. Memory is obvious; overrunning a | > thread stack is perhaps less so. ... How about file descriptors? | > File space? Available transmission capacity for a variety of kinds | > of connections? | > | | One place to look is capability systems. They're more flexible and | should have all the features you want, Capability systems I've seen have Boolean capabilities. I agree that one could, in principle, extend the notion to include resource limits - but that adds complexity. | but are still largely | theoretical. ...for an interesting notion of "still". Capability systems have been around for 30 years. They've been implemented repeatedly. But they haven't actually succeeded in any meaningful sense anywhere. The problem doesn't seem to be capabilities as such - it's the management of them, which is way too complex. Great research area.... BTW, as an example of the additional complexity in going from binary capabilities to resource limits: If I have a capability, I may or may not be able to grant it to another actor (keeping it for myself as well); and I may or may not be able to *transfer* it to another actor. With resources, can I have to split my resources with, say, the subprocesses I create? Can I start them with the same resources I have? Can I pool mine with theirs? If I have to split them, is there some way of moving the resources around later? (VMS has OS-enforced resources, and has different catagories of them along these lines. It's been too long and I don't even remember the catagories or examples for certain, but things like "total memory used" are pooled, others are split, and yet others are simply copied.) There's a recent research programming language whose name escapes me at the moment that fully integrates capabilities with the language itself. Nice work - it was used in a demo of a multi-level secure Web browser or some such thing recently. What I don't recall is whether they do resource control as well. | http://en.wikipedia.org/wiki/Capability-based_security | | | That said, every decent Unix system I'm aware of has ulimit, which you | can use to restrict virtual memory allocations, total open files, etc: | | nash @ quack% ulimit -a | ... | virtual memory (kbytes, -v) unlimited | | nash @ quack% ulimit -v 1024 # just 1M RAM, this'll be fun :-) | | nash @ quack% ( find * ) | find: error while loading shared libraries: libc.so.6: failed to map | segment from shared object: Cannot allocate memory ...missing the point entirely. Take a multithreaded server. Apply a strict ulimit. Voila - simple denial of service attack: It's now easy for any thread to exhaust available VM, crashing the entire application. Thanks, but no thanks. | | Alternately, you can implement your own allocator library for your | application and then impose per-thread limits using that library. How | you do that is going to depend alot on the language. Obviously, there | are lots for C/C++ floating around. (a) Who said anything about per-*thread* limits? (b) Even if it is a per-thread limit, what happens when memory is transfered from thread to thread; (c) having been there ... you grossly underestimate the difficulty of "implement[ing] your own allocator library", at least if performance matters to you. | http://en.wikipedia.org/wiki/Memory_allocation | | In Java, you don't get nice knobs on Objects and Threads, but you get | several nice knobs on the VM itself: -Xm, -XM, etc. The moral equivalent of ulimit. | Other high level | languages have similar problems to Java. I.e., how do you abstract the | "size" of a thing when you don't give access to memory as a flat byte | array? Well, you can do lots of fun things using LIFO queues, or LRU | caches, and so forth. There are performance impacts to consider, but | they you can often tweak things so it sucks primarily for the abuser. | | None of these is really that hard to implement. So, do we really need | new theory for this? Dunno. One's mileage does vary. Well, based on what you've proposed ... yes, we're seriously lacking in both theory and implementation. -- Jerry | -nash | | -- | | "the lyf so short, the craft so long to lerne." | - Geoffrey Chaucer | From mouse at Rodents.Montreal.QC.CA Wed Jul 19 11:22:01 2006 From: mouse at Rodents.Montreal.QC.CA (der Mouse) Date: Wed, 19 Jul 2006 11:22:01 -0400 (EDT) Subject: [SC-L] bumper sticker slogan for secure software In-Reply-To: References: Message-ID: <200607191525.LAA11582@Sparkle.Rodents.Montreal.QC.CA> >> Absolute security is a myth. As is designing absolutely secure >> software. > I have high hopes in formal methods. All formal methods do is push bugs around. Basically, you end up writing in a higher-level language (the spec you are formally verifying the program meets). You are then subject to the bugs present in *that* "program" (the spec) and the bugs present in the "compiler" (the formal verifier). Formal methods are a useful tool, and have a place. But they are not a magic bullet. /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML mouse at rodents.montreal.qc.ca / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B From michaelslists at gmail.com Wed Jul 19 18:53:22 2006 From: michaelslists at gmail.com (mikeiscool) Date: Thu, 20 Jul 2006 08:53:22 +1000 Subject: [SC-L] bumper sticker slogan for secure software In-Reply-To: References: <9AE3FC06F0A89A43A4D6F667955082C402D358@sbsmain.Vulscan.local> <5e01c29a0607181759x13d531f4n95972f5b60c189d2@mail.gmail.com> Message-ID: <5e01c29a0607191553o62e16598lb647c332df9324c2@mail.gmail.com> On 7/20/06, Andrew van der Stock wrote: > Actually, it is a myth. > > For every non-trivial system, there are business pressures on > resourcing, deadlines, and acceptable quality (pick any two). Once a > business has set their taste for risk, it makes no sense to spend say > $10m on security controls on a product and delay it for six months > which may only bring in $2m in revenue in total, or none at all if > the company runs out of money to bring it to market. > > At the moment, most companies neither accept or assign the risk, > enumerate the risk correctly, nor take adequate steps to eliminate as > much risk as possible. We need to improve all three aspects. Even in > a perfect world, there will still be bugs and security defects. Let's > make sure that the remaining ones are really hard to exploit, and > when the exploit happens, not much loss occurs. yeah. but none of this changes the fact that it IS possible to write completely secure code. > thanks, > Andrew -- mic From dana at vulscan.com Thu Jul 20 10:49:03 2006 From: dana at vulscan.com (Dana Epp) Date: Thu, 20 Jul 2006 07:49:03 -0700 Subject: [SC-L] bumper sticker slogan for secure software Message-ID: <9AE3FC06F0A89A43A4D6F667955082C402D361@sbsmain.Vulscan.local> > yeah. > but none of this changes the fact that it IS possible to write completely secure code. > -- mic And it IS possible that a man will walk on Mars someday. But its not practical or realistic in the society we live in today. I'm sorry mic, but I have to disagree with you here. It is EXTREMELY difficult to have code be 100% correct if an application has any level of real use or complexity. There will be security defects. The weakest link here is the human factor, and people make mistakes. More importantly, threats are constantly evolving and what you may consider completely secure today may not be tomorrow when a new attack vector is recognized that may attack your software. And unless you wrote every single line of code yourself without calling out to ANY libraries, you cannot rely on the security of other libraries or components that may NOT have the same engineering discipline that you may have on your own code base. Ross Anderson once said that secure software engineering is about building systems to remain dependable in the face of malice, error, or mischance. I think he has something there. If we build systems to maintain confidentiality, integrity and availability, we have the ability to fail gracefully in a manner to recover from unknown or changing problems in our software without being detrimental to the user, or their data. I don't think we should ever stop striving to reach secure coding nirvana. But I also understand that in the real world we are still in our infancy when it comes to secure software as a discipline, and we still have much to learn before we will reach it. Regards, Dana Epp [Microsoft Security MVP] http://silverstr.ufies.org/blog/ From gem at cigital.com Thu Jul 20 12:18:34 2006 From: gem at cigital.com (Gary McGraw) Date: Thu, 20 Jul 2006 12:18:34 -0400 Subject: [SC-L] bumper sticker slogan for secure software Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB74271A@va-mail.cigital.com> And don't forget about the compiler you will no doubt have to use. Do you trust that? You might want to read Thompson's classic "reflections on trusting trust". www.acm.org/classics/sep95 All your compilers are belong to us. gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com -----Original Message----- From: Dana Epp [mailto:dana at vulscan.com] Sent: Thu Jul 20 12:14:54 2006 To: Andrew van der Stock Cc: SC-L at securecoding.org Subject: Re: [SC-L] bumper sticker slogan for secure software > yeah. > but none of this changes the fact that it IS possible to write completely secure code. > -- mic And it IS possible that a man will walk on Mars someday. But its not practical or realistic in the society we live in today. I'm sorry mic, but I have to disagree with you here. It is EXTREMELY difficult to have code be 100% correct if an application has any level of real use or complexity. There will be security defects. The weakest link here is the human factor, and people make mistakes. More importantly, threats are constantly evolving and what you may consider completely secure today may not be tomorrow when a new attack vector is recognized that may attack your software. And unless you wrote every single line of code yourself without calling out to ANY libraries, you cannot rely on the security of other libraries or components that may NOT have the same engineering discipline that you may have on your own code base. Ross Anderson once said that secure software engineering is about building systems to remain dependable in the face of malice, error, or mischance. I think he has something there. If we build systems to maintain confidentiality, integrity and availability, we have the ability to fail gracefully in a manner to recover from unknown or changing problems in our software without being detrimental to the user, or their data. I don't think we should ever stop striving to reach secure coding nirvana. But I also understand that in the real world we are still in our infancy when it comes to secure software as a discipline, and we still have much to learn before we will reach it. Regards, Dana Epp [Microsoft Security MVP] http://silverstr.ufies.org/blog/ _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From fw at deneb.enyo.de Thu Jul 20 11:54:33 2006 From: fw at deneb.enyo.de (Florian Weimer) Date: Thu, 20 Jul 2006 17:54:33 +0200 Subject: [SC-L] "Bumper sticker" definition of secure software In-Reply-To: <17EF6F3064F79040A085A09975A8595305B7F5CC@ex2k.bankofamerica.com> (Brian A. Shea's message of "Mon, 17 Jul 2006 08:57:55 -0700") References: <17EF6F3064F79040A085A09975A8595305B7F5CC@ex2k.bankofamerica.com> Message-ID: <87lkqop8zq.fsf@mid.deneb.enyo.de> * Brian A. Shea: > My slogan: > > Unsecured Applications = Unsecured Business Which is completely acceptable if you and your business partners are aware of the risk level at which your are running your company. Secure software costs more, requires more user training, and fails in hard-to-understand patterns. If you really need it, you lose. From fw at deneb.enyo.de Thu Jul 20 11:58:35 2006 From: fw at deneb.enyo.de (Florian Weimer) Date: Thu, 20 Jul 2006 17:58:35 +0200 Subject: [SC-L] bumper sticker slogan for secure software In-Reply-To: <200607191525.LAA11582@Sparkle.Rodents.Montreal.QC.CA> (der Mouse's message of "Wed, 19 Jul 2006 11:22:01 -0400 (EDT)") References: <200607191525.LAA11582@Sparkle.Rodents.Montreal.QC.CA> Message-ID: <87hd1cp8t0.fsf@mid.deneb.enyo.de> * der Mouse: >>> Absolute security is a myth. As is designing absolutely secure >>> software. > >> I have high hopes in formal methods. > > All formal methods do is push bugs around. Basically, you end up > writing in a higher-level language (the spec you are formally verifying > the program meets). You are then subject to the bugs present in *that* > "program" (the spec) and the bugs present in the "compiler" (the formal > verifier). But people are forced to spend more time with the code, which generally helps them (in particular smart people) to eradicate bugs. Another way to achieve the same thing is to freeze the code base and let it mature over decades, but I don't see the business model for that. From Kevin.Wall at qwest.com Thu Jul 20 12:58:48 2006 From: Kevin.Wall at qwest.com (Wall, Kevin) Date: Thu, 20 Jul 2006 11:58:48 -0500 Subject: [SC-L] bumper sticker slogan for secure software Message-ID: Dana, Regarding your remarks about writing perfectly secure code... well put. And your remarks about Ross Anderson... > Ross Anderson once said that secure software engineering is about > building systems to remain dependable in the face of malice, error, > or mischance. I think he has something there. If we build systems > to maintain confidentiality, integrity and availability, we have the > ability to fail gracefully in a manner to recover from unknown or > changing problems in our software without being detrimental to > the user, or their data. remined me of Anderson and Ralph Needham coining the phrase (hope I'm getting this right) that "security is like programming Satan's computer" in the sense that you have an evil extremely intelligent adversary with unlimited resources and time, etc. [http://www.cl.cam.ac.uk/ftp/users/rja14/satan.pdf] So there's a bumper sticker for you: Security: programming Satan's computer Of course, it's likely to be misunderstood by most. (Maybe we could attribute it to SNL's "church lady". Sorry Ross. ;-) BTW, does anyone besides me think that it's time to put this thread to rest? -kevin --- Kevin W. Wall Qwest Information Technology, Inc. Kevin.Wall at qwest.com Phone: 614.215.4788 "The reason you have people breaking into your software all over the place is because your software sucks..." -- Former whitehouse cybersecurity advisor, Richard Clarke, at eWeek Security Summit This communication is the property of Qwest and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments. From ge at linuxbox.org Thu Jul 20 13:28:31 2006 From: ge at linuxbox.org (Gadi Evron) Date: Thu, 20 Jul 2006 12:28:31 -0500 (CDT) Subject: [SC-L] Google Auditing Message-ID: Hi guys! A few days ago, following the announcements by Dan from Websense and then HD, I wrote a post covering what they have done and what the future may gold for Google hacking for security purposes. http://blogs.securiteam.com/index.php/archives/513 Today a guy posted a blog on using the filetype: feature to find coding errors: http://www.cipher.org.uk/index.php?p=projects/bugle.project Gadi. From pmeunier at cerias.purdue.edu Thu Jul 20 13:36:52 2006 From: pmeunier at cerias.purdue.edu (Pascal Meunier) Date: Thu, 20 Jul 2006 13:36:52 -0400 Subject: [SC-L] bumper sticker slogan for secure software In-Reply-To: <87hd1cp8t0.fsf@mid.deneb.enyo.de> Message-ID: On 7/20/06 11:58 AM, "Florian Weimer" wrote: > * der Mouse: > >>>> Absolute security is a myth. As is designing absolutely secure >>>> software. >> >>> I have high hopes in formal methods. >> >> All formal methods do is push bugs around. Basically, you end up >> writing in a higher-level language (the spec you are formally verifying >> the program meets). You are then subject to the bugs present in *that* >> "program" (the spec) and the bugs present in the "compiler" (the formal >> verifier). > > But people are forced to spend more time with the code, which > generally helps them (in particular smart people) to eradicate bugs. > Another way to achieve the same thing is to freeze the code base and > let it mature over decades, but I don't see the business model for > that. Also, writing it twice with different languages, especially at different levels of abstraction, makes it less likely that the same bugs will appear in both. You can choose the higher level language so that it has great expressive power exactly for the things that are a pain to capture and verify (and thus a source of bugs) in the lower-level language. Last time I checked, formal methods were even able to catch design errors in some networking protocols. But you're right, they are not absolutely perfect because the tools and operators aren't, etc... That doesn't mean they can't help a great deal. I have great hopes for their usefulness. Maybe some day they will help so much that the distinction between what they can produce and absolutely secure software will become too small to matter. Whether we'll still be alive when that happens is another question. Pascal From gem at cigital.com Thu Jul 20 13:57:26 2006 From: gem at cigital.com (Gary McGraw) Date: Thu, 20 Jul 2006 13:57:26 -0400 Subject: [SC-L] bumper sticker slogan for secure software Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB742727@va-mail.cigital.com> I'm afraid that's not true. John Knight has a famous paper that shows that design/requirements bugs persist in n-version programming paradigms. I'll let the interested people google that one up for themselves. gem company www.cigital.com. podcast www.cigital.com/silverbullet book www.swsec.com -----Original Message----- From: Pascal Meunier [mailto:pmeunier at cerias.purdue.edu] Sent: Thu Jul 20 13:54:42 2006 To: Florian Weimer; der Mouse Cc: SC-L at securecoding.org Subject: Re: [SC-L] bumper sticker slogan for secure software On 7/20/06 11:58 AM, "Florian Weimer" wrote: > * der Mouse: > >>>> Absolute security is a myth. As is designing absolutely secure >>>> software. >> >>> I have high hopes in formal methods. >> >> All formal methods do is push bugs around. Basically, you end up >> writing in a higher-level language (the spec you are formally verifying >> the program meets). You are then subject to the bugs present in *that* >> "program" (the spec) and the bugs present in the "compiler" (the formal >> verifier). > > But people are forced to spend more time with the code, which > generally helps them (in particular smart people) to eradicate bugs. > Another way to achieve the same thing is to freeze the code base and > let it mature over decades, but I don't see the business model for > that. Also, writing it twice with different languages, especially at different levels of abstraction, makes it less likely that the same bugs will appear in both. You can choose the higher level language so that it has great expressive power exactly for the things that are a pain to capture and verify (and thus a source of bugs) in the lower-level language. Last time I checked, formal methods were even able to catch design errors in some networking protocols. But you're right, they are not absolutely perfect because the tools and operators aren't, etc... That doesn't mean they can't help a great deal. I have great hopes for their usefulness. Maybe some day they will help so much that the distinction between what they can produce and absolutely secure software will become too small to matter. Whether we'll still be alive when that happens is another question. Pascal _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From jet at flatline.net Thu Jul 20 14:04:46 2006 From: jet at flatline.net (j eric townsend) Date: Thu, 20 Jul 2006 14:04:46 -0400 Subject: [SC-L] code review tools for tcl? In-Reply-To: <5e01c29a0607191553o62e16598lb647c332df9324c2@mail.gmail.com> References: <9AE3FC06F0A89A43A4D6F667955082C402D358@sbsmain.Vulscan.local> <5e01c29a0607181759x13d531f4n95972f5b60c189d2@mail.gmail.com> <5e01c29a0607191553o62e16598lb647c332df9324c2@mail.gmail.com> Message-ID: I've been asked to review some tcl code that works on data from untrusted sources. I've dabbled in tcl a couple of times, but don't consider myself any sort of expert and I'm looking for a bit of automated help. Anyone know of a tool like rats, its4, or codeassure that works on tcl source, or pointers to advice on secure development in tcl? thx, --jet -- jet / KG6ZVQ http://www.flatline.net pgp: 0xD0D8C2E8 AC9B 0A23 C61A 1B4A 27C5 F799 A681 3C11 D0D8 C2E8 From BlueBoar at thievco.com Thu Jul 20 14:54:02 2006 From: BlueBoar at thievco.com (Blue Boar) Date: Thu, 20 Jul 2006 11:54:02 -0700 Subject: [SC-L] bumper sticker slogan for secure software In-Reply-To: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB74271A@va-mail.cigital.com> References: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB74271A@va-mail.cigital.com> Message-ID: <44BFD14A.4070704@thievco.com> Gary McGraw wrote: > And don't forget about the compiler you will no doubt have to use. Do you trust that? > > You might want to read Thompson's classic "reflections on trusting trust". www.acm.org/classics/sep95 > > All your compilers are belong to us. While that is always a good read, I'm not so sure it's that relevant anymore. There is a LOT of binary analysis going on these days. BB From fw at deneb.enyo.de Thu Jul 20 15:11:29 2006 From: fw at deneb.enyo.de (Florian Weimer) Date: Thu, 20 Jul 2006 21:11:29 +0200 Subject: [SC-L] bumper sticker slogan for secure software In-Reply-To: (Pascal Meunier's message of "Thu, 20 Jul 2006 13:36:52 -0400") References: Message-ID: <874pxcks66.fsf@mid.deneb.enyo.de> * Pascal Meunier: > Also, writing it twice with different languages, especially at different > levels of abstraction, makes it less likely that the same bugs will appear > in both. Algorithmic issues such as denial of service attacks through unbalanced binary trees or hash table collisions are pretty independent of the programming language and have been observed in many incarnations. If you implement the same protocol, it's likely that you end up with similar bugs. The DNS compression loop bug was reinvented many times. The fundamental mismatch in OpenPGP between key certification (key plus user ID) and key usage (just the key alone) affected many independently developed implementations. Chrome spoofing is ubiquitous in web browsers. Most things in this list are implemented in C or C++, but the problems are at such a high level that it's unlikely that a different choice of wildly different programming language would make a huge difference. If you look at lower-level bugs, such as buffer overflows, I hope that nobody still thinks that multiple code versions help -- just look at the long list (even after discounting direct code copies) of botched ASN.1 decoders. Some protocols are extremly hard to implement correctly, I'm afraid. (And not all protocols are unnecessarily complex.) From pmeunier at cerias.purdue.edu Thu Jul 20 15:11:06 2006 From: pmeunier at cerias.purdue.edu (Pascal Meunier) Date: Thu, 20 Jul 2006 15:11:06 -0400 Subject: [SC-L] bumper sticker slogan for secure software In-Reply-To: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB742727@va-mail.cigital.com> Message-ID: On 7/20/06 1:57 PM, "Gary McGraw" wrote: > I'm afraid that's not true. John Knight has a famous paper that shows that > design/requirements bugs persist in n-version programming paradigms. I'll let > the interested people google that one up for themselves. > > gem But it's true for stupid bugs like buffer overflows and format string vulnerabilities, in which we're still swimming, and the proof is the fact that those aren't possible in some languages. For design/requirements bugs, I'm reading: Why Are Formal Methods Not Used More Widely? John C. Knight Colleen L. DeJong Matthew S. Gibble Lu?s G. Nakano Department of Computer Science University of Virginia Charlottesville, VA 22903 http://www.cs.virginia.edu/~jck/publications/lfm.97.pdf and the evidence is that engineers presented with formal specifications were able to spot many design errors ("Validation by inspection was effective"). Therefore if you have a formal, high-level version it can be validated better, and formal methods give proof that the lower-level code conforms. I call that all-around better, and I'm hoping for more of it and better ways to do it. Now if you order a cat and needed a dog, nobody can help you. Pascal > > -----Original Message----- > From: Pascal Meunier [mailto:pmeunier at cerias.purdue.edu] > Sent: Thu Jul 20 13:54:42 2006 > To: Florian Weimer; der Mouse > Cc: SC-L at securecoding.org > Subject: Re: [SC-L] bumper sticker slogan for secure software > > > > On 7/20/06 11:58 AM, "Florian Weimer" wrote: > >> * der Mouse: >> >>>>> Absolute security is a myth. As is designing absolutely secure >>>>> software. >>> >>>> I have high hopes in formal methods. >>> >>> All formal methods do is push bugs around. Basically, you end up >>> writing in a higher-level language (the spec you are formally verifying >>> the program meets). You are then subject to the bugs present in *that* >>> "program" (the spec) and the bugs present in the "compiler" (the formal >>> verifier). >> >> But people are forced to spend more time with the code, which >> generally helps them (in particular smart people) to eradicate bugs. >> Another way to achieve the same thing is to freeze the code base and >> let it mature over decades, but I don't see the business model for >> that. > > Also, writing it twice with different languages, especially at different > levels of abstraction, makes it less likely that the same bugs will appear > in both. You can choose the higher level language so that it has great > expressive power exactly for the things that are a pain to capture and > verify (and thus a source of bugs) in the lower-level language. Last time I > checked, formal methods were even able to catch design errors in some > networking protocols. But you're right, they are not absolutely perfect > because the tools and operators aren't, etc... That doesn't mean they can't > help a great deal. I have great hopes for their usefulness. Maybe some day > they will help so much that the distinction between what they can produce > and absolutely secure software will become too small to matter. Whether > we'll still be alive when that happens is another question. > > Pascal > > > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > > > > > ---------------------------------------------------------------------------- > This electronic message transmission contains information that may be > confidential or privileged. The information contained herein is intended > solely for the recipient and use by any other party is not authorized. If > you are not the intended recipient (or otherwise authorized to receive this > message by the intended recipient), any disclosure, copying, distribution or > use of the contents of the information is prohibited. If you have received > this electronic message transmission in error, please contact the sender by > reply email and delete all copies of this message. Cigital, Inc. accepts no > responsibility for any loss or damage resulting directly or indirectly from > the use of this email or its contents. > Thank You. > ---------------------------------------------------------------------------- > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > From leichter_jerrold at emc.com Thu Jul 20 15:33:30 2006 From: leichter_jerrold at emc.com (leichter_jerrold at emc.com) Date: Thu, 20 Jul 2006 15:33:30 -0400 Subject: [SC-L] bumper sticker slogan for secure software Message-ID: | >>>> Absolute security is a myth. As is designing absolutely secure | >>>> software. | >> | >>> I have high hopes in formal methods. | >> | >> All formal methods do is push bugs around... | > | > But people are forced to spend more time with the code, which | > generally helps them (in particular smart people) to eradicate bugs.... | | Also, writing it twice with different languages, especially at different | levels of abstraction, makes it less likely that the same bugs will appear | in both. You can choose the higher level language so that it has great | expressive power exactly for the things that are a pain to capture and | verify (and thus a source of bugs) in the lower-level language.... But always keep in mind a comment (allegedly, I've never actually seen this) present at the top of something Don Knuth wrote: Be careful with this code. I've only proved it correct, not actually tested it. If Don Knuth can say that about code, the rest of us should be very humble about our correctness proofs. -- Jerry From fw at deneb.enyo.de Thu Jul 20 15:46:22 2006 From: fw at deneb.enyo.de (Florian Weimer) Date: Thu, 20 Jul 2006 21:46:22 +0200 Subject: [SC-L] bumper sticker slogan for secure software In-Reply-To: (Pascal Meunier's message of "Thu, 20 Jul 2006 15:11:06 -0400") References: Message-ID: <87lkqojbzl.fsf@mid.deneb.enyo.de> * Pascal Meunier: > But it's true for stupid bugs like buffer overflows and format string > vulnerabilities, in which we're still swimming, and the proof is the fact > that those aren't possible in some languages. Could you name a few such language implementations? 8-) In most cases, the components that enforces the absence of buffer overflows are written in C. In other cases, languages have the reputation of being free from buffer overflows although it's just not true: You can create a fully conforming Common Lisp implementation where code injection through buffer overflows is possible. On the other hand, it's possible to construct an ISO C implementation where accessing memory beyond the end of a buffer is equivalent to calling abort. (Such CL implementations are very common, but the C implementatins aren't because they would feature a very unusual ABI or suffer from poor performance.) And you need to keep in mind that even with C, we are close to turning buffer overflows into completely reproducible crashes. This is not so much different from supposedly safer programming languages where an exception is raised in such cases. The exception can be handled, sure, but if it is truly unexpected, your system will fail. > For design/requirements bugs, I'm reading: Safety-critical software is a very different beast. You can make much stronger assumptions about the environment. It's not clear if the results apply to software security in open system. I'm not saying that formal methods have no value. But I doubt that comparisons with projects at completely different dollars-per-line-of-code levels give immediate insights. From pmeunier at cerias.purdue.edu Thu Jul 20 16:03:01 2006 From: pmeunier at cerias.purdue.edu (Pascal Meunier) Date: Thu, 20 Jul 2006 16:03:01 -0400 Subject: [SC-L] bumper sticker slogan for secure software In-Reply-To: <874pxcks66.fsf@mid.deneb.enyo.de> Message-ID: On 7/20/06 3:11 PM, "Florian Weimer" wrote: > * Pascal Meunier: > >> Also, writing it twice with different languages, especially at different >> levels of abstraction, makes it less likely that the same bugs will appear >> in both. > > Algorithmic issues such as denial of service attacks through > unbalanced binary trees or hash table collisions are pretty > independent of the programming language and have been observed in many > incarnations. > > If you implement the same protocol, it's likely that you end up with > similar bugs. The DNS compression loop bug was reinvented many times. > The fundamental mismatch in OpenPGP between key certification (key > plus user ID) and key usage (just the key alone) affected many > independently developed implementations. Chrome spoofing is > ubiquitous in web browsers. > > Most things in this list are implemented in C or C++, but the problems > are at such a high level that it's unlikely that a different choice of > wildly different programming language would make a huge difference. > If you look at lower-level bugs, such as buffer overflows, I hope that > nobody still thinks that multiple code versions help -- just look at > the long list (even after discounting direct code copies) of botched > ASN.1 decoders. > > Some protocols are extremly hard to implement correctly, I'm afraid. > (And not all protocols are unnecessarily complex.) > It's obvious that if you just translate a bad, complicated algorithm or protocol from one language to the next, they'll all be bad. It remains that sometimes when you make people say something stupid twice they catch on the second time, especially during code reviews, because they re-express the code using natural language. That's why I said, "less likely". It works with some and not others. Pascal From ljknews at mac.com Thu Jul 20 16:20:07 2006 From: ljknews at mac.com (ljknews) Date: Thu, 20 Jul 2006 16:20:07 -0400 Subject: [SC-L] bumper sticker slogan for secure software In-Reply-To: <874pxcks66.fsf@mid.deneb.enyo.de> References: <874pxcks66.fsf@mid.deneb.enyo.de> Message-ID: At 9:11 PM +0200 7/20/06, Florian Weimer wrote: > Most things in this list are implemented in C or C++, but the problems > are at such a high level that it's unlikely that a different choice of > wildly different programming language would make a huge difference. > If you look at lower-level bugs, such as buffer overflows, I hope that > nobody still thinks that multiple code versions help It helps so long as some of the languages chosen are those immune to buffer overflows. -- Larry Kilgallen From pmeunier at cerias.purdue.edu Thu Jul 20 16:28:07 2006 From: pmeunier at cerias.purdue.edu (Pascal Meunier) Date: Thu, 20 Jul 2006 16:28:07 -0400 Subject: [SC-L] bumper sticker slogan for secure software In-Reply-To: <87lkqojbzl.fsf@mid.deneb.enyo.de> Message-ID: On 7/20/06 3:46 PM, "Florian Weimer" wrote: > * Pascal Meunier: > >> But it's true for stupid bugs like buffer overflows and format string >> vulnerabilities, in which we're still swimming, and the proof is the fact >> that those aren't possible in some languages. > > Could you name a few such language implementations? 8-) > > In most cases, the components that enforces the absence of buffer > overflows are written in C. That's irrelevant. What is important is that some magic formal tool could say that some code in language "A", where bug of type "k" is possible, is not equivalent to the version in language "B", where type "k" bugs are impossible, ergo you have found a type "k" bug (in the absence of any other bug in that section of code...). I know someone is going to ask, "why didn't you code it only in language B then?", to which there can be many different answers, and I don't want to get into that. >> For design/requirements bugs, I'm reading: > > Safety-critical software is a very different beast. You can make much > stronger assumptions about the environment. It's not clear if the > results apply to software security in open system. > > I'm not saying that formal methods have no value. But I doubt that > comparisons with projects at completely different > dollars-per-line-of-code levels give immediate insights. That's one of the things I'm hoping for: that more and better formal methods become more affordable and practical. Spark, for example, demonstrated that the costs of some formal methods were much lower than what people expected, in real projects. That gives me hope. Pascal From ljknews at mac.com Thu Jul 20 16:59:35 2006 From: ljknews at mac.com (ljknews) Date: Thu, 20 Jul 2006 16:59:35 -0400 Subject: [SC-L] bumper sticker slogan for secure software In-Reply-To: <87lkqojbzl.fsf@mid.deneb.enyo.de> References: <87lkqojbzl.fsf@mid.deneb.enyo.de> Message-ID: At 9:46 PM +0200 7/20/06, Florian Weimer wrote: > * Pascal Meunier: > >> But it's true for stupid bugs like buffer overflows and format string >> vulnerabilities, in which we're still swimming, and the proof is the fact >> that those aren't possible in some languages. > > Could you name a few such language implementations? 8-) Ada ! > In most cases, the components that enforces the absence of buffer > overflows are written in C. Not in VAX/DEC/Compaq/HP Ada, which is the one that I use. But the "components" that enforce the absence of buffer overflows are not written in Bliss (the language of the Ada RTL for that compiler) either. They are in the code that is generated, or the failure to generate that code because the problem was caught at compile time. -- Larry Kilgallen From dana at vulscan.com Thu Jul 20 18:44:38 2006 From: dana at vulscan.com (Dana Epp) Date: Thu, 20 Jul 2006 15:44:38 -0700 Subject: [SC-L] bumper sticker slogan for secure software Message-ID: <9AE3FC06F0A89A43A4D6F667955082C402D364@sbsmain.Vulscan.local> Actually, Brian Shea got the points for emailing me that he knew it was the system error "Access Denied". An extra 10 points goes to Andrew van der Stock for his explaination that: "apparently the term originates from radio, where 5x5 means good reception and good signal strength (in that order). So 0x5 means - no reception ("0") - good signal strength ("5") ie, we're doing ok at getting our message out, but people aren't listening yet. " That cracked me up. So fitting for this forum. Regards, Dana Epp [Microsoft Security MVP] http://silverstr.ufies.org/blog/ -----Original Message----- From: mikeiscool [mailto:michaelslists at gmail.com] Sent: Thursday, July 20, 2006 3:25 PM To: Wall, Kevin Cc: Dana Epp; SC-L at securecoding.org Subject: Re: [SC-L] bumper sticker slogan for secure software > BTW, does anyone besides me think that it's time to put this thread to > rest? I do. But i'm still waiting for my points from dana ... > -kevin -- mic From johwi at ida.liu.se Fri Jul 21 07:15:01 2006 From: johwi at ida.liu.se (John Wilander) Date: Fri, 21 Jul 2006 13:15:01 +0200 Subject: [SC-L] bumper sticker slogan for secure software In-Reply-To: Message-ID: <200607211115.k6LBFCoW007733@portofix.ida.liu.se> I've actually been using a secure software slogan for a few years, both in teaching and in pitching business. It's taken from Howard and LeBlanc's book "Writing Secure Code": - Security features are not secure features - The statement mesmerizes people and aguably needs a "necessarily" to be more precise. But it's short and does the trick for me---it separates adding security functions from trying to secure all functions in the system (during all phases). Regards, John ____________________________ John Wilander, PhD Student Computer and Information Sc. Linkoping University, Sweden http://www.ida.liu.se/~johwi From michaelslists at gmail.com Thu Jul 20 18:26:13 2006 From: michaelslists at gmail.com (mikeiscool) Date: Fri, 21 Jul 2006 08:26:13 +1000 Subject: [SC-L] "Bumper sticker" definition of secure software In-Reply-To: <87lkqop8zq.fsf@mid.deneb.enyo.de> References: <17EF6F3064F79040A085A09975A8595305B7F5CC@ex2k.bankofamerica.com> <87lkqop8zq.fsf@mid.deneb.enyo.de> Message-ID: <5e01c29a0607201526h78810b6ajb78d7fa92d3ab6d3@mail.gmail.com> On 7/21/06, Florian Weimer wrote: > * Brian A. Shea: > > > My slogan: > > > > Unsecured Applications = Unsecured Business > > Which is completely acceptable if you and your business partners are > aware of the risk level at which your are running your company. > > Secure software costs more, requires more user training, and fails in > hard-to-understand patterns. If you really need it, you lose. Really secure software should require _less_ user training, not more. -- mic From michaelslists at gmail.com Thu Jul 20 18:48:51 2006 From: michaelslists at gmail.com (mikeiscool) Date: Fri, 21 Jul 2006 08:48:51 +1000 Subject: [SC-L] bumper sticker slogan for secure software In-Reply-To: <9AE3FC06F0A89A43A4D6F667955082C402D360@sbsmain.Vulscan.local> References: <9AE3FC06F0A89A43A4D6F667955082C402D360@sbsmain.Vulscan.local> Message-ID: <5e01c29a0607201548v500b1e13wc2e7ceb6787c0791@mail.gmail.com> On 7/21/06, Dana Epp wrote: > > yeah. > > but none of this changes the fact that it IS possible to write > completely secure code. > > -- mic > > And it IS possible that a man will walk on Mars someday. But its not > practical or realistic in the society we live in today. I'm sorry mic, > but I have to disagree with you here. > > It is EXTREMELY difficult to have code be 100% correct if an application > has any level of real use or complexity. There will be security defects. Why? Why accept this as a fact? It is not a fact. If you put procedures in place and appropriately review and test you can be confident. > The weakest link here is the human factor, and people make mistakes. Yes they do. So help them to stop it by teaching and testing and reviewing. > More importantly, threats are constantly evolving and what you may > consider completely secure today may not be tomorrow when a new attack > vector is recognized that may attack your software. This isn't as true and as wide spread as you make it sound. Consider, for example, "SQL Injection". Assuming I do not upgrade my database, and do not change my code and server (i.e. do not change my environment at all), then if I have prevented this attack initially nothing new will come up to suddenly make it work. If the environment IS changed, however, then of course it's expected that the program should be reviewed and checked again. > And unless you wrote > every single line of code yourself without calling out to ANY libraries, > you cannot rely on the security of other libraries or components that > may NOT have the same engineering discipline that you may have on your > own code base. Not true; you can call other libraries happily and with confidence if you handle the case of them going all kinds of wrong. > Ross Anderson once said that secure software engineering is about > building systems to remain dependable in the face of malice, error, or > mischance. I think he has something there. If we build systems to > maintain confidentiality, integrity and availability, we have the > ability to fail gracefully in a manner to recover from unknown or > changing problems in our software without being detrimental to the user, > or their data. > > I don't think we should ever stop striving to reach secure coding > nirvana. But I also understand that in the real world we are still in > our infancy when it comes to secure software as a discipline, and we > still have much to learn before we will reach it. Yes, Much to learn. Like the fact that it _is_ reachable if you believe you can reach it. And, you know, study yoga and live in a cliff for a few years. > Regards, > Dana Epp > [Microsoft Security MVP] > http://silverstr.ufies.org/blog/ -- mic From mouse at Rodents.Montreal.QC.CA Thu Jul 20 18:48:10 2006 From: mouse at Rodents.Montreal.QC.CA (der Mouse) Date: Thu, 20 Jul 2006 18:48:10 -0400 (EDT) Subject: [SC-L] bumper sticker slogan for secure software In-Reply-To: <44BFD14A.4070704@thievco.com> References: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB74271A@va-mail.cigital.com> <44BFD14A.4070704@thievco.com> Message-ID: <200607202258.SAA00520@Sparkle.Rodents.Montreal.QC.CA> >> You might want to read Thompson's classic "reflections on trusting >> trust". www.acm.org/classics/sep95 > While that is always a good read, I'm not so sure it's that relevant > anymore. There is a LOT of binary analysis going on these days. Yes - but you're trusting your binary analysis tools to be intact. You're trusting the OS to give you honest copies of what's on disk. You're trusting lots of things which could be subverted - you could be talking to a complete funkspiel, in theory. At some point you have to say "the chance of the system being subverted here is low enough I'm going to ignore it". For example, when I buy transistors from the electronics shop, I don't worry about the possibility that they have enough smarts inside them to act in weird ways when used in certain applications. As a theoretical example of the kind of thing I mean, consider a transistor that, when used as a switch in a serial-line level-shifter, replaces the incoming data with other data. I choose to trust that the stuff inside the package is sufficiently close to what I think it is to not introduce any insecurities relevant to my threat model. But if my threat model included an adversary sufficiently resourceful and subtle to subvert the electronic-part distribution chain upstream of me, and the price of getting subverted were high enough, I might want to set up a small smelter/forge/whatever to make my own transistors. /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML mouse at rodents.montreal.qc.ca / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B From mouse at Rodents.Montreal.QC.CA Thu Jul 20 19:24:16 2006 From: mouse at Rodents.Montreal.QC.CA (der Mouse) Date: Thu, 20 Jul 2006 19:24:16 -0400 (EDT) Subject: [SC-L] bumper sticker slogan for secure software In-Reply-To: References: Message-ID: <200607202327.TAA00748@Sparkle.Rodents.Montreal.QC.CA> > What is important is that some magic formal tool could say that some > code in language "A", where bug of type "k" is possible, is not > equivalent to the version in language "B", where type "k" bugs are > impossible, ergo you have found a type "k" bug (in the absence of any > other bug in that section of code...). Well, no. You know that a bug exists. It could be in one version (you don't know which one), or it could be in the verifier. If you assume that the verifier is bug-free, and you assume that the language-A version is semantically correct, then you know that a bug exists in the language-B version. It might be of type k or it might be of some other type (possibly a type that can exist in language A, possibly not). And in any case, you have not found it; you have only demonstrated its existence. /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML mouse at rodents.montreal.qc.ca / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B From ken at krvw.com Fri Jul 21 08:11:00 2006 From: ken at krvw.com (Kenneth Van Wyk) Date: Fri, 21 Jul 2006 08:11:00 -0400 Subject: [SC-L] Administrivia: Bumper Stickers Message-ID: Greetings SC-L, It's been a busy couple of days here on SC-L. The bumper sticker thread, in particular, has obviously generated a *lot* of (useful and interesting) discussion. While I'm reluctant to stop legitimate and open debate of opinions, I think that it's fair to say that this thread has pretty much run its course. As such, I'm going to be increasingly diligent in rejecting submissions to it that don't carry the debate further. I'd like to ask for everyone's support in helping this thread die its natural death and move on to other subjects. So, to those that want to continue the thread, be prepared to prove to me with each message that your message(s) deserves to be approved for distribution to the list, please. Cheers, Ken Kenneth Van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com From mark at markgraff.com Fri Jul 21 12:28:48 2006 From: mark at markgraff.com (Mark Graff) Date: Fri, 21 Jul 2006 09:28:48 -0700 Subject: [SC-L] bumper sticker slogan for secure software References: Message-ID: <004e01c6ace2$beea2480$0501a8c0@LIBERTY> There's another point to consider, when talking about whether True Security is Possible. And I have to say I've never been happy with the forms I've found so far to express it... Security, in many cases, decays. It's like what we used to call, in the Old Days, "bit rot". Software that has "worked" "perfectly well" for years (that is, failures and mistakes have fallen under the threshold of detection) suddenly stop "working". Often, it's because some element of the environment in which the system runs has changed around it. It could be a library that the program uses, for instance. I suppose it could be a change in the way the software is used, or applied. So while most software decays in some way while it ages, I seem to observe that the security aspect of a program decays faster than the rest of it. (This has some analogies in the "real" world. Some parts of a car, for example, wear out faster than the rest. Tires and Brake pads. It's an interesting feature of good design, of course, to isolate the effects of wear and tear into parts intended to be disposable. But I digress.) I have therefore often wondered if we should be talking, not about how "secure" a system is, in a static sense, but rather what its security half-life is. This is the point of my hoary thought experiment (sorry if you've heard this one) in which we prepare a desktop with the latest and greatest in the way of anti-virus stuff, firewalls, OS patches, and so forth, then spin it down, shrink-wrap it, and put it in a closet. If we take it out a year later and spin it up, that system will be less sure--more likely to successfully be compromised--than it was when it was spun down. How fast security decays will vary, depending mostly on which OS and app software it runs and how corrosive, if you will, that part of the overall operating landscape (the Internet, say) is. This reasoning leads me to the thought that Mac OS X, for example, is "more secure" than Windows XP for reasons having nothing directly to do with design or implementation, but rather pertaining to its very ubiquity. XP, in this sense, is the center of the bullseye. Gee, maybe software systems emanate a modicum of "unsecurity gravity", so that if you get a great many of them together (that is, if millions and millions of people buy the product), security plummets, and declines as the square of the distance to True Dead Center of the day's commonplace platform. Or, to put it another way, this is why XP sucks. Well, I said I've never been happy with the way I've expressed this. -mg- ----- Original Message ----- From: To: Sent: Friday, July 21, 2006 5:05 AM Subject: SC-L Digest, Vol 2, Issue 124 > Send SC-L mailing list submissions to > sc-l at securecoding.org > > To subscribe or unsubscribe via the World Wide Web, visit > http://krvw.com/mailman/listinfo/sc-l > or, via email, send a message with subject or body 'help' to > sc-l-request at securecoding.org > > You can reach the person managing the list at > sc-l-owner at securecoding.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of SC-L digest..." > > > Today's Topics: > > 1. Re: bumper sticker slogan for secure software (Pascal Meunier) > 2. Re: bumper sticker slogan for secure software > (leichter_jerrold at emc.com) > 3. Re: bumper sticker slogan for secure software (Florian Weimer) > 4. Re: bumper sticker slogan for secure software (Pascal Meunier) > 5. Re: bumper sticker slogan for secure software (ljknews) > 6. Re: bumper sticker slogan for secure software (Pascal Meunier) > 7. Re: bumper sticker slogan for secure software (ljknews) > 8. Re: bumper sticker slogan for secure software (Dana Epp) > 9. Re: bumper sticker slogan for secure software (John Wilander) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Thu, 20 Jul 2006 15:11:06 -0400 > From: Pascal Meunier > Subject: Re: [SC-L] bumper sticker slogan for secure software > To: Gary McGraw , Florian Weimer , > der Mouse > Cc: SC-L at securecoding.org > Message-ID: > Content-Type: text/plain; charset="ISO-8859-1" > > > > On 7/20/06 1:57 PM, "Gary McGraw" wrote: > >> I'm afraid that's not true. John Knight has a famous paper that shows >> that >> design/requirements bugs persist in n-version programming paradigms. >> I'll let >> the interested people google that one up for themselves. >> >> gem > > But it's true for stupid bugs like buffer overflows and format string > vulnerabilities, in which we're still swimming, and the proof is the fact > that those aren't possible in some languages. For design/requirements > bugs, > I'm reading: > > Why Are Formal Methods Not Used More Widely? > John C. Knight Colleen L. DeJong Matthew S. Gibble Lu?s G. Nakano > Department of Computer Science > University of Virginia > Charlottesville, VA 22903 > > http://www.cs.virginia.edu/~jck/publications/lfm.97.pdf > > and the evidence is that engineers presented with formal specifications > were > able to spot many design errors ("Validation by inspection was > effective"). > Therefore if you have a formal, high-level version it can be validated > better, and formal methods give proof that the lower-level code conforms. > > I call that all-around better, and I'm hoping for more of it and better > ways > to do it. Now if you order a cat and needed a dog, nobody can help you. > > Pascal > > >> >> -----Original Message----- >> From: Pascal Meunier [mailto:pmeunier at cerias.purdue.edu] >> Sent: Thu Jul 20 13:54:42 2006 >> To: Florian Weimer; der Mouse >> Cc: SC-L at securecoding.org >> Subject: Re: [SC-L] bumper sticker slogan for secure software >> >> >> >> On 7/20/06 11:58 AM, "Florian Weimer" wrote: >> >>> * der Mouse: >>> >>>>>> Absolute security is a myth. As is designing absolutely secure >>>>>> software. >>>> >>>>> I have high hopes in formal methods. >>>> >>>> All formal methods do is push bugs around. Basically, you end up >>>> writing in a higher-level language (the spec you are formally verifying >>>> the program meets). You are then subject to the bugs present in *that* >>>> "program" (the spec) and the bugs present in the "compiler" (the formal >>>> verifier). >>> >>> But people are forced to spend more time with the code, which >>> generally helps them (in particular smart people) to eradicate bugs. >>> Another way to achieve the same thing is to freeze the code base and >>> let it mature over decades, but I don't see the business model for >>> that. >> >> Also, writing it twice with different languages, especially at different >> levels of abstraction, makes it less likely that the same bugs will >> appear >> in both. You can choose the higher level language so that it has great >> expressive power exactly for the things that are a pain to capture and >> verify (and thus a source of bugs) in the lower-level language. Last >> time I >> checked, formal methods were even able to catch design errors in some >> networking protocols. But you're right, they are not absolutely perfect >> because the tools and operators aren't, etc... That doesn't mean they >> can't >> help a great deal. I have great hopes for their usefulness. Maybe some >> day >> they will help so much that the distinction between what they can produce >> and absolutely secure software will become too small to matter. Whether >> we'll still be alive when that happens is another question. >> >> Pascal >> >> >> >> _______________________________________________ >> Secure Coding mailing list (SC-L) >> SC-L at securecoding.org >> List information, subscriptions, etc - >> http://krvw.com/mailman/listinfo/sc-l >> List charter available at - http://www.securecoding.org/list/charter.php >> >> >> >> >> ---------------------------------------------------------------------------- >> This electronic message transmission contains information that may be >> confidential or privileged. The information contained herein is intended >> solely for the recipient and use by any other party is not authorized. >> If >> you are not the intended recipient (or otherwise authorized to receive >> this >> message by the intended recipient), any disclosure, copying, distribution >> or >> use of the contents of the information is prohibited. If you have >> received >> this electronic message transmission in error, please contact the sender >> by >> reply email and delete all copies of this message. Cigital, Inc. accepts >> no >> responsibility for any loss or damage resulting directly or indirectly >> from >> the use of this email or its contents. >> Thank You. >> ---------------------------------------------------------------------------- >> >> _______________________________________________ >> Secure Coding mailing list (SC-L) >> SC-L at securecoding.org >> List information, subscriptions, etc - >> http://krvw.com/mailman/listinfo/sc-l >> List charter available at - http://www.securecoding.org/list/charter.php >> > > > > > > ------------------------------ > > Message: 2 > Date: Thu, 20 Jul 2006 15:33:30 -0400 > From: leichter_jerrold at emc.com > Subject: Re: [SC-L] bumper sticker slogan for secure software > To: pmeunier at cerias.purdue.edu > Cc: mouse at rodents.montreal.qc.ca, SC-L at securecoding.org > Message-ID: > Content-Type: text/plain; charset="iso-8859-1" > > | >>>> Absolute security is a myth. As is designing absolutely secure > | >>>> software. > | >> > | >>> I have high hopes in formal methods. > | >> > | >> All formal methods do is push bugs around... > | > > | > But people are forced to spend more time with the code, which > | > generally helps them (in particular smart people) to eradicate > bugs.... > | > | Also, writing it twice with different languages, especially at different > | levels of abstraction, makes it less likely that the same bugs will > appear > | in both. You can choose the higher level language so that it has great > | expressive power exactly for the things that are a pain to capture and > | verify (and thus a source of bugs) in the lower-level language.... > But always keep in mind a comment (allegedly, I've never actually > seen this) present at the top of something Don Knuth wrote: > > Be careful with this code. I've only proved > it correct, not actually tested it. > > If Don Knuth can say that about code, the rest of us should be very > humble about our correctness proofs. > -- Jerry > > > ------------------------------ > > Message: 3 > Date: Thu, 20 Jul 2006 21:46:22 +0200 > From: Florian Weimer > Subject: Re: [SC-L] bumper sticker slogan for secure software > To: Pascal Meunier > Cc: der Mouse , SC-L at securecoding.org > Message-ID: <87lkqojbzl.fsf at mid.deneb.enyo.de> > Content-Type: text/plain; charset=us-ascii > > * Pascal Meunier: > >> But it's true for stupid bugs like buffer overflows and format string >> vulnerabilities, in which we're still swimming, and the proof is the fact >> that those aren't possible in some languages. > > Could you name a few such language implementations? 8-) > > In most cases, the components that enforces the absence of buffer > overflows are written in C. In other cases, languages have the > reputation of being free from buffer overflows although it's just not > true: You can create a fully conforming Common Lisp implementation > where code injection through buffer overflows is possible. On the > other hand, it's possible to construct an ISO C implementation where > accessing memory beyond the end of a buffer is equivalent to calling > abort. (Such CL implementations are very common, but the C > implementatins aren't because they would feature a very unusual ABI or > suffer from poor performance.) > > And you need to keep in mind that even with C, we are close to turning > buffer overflows into completely reproducible crashes. This is not so > much different from supposedly safer programming languages where an > exception is raised in such cases. The exception can be handled, > sure, but if it is truly unexpected, your system will fail. > >> For design/requirements bugs, I'm reading: > > Safety-critical software is a very different beast. You can make much > stronger assumptions about the environment. It's not clear if the > results apply to software security in open system. > > I'm not saying that formal methods have no value. But I doubt that > comparisons with projects at completely different > dollars-per-line-of-code levels give immediate insights. > > > ------------------------------ > > Message: 4 > Date: Thu, 20 Jul 2006 16:03:01 -0400 > From: Pascal Meunier > Subject: Re: [SC-L] bumper sticker slogan for secure software > To: Florian Weimer > Cc: der Mouse , SC-L at securecoding.org > Message-ID: > Content-Type: text/plain; charset="US-ASCII" > > > > > On 7/20/06 3:11 PM, "Florian Weimer" wrote: > >> * Pascal Meunier: >> >>> Also, writing it twice with different languages, especially at different >>> levels of abstraction, makes it less likely that the same bugs will >>> appear >>> in both. >> >> Algorithmic issues such as denial of service attacks through >> unbalanced binary trees or hash table collisions are pretty >> independent of the programming language and have been observed in many >> incarnations. >> >> If you implement the same protocol, it's likely that you end up with >> similar bugs. The DNS compression loop bug was reinvented many times. >> The fundamental mismatch in OpenPGP between key certification (key >> plus user ID) and key usage (just the key alone) affected many >> independently developed implementations. Chrome spoofing is >> ubiquitous in web browsers. >> >> Most things in this list are implemented in C or C++, but the problems >> are at such a high level that it's unlikely that a different choice of >> wildly different programming language would make a huge difference. >> If you look at lower-level bugs, such as buffer overflows, I hope that >> nobody still thinks that multiple code versions help -- just look at >> the long list (even after discounting direct code copies) of botched >> ASN.1 decoders. >> >> Some protocols are extremly hard to implement correctly, I'm afraid. >> (And not all protocols are unnecessarily complex.) >> > > It's obvious that if you just translate a bad, complicated algorithm or > protocol from one language to the next, they'll all be bad. It remains > that > sometimes when you make people say something stupid twice they catch on > the > second time, especially during code reviews, because they re-express the > code using natural language. That's why I said, "less likely". It works > with some and not others. > > Pascal > > > > > ------------------------------ > > Message: 5 > Date: Thu, 20 Jul 2006 16:20:07 -0400 > From: ljknews > Subject: Re: [SC-L] bumper sticker slogan for secure software > To: SC-L at securecoding.org > Message-ID: > Content-Type: text/plain; charset="us-ascii" > > At 9:11 PM +0200 7/20/06, Florian Weimer wrote: > >> Most things in this list are implemented in C or C++, but the problems >> are at such a high level that it's unlikely that a different choice of >> wildly different programming language would make a huge difference. >> If you look at lower-level bugs, such as buffer overflows, I hope that >> nobody still thinks that multiple code versions help > > It helps so long as some of the languages chosen are those immune to > buffer overflows. > -- > Larry Kilgallen > > > ------------------------------ > > Message: 6 > Date: Thu, 20 Jul 2006 16:28:07 -0400 > From: Pascal Meunier > Subject: Re: [SC-L] bumper sticker slogan for secure software > To: Florian Weimer > Cc: der Mouse , SC-L at securecoding.org > Message-ID: > Content-Type: text/plain; charset="US-ASCII" > > > > > On 7/20/06 3:46 PM, "Florian Weimer" wrote: > >> * Pascal Meunier: >> >>> But it's true for stupid bugs like buffer overflows and format string >>> vulnerabilities, in which we're still swimming, and the proof is the >>> fact >>> that those aren't possible in some languages. >> >> Could you name a few such language implementations? 8-) >> >> In most cases, the components that enforces the absence of buffer >> overflows are written in C. > > > That's irrelevant. What is important is that some magic formal tool could > say that some code in language "A", where bug of type "k" is possible, is > not equivalent to the version in language "B", where type "k" bugs are > impossible, ergo you have found a type "k" bug (in the absence of any > other > bug in that section of code...). > > I know someone is going to ask, "why didn't you code it only in language B > then?", to which there can be many different answers, and I don't want to > get into that. > > >>> For design/requirements bugs, I'm reading: >> >> Safety-critical software is a very different beast. You can make much >> stronger assumptions about the environment. It's not clear if the >> results apply to software security in open system. >> >> I'm not saying that formal methods have no value. But I doubt that >> comparisons with projects at completely different >> dollars-per-line-of-code levels give immediate insights. > > That's one of the things I'm hoping for: that more and better formal > methods become more affordable and practical. Spark, for example, > demonstrated that the costs of some formal methods were much lower than > what > people expected, in real projects. That gives me hope. > > Pascal > > > > > > > ------------------------------ > > Message: 7 > Date: Thu, 20 Jul 2006 16:59:35 -0400 > From: ljknews > Subject: Re: [SC-L] bumper sticker slogan for secure software > To: SC-L at securecoding.org > Message-ID: > Content-Type: text/plain; charset="us-ascii" > > At 9:46 PM +0200 7/20/06, Florian Weimer wrote: >> * Pascal Meunier: >> >>> But it's true for stupid bugs like buffer overflows and format string >>> vulnerabilities, in which we're still swimming, and the proof is the >>> fact >>> that those aren't possible in some languages. >> >> Could you name a few such language implementations? 8-) > > Ada ! > >> In most cases, the components that enforces the absence of buffer >> overflows are written in C. > > Not in VAX/DEC/Compaq/HP Ada, which is the one that I use. > > But the "components" that enforce the absence of buffer overflows are > not written in Bliss (the language of the Ada RTL for that compiler) > either. They are in the code that is generated, or the failure to > generate that code because the problem was caught at compile time. > -- > Larry Kilgallen > > > ------------------------------ > > Message: 8 > Date: Thu, 20 Jul 2006 15:44:38 -0700 > From: "Dana Epp" > Subject: Re: [SC-L] bumper sticker slogan for secure software > To: , "Wall, Kevin" > Cc: SC-L at securecoding.org > Message-ID: > <9AE3FC06F0A89A43A4D6F667955082C402D364 at sbsmain.Vulscan.local> > Content-Type: text/plain; charset="us-ascii" > > Actually, Brian Shea got the points for emailing me that he knew it was > the system error "Access Denied". > > An extra 10 points goes to Andrew van der Stock for his explaination > that: > > "apparently the term originates from radio, where 5x5 means good > reception and good signal strength (in that order). So > > 0x5 > > means > > - no reception ("0") > - good signal strength ("5") > > ie, we're doing ok at getting our message out, but people aren't > listening yet. " > > That cracked me up. So fitting for this forum. > > > Regards, > Dana Epp > [Microsoft Security MVP] > http://silverstr.ufies.org/blog/ > > -----Original Message----- > From: mikeiscool [mailto:michaelslists at gmail.com] > Sent: Thursday, July 20, 2006 3:25 PM > To: Wall, Kevin > Cc: Dana Epp; SC-L at securecoding.org > Subject: Re: [SC-L] bumper sticker slogan for secure software > >> BTW, does anyone besides me think that it's time to put this thread to > >> rest? > > I do. > > But i'm still waiting for my points from dana ... > > >> -kevin > > -- mic > > > > ------------------------------ > > Message: 9 > Date: Fri, 21 Jul 2006 13:15:01 +0200 > From: John Wilander > Subject: Re: [SC-L] bumper sticker slogan for secure software > To: SC-L at securecoding.org > Message-ID: <200607211115.k6LBFCoW007733 at portofix.ida.liu.se> > Content-Type: text/plain; charset=us-ascii > > I've actually been using a secure software slogan for a few years, both in > teaching and in pitching business. It's taken from Howard and LeBlanc's > book "Writing Secure Code": > > - Security features are not secure features - > > The statement mesmerizes people and aguably needs a "necessarily" to be > more precise. But it's short and does the trick for me---it separates > adding security functions from trying to secure all functions in the > system (during all phases). > > Regards, John > > ____________________________ > John Wilander, PhD Student > Computer and Information Sc. > Linkoping University, Sweden > http://www.ida.liu.se/~johwi > > > ------------------------------ > > _______________________________________________ > SC-L mailing list > SC-L at securecoding.org > http://krvw.com/mailman/listinfo/sc-l > > > End of SC-L Digest, Vol 2, Issue 124 > ************************************ > From crispin at novell.com Fri Jul 21 13:44:49 2006 From: crispin at novell.com (Crispin Cowan) Date: Fri, 21 Jul 2006 10:44:49 -0700 Subject: [SC-L] bumper sticker slogan for secure software In-Reply-To: <5e01c29a0607201548v500b1e13wc2e7ceb6787c0791@mail.gmail.com> References: <9AE3FC06F0A89A43A4D6F667955082C402D360@sbsmain.Vulscan.local> <5e01c29a0607201548v500b1e13wc2e7ceb6787c0791@mail.gmail.com> Message-ID: <44C11291.4020807@novell.com> mikeiscool wrote: > On 7/21/06, Dana Epp wrote: > >>> yeah. >>> but none of this changes the fact that it IS possible to write completely secure code. >>> >> And it IS possible that a man will walk on Mars someday. But its not >> practical or realistic in the society we live in today. I'm sorry mic, >> but I have to disagree with you here. >> >> It is EXTREMELY difficult to have code be 100% correct if an application >> has any level of real use or complexity. There will be security defects. >> > Why? Why accept this as a fact? It is not a fact. If you put > procedures in place and appropriately review and test you can be > confident. > Sorry, but it is a fact. Yes, you can have provably correct code. Cost is approximately $20,000 per line of code. That is what the "procedures" required for correct code cost. Oh, and they are kind of super-linear, so one program of 200 lines costs more than 2 programs of 100 lines. >> More importantly, threats are constantly evolving and what you may >> consider completely secure today may not be tomorrow when a new attack >> vector is recognized that may attack your software. >> > This isn't as true and as wide spread as you make it sound. Consider, > for example, "SQL Injection". Assuming I do not upgrade my database, > and do not change my code and server (i.e. do not change my > environment at all), then if I have prevented this attack initially > nothing new will come up to suddenly make it work. > Indeed, consider SQL injection attacks. They didn't exist 5 years ago, because no one had thought of them. Same with XSS bugs. Same with printf format string attacks. All of them are examples of processing user input without validation, but they are all really big classes of such, and they were discovered to occur in very large numbers in common code. What Dana is trying to tell you is that some time in the next year or so, someone is going to discover yet another of these major vulnerability classes that no one has thought of before. At that point, a lot of code that was thought to be reasonably secure suddenly is vulnerable. >> And unless you wrote >> every single line of code yourself without calling out to ANY libraries, >> you cannot rely on the security of other libraries or components that >> may NOT have the same engineering discipline that you may have on your >> own code base. >> > Not true; you can call other libraries happily and with confidence if > you handle the case of them going all kinds of wrong. > This also is false. Consider the JPG bug that badly 0wned Microsoft desktops a while back. It was a bug in an image processing library. You try to view an image by processing it with the library, and the result is that the attacker can execute arbitrary code in your process. That is pretty difficult to defensively program against. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com Hack: adroit engineering solution to an unaticipated problem Hacker: one who is adroit at pounding round pegs into square holes From securecoding2dave at davearonson.com Fri Jul 21 19:43:43 2006 From: securecoding2dave at davearonson.com (securecoding2dave at davearonson.com) Date: Fri, 21 Jul 2006 19:43:43 -0400 Subject: [SC-L] security half-life and critical mass In-Reply-To: <004e01c6ace2$beea2480$0501a8c0@LIBERTY> References: <004e01c6ace2$beea2480$0501a8c0@LIBERTY> Message-ID: <44C166AF.3050802@davearonson.com> Mark Graff wrote: > I have therefore often wondered if we should be talking, not about how > "secure" a system is, in a static sense, but rather what its security > half-life is. Interesting point! > This reasoning leads me to the > thought that Mac OS X, for example, is "more secure" than Windows XP for > reasons having nothing directly to do with design or implementation, but > rather pertaining to its very ubiquity. XP, in this sense, is the center of > the bullseye. This one however has been raised many times before. Yes, if MacOS (or Linux or BSD or OS/2 or whatever) had a much larger market share, there would be many more attacks developed against it than now. However, from all I've read (not having actually TRIED to attack it myself), it is indeed much more securely designed, implemented, and typically deployed, installed, and maintained, than Windows. So, assuming equal market share, I predict that you'd have several times the viruses, worms, rootkits, etc. directed against Windows, simply because there are several times as many chinks in its armor, and, just as now, gazillions of times as many Windows machines actually broken into or otherwise damaged due to bad security, as Mac. > Gee, maybe software systems emanate a modicum of "unsecurity gravity", so > that if you get a great many of them together (that is, if millions and > millions of people buy the product), security plummets, and declines as the > square of the distance to True Dead Center of the day's commonplace > platform. Or, to put it another way, this is why XP sucks. It's one factor. If the market share figures were reversed, there would probably not be as many attacks written for it, and certainly there would be fewer worm-infected machines trying to attack other XP boxen. But it's far from the only reason. > ----- Original Message ----- > From: > To: > Sent: Friday, July 21, 2006 5:05 AM > Subject: SC-L Digest, Vol 2, Issue 124 Please trim your quoted matter to just what's necessary to give us a clue what you're talking about. Google nettiquette. -Dave From dcrocker at eschertech.com Fri Jul 21 17:57:17 2006 From: dcrocker at eschertech.com (David Crocker) Date: Fri, 21 Jul 2006 22:57:17 +0100 Subject: [SC-L] Cost of provably-correct code (was: bumper sticker slogan for secure software) In-Reply-To: <44C11291.4020807@novell.com> Message-ID: <00f701c6ad10$a35a8ba0$cb00000a@escheradmin> Crispin Cowan wrote on 21 July 2006 18:45: >> Yes, you can have provably correct code. Cost is approximately $20,000 per line of code. That is what the "procedures" required for correct code cost. Oh, and they are kind of super-linear, so one program of 200 lines costs more than 2 programs of 100 lines. << To arrive at that cost, I can only assume that you are referring to a process in which all the proofs are done by hand, as was attempted for a few projects in the 1980s. We current achieve automatic proof rates of 98% to 100% (using PD), and I hear that Praxis also achieves automatic proof rates well over 90% (using Spark) these days. This has brought down the cost of producing provable code enormously. You are perhaps also including the cost of verifying the object code against the source code. Although this is sometimes a requirement in the safety-critical software world, I think it unlikely to be necessary for all but a very few secure applications, assuming a mature compiler is used. >> Indeed, consider SQL injection attacks. They didn't exist 5 years ago, because no one had thought of them. Same with XSS bugs. Same with printf format string attacks. All of them are examples of processing user input without validation, but they are all really big classes of such, and they were discovered to occur in very large numbers in common code. What Dana is trying to tell you is that some time in the next year or so, someone is going to discover yet another of these major vulnerability classes that no one has thought of before. At that point, a lot of code that was thought to be reasonably secure suddenly is vulnerable. << I agree, a new class of vulnerability may well be discovered. However, if the code was specified and developed so as to be provably correct, then it is highly likely that immunity to a new class of attack can be expressed by adding additional formal requirements, allowing an immediate evaluation of where in the design and implementation the vulnerabilities (if any) lie. David Crocker, Escher Technologies Ltd. Consultancy, contracting and tools for dependable software development www.eschertech.com From mouse at Rodents.Montreal.QC.CA Sat Jul 22 15:46:18 2006 From: mouse at Rodents.Montreal.QC.CA (der Mouse) Date: Sat, 22 Jul 2006 15:46:18 -0400 (EDT) Subject: [SC-L] Cost of provably-correct code (was: bumper sticker slogan for secure software) In-Reply-To: <00f701c6ad10$a35a8ba0$cb00000a@escheradmin> References: <00f701c6ad10$a35a8ba0$cb00000a@escheradmin> Message-ID: <200607221952.PAA29490@Sparkle.Rodents.Montreal.QC.CA> >> Yes, you can have provably correct code. Perhaps. But then you have bugs in the prover (and thus proof) instead. Human mistakes if it's human proof, bugs in the code for automated proof. You also have bugs in the spec that you're proving the code conforms to (unless you're simply trying to prove something like "this code never writes outside an array's dimentioned bounds", which is not what I usually take "provably correct code" to mean). /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML mouse at rodents.montreal.qc.ca / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B From crispin at novell.com Sun Jul 23 13:18:43 2006 From: crispin at novell.com (Crispin Cowan) Date: Sun, 23 Jul 2006 10:18:43 -0700 Subject: [SC-L] "Bumper sticker" definition of secure software In-Reply-To: <5e01c29a0607201526h78810b6ajb78d7fa92d3ab6d3@mail.gmail.com> References: <17EF6F3064F79040A085A09975A8595305B7F5CC@ex2k.bankofamerica.com> <87lkqop8zq.fsf@mid.deneb.enyo.de> <5e01c29a0607201526h78810b6ajb78d7fa92d3ab6d3@mail.gmail.com> Message-ID: <44C3AF73.6050105@novell.com> mikeiscool wrote: > On 7/21/06, Florian Weimer wrote: > >> Secure software costs more, requires more user training, and fails in >> hard-to-understand patterns. If you really need it, you lose. >> > Really secure software should require _less_ user training, not more. > That depends. If "really secure" means "free of defects", then yes, it should be easier to use, because it will have fewer surprising quirks. However, since there is so little defect-free software, most often a "really secure" system is one with lots of belt-and-suspenders access controls and authentication checks all over the place. "Security" is the business of saying "no" to the bad guys, so it necessarily involves saying "no" if you don't have all your ducks in a row. As a result, really secure systems tend to require lots of user training and are a hassle to use because they require permission all the time. Imagine if every door in your house was spring loaded and closed itself after you went through. And locked itself. And you had to use a key to open it each time. And each door had a different key. That would be really secure, but it would also not be very convenient. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com Hack: adroit engineering solution to an unaticipated problem Hacker: one who is adroit at pounding round pegs into square holes From michaelslists at gmail.com Sun Jul 23 18:42:10 2006 From: michaelslists at gmail.com (mikeiscool) Date: Mon, 24 Jul 2006 08:42:10 +1000 Subject: [SC-L] "Bumper sticker" definition of secure software In-Reply-To: <44C3AF73.6050105@novell.com> References: <17EF6F3064F79040A085A09975A8595305B7F5CC@ex2k.bankofamerica.com> <87lkqop8zq.fsf@mid.deneb.enyo.de> <5e01c29a0607201526h78810b6ajb78d7fa92d3ab6d3@mail.gmail.com> <44C3AF73.6050105@novell.com> Message-ID: <5e01c29a0607231542n76030436ia000e6c6cdd1a7f1@mail.gmail.com> > As a result, really secure systems tend to require lots of user training > and are a hassle to use because they require permission all the time. No I disagree still. Consider a smart card. Far easier to use then the silly bank logins that are available these days. Far easier then even bothering to check if the address bar is yellow, due to FF, or some other useless addon. You just plug it in, and away you go, pretty much. And requiring user permission does not make a system harder to use (per se). It can be implemented well, and implemented badly. > Imagine if every door in your house was spring loaded and closed itself > after you went through. And locked itself. And you had to use a key to > open it each time. And each door had a different key. That would be > really secure, but it would also not be very convenient. We're talking computers here. Technology lets you automate things. > Crispin -- mic From michaelslists at gmail.com Sun Jul 23 19:13:49 2006 From: michaelslists at gmail.com (mikeiscool) Date: Mon, 24 Jul 2006 09:13:49 +1000 Subject: [SC-L] bumper sticker slogan for secure software In-Reply-To: <44C11291.4020807@novell.com> References: <9AE3FC06F0A89A43A4D6F667955082C402D360@sbsmain.Vulscan.local> <5e01c29a0607201548v500b1e13wc2e7ceb6787c0791@mail.gmail.com> <44C11291.4020807@novell.com> Message-ID: <5e01c29a0607231613w72f01a3o970c1d8c43b1d153@mail.gmail.com> > Sorry, but it is a fact. Yes, you can have provably correct code. Cost > is approximately $20,000 per line of code. That is what the "procedures" > required for correct code cost. Oh, and they are kind of super-linear, > so one program of 200 lines costs more than 2 programs of 100 lines. Someone already pointed this out but your numbers here have no basis. Provide references or something, otherwise they are meaningless. > > This isn't as true and as wide spread as you make it sound. Consider, > > for example, "SQL Injection". Assuming I do not upgrade my database, > > and do not change my code and server (i.e. do not change my > > environment at all), then if I have prevented this attack initially > > nothing new will come up to suddenly make it work. > > Indeed, consider SQL injection attacks. They didn't exist 5 years ago, Prove it. > because no one had thought of them. Same with XSS bugs. Again prove it. I might say that they didn't exist at a given time because apps that were affected weren't widely deployed. Online BBS's are relatively new, and that, to my memory, was the first place for XSS bugs. > What Dana is trying to tell you is that some time in the next year or > so, someone is going to discover yet another of these major > vulnerability classes that no one has thought of before. At that point, > a lot of code that was thought to be reasonably secure suddenly is > vulnerable. Right, but if your environment is unchanged and you've looked at all angles, then you will not be affected. Note that I'm not saying it's easy, but .. > > Not true; you can call other libraries happily and with confidence if > > you handle the case of them going all kinds of wrong. > > This also is false. Consider the JPG bug that badly 0wned Microsoft > desktops a while back. It was a bug in an image processing library. You > try to view an image by processing it with the library, and the result > is that the attacker can execute arbitrary code in your process. That is > pretty difficult to defensively program against. Why? > Crispin -- mic From crispin at novell.com Sun Jul 23 23:59:42 2006 From: crispin at novell.com (Crispin Cowan) Date: Sun, 23 Jul 2006 20:59:42 -0700 Subject: [SC-L] Cost of provably-correct code In-Reply-To: <00f701c6ad10$a35a8ba0$cb00000a@escheradmin> References: <00f701c6ad10$a35a8ba0$cb00000a@escheradmin> Message-ID: <44C445AE.7010102@novell.com> David Crocker wrote: > Crispin Cowan wrote on 21 July 2006 18:45: > >> Yes, you can have provably correct code. Cost is approximately $20,000 per line >> of code. That is what the "procedures" required for correct code cost. Oh, and >> they are kind of super-linear, so one program of 200 lines costs more than 2 >L programs of 100 lines. > > To arrive at that cost, I can only assume that you are referring to a process in > which all the proofs are done by hand, as was attempted for a few projects in > the 1980s. I did not arrive at it. It is (allegedly) the NSA's estimate of cost per LOC for EAL7 provably correct assurance. This was quoted to me from a friend at a company who has an A1 (orange book) secure microkernel. >> We current achieve automatic proof rates of 98% to 100% (using PD), >> and I hear that Praxis also achieves automatic proof rates well over 90% (using >> Spark) these days. This has brought down the cost of producing provable code >> enormously. Interesting. That could possibly bring down the cost of High Assurance software enormously. How would your prover work on (say) something like the Xen hypervisor? Or the L4 microkernel? Caveat: they are C code :( Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com Hack: adroit engineering solution to an unanticipated problem Hacker: one who is adroit at pounding round pegs into square holes From dana at vulscan.com Mon Jul 24 12:47:19 2006 From: dana at vulscan.com (Dana Epp) Date: Mon, 24 Jul 2006 09:47:19 -0700 Subject: [SC-L] "Bumper sticker" definition of secure software Message-ID: <9AE3FC06F0A89A43A4D6F667955082C402D367@sbsmain.Vulscan.local> But secure software is not a technology problem, it's a business one. Focused on people. If smartcards were so great, why isn't every single computer in the world equipped with a reader? There will always be technology safeguards we can put in place to mitigate particular problems. But technology is not a panacea here. There will always be trade-offs that will trump secure design and deployment of safeguards. It's not about putting ABSOLUTE security in... It's about putting just enough security in to mitigate risks to acceptable levels to the business scenario at hand, and at a cost that is justifiable. Smartcard readers aren't deployed everywhere as they simply are too costly to deploy, against particular PERCEIVED threats that may or not be part of an application's threat profile. I agree that we can significantly lessen the technology integration problem with computers. We are, after all, supposed to be competent developers that can leverage the IT infrastructure to our bidding. The problem is when we keep our head in the technology bubble without thinking about the business impacts and costs, wasting resources in the wrong areas. It is no different than "network security professionals" that deploy $30,000 firewalls to protect digital assets worth less than the computer they are on. (I once saw a huge Checkpoint firewall protecting an MP3 server. Talk about waste.) Those guys should be shot for ever making that recommendation. As should secure software engineers who think they can solve all problems with technology without considering all risks and impacts to the business. Regards, Dana Epp [Microsoft Security MVP] http://silverstr.ufies.org/blog/ -----Original Message----- From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of mikeiscool Sent: Sunday, July 23, 2006 3:42 PM To: Crispin Cowan Cc: Secure Coding Mailing List Subject: Re: [SC-L] "Bumper sticker" definition of secure software > As a result, really secure systems tend to require lots of user > training and are a hassle to use because they require permission all the time. No I disagree still. Consider a smart card. Far easier to use then the silly bank logins that are available these days. Far easier then even bothering to check if the address bar is yellow, due to FF, or some other useless addon. You just plug it in, and away you go, pretty much. And requiring user permission does not make a system harder to use (per se). It can be implemented well, and implemented badly. > Imagine if every door in your house was spring loaded and closed > itself after you went through. And locked itself. And you had to use a > key to open it each time. And each door had a different key. That > would be really secure, but it would also not be very convenient. We're talking computers here. Technology lets you automate things. > Crispin -- mic _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php From Ed.Reed at aesec.com Mon Jul 24 15:06:34 2006 From: Ed.Reed at aesec.com (Ed Reed (Aesec)) Date: Mon, 24 Jul 2006 15:06:34 -0400 Subject: [SC-L] Cost of provably-correct code In-Reply-To: References: Message-ID: <44C51A3A.7050301@aesec.com> > > David Crocker wrote: > >> > Crispin Cowan wrote on 21 July 2006 18:45: >> > >> >>> >> Yes, you can have provably correct code. Cost is approximately $20,000 per line >>> >> of code. That is what the "procedures" required for correct code cost. Oh, and >>> >> they are kind of super-linear, so one program of 200 lines costs more than 2 >>> >> >L programs of 100 lines. >> > >> > To arrive at that cost, I can only assume that you are referring to a process in >> > which all the proofs are done by hand, as was attempted for a few projects in >> > the 1980s. >> > I did not arrive at it. It is (allegedly) the NSA's estimate of cost per > LOC for EAL7 provably correct assurance. This was quoted to me from a > friend at a company who has an A1 (orange book) secure microkernel. > Well, not specifically for an EAL7 program, perhaps, but rather for a Class A1 system like ours, which is arguably a superset of an EAL7 protection profile corresponding to the Mandatory Component (only) functional requirements for a Class A1 system under the Trusted Network Interpretation of the TCSEC. That is, for a reference monitor verifiably enforcing the Mandatory Access Control (both integrity and secrecy) security policy (for Multi-Level Security), including formal top level specification and correspondence mapping to the implementation, including trusted distribution and RAMP (Ratings Assurance Maintenance Phase, which allows changes to the system to be evaluated incrementally rather than requiring re-examination of the whole system each time). The system has a formally layered architecture (without loops) and can be configured with no covert storage channels (the only general purpose system we know of that can make such a claim), Proving a software system is correct is one thing. Proving it is correct as part of the hardware/software system of which it is a part is a second thing. And proving you can securely deliver it and security revise it is yet something else, I suppose. I expect that such a high cost estimate would include everything from clean-sheet design through evaluated configuration delivery of the product. It's not the cost to prove something. It's the cost to design and develop something you can prove, and then do so. > >>> >> We current achieve automatic proof rates of 98% to 100% (using PD), >>> >> and I hear that Praxis also achieves automatic proof rates well over 90% (using >>> >> Spark) these days. This has brought down the cost of producing provable code >>> >> enormously. >>> > > Interesting. That could possibly bring down the cost of High Assurance > software enormously. > > How would your prover work on (say) something like the Xen hypervisor? > Or the L4 microkernel? > > Caveat: they are C code :( > > Crispin The class A1 system referenced uses Pascal for the reference monitor / security kernel, with a small amount of assembler to handle hardware-interface things that couldn't be done any other way. Pascal was chosen because it seemed a better fit than PL1, I suppose...for the 286-architecture environment for which it was originally developed. It presently runs on Pentium-class processors. A type-safe language was deemed necessary to support the assurance evaluation effort, as I understand it. The formal internal model and top level specification is written in Ina Jo, the specification language of the Unisys Formal Development Methodology. Reference section 7.6 "Design Specification and Verification" of the Final Evaluation Report for further details and section 8.18 "Design Specification and Verification" for the evaluators comments. The Class A1 certificate is available at http://www.radium.ncsc.mil/tpep/epl/entries/CSC-EPL-94-008.html or our copy at http://www.aesec.com/eval/CSC-EPL-94-008.html (alas, the Evaluated Products List is no longer generally accessible, outside the .mil domain, at least - I'll be happy to provide a postscript or Acrobat PDF copy of the FER to anyone who asks me off line for it - please don't blast the list with such requests, though). Ed -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20060724/0721a432/attachment.html From michaelslists at gmail.com Mon Jul 24 18:48:04 2006 From: michaelslists at gmail.com (mikeiscool) Date: Tue, 25 Jul 2006 08:48:04 +1000 Subject: [SC-L] "Bumper sticker" definition of secure software In-Reply-To: <9AE3FC06F0A89A43A4D6F667955082C402D367@sbsmain.Vulscan.local> References: <9AE3FC06F0A89A43A4D6F667955082C402D367@sbsmain.Vulscan.local> Message-ID: <5e01c29a0607241548o6d5e8b8bg57505274412f38c@mail.gmail.com> On 7/25/06, Dana Epp wrote: > But secure software is not a technology problem, Yes it is. > it's a business one. > Focused on people. This is part of the issue, not the whole issue. > If smartcards were so great, why isn't every single computer in the > world equipped with a reader? The answer isn't that smart cards aren't great, it's that it's not a practical possibility. Maybe oneday it will be. > There will always be technology safeguards > we can put in place to mitigate particular problems. But technology is > not a panacea here. *sigh* I never said it was. No one said it was. > It is no different than "network security professionals" that deploy > $30,000 firewalls to protect digital assets worth less than the computer > they are on. (I once saw a huge Checkpoint firewall protecting an MP3 > server. Talk about waste.) Those guys should be shot for ever making > that recommendation. As should secure software engineers who think they > can solve all problems with technology without considering all risks and > impacts to the business. All this is interesting but useless for this discussion. Nobody said you should try and solve all problems with technology without consider the impacts to the business. Please go back and read the original posts to find out what we were talking about before going off on a boring, totally unoriginal, rant, that everyone here is already intimately familiar with. > Regards, > Dana Epp -- mic From vanderaj at greebo.net Mon Jul 24 19:24:12 2006 From: vanderaj at greebo.net (Andrew van der Stock) Date: Mon, 24 Jul 2006 16:24:12 -0700 Subject: [SC-L] "Bumper sticker" definition of secure software In-Reply-To: <5e01c29a0607231542n76030436ia000e6c6cdd1a7f1@mail.gmail.com> References: <17EF6F3064F79040A085A09975A8595305B7F5CC@ex2k.bankofamerica.com> <87lkqop8zq.fsf@mid.deneb.enyo.de> <5e01c29a0607201526h78810b6ajb78d7fa92d3ab6d3@mail.gmail.com> <44C3AF73.6050105@novell.com> <5e01c29a0607231542n76030436ia000e6c6cdd1a7f1@mail.gmail.com> Message-ID: NB: I am not speaking on behalf of my employer and this is my personal opinion. Banks in general do not use smart cards as they suffer from the same issue as two factor non-transaction signing fobs - they are somewhat trivial to trick users into giving up a credential. Connected keys are the worst - they induce laziness in the user and infer security which is not actually there. Smart card integration over web apps is non-existent. The HTTP 1.1 protocol does not support two factor transaction signing nor smart cards in general (unless you are just using SSL with a client-side cert, which is just as vulnerable as a normal IB app today if the attacker chooses a CSRF attack). Therefore, you need *something* extra to make 2FA USB fob authentication work. RSA has an ActiveX plugin (Keon WebPassport) which works great in an Intranet environment and you control all the resources. However, such solutions have a support overhead and locks users into just Win32 platform, and locks out pretty much any site that blocks ActiveX controls on their PCs. Here's why such devices will not fly: *) costs money to ensure that the crypto is compliant with national and international standards *) costs money to develop and deploy secure internal PKI and secure operational procedures to issue certificates for the devices. For the average institution, this is a lot of overhead. *) costs money to deploy (need to send out software, instructions, device, smart card) *) costs money to register users securely (is sending through the mail acceptable?) <- this step was stuffed up in the UK's Chip and Pin roll out, so we have an excellent data point already http://www.theregister.co.uk/2004/09/16/chip_pin_crime_wave/ *) costs money to train users to only insert their smart card when your app is running and not just leave it in *) costs money to support users when your software gets the blame for their user's support woes (whether true or not) *) doesn't improve security if the user can just say yes. The typical dialog for these things is "Please press Submit to pay Nice Person $100 using your token". If the app suffers from an XSS, why is this prompt safe? Can you trust "Nice Person" or $100? Disconnected trx signing devices are simple, cheap, and have *fewer* costs. Note I do not say none of the costs, but it is significantly less and at least we don't trust the user's browser, the user's browser can be any platform (MacOS X, Linux, FreeBSD, Win95, XP, Vista), we don't end up supporting the user's desktop, and we don't need to train the users so much. That's why smart cards will not be used if the Bank has done a proper side-by-side comparison, and compared the relative risk versus cost. Smart cards (and anything which requires platform support) are less secure, less trustworthy, take more effort, and cost more. thanks, Andrew On 23/07/2006, at 3:42 PM, mikeiscool wrote: > No I disagree still. Consider a smart card. Far easier to use then the > silly bank logins that are available these days. Far easier then even > bothering to check if the address bar is yellow, due to FF, or some > other useless addon. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2234 bytes Desc: not available Url : http://krvw.com/pipermail/sc-l/attachments/20060724/21195f27/attachment.bin From ken at krvw.com Tue Jul 25 13:04:37 2006 From: ken at krvw.com (Kenneth Van Wyk) Date: Tue, 25 Jul 2006 13:04:37 -0400 Subject: [SC-L] Dark Reading - Application and Perimeter Security - Hacking the Vista Kernel - Security News Analysis Message-ID: Here's an interesting article from Dark Reading regarding a software attack on the existing Vista beta: http://www.darkreading.com/document.asp? doc_id=99780&f_src=darkreading_section_296 I noticed, in particular, that the attack is against a design weakness of Vista -- "The attack doesn't use your typical buffer overflow or other bug, but basically exploits a Vista (and Windows) design problem -- that user-mode applications are allowed to access raw disk sectors, Rutkowska says." The attack, which is being described in detail at Blackhat, looks for "interesting" OS code to be paged out and then carefully modifies the contents of the page file in order to dupe Vista into loading the corrupt page data. Cheers, Ken Kenneth Van Wyk KRvW Associates, LLC http://www.KRvW.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20060725/08cd73e8/attachment.html From petesh at indigo.ie Tue Jul 25 15:31:02 2006 From: petesh at indigo.ie (Pete Shanahan) Date: Tue, 25 Jul 2006 20:31:02 +0100 Subject: [SC-L] Dark Reading - Application and Perimeter Security - Hacking the Vista Kernel - Security News Analysis In-Reply-To: References: Message-ID: <44C67176.30301@indigo.ie> Hang on a minute, I thought you had to have administrator access before you were permitted raw access to the hard drive. The createfile documentation tells us that opening a physical disk / Volume requires that the caller must have administrative privileges. I'm just wondering how flawed the implementation of the windows paging model is that it would allow for this kind of breach. The standard model I'm familiar with would simply flush the page from memory, and would not keep a copy in the external page-file, instead relying on the copy that already exists on the disk. Obviously I need to read more on this. Kenneth Van Wyk wrote: > Here's an interesting article from Dark Reading regarding a software > attack on the existing Vista beta: > > http://www.darkreading.com/document.asp?doc_id=99780&f_src=darkreading_section_296 > > > I noticed, in particular, that the attack is against a design weakness > of Vista -- "The attack doesn't use your typical buffer overflow or > other bug, but basically exploits a Vista (and Windows) design problem > -- that user-mode applications are allowed to access raw disk sectors, > Rutkowska says." > > The attack, which is being described in detail at Blackhat, looks for > "interesting" OS code to be paged out and then carefully modifies the > contents of the page file in order to dupe Vista into loading the > corrupt page data. -- Pete +353 (87) 412 9576 [M] Where there's a will, there's an Inheritance Tax. From secureCoding2dave at davearonson.com Tue Jul 25 16:15:46 2006 From: secureCoding2dave at davearonson.com (SC-L Subscriber Dave Aronson) Date: Tue, 25 Jul 2006 20:15:46 +0000 Subject: [SC-L] Dark Reading - Application and Perimeter Security - Hacking the Vista Kernel - Security News Analysis Message-ID: Pete Shanahan [mailto:petesh at indigo.ie] writes: > I'm just wondering how flawed the implementation of the windows > paging model is that it would allow for this kind of breach. The > standard model I'm familiar with would simply flush the page from > memory, and would not keep a copy in the external page-file, > instead relying on the copy that already exists on the disk. Perhaps the code in question is stored compressed, so that there is no verbatim copy already on disk. (I have no clue if Windows does this.) -Dave From Ken at krvw.com Tue Jul 25 18:43:34 2006 From: Ken at krvw.com (Kenneth Van Wyk) Date: Tue, 25 Jul 2006 18:43:34 -0400 Subject: [SC-L] Forwarded: PHP encryption for the common man Message-ID: <4F5FA1FA-7B69-471A-BFF0-0210B78C3EA4@krvw.com> FYI, I saw an interesting article today on IBM's web site detailing how to (and how NOT to) use encryption within PHP code. Those interested can find the article at: http://www-128.ibm.com/developerworks/library/os-php-encrypt/ index.html?ca=drs- Cheers, Ken Kenneth Van Wyk KRvW Associates, LLC http://www.KRvW.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20060725/de5f0d9e/attachment.html From michaelslists at gmail.com Tue Jul 25 19:14:10 2006 From: michaelslists at gmail.com (mikeiscool) Date: Wed, 26 Jul 2006 09:14:10 +1000 Subject: [SC-L] Forwarded: PHP encryption for the common man In-Reply-To: <4F5FA1FA-7B69-471A-BFF0-0210B78C3EA4@krvw.com> References: <4F5FA1FA-7B69-471A-BFF0-0210B78C3EA4@krvw.com> Message-ID: <5e01c29a0607251614q70675c22yab0c9fb1b662ce11@mail.gmail.com> On 7/26/06, Kenneth Van Wyk wrote: > > FYI, I saw an interesting article today on IBM's web site detailing how to > (and how NOT to) use encryption within PHP code. Those interested can find > the article at: > > http://www-128.ibm.com/developerworks/library/os-php-encrypt/index.html?ca=drs- This doesn't seem like a _great_ article, for the 'common man', as it involves, at least in the last step, executing a binary with propsed input from the user (i.e. a username, or something) as command line parameters. It validates one (the 'msg' from the form), but not the others that may be adjusted to accept input as well. Not only is the binary ran, but it would imply that the script as executable permissions on at least that file, if not the entire directory, or even entire system. All of which are bad. It also recommends to use md5, which is totally broken as a secure hashing function and should not be used at all. > Cheers, > > Ken -- mic From rcs at cert.org Tue Jul 25 19:23:18 2006 From: rcs at cert.org (Robert C. Seacord) Date: Tue, 25 Jul 2006 19:23:18 -0400 Subject: [SC-L] Dark Reading - CERT Seeks Secure Coding Input In-Reply-To: <44C67176.30301@indigo.ie> References: <44C67176.30301@indigo.ie> Message-ID: <44C6A7E6.8050609@cert.org> Speaking of interesting articles from Dark Reading: http://www.darkreading.com/document.asp?doc_id=99807&WT.svl=news1_1 This is relatively early exposure for this effort. I am hoping to engage the folks on this list (and elsewhere) in this effort in the fall once the public wiki is stood up. In completely unrelated news, a Korean translation of "Secure Coding in C and C++" (http://www.cert.org/books/secure-coding/) is now available, although I don't know how you would buy it except maybe by contacting Pearson Education Asia at http://www.pearsoned-asia.com/ Thanks- rCs From petesh at indigo.ie Wed Jul 26 12:49:31 2006 From: petesh at indigo.ie (Pete Shanahan) Date: Wed, 26 Jul 2006 17:49:31 +0100 Subject: [SC-L] Dark Reading - Application and Perimeter Security - Hacking the Vista Kernel - Security News Analysis In-Reply-To: <378dde5d0607260822h43fedc41n7a90152580037113@mail.gmail.com> References: <378dde5d0607260822h43fedc41n7a90152580037113@mail.gmail.com> Message-ID: <44C79D1B.5080605@indigo.ie> Ken Buchanan wrote: >> I thought you had to have administrator access before you were > If you took Joanna to mean 'User privileges' when she said > 'user-mode', then you were mistaken. The opposite of user mode is > kernel mode. Yes, I think that would be my foot-in-mouth there. I misread the article, misinterpreting privileges when it meant non-kernel mode. > >> I'm just wondering how flawed the implementation of the windows paging >> model is >> that it would allow for this kind of breach. The standard model I'm >> familiar >> with would simply flush the page from memory, and would not keep a >> copy in the >> external page-file, instead relying on the copy that already exists on >> the disk. > > Can you explain this objection a little better? I understand Joanna's > attack to imply that she is forcing OS code to be paged out of > memory, meaning it is now on disk and no longer in physical memory. > She modifies the paged-out code using raw disk writes, since > sector-level access bypasses the file system's access control > protection. Then, when the OS code is needed again, it is paged back > into physical memory carrying a whatever little Easter Egg Joanna > cared to hide in it. Again, a slight silliness on my behalf - I was thinking that the modifications were being made to the content of the page-file and not the binary on-disk, as mentioned in the article: This isn't simple for hackers to execute, however. "For the attack to succeed, one needs to find a reliable way to force interesting kernel code to be paged out, then find that code inside a page file and modify it. And finally, the kernel needs to load that code (now modified) again into physical memory and execute it," she says. "The proof-of-concept code I implemented solves all those challenges allowing for very reliable exploitation." I presume the flaw with the OS is that the code signing check only occurs once, at driver load time, rather than every time any part of it gets paged in. I've seen malicious cache page corruption on Solaris, where you corrupt a page that is already loaded in memory, which does not require root access to work. -- Pete +353 (87) 412 9576 [M] The first time, it's a KLUDGE! The second, a trick. Later, it's a well-established technique! -- Mike Broido, Intermetrics From dave.wichers at aspectsecurity.com Wed Jul 26 14:57:00 2006 From: dave.wichers at aspectsecurity.com (Dave Wichers) Date: Wed, 26 Jul 2006 14:57:00 -0400 Subject: [SC-L] ANNOUNCING: 3rd annual US OWASP AppSec Conference - Oct 16-18 2006 - Seattle, WA Message-ID: <02e101c6b0e5$46c82900$6564a8c0@intranet.aspectsecurity.com> Dear Colleague, OWASP is proud to announce its third annual U.S. Application Security Conference. This year's conference will be held October 16-18 at the Bell Harbor International Conference Center right on the waterfront in downtown Seattle, WA. Please reserve these dates!! The first two conferences were on the East coast so we felt it was the West coast's turn. This facility looks to be the nicest facility we have had the opportunity to use yet. This conference will include: - Training (On Oct 16): various 1-day application security courses are being offered the day prior to the conference - Main Conference (Oct 17-18) This year's conference will include presentations and also some panels to help encourage discussion amongst the attendees - Evening Social Event (Oct 17) - We are planning a social event as we do each conference which facilitates the attendees ability to mingle and get to know each other better. Current details on the conference are available on the OWASP website at http://www.owasp.org/index.php/OWASP_AppSec_Seattle_2006 This year's conference will be kicked off with a keynote by Michael Howard from Microsoft on "The Benefits of the SDL initiative to Microsoft and its Customers". Mike is a top member of Microsoft's security team and a coauthor of several application security books including Writing Secure Code, 2nd Ed., and 19 Deadly Sins of Software Security. He will be talking about the Microsoft Security Development Lifecycle (SDL) and the benefits Microsoft has gained by developing and adopting it. OWASP's AppSec conferences are dedicated to real-world application security issues and solutions. You'll learn many aspects of application security, including people, process, and technology perspectives. You'll hear presentations on topics like: - Web Services Security - Securing AJAX Applications - The Microsoft Secure Development Lifecycle - The benefits of various new and enhanced OWASP projects, like: - OWASP Software Assurance Metrics - OWASP Code Review Standards - OWASP Java Project - OWASP .Net Project The two panels are going to be on: - Lessons learned from Major Application Security Initiatives - What is in your application security toolbox? The exact agenda is still being developed and will be posted to the site as soon as possible. REGISTRATION DETAILS: As a non-profit charitable organization, OWASP has been able to keep the cost to $400 per seat if you are able to register prior to Sept. 18, 2006. The cost to OWASP Members is only $350 prior to Sept. 18th. Registration is not available yet, but should be in the next week or so. Please reserve these dates in the mean time. PLEASE NOTE THAT ALL TICKETS WILL BE NON REFUNDABLE TO REDUCE ADMINISTRATION COSTS TRAINING COURSES (October 16): These classes will be held at the Bell Harbor International Conference Center. Each class is $675 for conference attendees (and includes lunch). Registration for the courses will be available via the conference registration page. - FOUNDATIONS OF APPLICATION SECURITY - WEB SERVICES AND XML SECURITY - ADVANCED .NET SECURITY (planned) More details on these training courses are available at: http://www.owasp.org/index.php/AppSec_Seattle_2006/Training EVENING SOCIAL EVENT - Oct 17: An optional dinner event is being planned. Stay tuned for more details. This event involves a dinner at a nearby location from 7-9 PM, followed by drinks local watering holes. We hope to see all of you there as this is a great chance to mingle and meet many members of the OWASP community. ACCOMMODATIONS: Information about local accommodations, including reduced rate rooms will be available at: http://www.owasp.org/index.php/OWASP_AppSec_Seattle_2006#Accommodations If you know others that would be interested in attending the 3rd annual US OWASP conference, please forward them this email and let them know about this opportunity. Please contact me with any questions. Looking forward to seeing you all there! Thanks, Dave Dave Wichers, OWASP Conferences Chair The OWASP Foundation http://www.owasp.org From gem at cigital.com Mon Jul 31 17:51:12 2006 From: gem at cigital.com (Gary McGraw) Date: Mon, 31 Jul 2006 17:51:12 -0400 Subject: [SC-L] Silver bullet Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB742996@va-mail.cigital.com> Hi all, International man of mystery Dana Epp is my guest in the episode of silver bullet that went up seconds ago: http://www.cigital.com/silverbullet/show-004/ Dana is a long time software security guy and has a great blog to boot. Check it out (and feel free to post some comments on the site). gem company www.cigital.com book www.swsec.com podcast www.cigital.com/silverbullet Sent from my treo. ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From peter.amey at praxis-his.com Thu Aug 3 03:32:07 2006 From: peter.amey at praxis-his.com (Peter Amey) Date: Thu, 3 Aug 2006 08:32:07 +0100 Subject: [SC-L] Cost of provably-correct code Message-ID: <4BF0455B353E524FBEA15C3A490F7DFE3236FC@EVS01.praxis.local> [Re-send, I am not sure the first copy made it to the list] > -----Original Message----- > From: sc-l-bounces at securecoding.org > [mailto:sc-l-bounces at securecoding.org ] On Behalf Of Crispin Cowan > Sent: 21 July 2006 18:45 > To: mikeiscool > Cc: SC-L at securecoding.org > Subject: Re: [SC-L] bumper sticker slogan for secure software > > mikeiscool wrote: > > On 7/21/06, Dana Epp wrote: > > > >>> yeah. > >>> but none of this changes the fact that it IS possible to > write completely secure code. > >>> > >> And it IS possible that a man will walk on Mars someday. > But its not > >> practical or realistic in the society we live in today. I'm sorry > >> mic, but I have to disagree with you here. > >> > >> It is EXTREMELY difficult to have code be 100% correct if an > >> application has any level of real use or complexity. There > will be security defects. > >> > > Why? Why accept this as a fact? It is not a fact. If you put > > procedures in place and appropriately review and test you can be > > confident. > > > Sorry, but it is a fact. Yes, you can have provably correct code. Cost > is approximately $20,000 per line of code. That is what the > "procedures" > required for correct code cost. Oh, and they are kind of super-linear, > so one program of 200 lines costs more than 2 programs of 100 lines. I would be fascinated to know where this figure comes from. Our experience is that formal development methods, which at least offer the possibility of defect-free software, are /cheaper/ as well as resulting in lower rates of defect. At least one major organization, with rather a strong interest in security, agrees with us (see: http://www.praxis-his.com/news/TokeneerNews.asp or, for the full paper, http://www.praxis-his.com/pdfs/issse2006tokeneer.pdf ). I think we have to /aim/ for zero defects and choose technical approaches that make that aim credible. If we don't then what defect rate shall we aim for and how will we know if we have achieved it? Of course, as good engineers, we should never allow ourselves the hubris of /believing/ we have achieved zero defects but that doesn't invalidate the aim. (Aircraft manufacturers do a great deal of mathematical analysis of stresses in wings but still proof load test each new design; they don't expect to find any problems because of the amount of analysis they have done but, very occasionally, they do). regards Peter ********************************************************************** This email is confidential and intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient, be advised that you have received this email in error and that any use, disclosure, copying or distribution or any action taken or omitted to be taken in reliance on it is strictly prohibited. If you have received this email in error please contact the sender. Any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Praxis High Integrity Systems Ltd (Praxis HIS). Although this email and any attachments are believed to be free of any virus or other defect, no responsibility is accepted by Praxis HIS or any of its associated companies for any loss or damage arising in any way from the receipt or use thereof. The IT Department at Praxis HIS can be contacted at it.support at praxis-his.com ********************************************************************** From Ed.Reed at aesec.com Thu Aug 3 14:55:35 2006 From: Ed.Reed at aesec.com (Ed Reed (Aesec)) Date: Thu, 03 Aug 2006 14:55:35 -0400 Subject: [SC-L] Cost of provably-correct code (Peter Amey) In-Reply-To: References: Message-ID: <44D246A7.8050708@aesec.com> > Date: Thu, 3 Aug 2006 08:32:07 +0100 > From: "Peter Amey" > Subject: Re: [SC-L] Cost of provably-correct code > To: > Message-ID: > <4BF0455B353E524FBEA15C3A490F7DFE3236FC at EVS01.praxis.local> > Content-Type: text/plain; charset="US-ASCII" > > [Re-send, I am not sure the first copy made it to the list] > > > I think we have to /aim/ for zero defects and choose technical > approaches that make that aim credible. If we don't then what defect > rate shall we aim for and how will we know if we have achieved it? > > I agree - in the industrial world defects in workmanship and manufacture were taken for granted until product liability laws and ever-more intensive competition drove some desperate soles (the Japanese and Demming come to mind) to seek to differentiate themselves on the basis of low cost through the obsessive analysis and elimination of defects. They went from having a reputation for producing "junk electronics" to setting the standard for high value, low cost products. The insight was that reproduce-able processes could be incrementally improved. It changed many industries. Now we have a couple of decades of experience with efforts (Xerox' Quality Improvement Process, Malcolm Baldridge Awards, Zero-Defect, Six-Sigma programs, etc.) to apply similar monitoring and analysis techniques to a whole range of manufacturing, service, administration and other industries. But not software. Oh, no - not software. Too hard, too complex, some say. I like that the Software Engineering Institute folks at Carnegie-Mellon are working to identify just WHICH process in software development is reproduce-able, so they can develop the analytical tools and processes to control them. So far one they've come up with is the determinedly reproduce-ably way software developers repeat the same mistakes they make, over and over and over again. We're not talking buffer over flows, here - we're talking careless use of scanf() and strcpy(), and other similar "known bad practices". I hope they're successful promoting their programs ("Personal Software Process" and "Team Software Process"), because I believe they'll improve the overall quality of software produced by development organizations that use them. But... I don't think incremental improvement will get you to defect-free code - because incremental improvement is likely to be something of a random-walk sort of search algorithm for perfection. The engineering approach the rest of the world uses, I hope, is a little more structured - Do you know what you want? Do you know what you DON'T want? Can you verify that what you design / built will give you what you want not give you what you don't want? If you can verify, through formal analysis, logical reasoning, and inspectible process discipline (to avoid corruption by subversion), then you can talk about something being both correct (does what it should) and secure (doesn't do what it shouldn't). The effects of Six Sigma processes is supposed to control defects to a rate of 3.4 per million. In conventional software terms, that's .0034 defects per thousand lines of code, if you treat the production of a line of code as the reproduce-able process. Compare that to conventional wisdom of software defect rates for commercially developed code. Indeed, even rates of .1 defect / KLOC (which is very good) are still 2-3 orders of magnitude greater than the goals set out by other industries for their own quality measures (http://www.softwaretechnews.com/stn8-2/praxis.html). But that's what I think we, in the software industry, need to begin aiming for in order to merit calling our discipline "engineering", in my opinion. Other industries are doing this, and they're doing it in the real-world context of customer service departments, documentation writing, electronic and industrial manufacturing. It can be done. It has been done. It is hard. So was programming a GUI application when the Macintosh came out (remember QuickDraw?). We learned to live with it. Ed > Of course, as good engineers, we should never allow ourselves the hubris > of /believing/ we have achieved zero defects but that doesn't invalidate > the aim. (Aircraft manufacturers do a great deal of mathematical > analysis of stresses in wings but still proof load test each new design; > they don't expect to find any problems because of the amount of analysis > they have done but, very occasionally, they do). > > regards > > > > Peter From ken at krvw.com Mon Aug 7 08:55:22 2006 From: ken at krvw.com (Kenneth Van Wyk) Date: Mon, 7 Aug 2006 08:55:22 -0400 Subject: [SC-L] Six steps to secure sensitive data in MySQL - Program - MySQL - Builder AU Message-ID: Greetings SC-Lers, FYI, here's a link to an article on MySQL security. Nothing huge, just a short list of useful tips, but I figured it could be of interest here. http://www.builderau.com.au/program/mysql/soa/ Six_steps_to_secure_sensitive_data_in_MySQL/0,39028784,39266102,00.htm Cheers, Ken ----- Kenneth R. Van Wyk KRvW Associates, LLC http://www.KRvW.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20060807/c5a655c7/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 186 bytes Desc: This is a digitally signed message part Url : http://krvw.com/pipermail/sc-l/attachments/20060807/c5a655c7/attachment.bin From ken at krvw.com Wed Aug 9 09:20:05 2006 From: ken at krvw.com (Kenneth Van Wyk) Date: Wed, 9 Aug 2006 09:20:05 -0400 Subject: [SC-L] A New Open Source Approach to Weakness Message-ID: FYI, here's an article about Fortify's pernicious kingdom taxonomy of common coding defects that I thought would be of interest here: http://www.internetnews.com/dev-news/article.php/3623751 Cheers, Ken ----- Kenneth R. Van Wyk KRvW Associates, LLC http://www.KRvW.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20060809/09d4739a/attachment.html From gbuday at gmail.com Wed Aug 9 10:08:29 2006 From: gbuday at gmail.com (Gergely Buday) Date: Wed, 9 Aug 2006 16:08:29 +0200 Subject: [SC-L] A New Open Source Approach to Weakness In-Reply-To: References: Message-ID: <90d975d30608090708t504587c9qf047d91a084e7783@mail.gmail.com> On 09/08/06, Kenneth Van Wyk wrote: > > FYI, here's an article about Fortify's pernicious kingdom taxonomy of common > coding defects that I thought would be of interest here: > > http://www.internetnews.com/dev-news/article.php/3623751 The link to the original paper is: http://vulncat.fortifysoftware.com/docs/tcm_taxonomy_submission.pdf Cheers - Gergely From gem at cigital.com Wed Aug 9 13:24:19 2006 From: gem at cigital.com (Gary McGraw) Date: Wed, 9 Aug 2006 13:24:19 -0400 Subject: [SC-L] A New Open Source Approach to Weakness Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB742A31@va-mail.cigital.com> Also note that there is a chapter in "software security" about the pernicious kingdoms...www.swsec.com. gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com -----Original Message----- From: Gergely Buday [mailto:gbuday at gmail.com] Sent: Wed Aug 09 10:53:52 2006 To: Secure Coding Subject: Re: [SC-L] A New Open Source Approach to Weakness On 09/08/06, Kenneth Van Wyk wrote: > > FYI, here's an article about Fortify's pernicious kingdom taxonomy of common > coding defects that I thought would be of interest here: > > http://www.internetnews.com/dev-news/article.php/3623751 The link to the original paper is: http://vulncat.fortifysoftware.com/docs/tcm_taxonomy_submission.pdf Cheers - Gergely _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From jeff.williams at aspectsecurity.com Wed Aug 9 11:50:23 2006 From: jeff.williams at aspectsecurity.com (Jeff Williams) Date: Wed, 9 Aug 2006 11:50:23 -0400 Subject: [SC-L] A New Open Source Approach to Weakness In-Reply-To: <90d975d30608090708t504587c9qf047d91a084e7783@mail.gmail.com> Message-ID: Fortify has graciously donated these vulnerability writeups to OWASP, where they will be maintained wikipedia-style. We have a strong team of reviewers in place to review all changes daily. There are a total of almost 500 vulnerabilities now, from Fortify, CLASP, and many other sources. We're creating an interlinked knowledgebase of common application security principles, threats, attacks, vulnerabilities, and countermeasures. Anyone can participate, so come help us out. http://www.owasp.org/index.php/Category:OWASP_Honeycomb_Project --Jeff -----Original Message----- From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of Gergely Buday Sent: Wednesday, August 09, 2006 10:08 AM To: Secure Coding Subject: [***SPAM (header)***] - Re: [SC-L] A New Open Source Approach to Weakness - Email found in subject On 09/08/06, Kenneth Van Wyk wrote: > > FYI, here's an article about Fortify's pernicious kingdom taxonomy of common > coding defects that I thought would be of interest here: > > http://www.internetnews.com/dev-news/article.php/3623751 The link to the original paper is: http://vulncat.fortifysoftware.com/docs/tcm_taxonomy_submission.pdf Cheers - Gergely _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php From mcgegick at ncsu.edu Thu Aug 10 19:06:19 2006 From: mcgegick at ncsu.edu (mcgegick at ncsu.edu) Date: Thu, 10 Aug 2006 19:06:19 -0400 (EDT) Subject: [SC-L] A New Open Source Approach to Weakness In-Reply-To: References: Message-ID: <24254.64.80.176.20.1155251179.squirrel@webmail.ncsu.edu> The Honeycomb project seems interesting. This sounds a lot like the Common Weakness Enumeration (CWE ? see http://cwe.mitre.org) effort that has been going on for the past year as part of the DHS software assurance metrics and tool evaluation project. The CWE is an aggregation of sources including Seven Pernicious Kingdoms, CLASP, PLOVER, ten from OWASP, the Web Security Threat Classification, 19 Deadly Sins, etc. that describes software weaknesses (to date ~500 of them) in a consistently named fashion and provides a taxonomy to organize the relationships between the weaknesses. The classification comes with the help of a large community effort including NIST, MITRE, DHS, NSA, many commercial organizations, academia, and the public. And, I believe there are currently 15-20 tool vendors, including Fortify Software and Secure Software, that are contributing and mapping their content to the CWE. Thanks, Michael Gegick From jeff.williams at aspectsecurity.com Thu Aug 10 22:56:05 2006 From: jeff.williams at aspectsecurity.com (Jeff Williams) Date: Thu, 10 Aug 2006 22:56:05 -0400 Subject: [SC-L] A New Open Source Approach to Weakness In-Reply-To: <24254.64.80.176.20.1155251179.squirrel@webmail.ncsu.edu> Message-ID: We're familiar with the CWE project and there's a lot of overlap between our vulnerabilities - not surprising given that most came from the same sources. Where possible we're trying to keep the same names. We've found that some of the topics are really attacks, and have organized them accordingly. One of the really great things that CWE has done is providing links to actual CVE entries demonstrating each of the vulnerabilities. We started Honeycomb to: - create a complete library of application security building-blocks, including principles, threats, attacks, vulnerabilities, and countermeasures - enable the rich interconnection of those building-blocks in ways that a strict one-dimensional taxonomy cannot allow - encourage security experts in the community to share their knowledge, argue, edit, discuss, and resolve in wisdom of crowds fashion --Jeff -----Original Message----- From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of mcgegick at ncsu.edu Sent: Thursday, August 10, 2006 7:06 PM To: sc-l at securecoding.org Subject: [***SPAM (header)***] - Re: [SC-L] A New Open Source Approach to Weakness - Email found in subject The Honeycomb project seems interesting. This sounds a lot like the Common Weakness Enumeration (CWE - see http://cwe.mitre.org) effort that has been going on for the past year as part of the DHS software assurance metrics and tool evaluation project. The CWE is an aggregation of sources including Seven Pernicious Kingdoms, CLASP, PLOVER, ten from OWASP, the Web Security Threat Classification, 19 Deadly Sins, etc. that describes software weaknesses (to date ~500 of them) in a consistently named fashion and provides a taxonomy to organize the relationships between the weaknesses. The classification comes with the help of a large community effort including NIST, MITRE, DHS, NSA, many commercial organizations, academia, and the public. And, I believe there are currently 15-20 tool vendors, including Fortify Software and Secure Software, that are contributing and mapping their content to the CWE. Thanks, Michael Gegick _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php From livshits at cs.stanford.edu Fri Aug 11 14:41:46 2006 From: livshits at cs.stanford.edu (Benjamin Livshits) Date: Fri, 11 Aug 2006 11:41:46 -0700 Subject: [SC-L] LAPSE: code auditing tool for Java Message-ID: <004b01c6bd75$ccc9fa50$bcae0c80@oberon> We are happy to announce the first public release of LAPSE: a source code security scanner for Java. LAPSE is an Eclipse plugin that helps automate the code review process for Java J2EE applications. LAPSE is inspired by existing lightweight security auditing tools such as RATS, pscan, and FlawFinder. Unlike those tools, however, LAPSE addresses Web applications vulnerabilities such as SQL injection, cross-site scripting, path traversal, etc. LAPSE is not intended as a comprehensive solution for Web application security, but rather as an aid in the code review process. More information about LAPSE can be found at http://suif.stanford.edu/~livshits/work/lapse/ Enjoy. -Ben http://www.stanford.edu/~livshits/ From dave.wichers at aspectsecurity.com Sun Aug 13 18:39:35 2006 From: dave.wichers at aspectsecurity.com (Dave Wichers) Date: Sun, 13 Aug 2006 18:39:35 -0400 Subject: [SC-L] ANNOUNCING: 3rd Annual US OWASP AppSec Conference - Oct 16-18 2006 - Seattle, WA Message-ID: Many more details for the OWASP conference have been settled and are now available on the OWASP site, including: 1) Most of the agenda is set: See: http://www.owasp.org/index.php/OWASP_AppSec_Seattle_2006/Agenda 2) Conference hotel discounts have been negotiated and I'd strongly recommend making your reservations early as many of the rates expire after Sept 15. And downtown Seattle hotels are expensive so locking in the conference rates will be helpful. See: http://www.owasp.org/index.php/OWASP_AppSec_Seattle_2006#Accommodations 3) The dinner event is now planned for Anthony's Pier 66, right near the conference center. See: http://www.owasp.org/index.php/OWASP_AppSec_Seattle_2006#Evening_Social_ Event_-_Oct_17th 4) All the pricing details are now on the site as well, repeated from the message below. See: http://www.owasp.org/index.php/OWASP_AppSec_Seattle_2006#Conference_Fees The only thing missing is opening registration for the conference :-( Due to unforeseen difficulties with our credit card processing accounts, we haven't been able to open registration yet. It SHOULD be open in the next 2-3 days. I'll send out another announcement when registration is open. In the mean time, I'd recommend booking your hotel and flights to lock in advanced pricing!!!! Thanks, Dave Dave Wichers OWASP Conferences Chair -----Original Message----- From: Dave Wichers [mailto:dave.wichers at aspectsecurity.com] Sent: Wednesday, July 26, 2006 2:57 PM To: 'SC-L at securecoding.org'; 'webappsec at securityfocus.com' Subject: ANNOUNCING: 3rd Annual US OWASP AppSec Conference - Oct 16-18 2006 - Seattle, WA Dear Colleague, OWASP is proud to announce its third annual U.S. Application Security Conference. This year's conference will be held October 16-18 at the Bell Harbor International Conference Center right on the waterfront in downtown Seattle, WA. Please reserve these dates!! The first two conferences were on the East coast so we felt it was the West coast's turn. This facility looks to be the nicest facility we have had the opportunity to use yet. This conference will include: - Training (On Oct 16): various 1-day application security courses are being offered the day prior to the conference - Main Conference (Oct 17-18) This year's conference will include presentations and also some panels to help encourage discussion amongst the attendees - Evening Social Event (Oct 17) - We are planning a social event as we do each conference which facilitates the attendees ability to mingle and get to know each other better. Current details on the conference are available on the OWASP website at http://www.owasp.org/index.php/OWASP_AppSec_Seattle_2006 This year's conference will be kicked off with a keynote by Michael Howard from Microsoft on "The Benefits of the SDL initiative to Microsoft and its Customers". Mike is a top member of Microsoft's security team and a coauthor of several application security books including Writing Secure Code, 2nd Ed., and 19 Deadly Sins of Software Security. He will be talking about the Microsoft Security Development Lifecycle (SDL) and the benefits Microsoft has gained by developing and adopting it. OWASP's AppSec conferences are dedicated to real-world application security issues and solutions. You'll learn many aspects of application security, including people, process, and technology perspectives. You'll hear presentations on topics like: - Web Services Security - Securing AJAX Applications - The Microsoft Secure Development Lifecycle - The benefits of various new and enhanced OWASP projects, like: - OWASP Software Assurance Metrics - OWASP Code Review Standards - OWASP Java Project - OWASP .Net Project The two panels are going to be on: - Lessons learned from Major Application Security Initiatives - What is in your application security toolbox? The current agenda is available at: http://www.owasp.org/index.php/OWASP_AppSec_Seattle_2006/Agenda REGISTRATION DETAILS: As a non-profit charitable organization, OWASP has been able to keep the cost to $400 per seat if you are able to register prior to Sept. 18, 2006. The cost to OWASP Members is only $350 prior to Sept. 18th. Registration is not available yet, but should be in the next week or so. Please reserve these dates in the mean time. PLEASE NOTE THAT ALL TICKETS WILL BE NON REFUNDABLE TO REDUCE ADMINISTRATION COSTS TRAINING COURSES (October 16): These classes will be held at the Bell Harbor International Conference Center. Each class is $675 for conference attendees (and includes lunch). Registration for the courses will be available via the conference registration page. - FOUNDATIONS OF APPLICATION SECURITY - WEB SERVICES AND XML SECURITY - ADVANCED .NET SECURITY More details on these training courses are available at: http://www.owasp.org/index.php/AppSec_Seattle_2006/Training EVENING SOCIAL EVENT - Oct 17: An optional dinner event is being planned. Stay tuned for more details. This event involves a dinner at a nearby location from 7-9 PM, followed by drinks local watering holes. We hope to see all of you there as this is a great chance to mingle and meet many members of the OWASP community. ACCOMMODATIONS: Information about local accommodations, including reduced rate rooms will be available at: http://www.owasp.org/index.php/OWASP_AppSec_Seattle_2006#Accommodations If you know others that would be interested in attending the 3rd annual US OWASP conference, please forward them this email and let them know about this opportunity. Please contact me with any questions. Looking forward to seeing you all there! Thanks, Dave Dave Wichers, OWASP Conferences Chair The OWASP Foundation http://www.owasp.org From gem at cigital.com Mon Aug 14 14:35:39 2006 From: gem at cigital.com (Gary McGraw) Date: Mon, 14 Aug 2006 14:35:39 -0400 Subject: [SC-L] Cheating Online Games and why Google is Evil Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB421495@va-mail.cigital.com> Hi all, Just back from vacation and digging out from the pile. Ironic that a vacation seems to be a necessity to catch up from vacation! A couple of things popped while I was flying around (sans toothpaste there at the end). At Blackhat a couple of weeks ago, Greg Hoglund gave a talk called "Hacking World of Warcraft(r): An Exercise in Advanced Rootkit Design" . Greg and I are working on a book together called "Exploiting Online Games". AWL released a "short cut" which is basically part of the unfinished book in pdf form called "Cheating Online Games" . The short cut concept is a new for AWL, and we're the guinea pigs...what do you think? Greg and I think that online games make an excellent petri dish for studying advanced concepts in distributed systems and software security. Lots of cool tech, and an arms race that is second to none. During vacation (deadlines never cease) I also wrote a piece for darkreading called "Why Google is Evil" . This is about the idea of using Google to look for targets and sploits, something that has come up on sc-l in the past. If you're really psyched about mis-using Google, check out Johnny Long's book. Feedback is always welcome. Happy August 14th. gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From johwi at ida.liu.se Tue Aug 15 04:03:07 2006 From: johwi at ida.liu.se (John Wilander) Date: Tue, 15 Aug 2006 10:03:07 +0200 Subject: [SC-L] Web Services vs. Minimizing Attack Surface Message-ID: <44E17FBB.60800@ida.liu.se> Hi! The security principle of minimizing your attack surface (Writing Secure Code, 2nd Ed.) is all about minimizing open sockets, rpc endpoints, named pipes etc. that facilitate network communication between applications. Web services and Service Oriented Architecture on the other hand are all about exposing functionality to offer interoperability. Have any of you had discussions on the seemingly obvious conflict between these things? I would be very happy to hear your conclusions and opinions! Regards, John ____________________________ John Wilander, PhD student Computer and Information Sc. Linkoping University, Sweden http://www.ida.liu.se/~johwi From gunnar at arctecgroup.net Tue Aug 15 10:15:55 2006 From: gunnar at arctecgroup.net (Gunnar Peterson) Date: Tue, 15 Aug 2006 09:15:55 -0500 Subject: [SC-L] Web Services vs. Minimizing Attack Surface In-Reply-To: <44E17FBB.60800@ida.liu.se> Message-ID: There may be a conflict here depending on the implementation in practice, but not necessarily. SOA and Web Services often aggregate lots of endpoints (enterprise service buses do this for example) into a smaller set of service interfaces. A couple of weeks ago at MetriCon, Pratyusa Manadhata gave a talk on attack surface metrics which decoupled the attack surface into methods, channel, and data the same way Web Services does. (http://1raindrop.typepad.com/1_raindrop/2006/08/metricon_softwa.html) -gp On 8/15/06 3:03 AM, "John Wilander" wrote: > Hi! > > The security principle of minimizing your attack surface (Writing Secure > Code, 2nd Ed.) is all about minimizing open sockets, rpc endpoints, > named pipes etc. that facilitate network communication between > applications. Web services and Service Oriented Architecture on the > other hand are all about exposing functionality to offer interoperability. > Have any of you had discussions on the seemingly obvious conflict > between these things? I would be very happy to hear your conclusions and > opinions! > > Regards, John > > ____________________________ > John Wilander, PhD student > Computer and Information Sc. > Linkoping University, Sweden > http://www.ida.liu.se/~johwi > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php From Holger.Peine at iese.fraunhofer.de Tue Aug 15 10:28:46 2006 From: Holger.Peine at iese.fraunhofer.de (Holger.Peine at iese.fraunhofer.de) Date: Tue, 15 Aug 2006 16:28:46 +0200 Subject: [SC-L] Web Services vs. Minimizing Attack Surface Message-ID: <687F148231CEBF449E6206E3FA7AAC3F135F97@hermes.iese.fhg.de> > [mailto:sc-l-bounces at securecoding.org] On Behalf Of John Wilander > Sent: Dienstag, 15. August 2006 10:03 > Subject: [SC-L] Web Services vs. Minimizing Attack Surface > > Hi! > > The security principle of minimizing your attack surface > (Writing Secure > Code, 2nd Ed.) is all about minimizing open sockets, rpc endpoints, > named pipes etc. that facilitate network communication between > applications. Web services and Service Oriented Architecture on the > other hand are all about exposing functionality to offer > interoperability. I don't see a conflict here: A web service (just as any network-accessible service, no matter whether programmed using sockets, Java RMI, SOAP or whatever) is _intended_ to provide some function to the outside world, so you have to open _some_ door into your system. The advice about minimizing the attack surface is about not opening any doors you don't really need (or worse, didn't even intend to open). Another matter is the question of whether it might be easier to produce a vulnerability when providing some function in the form of a web service as opposed to another technique. One could argue in this direction, e.g. because of creating new attack vectors such as XML injection, or helping the attacker by providing the WSDL. But again, this does not make web services incompatible with the principle of minimal attack surface per se. Kind regards, Holger Peine -- Dr. Holger Peine, Security and Safety Fraunhofer IESE, Fraunhofer-Platz 1, 67663 Kaiserslautern, Germany Phone +49-631-6800-2134, Fax -1899 (shared) PGP key via http://pgp.mit.edu ; fingerprint is 1BFA 30CB E3ED BA99 E7AE 2BBB C126 A592 48EA F9F8 From nash at solace.net Tue Aug 15 10:48:09 2006 From: nash at solace.net (Nash) Date: Tue, 15 Aug 2006 10:48:09 -0400 Subject: [SC-L] Web Services vs. Minimizing Attack Surface In-Reply-To: <44E17FBB.60800@ida.liu.se> References: <44E17FBB.60800@ida.liu.se> Message-ID: <20060815144809.GN25558@quack.solace.net> Thinking about "attackable surface area" is a good metaphor, but I think it's breaking down on you. Think about a classic forms-driven (MVC) web application. If it's at all complex, it'll contain a variety of form processing programs that are all interlinked with a complex state-sharing mechanism. Such an application might be hosted on just a single "port" or "service", but it has huge surface area. It's also devilishly difficult to verify the code. On the other hand, many web services look like lots and lots of "services", but each of them has extremely limited surface area on its own. WS programs are typically smaller than their forms-processing cousins-- even with all the automagic frameworks for MVC. Web services tend to be specified syntactically as opposed to semantically. In other words, the behavior of the RPC service is defined by how you've structured your requests and is often not based upon the content of an server-internal state sharing mechanism. This is a huge advantage for security because it means that the scope of a WS service is narrowly limited to its syntactic function. It shouldn't tend to bleed out into other functional areas. Finally, because web services are smaller and easier to write, they should be (much) easier to verify for correctness. Many WS frameworks also provide really nice abstractions of authentication and authorization, so that you can check those separately without even having to look at business logic in the process. So, point being that I think that claiming that WS/SOA architectures have greater "surface area" is ignoring the big picture. Our notion of surface area needs to become more sophisticated to account for the architectural differences between WS and classic-MVC apps. If web developers want to use web services, I can't see why shouldn't do so immediately. It shouldn't be THAT difficult for WS/SOA to make a net positive impact on security. Security folks shouldn't be scared of WS/SOA, we should be welcoming it. It's a great opportunity to reintegrate seurity in a way that we just never had with the Web 1.0 universe. -nash On Tue, Aug 15, 2006 at 10:03:07AM +0200, John Wilander wrote: > Hi! > > The security principle of minimizing your attack surface (Writing > Secure Code, 2nd Ed.) is all about minimizing open sockets, rpc > endpoints, named pipes etc. that facilitate network communication > between applications. Web services and Service Oriented Architecture > on the other hand are all about exposing functionality to offer > interoperability. Have any of you had discussions on the seemingly > obvious conflict between these things? I would be very happy to hear > your conclusions and opinions! > > Regards, John > > ____________________________ John Wilander, PhD student Computer and > Information Sc. Linkoping University, Sweden > http://www.ida.liu.se/~johwi > _______________________________________________ Secure Coding > mailing list (SC-L) SC-L at securecoding.org List information, > subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List > charter available at - http://www.securecoding.org/list/charter.php -- Please do not mock other religons in your quest for the Spaghetti god. - anonymous From ge at linuxbox.org Tue Aug 15 16:02:02 2006 From: ge at linuxbox.org (Gadi Evron) Date: Tue, 15 Aug 2006 15:02:02 -0500 (CDT) Subject: [SC-L] Web Services vs. Minimizing Attack Surface In-Reply-To: <687F148231CEBF449E6206E3FA7AAC3F135F97@hermes.iese.fhg.de> Message-ID: ou get to play with the code, in some cases anyway.Other than that and the fact the code runs, mostly, locally, there is no difference. The one major different is that with some services, the vulnerability is local as everybody builds their own. The main issue here is that web services allow for easy access to the machine, and for access to many third party and unrelated scripts and modules that will not be accessible by most other programs, once already connected. Gadi. On Tue, 15 Aug 2006 Holger.Peine at iese.fraunhofer.de wrote: > > [mailto:sc-l-bounces at securecoding.org] On Behalf Of John Wilander > > Sent: Dienstag, 15. August 2006 10:03 > > Subject: [SC-L] Web Services vs. Minimizing Attack Surface > > > > Hi! > > > > The security principle of minimizing your attack surface > > (Writing Secure > > Code, 2nd Ed.) is all about minimizing open sockets, rpc endpoints, > > named pipes etc. that facilitate network communication between > > applications. Web services and Service Oriented Architecture on the > > other hand are all about exposing functionality to offer > > interoperability. > > I don't see a conflict here: A web service (just as any > network-accessible > service, no matter whether programmed using sockets, Java RMI, SOAP or > whatever) is _intended_ to provide some function to the outside world, > so you have to open _some_ door into your system. The advice about > minimizing the attack surface is about not opening any doors you don't > really need (or worse, didn't even intend to open). > > Another matter is the question of whether it might be easier to > produce a vulnerability when providing some function in the form of a > web service as opposed to another technique. One could argue in this > direction, e.g. because of creating new attack vectors such as XML > injection, or helping the attacker by providing the WSDL. But again, > this does not make web services incompatible with the principle of > minimal attack surface per se. > > Kind regards, > Holger Peine > > -- > Dr. Holger Peine, Security and Safety > Fraunhofer IESE, Fraunhofer-Platz 1, 67663 Kaiserslautern, Germany > Phone +49-631-6800-2134, Fax -1899 (shared) > PGP key via http://pgp.mit.edu ; fingerprint is 1BFA 30CB E3ED BA99 E7AE > 2BBB C126 A592 48EA F9F8 > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > From johwi at ida.liu.se Wed Aug 16 05:22:36 2006 From: johwi at ida.liu.se (John Wilander) Date: Wed, 16 Aug 2006 11:22:36 +0200 Subject: [SC-L] Web Services vs. Minimizing Attack Surface In-Reply-To: <687F148231CEBF449E6206E3FA7AAC3F135F97@hermes.iese.fhg.de> References: <687F148231CEBF449E6206E3FA7AAC3F135F97@hermes.iese.fhg.de> Message-ID: <44E2E3DC.6040601@ida.liu.se> Thanks for all the replies so far! I would just like to comment on Holger Peine's and Mike Hines' viewpoints. Holger.Peine at iese.fraunhofer.de wrote: > I don't see a conflict here: A web service (just as any > network-accessible > service, no matter whether programmed using sockets, Java RMI, SOAP or > whatever) is _intended_ to provide some function to the outside world, > so you have to open _some_ door into your system. The advice about > minimizing the attack surface is about not opening any doors you don't > really need (or worse, didn't even intend to open). As you say, any kind of system is _intended_ to provide some function. But security bugs often hide in unintended, undocumented or unknown functionality. By increasing the attack surface you also increase the risk of adding unknown functions. Mike Hines commented on web services running everything through port 80 (HTTP) as negating "... any value of firewalls and most likely intrusion detection systems". Indeed, web services tunnel a lot of functionality through port 80, effectively hiding it from many system monitoring defense measures. The security will rely on validating SOAP envelopes and prevention at the application/run-time system level. It seems to me like a huge burden. Regards, John ____________________________ John Wilander, PhD student Computer and Information Sc. Linkoping University, Sweden http://www.ida.liu.se/~johwi From michaelslists at gmail.com Wed Aug 16 07:23:33 2006 From: michaelslists at gmail.com (mikeiscool) Date: Wed, 16 Aug 2006 21:23:33 +1000 Subject: [SC-L] Web Services vs. Minimizing Attack Surface In-Reply-To: <44E2E3DC.6040601@ida.liu.se> References: <687F148231CEBF449E6206E3FA7AAC3F135F97@hermes.iese.fhg.de> <44E2E3DC.6040601@ida.liu.se> Message-ID: <5e01c29a0608160423m4a206bc6mf66cc17b10253e15@mail.gmail.com> On 8/16/06, John Wilander wrote: > Thanks for all the replies so far! I would just like to comment on > Holger Peine's and Mike Hines' viewpoints. > > Holger.Peine at iese.fraunhofer.de wrote: > > I don't see a conflict here: A web service (just as any > > network-accessible > > service, no matter whether programmed using sockets, Java RMI, SOAP or > > whatever) is _intended_ to provide some function to the outside world, > > so you have to open _some_ door into your system. The advice about > > minimizing the attack surface is about not opening any doors you don't > > really need (or worse, didn't even intend to open). > > As you say, any kind of system is _intended_ to provide some function. > But security bugs often hide in unintended, undocumented or unknown > functionality. By increasing the attack surface you also increase the > risk of adding unknown functions. > > Mike Hines commented on web services running everything through port 80 > (HTTP) as negating "... any value of firewalls and most likely intrusion > detection systems". Indeed, web services tunnel a lot of functionality > through port 80, effectively hiding it from many system monitoring > defense measures. The security will rely on validating SOAP envelopes > and prevention at the application/run-time system level. It seems to me > like a huge burden. A huge burden or a huge benefit? You can validate everything in one spot, and maybe even solve problems in one spot. Imagine if everything went into the same system; thereby suggesting that all attacks would be similar (i.e. all attacks against the soap parsers of various apps, or something). If it all goes in one hole, you can fix it once with your IDS, or whatever acronym you have installed. You seem to be saying that any given app i want to write, and have publically accessible, I should write to accept connections on another port, or find another channel to operate on (maybe through a website app dll calls, or something). But then, if we do that, we have to re-write everything each time. Doesn't make alot of sense ... > Regards, John -- mic From gunnar at arctecgroup.net Wed Aug 16 09:08:26 2006 From: gunnar at arctecgroup.net (Gunnar Peterson) Date: Wed, 16 Aug 2006 08:08:26 -0500 Subject: [SC-L] Web Services vs. Minimizing Attack Surface In-Reply-To: <44E2E3DC.6040601@ida.liu.se> Message-ID: 1) you don't have to run web services over port 80 2) you can run lots of interesting things over port 80 not just web services 3) web services are an incremental improvement over dcom, mq series, and rmi-iiop. I do not see that the IDS and Systems monitoring situation is any worse, since they are weak in these areas as well. 4) the fact that you *can* validate soap envelopes (and body), as opposed to the security services available in the aforementioned technologies, is precisely the point. Web services have a number of interesting ways to deploy security to protect your messages, SAML, WS-Security, WS-Trust, are all improvements over what is available in web services' predecessors for interoperable security services. -gp On 8/16/06 4:22 AM, "John Wilander" wrote: > Thanks for all the replies so far! I would just like to comment on > Holger Peine's and Mike Hines' viewpoints. > > Holger.Peine at iese.fraunhofer.de wrote: >> I don't see a conflict here: A web service (just as any >> network-accessible >> service, no matter whether programmed using sockets, Java RMI, SOAP or >> whatever) is _intended_ to provide some function to the outside world, >> so you have to open _some_ door into your system. The advice about >> minimizing the attack surface is about not opening any doors you don't >> really need (or worse, didn't even intend to open). > > As you say, any kind of system is _intended_ to provide some function. > But security bugs often hide in unintended, undocumented or unknown > functionality. By increasing the attack surface you also increase the > risk of adding unknown functions. > > Mike Hines commented on web services running everything through port 80 > (HTTP) as negating "... any value of firewalls and most likely intrusion > detection systems". Indeed, web services tunnel a lot of functionality > through port 80, effectively hiding it from many system monitoring > defense measures. The security will rely on validating SOAP envelopes > and prevention at the application/run-time system level. It seems to me > like a huge burden. > > Regards, John > > ____________________________ > John Wilander, PhD student > Computer and Information Sc. > Linkoping University, Sweden > http://www.ida.liu.se/~johwi > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php From ge at linuxbox.org Wed Aug 16 09:38:28 2006 From: ge at linuxbox.org (Gadi Evron) Date: Wed, 16 Aug 2006 08:38:28 -0500 (CDT) Subject: [SC-L] Web Services vs. Minimizing Attack Surface In-Reply-To: <5e01c29a0608160423m4a206bc6mf66cc17b10253e15@mail.gmail.com> Message-ID: On Wed, 16 Aug 2006, mikeiscool wrote: > On 8/16/06, John Wilander wrote: > > Thanks for all the replies so far! I would just like to comment on > > Holger Peine's and Mike Hines' viewpoints. > > > > Holger.Peine at iese.fraunhofer.de wrote: > > > I don't see a conflict here: A web service (just as any > > > network-accessible > > > service, no matter whether programmed using sockets, Java RMI, SOAP or > > > whatever) is _intended_ to provide some function to the outside world, > > > so you have to open _some_ door into your system. The advice about > > > minimizing the attack surface is about not opening any doors you don't > > > really need (or worse, didn't even intend to open). > > > > As you say, any kind of system is _intended_ to provide some function. > > But security bugs often hide in unintended, undocumented or unknown > > functionality. By increasing the attack surface you also increase the > > risk of adding unknown functions. > > > > Mike Hines commented on web services running everything through port 80 > > (HTTP) as negating "... any value of firewalls and most likely intrusion > > detection systems". Indeed, web services tunnel a lot of functionality > > through port 80, effectively hiding it from many system monitoring > > defense measures. The security will rely on validating SOAP envelopes > > and prevention at the application/run-time system level. It seems to me > > like a huge burden. > > A huge burden or a huge benefit? You can validate everything in one > spot, and maybe even solve problems in one spot. > > Imagine if everything went into the same system; thereby suggesting > that all attacks would be similar (i.e. all attacks against the soap > parsers of various apps, or something). If it all goes in one hole, > you can fix it once with your IDS, or whatever acronym you have > installed. > > You seem to be saying that any given app i want to write, and have > publically accessible, I should write to accept connections on another > port, or find another channel to operate on (maybe through a website > app dll calls, or something). > > But then, if we do that, we have to re-write everything each time. > Doesn't make alot of sense ... You do realize you just described the Internet, right? Gadi. > > > > Regards, John > > > -- mic > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > From dave.wichers at aspectsecurity.com Wed Aug 16 15:19:39 2006 From: dave.wichers at aspectsecurity.com (Dave Wichers) Date: Wed, 16 Aug 2006 15:19:39 -0400 Subject: [SC-L] Registration Now Open!: 3rd Annual US OWASP AppSec Conference - Oct 16-18 2006 - Seattle, WA Message-ID: Registration for the 3rd Annual US OWASP Conference is now open. It is available at: http://guest.cvent.com/i.aspx?4W,M3,57a181da-f20b-40fb-80ef-472a647bce7b OWASP is switching to the use of Cvent to help manage the conference registration process. Hopefully this will make it easier and a better experience for everyone. Feedback on this switch is appreciated. For the moment, we are providing all the conference information on both the OWASP portal and Cvent at: http://www.owasp.org/index.php/OWASP_AppSec_Seattle_2006 and http://guest.cvent.com/i.aspx?5S,M3,57a181da-f20b-40fb-80ef-472a647bce7b Registration is only available at the Cvent link above. Please register early. The most important thing is that the conference hotel prices and availability are only locked in until Sept. 22. After that, the prices may revert to the conference hotel's normal prices or worse, the rooms may simply not be available, so please register for the conference and hotel as soon as possible. For those flying in, you may be better off without a car as the conference, the hotels, and the dinner are all within walking distance of each other and it costs $20+ / night to park your car many places. Thanks, Dave Dave Wichers OWASP Conferences Chair -----Original Message----- From: Dave Wichers [mailto:dave.wichers at aspectsecurity.com] Sent: Wednesday, July 26, 2006 2:57 PM To: 'SC-L at securecoding.org'; 'webappsec at securityfocus.com' Subject: ANNOUNCING: 3rd Annual US OWASP AppSec Conference - Oct 16-18 2006 - Seattle, WA Dear Colleague, OWASP is proud to announce its third annual U.S. Application Security Conference. This year's conference will be held October 16-18 at the Bell Harbor International Conference Center right on the waterfront in downtown Seattle, WA. Please reserve these dates!! The first two conferences were on the East coast so we felt it was the West coast's turn. This facility looks to be the nicest facility we have had the opportunity to use yet. This conference will include: - Training (On Oct 16): various 1-day application security courses are being offered the day prior to the conference - Main Conference (Oct 17-18) This year's conference will include presentations and also some panels to help encourage discussion amongst the attendees - Evening Social Event (Oct 17) - We are planning a social event as we do each conference which facilitates the attendees ability to mingle and get to know each other better. Current details on the conference are available on the OWASP website at http://www.owasp.org/index.php/OWASP_AppSec_Seattle_2006 This year's conference will be kicked off with a keynote by Michael Howard from Microsoft on "The Benefits of the SDL initiative to Microsoft and its Customers". Mike is a top member of Microsoft's security team and a coauthor of several application security books including Writing Secure Code, 2nd Ed., and 19 Deadly Sins of Software Security. He will be talking about the Microsoft Security Development Lifecycle (SDL) and the benefits Microsoft has gained by developing and adopting it. OWASP's AppSec conferences are dedicated to real-world application security issues and solutions. You'll learn many aspects of application security, including people, process, and technology perspectives. You'll hear presentations on topics like: - Web Services Security - Securing AJAX Applications - The Microsoft Secure Development Lifecycle - The benefits of various new and enhanced OWASP projects, like: - OWASP Software Assurance Metrics - OWASP Code Review Standards - OWASP Java Project - OWASP .Net Project The two panels are going to be on: - Lessons learned from Major Application Security Initiatives - What is in your application security toolbox? The current agenda is available at: http://www.owasp.org/index.php/OWASP_AppSec_Seattle_2006/Agenda REGISTRATION DETAILS: As a non-profit charitable organization, OWASP has been able to keep the cost to $400 per seat if you are able to register prior to Sept. 18, 2006. The cost to OWASP Members is only $350 prior to Sept. 18th. PLEASE NOTE THAT ALL TICKETS WILL BE NON REFUNDABLE TO REDUCE ADMINISTRATION COSTS TRAINING COURSES (October 16): These classes will be held at the Bell Harbor International Conference Center. Each class is $675 for conference attendees (and includes lunch). Registration for the courses will be available via the conference registration page. - FOUNDATIONS OF APPLICATION SECURITY - WEB SERVICES AND XML SECURITY - ADVANCED .NET SECURITY More details on these training courses are available at: http://www.owasp.org/index.php/AppSec_Seattle_2006/Training EVENING SOCIAL EVENT - Oct 17: An optional dinner event has been planned for Anthony's Pier 66. See the site for more details. This event involves a dinner from 7-9 PM, followed by drinks at local watering holes. We hope to see all of you there as this is a great chance to mingle and meet many members of the OWASP community. ACCOMMODATIONS: Information about local accommodations, including reduced rate rooms will be available at: http://www.owasp.org/index.php/OWASP_AppSec_Seattle_2006#Accommodations If you know others that would be interested in attending the 3rd annual US OWASP conference, please forward them this email and let them know about this opportunity. Please contact me with any questions. Looking forward to seeing you all there! Thanks, Dave Dave Wichers, OWASP Conferences Chair The OWASP Foundation http://www.owasp.org From ken at krvw.com Wed Aug 16 15:43:59 2006 From: ken at krvw.com (Kenneth Van Wyk) Date: Wed, 16 Aug 2006 15:43:59 -0400 Subject: [SC-L] Dr. Dobb's | Whitebox Security Testing Using Code Scanning | August 14, 2006 Message-ID: <2FDD1147-2719-43B1-ABA6-D01A29AF6CDF@krvw.com> FYI, here's an interesting article from Dr. Dobb's Journal regarding the use of static analysis tools for scanning for coding bugs: http://www.ddj.com/dept/security/191901556 Cheers, Ken ----- Kenneth R. Van Wyk KRvW Associates, LLC http://www.KRvW.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20060816/33cda057/attachment.html From rcs at cert.org Thu Aug 17 10:04:21 2006 From: rcs at cert.org (Robert C. Seacord) Date: Thu, 17 Aug 2006 10:04:21 -0400 Subject: [SC-L] secure integer library In-Reply-To: References: Message-ID: <44E47765.5020302@cert.org> The CERT/CC has released a beta version of a secure integer library for the C Programming Language. The library is available for download from the CERT/CC Secure Coding Initiative web page at: http://www.cert.org/secure-coding/ The purpose of this library is to provide a collection of utility functions that can assist software developers in writing C programs that are free from common integer problems such as integer overflow, integer truncation, and sign errors that are a common source of software vulnerabilities. Functions have been provided for all integer operations subject to overflow such as addition, subtraction, multiplication, division, unary negation, etc.) for int, long, long long, and size_t integers. The following example illustrates how the library can be used to add two signed long integer values: long retsl, xsl, ysl; xsl = LONG_MAX; ysl = 0; retsl = addsl(xsl,ysl); For short integer types (char and short) it is necessary to truncate the result of the addition using one of the safe conversion functions provided, for example: char retsc, xsc, ysc; xsc = SCHAR_MAX; ysc = 0; retsc = si2sc(addsi(xsc, ysc)); For error handling, the secure integer library uses the mechanism for Runtime-constraint handling defined by TR 24731 "Specification for Safer, More Secure C Library Functions" available at: http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1135.pdf The implementation uses the high performance algorithms defined by Henry S. Warren in the book "Hacker's Delight". For more information on vulnerabilities and other problems resulting from the incorrect use of integers in C and C++ please read Chapter 5 of "Secure Coding in C and C++" which is available as a free download from the CERT web site: http://www.cert.org/books/secure-coding/moreinfo.html Please address any defect reports, comments and suggestions concerning the Secure Integer Library or CERT Secure Coding Initiative to me. Thanks to Henry and to Juan Alvarado who coded the implementation. Thanks, rCs -- Robert C. Seacord Senior Vulnerability Analyst CERT/CC Work: 412-268-7608 FAX: 412-268-6989 From pmeunier at cerias.purdue.edu Thu Aug 17 11:43:09 2006 From: pmeunier at cerias.purdue.edu (Pascal Meunier) Date: Thu, 17 Aug 2006 11:43:09 -0400 Subject: [SC-L] secure integer library In-Reply-To: <44E47765.5020302@cert.org> Message-ID: Nice. I'll mention it in my secure programming class this semester. I'd be interested in any exercises/labs based on it, appropriate for undergrads. Cheers, Pascal On 8/17/06 10:04 AM, "Robert C. Seacord" wrote: > > The CERT/CC has released a beta version of a secure integer library for > the C Programming Language. The library is available for download from > the CERT/CC Secure Coding Initiative web page at: > http://www.cert.org/secure-coding/ > > The purpose of this library is to provide a collection of utility > functions that can assist software developers in writing C programs that > are free from common integer problems such as integer overflow, integer > truncation, and sign errors that are a common source of software > vulnerabilities. > > Functions have been provided for all integer operations subject to > overflow such as addition, subtraction, multiplication, division, unary > negation, etc.) for int, long, long long, and size_t integers. The > following example illustrates how the library can be used to add two > signed long integer values: > > long retsl, xsl, ysl; > xsl = LONG_MAX; > ysl = 0; > retsl = addsl(xsl,ysl); > > For short integer types (char and short) it is necessary to truncate the > result of the addition using one of the safe conversion functions > provided, for example: > > char retsc, xsc, ysc; > xsc = SCHAR_MAX; > ysc = 0; > retsc = si2sc(addsi(xsc, ysc)); > > For error handling, the secure integer library uses the mechanism for > Runtime-constraint handling defined by TR 24731 "Specification for > Safer, More Secure C Library Functions" available at: > http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1135.pdf > > The implementation uses the high performance algorithms defined by Henry > S. Warren in the book "Hacker's Delight". > > For more information on vulnerabilities and other problems resulting > from the incorrect use of integers in C and C++ please read Chapter 5 of > "Secure Coding in C and C++" which is available as a free download from > the CERT web site: > > http://www.cert.org/books/secure-coding/moreinfo.html > > Please address any defect reports, comments and suggestions concerning > the Secure Integer Library or CERT Secure Coding Initiative to me. > Thanks to Henry and to Juan Alvarado who coded the implementation. > > Thanks, > rCs > From rcs at cert.org Thu Aug 17 13:09:18 2006 From: rcs at cert.org (Robert C. Seacord) Date: Thu, 17 Aug 2006 13:09:18 -0400 Subject: [SC-L] secure integer library In-Reply-To: References: Message-ID: <44E4A2BE.6010601@cert.org> Pascal, > Nice. I'll mention it in my secure programming class this semester. I'd be > interested in any exercises/labs based on it, appropriate for undergrads. ok. i'll be teaching an undergraduate elective on secure coding at CMU in the spring so i'll probably need to get to work on that soon. 8^) rCs -- Robert C. Seacord Senior Vulnerability Analyst CERT/CC Work: 412-268-7608 FAX: 412-268-6989 From Kevin.Wall at qwest.com Mon Aug 28 00:51:47 2006 From: Kevin.Wall at qwest.com (Wall, Kevin) Date: Sun, 27 Aug 2006 23:51:47 -0500 Subject: [SC-L] How can we stop the spreading insecure coding examples at training classes, etc.? Message-ID: First a bit of background and a confession. The background: I recently attended a local 4 hr Microsoft training seminar called "Get Connected with the .NET Framework 2.0 and Visual Studio(c) 2005". However, I want to clarify that this example is NOT just a Microsoft issue. It's an industry-wide issue; only the examples I give are from this most recent Microsoft training seminar. (Actually, calling it "training" is probably a stretch; it was more like and advertisement for .NET Framework 3.0 (a.k.a., "Atlas") and a forthcoming version of Visual Studio, but that's another gripe. ;-) The confession: 90% of the examples presented at this training was in Visual Basic and about 10% was C#. I personally think that VB is horrid as a programming language (for the most part, I concur with Dijkstra about anything BASIC-like; see .sig, below), and so may be causing some bias with my observations. Anyway, back to the main point. At this training seminar, the demo code that they showed (which mostly was about Atlas features, not about .NET Framework 2.0 features) had very little in the way of proper security checks. This was most notable in the almost complete absence of authorization checks and proper data validation checks. Also, most of these quotations below are actually paraphrases (including my own!), but nevertheless, I believe they are fairly accurate and hopefully non-biased. At one point, the speaker asked "what's wrong with this code fragment" (a demo to upload a file). I said "there's no proper data validation, so one can use a series of '..\' in the file name and use it to do directory traversal attacks and overwrite whatever file the user id running the web server has permissions to write to." (Of course, that was the "wrong" answer. Their "proper" answer was that W3C had instituted a max size of 4MB or so on files that could be uploaded in this manner, but they had a mechanism to get around it.) At another point, while Atlas JavaScript gadgets was being demoed, someone asked if one could use XMLHttpRequest (XHR) to invoke _any_ URL. The speaker correctly answered "no; only back to the originating host:port from where the JavaScript was downloaded from". The questioner then remarked something like "oh, that's too bad". But instead of explaining why allowing cross-domain requests is inherently a BAD Thing, the speaker replied "oh, don't worry; we also provide you with some software [apparently a proxy of sorts -kww] that Microsoft wrote that you can put on your web server so your users can call out to any URL that they wish, so it's not limited to calling just pages on your own site." "Great, I thought. Why don't you also provide some mechanisms to automatically insert random XSS and SQL injection vulnerabilities into your code too." Sigh. Now understand, these are only a few recent examples presented at this training. Over the past few years, I've seen numerous other lame examples of demo code elsewhere, ranging from symmetric encryption examples using block ciphers (where it's implied that you should always just use ECB mode; in fact no other cipher modes are even mentioned!), to showing how to create a web service without even mentioning any mechanisms for authentication or authorization. (Actually, many typically don't even _recognize_ the NEED for such things.) Make no mistake in thinking that this poor practice is limited to Microsoft. At one point or another, we probably have all done something like this and then just casually mentioned "of course you need to do X, Y, and Z to make it secure". I understand the the pedagogical need that example code has to be kept simple. Usually much of the error code is completely omitted, not just security-related checks. But most developers have enough sense of the application-related errors to know they need to add the application-level error checking; not so for security-related checks--at least not for your average developer. Of course the big problem with any poor examples is that this is just the type of thing that developers who have little security experience will copy-and-paste into their PRODUCTION code, thus exposing the vulnerabilities. And nowadays, it's even made easier to copy-and-paste this insecure code by either making it available for download from the Internet or passing it out on a CD or DVD. Many of us have probably been guilty of that too, at least once in our lives. But we need to all recognize that there is no reason that the demo code that made available for downloading or on a CD needs to be the exact same code displayed during the training. (N.B.: I've not yet checked the DVD supplied by Microsoft, but the instructors said [paraphrase] we would find "the exact same code were are using in our examples on the DVD".) I think that this practice of leaving out the "security details" to just make the demo code short and sweet has got to stop. Or minimally, we have to make the code that people copy-and-paste from have all the proper security checks even if we don't cover them in training. If we're lucky, maybe they won't delete them when the re-use the code. I was so irate after this whole experience, I filled up the entire comments section of the evaluation form complaining about this and how it was a tragedy given that other parts of Microsoft seem to be working so hard to improve security. But my question is, is that enough? Should I (we) do more, like complaining to someone higher up in security--in this case, to someone at Microsoft, perhaps and advocate such as Michael Howard? And if so, to whom? And what, if anything, can we do collectively to try to prevent these types of insecure demos from making their way into the hands of large numbers of developers? Maybe we are not raising a big enough stink in this regard. Okay; thanks for allowing me to vent. I feel better now, a little... -kevin --- Kevin W. Wall Qwest Information Technology, Inc. Kevin.Wall at qwest.com Phone: 614.215.4788 "It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration" - Edsger Dijkstra, How do we tell truths that matter? http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html This communication is the property of Qwest and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments. From gem at cigital.com Mon Aug 28 15:04:23 2006 From: gem at cigital.com (Gary McGraw) Date: Mon, 28 Aug 2006 15:04:23 -0400 Subject: [SC-L] Silver Bullet #5: Ed Felten Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB742D35@va-mail.cigital.com> Hi all, The latest Silver Bullet Security Podcast features an interview I did with Ed Felten. It just went up today. You can download the podcast and subscribe to the RSS feed here: www.cigital.com/silverbullet In addition, IEEE Security & Privacy magazine has prepared a partial transcript of our conversation which can be found here: http://www.cigital.com/silverbullet/shows/silverbullet-005-efelten.pdf The transcript will be published in the November/December issue of the magazine. gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From neumann at csl.sri.com Mon Aug 28 17:28:08 2006 From: neumann at csl.sri.com (Peter G. Neumann) Date: Mon, 28 Aug 2006 14:28:08 PDT Subject: [SC-L] How can we stop the spreading insecure coding examples at training classes, etc.? In-Reply-To: Your message of Sun, 27 Aug 2006 23:51:47 -0500 Message-ID: > But my question is, is that enough? Of course not. It's nowhere near enough. Of course, there is NEVER "ENOUGH" in this business. But what you are suggesting is still very far from what might be thought of as enough under the circumstances. PGN From pmeunier at purdue.edu Mon Aug 28 16:40:45 2006 From: pmeunier at purdue.edu (pmeunier at purdue.edu) Date: Mon, 28 Aug 2006 16:40:45 -0400 Subject: [SC-L] How can we stop the spreading insecure coding examples at training classes, etc.? In-Reply-To: References: Message-ID: <1156797645.44f354cd4623f@webmail.purdue.edu> Quoting "Wall, Kevin" : (clip) > At another point, while Atlas JavaScript gadgets was being demoed, > someone asked if one could use XMLHttpRequest (XHR) to invoke > _any_ URL. The speaker correctly answered "no; only back to the > originating host:port from where the JavaScript was downloaded > from". The questioner then remarked something like "oh, that's too > bad". But instead of explaining why allowing cross-domain requests > is inherently a BAD Thing, the speaker replied "oh, don't worry; > we also provide you with some software [apparently a proxy of > sorts -kww] that Microsoft wrote that you can put on your web > server so your users can call out to any URL that they wish, > so it's not limited to calling just pages on your own site." > "Great, I thought. Why don't you also provide some mechanisms to > automatically insert random XSS and SQL injection vulnerabilities > into your code too." Sigh. > Kevin, Thanks, I almost fell out of my chair laughing. It reminds me of their "SOAP" idea to bypass those pesky firewalls. Apple also finds that security measure "unfortunate" without an explanation of the underlying security reasons: "Second, the domain of the URL request destination must be the same as the one that serves up the page containing the script. This means, unfortunately, that client-side scripts cannot fetch web service data from other sources..." (http://developer.apple.com/internet/webcontent/xmlhttpreq.html) But neverfear, tell your users who use Firefox to install the Greasemonkey extension, and hop, you can bypass this security nuisance (http://blog.monstuff.com/archives/000262.html -- though this entry points out it should be used only for development purposes and otherwise a bad idea). IE users just have to click OK in the "confirmation" dialog box that pops up. I hate JavaScript because it makes me feel so much at the mercy of web developers, who sometimes require it just to emulate an link or a submit button... Pascal From pmeunier at purdue.edu Tue Aug 29 15:48:17 2006 From: pmeunier at purdue.edu (pmeunier at purdue.edu) Date: Tue, 29 Aug 2006 15:48:17 -0400 Subject: [SC-L] How can we stop the spreading insecure coding examples at training classes, etc.? In-Reply-To: References: Message-ID: <1156880897.44f49a01620aa@webmail.purdue.edu> Quoting "Wall, Kevin" : > I think that this practice of leaving out the "security > details" to just make the demo code short and sweet has got > to stop. Or minimally, we have to make the code that people > copy-and-paste from have all the proper security checks even > if we don't cover them in training. If we're lucky, maybe > they won't delete them when the re-use the code. I agree, and would like to extend it: security should be discussed *at the same time* that a topic is. Teaching security in a separate class, like I have been doing, reaches only a fraction of the audience, and reinforces an attitude of security as an afterthought, or security as an option. Comments in the code should explain (or refer to explanations of) why changing or deleting those lines is a bad idea. However, I'm afraid that it would irritate students, and make security the new "grammar and spelling" for which points are deducted from "perfectly valid write-ups" (i.e., "it's my ideas that count, not how well I spell"). So, this idea may be more successful with professionals courses than with undergrads. As far as students go, if it's not on the test it might as well be a policy that isn't enforced, so it's not an option to try to teach it but to not grade based on it. Good luck also in trying to get all professors to update their classes and cover security correctly... Please share any answers or insights as to this dilemma. Thanks, Pascal From Ed.Reed at aesec.com Wed Aug 30 13:17:01 2006 From: Ed.Reed at aesec.com (Ed Reed (Aesec)) Date: Wed, 30 Aug 2006 13:17:01 -0400 Subject: [SC-L] e: How can we stop the spreading insecure coding examples at, training classes, etc.? In-Reply-To: References: Message-ID: <44F5C80D.4030804@aesec.com> > > Message: 1 > Date: Tue, 29 Aug 2006 15:48:17 -0400 > From: pmeunier at purdue.edu > Subject: Re: [SC-L] How can we stop the spreading insecure coding > examples at training classes, etc.? > To: "Wall, Kevin" > Cc: SC-L at securecoding.org > Message-ID: <1156880897.44f49a01620aa at webmail.purdue.edu> > Content-Type: text/plain; charset=ISO-8859-1 > > Quoting "Wall, Kevin" : > > > >> I think that this practice of leaving out the "security >> details" to just make the demo code short and sweet has got >> to stop. Or minimally, we have to make the code that people >> copy-and-paste from have all the proper security checks even >> if we don't cover them in training. If we're lucky, maybe >> they won't delete them when the re-use the code. >> > > I agree, and would like to extend it: security should be discussed *at the same > time* that a topic is. Teaching security in a separate class, like I have been > doing, reaches only a fraction of the audience, and reinforces an attitude of > security as an afterthought, or security as an option. Comments in the code > should explain (or refer to explanations of) why changing or deleting those > lines is a bad idea. > > However, I'm afraid that it would irritate students, and make security the new > "grammar and spelling" for which points are deducted from "perfectly valid > write-ups" (i.e., "it's my ideas that count, not how well I spell"). The same used to be said about unstructured programming examples (computed gotos, spaghetti code, multiple entry and exit points from functions, etc). We got past it. We need a similar revolution in thought with regard to security, and some one to take the lead on providing clear, crisp examples of coding style that is more secure by its nature. I don't have one handy - but that's my wish. Ed -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20060830/d6c25b2c/attachment.html From tholleb at teknowledge.com Wed Aug 30 13:23:26 2006 From: tholleb at teknowledge.com (Tim Hollebeek) Date: Wed, 30 Aug 2006 10:23:26 -0700 Subject: [SC-L] How can we stop the spreading insecure coding examples attraining classes, etc.? In-Reply-To: Message-ID: <200608301730.k7UHTxtE042126@ratsass.krvw.com> Really, the root of the problem is the fact that the simple version is short and easy to understand, and the secure version is five times longer and completely unreadable. While there always is some additional complexity inherent in a secure version, it is nowhere near as bad as current toolkits make it seem. Demo code generally demonstrates some fairly powerful capability; the reason it is often short and sweet is because lots of effort has gone into making it possible to do useful things with minimal effort. Unfortunately, it is often the case that much less effort has gone into making it possible to do the same thing securely, so that code is quite a bit longer. You're right, if there was more of a pushback against broken demo code, maybe more effort would go into making it easy to do things securely, instead of insecurely. I think part of the problem is that people have fallen into the trap of thinking that security is supposed to be hard and that checking all your errors is supposed to bloat your code by a factor of five, instead of wondering why library functions are designed in such a way that omitting complex logic around them fails in an insecure way. Secure code can be short and sweet, too, just not with most of the languages and tools that are currently popular. This is an old, old problem. strcpy is insecure, and any code involving strncpy or a length check will be longer and/or more complex. But this is really just an artifact of the fact that buffers don't know their own length, making an additional check necessary. There is no reason why the secure version couldn't have been just as short and sweet, it just wasn't done. Tim Hollebeek Research Scientist Teknowledge, Corp. From mshines at purdue.edu Wed Aug 30 14:07:14 2006 From: mshines at purdue.edu (Michael S Hines) Date: Wed, 30 Aug 2006 14:07:14 -0400 Subject: [SC-L] Coding with errors in mind - a solution? In-Reply-To: <44F5C80D.4030804@aesec.com> Message-ID: <200608301807.k7UI7SVD021973@mailhub128.itcs.purdue.edu> a simple structure that provides for errors would go a long way... If - then - else - on error Do - end - on error Let x = y - on error Let x = function() on error etc... The problem is writing code without thinking of the possible errors that might arise. This forces you to think about the consequences of executing a command... Where 'error' is doing something intelligent when the original command doesn't work... Just a brainstorm....... any merit to it? Mike Hines mshines at purdue.edu _____ From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of Ed Reed (Aesec) Sent: Wednesday, August 30, 2006 1:17 PM To: sc-l at securecoding.org Subject: [SC-L] e: How can we stop the spreading insecure coding examples at, training classes, etc.? Message: 1 Date: Tue, 29 Aug 2006 15:48:17 -0400 From: pmeunier at purdue.edu Subject: Re: [SC-L] How can we stop the spreading insecure coding examples at training classes, etc.? To: "Wall, Kevin" Cc: SC-L at securecoding.org Message-ID: <1156880897.44f49a01620aa at webmail.purdue.edu> Content-Type: text/plain; charset=ISO-8859-1 Quoting "Wall, Kevin" : I think that this practice of leaving out the "security details" to just make the demo code short and sweet has got to stop. Or minimally, we have to make the code that people copy-and-paste from have all the proper security checks even if we don't cover them in training. If we're lucky, maybe they won't delete them when the re-use the code. I agree, and would like to extend it: security should be discussed *at the same time* that a topic is. Teaching security in a separate class, like I have been doing, reaches only a fraction of the audience, and reinforces an attitude of security as an afterthought, or security as an option. Comments in the code should explain (or refer to explanations of) why changing or deleting those lines is a bad idea. However, I'm afraid that it would irritate students, and make security the new "grammar and spelling" for which points are deducted from "perfectly valid write-ups" (i.e., "it's my ideas that count, not how well I spell"). The same used to be said about unstructured programming examples (computed gotos, spaghetti code, multiple entry and exit points from functions, etc). We got past it. We need a similar revolution in thought with regard to security, and some one to take the lead on providing clear, crisp examples of coding style that is more secure by its nature. I don't have one handy - but that's my wish. Ed -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20060830/b391a6f1/attachment.html From band at acm.org Wed Aug 30 15:04:32 2006 From: band at acm.org (William L. Anderson) Date: Wed, 30 Aug 2006 14:04:32 -0500 Subject: [SC-L] Coding with errors in mind - a solution? In-Reply-To: <200608301807.k7UI7SVD021973@mailhub128.itcs.purdue.edu> References: <200608301807.k7UI7SVD021973@mailhub128.itcs.purdue.edu> Message-ID: <44F5E140.9000008@acm.org> Michael, this is an interesting note. Years ago I had to write a Fortran program as part of a job interview. The program problem was quite simple, and I wrote one that checked for as many errors as I could think of. My interviewer wanted to know what took me so long. I didn't get an offer. My 2 cents is that people are not really willing to pay for software with the kinds of qualities that we talk about in this list (which is about more than security). Bill Anderson Michael S Hines wrote: > > a simple structure that provides for errors would go a long way... > > If - then - else - on error > Do - end - on error > Let x = y - on error > Let x = function() on error > etc... > > The problem is writing code without thinking of the possible errors that > might arise. This forces you to think about the consequences of > executing a command... > > Where 'error' is doing something intelligent when the original command > doesn't work... > > Just a brainstorm....... any merit to it? > > Mike Hines > mshines at purdue.edu > > *From:* sc-l-bounces at securecoding.org > [mailto:sc-l-bounces at securecoding.org] *On Behalf Of *Ed Reed (Aesec) > *Sent:* Wednesday, August 30, 2006 1:17 PM > *To:* sc-l at securecoding.org > *Subject:* [SC-L] e: How can we stop the spreading insecure coding > examples at, training classes, etc.? > >> Message: 1 >> Date: Tue, 29 Aug 2006 15:48:17 -0400 >> From: pmeunier at purdue.edu >> Subject: Re: [SC-L] How can we stop the spreading insecure coding >> examples at training classes, etc.? >> To: "Wall, Kevin" >> Cc: SC-L at securecoding.org >> Message-ID: <1156880897.44f49a01620aa at webmail.purdue.edu> >> Content-Type: text/plain; charset=ISO-8859-1 >> >> Quoting "Wall, Kevin" : >> >> >> >>> I think that this practice of leaving out the "security >>> details" to just make the demo code short and sweet has got >>> to stop. Or minimally, we have to make the code that people >>> copy-and-paste from have all the proper security checks even >>> if we don't cover them in training. If we're lucky, maybe >>> they won't delete them when the re-use the code. >>> >> I agree, and would like to extend it: security should be discussed *at the same >> time* that a topic is. Teaching security in a separate class, like I have been >> doing, reaches only a fraction of the audience, and reinforces an attitude of >> security as an afterthought, or security as an option. Comments in the code >> should explain (or refer to explanations of) why changing or deleting those >> lines is a bad idea. >> >> However, I'm afraid that it would irritate students, and make security the new >> "grammar and spelling" for which points are deducted from "perfectly valid >> write-ups" (i.e., "it's my ideas that count, not how well I spell"). > The same used to be said about unstructured programming examples > (computed gotos, spaghetti code, multiple entry and exit points from > functions, etc). We got past it. > > We need a similar revolution in thought with regard to security, and > some one to take the lead on providing clear, crisp examples of coding > style that is more secure by its nature. I don't have one handy - but > that's my wish. > > Ed > > > ------------------------------------------------------------------------ > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php From tholleb at teknowledge.com Wed Aug 30 15:46:08 2006 From: tholleb at teknowledge.com (Tim Hollebeek) Date: Wed, 30 Aug 2006 12:46:08 -0700 Subject: [SC-L] Coding with errors in mind - a solution? In-Reply-To: <200608301807.k7UI7SVD021973@mailhub128.itcs.purdue.edu> Message-ID: <200608301952.k7UJq4cM047048@ratsass.krvw.com> What you've proposed are exceptions. They do help (some) in separating the normal logic from error handling, but: (1) they often leave the job "half done" which has its own risks. writing exception safe code can be more of a nightmare than error checking. (2) in many languages, you can't retry or resume the faulting code. Exceptions are really far less useful in this case. (3) you usually end up with some "generic" clean up code, which generally hides more errors than it solves. Tim Hollebeek Research Scientist Teknowledge, Corp. > -----Original Message----- > From: sc-l-bounces at securecoding.org > [mailto:sc-l-bounces at securecoding.org] On Behalf Of Michael S Hines > Sent: Wednesday, August 30, 2006 11:07 AM > To: sc-l at securecoding.org > Subject: [SC-L] Coding with errors in mind - a solution? > > a simple structure that provides for errors would go a long way... > > If - then - else - on error > Do - end - on error > Let x = y - on error > Let x = function() on error > etc... > > The problem is writing code without thinking of the possible > errors that might arise. This forces you to think about the > consequences of executing a command... > > Where 'error' is doing something intelligent when the > original command doesn't work... > > Just a brainstorm....... any merit to it? > > Mike Hines > mshines at purdue.edu > > ________________________________ > > From: sc-l-bounces at securecoding.org > [mailto:sc-l-bounces at securecoding.org] On Behalf Of Ed Reed (Aesec) > Sent: Wednesday, August 30, 2006 1:17 PM > To: sc-l at securecoding.org > Subject: [SC-L] e: How can we stop the spreading insecure > coding examples at, training classes, etc.? > > > > Message: 1 > Date: Tue, 29 Aug 2006 15:48:17 -0400 > From: pmeunier at purdue.edu > Subject: Re: [SC-L] How can we stop the spreading > insecure coding > examples at training classes, etc.? > To: "Wall, Kevin" > > Cc: SC-L at securecoding.org > Message-ID: > <1156880897.44f49a01620aa at webmail.purdue.edu> > > Content-Type: text/plain; charset=ISO-8859-1 > > Quoting "Wall, Kevin" > : > > > > > I think that this practice of leaving out the "security > details" to just make the demo code short and > sweet has got > to stop. Or minimally, we have to make the code > that people > copy-and-paste from have all the proper > security checks even > if we don't cover them in training. If we're > lucky, maybe > they won't delete them when the re-use the code. > > > > I agree, and would like to extend it: security should > be discussed *at the same > time* that a topic is. Teaching security in a separate > class, like I have been > doing, reaches only a fraction of the audience, and > reinforces an attitude of > security as an afterthought, or security as an option. > Comments in the code > should explain (or refer to explanations of) why > changing or deleting those > lines is a bad idea. > > However, I'm afraid that it would irritate students, > and make security the new > "grammar and spelling" for which points are deducted > from "perfectly valid > write-ups" (i.e., "it's my ideas that count, not how > well I spell"). > > The same used to be said about unstructured programming > examples (computed gotos, spaghetti code, multiple entry and > exit points from functions, etc). We got past it. > > We need a similar revolution in thought with regard to > security, and some one to take the lead on providing clear, > crisp examples of coding style that is more secure by its > nature. I don't have one handy - but that's my wish. > > Ed > > From pmeunier at cerias.purdue.edu Wed Aug 30 16:46:34 2006 From: pmeunier at cerias.purdue.edu (Pascal Meunier) Date: Wed, 30 Aug 2006 16:46:34 -0400 Subject: [SC-L] Coding with errors in mind - a solution? In-Reply-To: <200608301807.k7UI7SVD021973@mailhub128.itcs.purdue.edu> Message-ID: Worse is when it works in unintended ways without producing an error. The code has to detect whenever something doesn't match a white list of expected program states and inputs. I think that in example code, the detection is more important than the subsequent handling because the handling will vary depending on the exact application requirements and framework. The detection is where contracts and correctness are verified, and I'd like to leave the handling of violations to some "law enforcement" module, so to speak. Perhaps a "good enough" approach for teaching would be to raise an exception (or use assert statements for languages that don't have exceptions) whenever a problem is detected, and leave it at that. This way, the handling of the exception (logging, UI, aftermath, etc...) doesn't bloat the code and distract from the main subject, yet all unsafe conditions and errors would be highlighted and caught. It's not revolutionary, but it's better than what we have now. Would it be good enough? I can picture people deleting those assert statements that just make their programs crash ;) Pascal Meunier On 8/30/06 2:07 PM, "Michael S Hines" wrote: > a simple structure that provides for errors would go a long way... > > If - then - else - on error > Do - end - on error > Let x = y - on error > Let x = function() on error > etc... > > The problem is writing code without thinking of the possible errors that > might arise. This forces you to think about the consequences of executing > a command... > > Where 'error' is doing something intelligent when the original command > doesn't work... > > Just a brainstorm....... any merit to it? > > Mike Hines > mshines at purdue.edu > > _____ > > From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] > On Behalf Of Ed Reed (Aesec) > Sent: Wednesday, August 30, 2006 1:17 PM > To: sc-l at securecoding.org > Subject: [SC-L] e: How can we stop the spreading insecure coding examples > at, training classes, etc.? > > > > Message: 1 > > Date: Tue, 29 Aug 2006 15:48:17 -0400 > > From: pmeunier at purdue.edu > > Subject: Re: [SC-L] How can we stop the spreading insecure coding > > examples at training classes, etc.? > > To: "Wall, Kevin" > > Cc: SC-L at securecoding.org > > Message-ID: > <1156880897.44f49a01620aa at webmail.purdue.edu> > > Content-Type: text/plain; charset=ISO-8859-1 > > > > Quoting "Wall, Kevin" : > > > > > > > > I think that this practice of leaving out the "security > > details" to just make the demo code short and sweet has got > > to stop. Or minimally, we have to make the code that people > > copy-and-paste from have all the proper security checks even > > if we don't cover them in training. If we're lucky, maybe > > they won't delete them when the re-use the code. > > > > > > I agree, and would like to extend it: security should be discussed *at the > same > > time* that a topic is. Teaching security in a separate class, like I have > been > > doing, reaches only a fraction of the audience, and reinforces an attitude > of > > security as an afterthought, or security as an option. Comments in the code > > should explain (or refer to explanations of) why changing or deleting those > > lines is a bad idea. > > > > However, I'm afraid that it would irritate students, and make security the > new > > "grammar and spelling" for which points are deducted from "perfectly valid > > write-ups" (i.e., "it's my ideas that count, not how well I spell"). > > The same used to be said about unstructured programming examples (computed > gotos, spaghetti code, multiple entry and exit points from functions, etc). > We got past it. > > We need a similar revolution in thought with regard to security, and some > one to take the lead on providing clear, crisp examples of coding style that > is more secure by its nature. I don't have one handy - but that's my wish. > > Ed > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php From secureCoding2dave at davearonson.com Wed Aug 30 17:52:37 2006 From: secureCoding2dave at davearonson.com (Dave Aronson) Date: Wed, 30 Aug 2006 17:52:37 -0400 Subject: [SC-L] Coding with errors in mind - a solution? In-Reply-To: <44F5E140.9000008@acm.org> References: <200608301807.k7UI7SVD021973@mailhub128.itcs.purdue.edu> <44F5E140.9000008@acm.org> Message-ID: <44F608A5.5020801@davearonson.com> William L. Anderson wrote: > Years ago I had to write a Fortran > program as part of a job interview. The program problem was quite > simple, and I wrote one that checked for as many errors as I could think > of. My interviewer wanted to know what took me so long. I didn't get an > offer. Years ago (probably not as many), I had to write a C program for a job interview. I also had it test for practically every error I could think of, mainly input format errors. I did get the offer, but I was told that the company placed such a premium on performance (it was telephony stuff) that I should not be quite so thorough on the errorchecking. Silly me, I had thought that they would also value reliability.... > My 2 cents is that people are not really willing to pay for software > with the kinds of qualities that we talk about in this list (which is > about more than security). Well, *most* people anyway. The avionics, medical, and suchlike fields are quite another story. > Bill Anderson Is this perchance the Bill Anderson who was my "great grandboss" until he left BAE for Cryptek? -- Dave Aronson http://www.davearonson.com/ "Specialization is for insects." -Heinlein From Kevin.Wall at qwest.com Thu Aug 31 00:56:13 2006 From: Kevin.Wall at qwest.com (Wall, Kevin) Date: Wed, 30 Aug 2006 23:56:13 -0500 Subject: [SC-L] How can we stop the spreading insecure coding examplesattraining classes, etc.? Message-ID: Tim Hollebeek writes... > Really, the root of the problem is the fact that the simple version > is short and easy to understand, and the secure version is five > times longer and completely unreadable. While there always is some > additional complexity inherent in a secure version, it is nowhere > near as bad as current toolkits make it seem. I would say that secure versions that are *not* well thought out (particularly where security wasn't part of the original design) may tend to be FIVE times longer, but I don't think that's the typical case with code that is well designed. These security checks can be be modularized and reused like most other code. However, it may very well be that it is five times more difficult to develop the examples in the first place though, and THAT'S probably a major reason that we don't see it more often in example code. > Demo code generally demonstrates some fairly powerful capability; > the reason it is often short and sweet is because lots of effort > has gone into making it possible to do useful things with minimal > effort. Unfortunately, it is often the case that much less effort > has gone into making it possible to do the same thing securely, so > that code is quite a bit longer. You're right, if there was more > of a pushback against broken demo code, maybe more effort would go > into making it easy to do things securely, instead of insecurely. Well, I'm going to start pushing back when I can. Tomorrow I get the chance to bend the ear of some security folks from the Live.com site. I'm definitely going to be letting them know of my dissatisfaction wrt recent MS Atlas training and asking what I can do about it (other than completing the training evaluation). Every little bit helps. As Ed Reed pointed out, as an industry we did manage to get rid of computed gotos, spaghetti code, etc., so maybe there's hope. (But the pessimist in me says that it's probably easier to get people to _stop_ doing some poor practice than to start doing some good practice. I hope I'm wrong there.)-: For the moment, perhaps all we can do is try to publically shame them and bring about peer presure that way. I dunno. I think it's primarilly a people problem rather than simply a technological one, which is why it's so hard to solve. So while doing things like showing people secure coding idioms and secure design patterns (ala Marcus Schumacher) will only have minor impact until there is some major attitude change with both developers and upper management. > I think part of the problem is that people have fallen into the > trap of thinking that security is supposed to be hard and that > checking all your errors is supposed to bloat your code by a factor > of five, instead of wondering why library functions are designed > in such a way that omitting complex logic around them fails in an > insecure way. Secure code can be short and sweet, too, just not > with most of the languages and tools that are currently popular. That's definitely a large part of it. Historically, most libraries haven't taken much of a security slant unless they've been crypto related. Most often, they first become well entrenched, and *then* there's an outpour of security vulnerabilites discovered as the library usage builds up a critical mass of usage. E.g., libc was this way. It wasn't until the Morris Internet worm in 1988 that people really started paying much attention to libc security issues. By that time libc was pretty much everywhere and what's worse, there wasn't really any viable alternative unless you wanted to roll your own. (That was long before GNU was prevalent.) And yes, buffer overflows were known very early, before Unix/C were widespread. But it was a different world then. > This is an old, old problem. strcpy is insecure, and any code > involving strncpy or a length check will be longer and/or more > complex. But this is really just an artifact of the fact that > buffers don't know their own length, making an additional check > necessary. There is no reason why the secure version couldn't > have been just as short and sweet, it just wasn't done. Or when strcpy() and its ilk were originally written, no one was concerned about buffer overflows...they were more concerned with program speed and size. The world changes. IMO, if you are still writing in a unsafe language like C or C++ when you don't really have to and are only using it because that's ALL YOU KNOW, then someone should take away your keyboard. Obviously there are legitimate reasons for using C/C++ and other "pointy" languages, but those reasons are holding less and less water every day. In the security class I've taught for the past 4.5 yrs or so, one of the things I tell my students is, "if you have a choice, select a 'safe' language like Java or C# where you don't need to worry about buffer overflows or heap corruption. Not only is it safer, but it is also likely to improve your productivity." But at this point, I'd be (somewhat) okay with those showing example code while instructing to show it WITHOUT proper the security checks AS LONG AS: 1) They mention that these checks have been omitted to make the example code simpler to follow in the alotted time and emphasize that if you even think about using any of these examples in production code without those security checks then not only are you a fool, but you should have your fingers amputated so you can no longer code again. 2) The distributed code (whether from a web/ftp site or on a CD/DVD) has ALL the proper security codes checks in place and also a comment warning not to remove them. (Gee, could we come up with a version of something like GPL that would prohibit removing certain code fragments? Any lawyers out there?) For code that is likely to be used within IDEs, perhaps "hints" could be given in the code to the IDE that allow the code (but not the warning comment) to be hidden via collapsing, etc. For live instruction, I think that this is a reasonable compromise. For the most part, that leaves the issue of printed matter. Arguably there's merit to both side's argument. There, I would propose that the security checks are left in UNLESS the example is long and there is demo code WITH the ALL security checks on an accompanying CD/DVD at the back of the book...the assumption being is that most will copy the code from the CD rather than typing it in or scanning it and then using OCR to convert it to text. There no doubt would be exceptions to that, but I think if everyone practiced this, then it would at least get us a lot farther along than we are now. Also, perhaps we, as a group could start posting what we consider to be GOOD (security-worthy) examples and contrasting that with POOR (insecure) examples. I'm not sure where we'd put them. We'd need a repository and some way to reasonably search through them. -kevin --- Kevin W. Wall Qwest Information Technology, Inc. Kevin.Wall at qwest.com Phone: 614.215.4788 "The reason you have people breaking into your software all over the place is because your software sucks..." -- Former whitehouse cybersecurity advisor, Richard Clarke, at eWeek Security Summit This communication is the property of Qwest and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments. From peter.amey at praxis-his.com Thu Aug 31 03:19:00 2006 From: peter.amey at praxis-his.com (Peter Amey) Date: Thu, 31 Aug 2006 08:19:00 +0100 Subject: [SC-L] How can we stop the spreading insecure coding examplesattraining classes, etc.? Message-ID: <4BF0455B353E524FBEA15C3A490F7DFE433DEC@EVS01.praxis.local> > -----Original Message----- > From: sc-l-bounces at securecoding.org > [mailto:sc-l-bounces at securecoding.org] On Behalf Of Tim Hollebeek > Sent: 30 August 2006 18:23 > To: 'Wall, Kevin'; SC-L at securecoding.org > Subject: Re: [SC-L] How can we stop the spreading insecure > coding examplesattraining classes, etc.? > > > Really, the root of the problem is the fact that the simple > version is short and easy to understand, and the secure > version is five times longer and completely unreadable. > While there always is some additional complexity inherent in > a secure version, it is nowhere near as bad as current > toolkits make it seem. > No, the root cause of the problem is the use of inadequate notations so that we have to make secure versions 5 times as long in order to overcome those inadequacies. From my experience a typical secure SPARK implementation (which we have proved to be free from buffer overflow, numeric range violation etc.) is no longer or more complex than its simple version. Peter ********************************************************************** This email is confidential and intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient, be advised that you have received this email in error and that any use, disclosure, copying or distribution or any action taken or omitted to be taken in reliance on it is strictly prohibited. If you have received this email in error please contact the sender. Any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Praxis High Integrity Systems Ltd (Praxis HIS). Although this email and any attachments are believed to be free of any virus or other defect, no responsibility is accepted by Praxis HIS or any of its associated companies for any loss or damage arising in any way from the receipt or use thereof. The IT Department at Praxis HIS can be contacted at it.support at praxis-his.com ********************************************************************** From gem at cigital.com Thu Aug 31 08:29:56 2006 From: gem at cigital.com (Gary McGraw) Date: Thu, 31 Aug 2006 08:29:56 -0400 Subject: [SC-L] How can we stop the spreading insecure codingexamplesattraining classes, etc.? Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB742E0A@va-mail.cigital.com> >as an industry we did manage to get >rid of computed gotos, spaghetti code, etc., so maybe there's >hope. ever heard of exceptions? They're basically goto plus limited state. Spaghetti lives! gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From gem at cigital.com Thu Aug 31 11:46:07 2006 From: gem at cigital.com (Gary McGraw) Date: Thu, 31 Aug 2006 11:46:07 -0400 Subject: [SC-L] How can we stop the spreading insecure codingexamplesattraining classes, etc.? Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB742E2D@va-mail.cigital.com> SYNTAX ERROR ON LINE 0: > I take exception (haha!) at having them dismissed like this. It sounds like KEYWORD "(haha!)" ILLEGALLY NEGATED PLEASE RESUBMIT ARTICLE gem ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From pmeunier at cerias.net Thu Aug 31 11:39:16 2006 From: pmeunier at cerias.net (Pascal Meunier) Date: Thu, 31 Aug 2006 11:39:16 -0400 Subject: [SC-L] How can we stop the spreading insecure codingexamplesattraining classes, etc.? In-Reply-To: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB742E0A@va-mail.cigital.com> Message-ID: I take exception (haha!) at having them dismissed like this. It sounds like you encountered some badly written exception handling code. Error handling can also be really bad, where at every call layer the original error gets filtered or translated to a point where you just know something went wrong somewhere but have little idea what. Then you have to trace (yuck) and waste hours trying to identify the problem. I'll take limited state over no state any day (Ruby even tells you which line numbers of which files were involved). Pascal On 8/31/06 8:29 AM, "Gary McGraw" wrote: >> as an industry we did manage to get >> rid of computed gotos, spaghetti code, etc., so maybe there's >> hope. > > ever heard of exceptions? They're basically goto plus limited state. > Spaghetti lives! > > gem > > company www.cigital.com > podcast www.cigital.com/silverbullet > book www.swsec.com > > > > > ---------------------------------------------------------------------------- > This electronic message transmission contains information that may be > confidential or privileged. The information contained herein is intended > solely for the recipient and use by any other party is not authorized. If > you are not the intended recipient (or otherwise authorized to receive this > message by the intended recipient), any disclosure, copying, distribution or > use of the contents of the information is prohibited. If you have received > this electronic message transmission in error, please contact the sender by > reply email and delete all copies of this message. Cigital, Inc. accepts no > responsibility for any loss or damage resulting directly or indirectly from > the use of this email or its contents. > Thank You. > ---------------------------------------------------------------------------- > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > From gem at cigital.com Thu Aug 31 13:10:31 2006 From: gem at cigital.com (Gary McGraw) Date: Thu, 31 Aug 2006 13:10:31 -0400 Subject: [SC-L] (free) Software Security seminar next week in silicon valley Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB4214AF@va-mail.cigital.com> Hi all, I'm going to be giving a free seminar about software security along with Greg Rose from Qualcomm in Menlo Park on Thursday. More about the seminar here: http://www.cigital.com/news/cigital_seminar.pdf If you are in the area and you would like to attend, please drop me a quick note. gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From rcs at cert.org Thu Aug 31 10:49:49 2006 From: rcs at cert.org (Robert C. Seacord) Date: Thu, 31 Aug 2006 10:49:49 -0400 Subject: [SC-L] CERT C Programming Language Secure Coding Standard In-Reply-To: References: Message-ID: <44F6F70D.6080509@cert.org> I would like to suggest an approach to solving Kevin's problem of "How can we stop the spreading insecure coding examples at training classes, etc.?" The CERT/CC has just deployed a new web site dedicated to developing secure coding standards for the C programming language, C++, and eventually other programming language. Each rule and recommendation contains at least one non-compliant coding example (the sort of thing you are likely to see in a poor training class) and at least one safe, secure "compliant solution" that shows how you can do the same thing safely. We are depending on the active involvement of the secure coding community (you) and relevant standards bodies to make this effort a success. I invite you to participate in this effort by reviewing content on the web site and providing comments, or by contributing new rules and recommendations for secure c coding. These can be sent to me directly or to secure-coding at cert dot com. I am attaching a press-release like article we wrote below to announce the effort. There is also a rationale section on the web site that provides more details as to what we are doing and why. Thanks, rCs ------------------- The Carnegie Mellon Software Engineering Institute (SEI) CERT? Program has deployed a secure coding Web site at www.securecoding.cert.org to cooperate with the software development community in codifying a practical and effective set of secure coding practices for popular programming languages. These coding practices can then be used by software developers to eliminate vulnerabilities before software is operationally deployed. The purpose of this project is that the practices can be used by developers for professional development and as the basis for organizational coding standards supporting the quality of their products. Jeffrey Carpenter, manager of the CERT Coordination Center, says that the project is part of a larger secure coding initiative within the CERT/CC to eliminate dangerous coding practices that can result in exploitable software vulnerabilities. According to Carpenter, "CERT is in a unique position to coordinate development of a set of secure coding practices because of its long history in analyzing and responding to software vulnerabilities." CERT's initial efforts are focused on the development of secure coding practices for the C and C++ programming languages. CERT senior vulnerability analyst Robert Seacord is leading the secure coding initiative. Seacord is a leading authority on secure coding, author of the book Secure Coding in C and C++ [Seacord 05], and technical expert for the ISO/IEC JTC1/SC22/WG14 international standardization working group for the programming language C. "C and C++ were selected because a large percentage of critical infrastructures are developed and maintained using these programming languages," Seacord says. "C and C++ are popular and viable languages although they have characteristics that make them prone to security flaws." "Today's dependency on networked software systems has been matched by an increase in the number of attacks against governments, corporations, educational institutions, and individuals. These attacks result in the loss and compromise of sensitive data, system damage, lost productivity, and financial loss," says Seacord. To address this growing threat, the introduction of software vulnerabilities during development and ongoing maintenance must be significantly reduced, if not eliminated. CERT recognizes that there are a number of available resources, both online and in print, containing coding guidelines, best practices, suggestions, and tips. The Motor Industry Software Reliability Association (MISRA) developed guidelines for the use of the C language in critical systems [MISRA 04], and more recently the U.S. Department of Homeland Security launched its Build Security In web site (https://buildsecurityin.us-cert.gov) to promote the codification of practices and rules. These sources, however, do not provide a prescriptive set of secure coding practices that can be uniformly applied in the development of a software system. "Without secure coding practices, software vulnerability reports are likely to continue on an upward trend," Seacord says. "At CERT/CC, we have had nearly 4,000 vulnerabilities reported in the first half of 2006. To stop the threats, we need to develop secure software from the outset." The secure coding practices proposed by CERT are based on standard language versions as defined by official or de facto standards organizations such as ISO/IEC. CERT is not an internationally recognized standards body, but plans to work with organizations such as ISO/IEC to advance the state of the practice in secure coding. The ISO/IEC JTC1/SC22 WG14 international standardization working group for the programming language C, for example, has offered to provide direction in the development of the C language secure coding practices and to review and comment on drafts of the informal CERT standard. According to WG14 convener John Benito, "The secure coding standard is going in the correct direction, and I have confidence the final product will be useful to the community." CERT is also working with standards groups, such as the ISO/IEC working group on Guidance for Avoiding Vulnerabilities through Language Use (OWGV). While the ISO/IEC group is working on providing language-independent guidance, the CERT effort is working on developing and consolidating the language-specific guidance that provides the foundations for the ambitious goals of OWGV. Jim Moore, convener of OWGV, states that "CERT's efforts in identifying and documenting secure coding practices for C and C++ will contribute to the standardization of these practices and advance the goals of the OWGV." Community Involvement The success of the secure coding standards depends largely on the active involvement of members of the secure software and C and C++ development communities. Rules and recommendations for each coding practice are solicited from the communities involved in the development and application of each programming language, including the formal or de facto standard bodies responsible for the documented standard. These rules and recommendations are edited by CERT senior members of the technical staff for content and style, and placed in Secure Coding Standards Web site for comment and review. The user community is invited to discuss and comment on the publicly posted content. Once a consensus develops that the rule or recommendation is appropriate and correct, the final rule is incorporated into the coding standard. Once practices are documented, tools can be developed or modified to verify compliance. Compliant software systems may then be certified as compliant by a properly authorized certification body. Seacord also envisions a training and development program to educate software professionals regarding the appropriate application of secure coding practices. The development of secure coding practices is a necessary step to stem the ever-increasing threat from software vulnerabilities. CERT's goal is that the enumeration of secure code practices will allow for a common set of criteria that can be used to measure and evaluate software development efforts. The public can review or comment on the existing content at the secure coding Web site or submit new ideas for secure coding practices by e-mailing secure-coding at cert.org. Robert Seacord can be reached at rcs at cert.org. ******************************* [1] Seacord, R. Secure Coding in C and C++. Addison-Wesley, 2005. See http://www.cert.org/books/secure-coding for news and errata. [2] MISRA C: 2004 Guidelines for the use of the C language in Critical systems. MIRA Limited. Warsickshire, UK. October 2004. ISBN 0 9524156. -- Robert C. Seacord Senior Vulnerability Analyst CERT/CC Work: 412-268-7608 FAX: 412-268-6989 From pmeunier at cerias.net Thu Aug 31 15:43:34 2006 From: pmeunier at cerias.net (Pascal Meunier) Date: Thu, 31 Aug 2006 15:43:34 -0400 Subject: [SC-L] Coding with errors in mind - a solution? In-Reply-To: <200608301952.k7UJq4cM047048@ratsass.krvw.com> Message-ID: On 8/30/06 3:46 PM, "Tim Hollebeek" wrote: > > What you've proposed are exceptions. They do help (some) in separating > the normal logic from error handling, but: > > (1) they often leave the job "half done" which has its own risks. > writing exception safe code can be more of a nightmare than error > checking. I can't help noticing... In Ruby there's an "ensure" clause that allows you to bring closure to half-done operations. Perhaps your point is that some languages have poor exception support, just like some languages don't provide safe string handling functions? > > (2) in many languages, you can't retry or resume the faulting code. > Exceptions are really far less useful in this case. See above. (Yes, Ruby supports retrying). > > (3) you usually end up with some "generic" clean up code, which generally > hides more errors than it solves. I don't think that's fair. Yes, you can write poor exception handling code, but it's far easier to simply ignore or overlook errors or write poor error handling code to the point where the error is effectively ignored (or "hidden") or the cause of the error becomes unidentifiable. Exceptions allow me to reduce code duplication (and lower the chance of inconsistent treatment and bugs), simplify the code (which makes it easier to understand and therefore audit) as well as handle problems at an appropriate layer in the code. I'm not saying that exceptions are always the best way to handle things, but they can be part of good programming practices. Pascal Meunier > > Tim Hollebeek > Research Scientist > Teknowledge, Corp. > >> -----Original Message----- >> From: sc-l-bounces at securecoding.org >> [mailto:sc-l-bounces at securecoding.org] On Behalf Of Michael S Hines >> Sent: Wednesday, August 30, 2006 11:07 AM >> To: sc-l at securecoding.org >> Subject: [SC-L] Coding with errors in mind - a solution? >> >> a simple structure that provides for errors would go a long way... >> >> If - then - else - on error >> Do - end - on error >> Let x = y - on error >> Let x = function() on error >> etc... >> >> The problem is writing code without thinking of the possible >> errors that might arise. This forces you to think about the >> consequences of executing a command... >> >> Where 'error' is doing something intelligent when the >> original command doesn't work... >> >> Just a brainstorm....... any merit to it? >> >> Mike Hines >> mshines at purdue.edu >> >> ________________________________ >> >> From: sc-l-bounces at securecoding.org >> [mailto:sc-l-bounces at securecoding.org] On Behalf Of Ed Reed (Aesec) >> Sent: Wednesday, August 30, 2006 1:17 PM >> To: sc-l at securecoding.org >> Subject: [SC-L] e: How can we stop the spreading insecure >> coding examples at, training classes, etc.? >> >> >> >> Message: 1 >> Date: Tue, 29 Aug 2006 15:48:17 -0400 >> From: pmeunier at purdue.edu >> Subject: Re: [SC-L] How can we stop the spreading >> insecure coding >> examples at training classes, etc.? >> To: "Wall, Kevin" >> >> Cc: SC-L at securecoding.org >> Message-ID: >> <1156880897.44f49a01620aa at webmail.purdue.edu> >> >> Content-Type: text/plain; charset=ISO-8859-1 >> >> Quoting "Wall, Kevin" >> : >> >> >> >> >> I think that this practice of leaving out the "security >> details" to just make the demo code short and >> sweet has got >> to stop. Or minimally, we have to make the code >> that people >> copy-and-paste from have all the proper >> security checks even >> if we don't cover them in training. If we're >> lucky, maybe >> they won't delete them when the re-use the code. >> >> >> >> I agree, and would like to extend it: security should >> be discussed *at the same >> time* that a topic is. Teaching security in a separate >> class, like I have been >> doing, reaches only a fraction of the audience, and >> reinforces an attitude of >> security as an afterthought, or security as an option. >> Comments in the code >> should explain (or refer to explanations of) why >> changing or deleting those >> lines is a bad idea. >> >> However, I'm afraid that it would irritate students, >> and make security the new >> "grammar and spelling" for which points are deducted >> from "perfectly valid >> write-ups" (i.e., "it's my ideas that count, not how >> well I spell"). >> >> The same used to be said about unstructured programming >> examples (computed gotos, spaghetti code, multiple entry and >> exit points from functions, etc). We got past it. >> >> We need a similar revolution in thought with regard to >> security, and some one to take the lead on providing clear, >> crisp examples of coding style that is more secure by its >> nature. I don't have one handy - but that's my wish. >> >> Ed >> >> > > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > From mouse at Rodents.Montreal.QC.CA Thu Aug 31 17:44:56 2006 From: mouse at Rodents.Montreal.QC.CA (der Mouse) Date: Thu, 31 Aug 2006 17:44:56 -0400 (EDT) Subject: [SC-L] How can we stop the spreading insecure codingexamplesattraining classes, etc.? In-Reply-To: References: Message-ID: <200608312151.RAA21113@Sparkle.Rodents.Montreal.QC.CA> >> ever heard of exceptions? They're basically goto plus limited >> state. Spaghetti lives! Not at all. Exceptions are not like gotos; in particular, an exception cannot be used to jump *into* a construct. The major problems with gotos are that they can be used to do branches that are downward or sideways in the code parse tree (versus "structured" constructs, which do such branches upward only). Exceptions are upward-only branches, and as a result don't have most of the problems gotos do. /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML mouse at rodents.montreal.qc.ca / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B From dinis at ddplus.net Thu Aug 31 18:27:29 2006 From: dinis at ddplus.net (Dinis Cruz) Date: Thu, 31 Aug 2006 18:27:29 -0400 Subject: [SC-L] OWASP Autumn Of Code 2006 Message-ID: <3c2c12adfd974fddb297f48a61827f71@ddplus.net> OWASP Autumn Of Code 2006 London, United Kingdom, August 31, 2006 The Open Web Application Security Project (OWASP) is launching today a new project aimed at financially sponsoring contributions to OWASP Projects. The new project, called "OWASP Autumn of Code 2006", aims to sponsor 8 individuals (4 at $3,500 USD and 4 at $5,000 USD) to work on existing OWASP Projects. The objective is to improve the selected projects to a the level of completeness and professionalism required for its wide use and deployment. There are no geographical, age or any other form of restrictions of who can apply for an "OWASP Autumn of Code 2006" sponsorship. The only requirement is that the candidate shows the potential to accomplish the project's objectives and the commitment to dedicate the time required to complete it in the allocated time frame (projects must be completed by 31st December 2006). Prospective candidates should visit the page https://www.owasp.org/index.php/Owasp_Autumn_Of_Code_2006 for project ideas, rules and information on how to apply. Project Schedule: 31th August - 'OWASP Autumn of Code' initiative is officially launched 18th September - Deadline for project proposals 25th September - Publish of selected projects 1st October - Project starts 15th October - Update of Project status on OWASP Conference in Seattle 15th November - Participants and to report on project status 31st December - Project Completion The "OWASP Autumn of Code 2006" project leader is Dinis Cruz (based in London, UK) who can be contacted for further details. About OWASP The Open Web Application Security Project (OWASP) is 501c3 not-for-profit foundation dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. OWASP's open source projects and local chapters produce free, unbiased, open-source documentation and tools. The OWASP community also facilitates conferences, local chapters, papers, presentations, and mailing lists. More information can be found at www.owasp.org. Contacts Dinis Cruz, OWASP Autumn of Code Project Leader, E-mail: dinis.cruz at owasp.net Andrew van der Stock, OWASP Executive Director, E-mail: vanderaj at owasp.org Jeff Williams, OWASP Chair (Alternative contact for all OWASP matters), E-mail:jeff.williams at owasp.org -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20060831/8aaa3278/attachment.html From michaelslists at gmail.com Thu Aug 31 20:05:32 2006 From: michaelslists at gmail.com (mikeiscool) Date: Fri, 1 Sep 2006 10:05:32 +1000 Subject: [SC-L] Coding with errors in mind - a solution? In-Reply-To: References: <200608301952.k7UJq4cM047048@ratsass.krvw.com> Message-ID: <5e01c29a0608311705j3a2d6f25wc927097513c33790@mail.gmail.com> On 9/1/06, Pascal Meunier wrote: > > > > On 8/30/06 3:46 PM, "Tim Hollebeek" wrote: > > > > > What you've proposed are exceptions. They do help (some) in separating > > the normal logic from error handling, but: > > > > (1) they often leave the job "half done" which has its own risks. > > writing exception safe code can be more of a nightmare than error > > checking. > > I can't help noticing... In Ruby there's an "ensure" clause that allows you > to bring closure to half-done operations. Perhaps your point is that some > languages have poor exception support, just like some languages don't > provide safe string handling functions? His point, I think, is that if you wrap a series of statements in an try/catch block, you might not roll back every statement you needed to, or checked appropriate conditions. For example: try { openFile(); getData(); writeToFile(); setSomeFlag() moveFile(); deleteTempThings(); } catch(Exception e){ ... } Now obviously that's a statement that could be written far better, but the point is that with the lazy/bad/accidental-bug-producing programmer it might be common. > > > > (2) in many languages, you can't retry or resume the faulting code. > > Exceptions are really far less useful in this case. > > See above. (Yes, Ruby supports retrying). > > > > > (3) you usually end up with some "generic" clean up code, which generally > > hides more errors than it solves. > > I don't think that's fair. Yes, you can write poor exception handling code, > but it's far easier to simply ignore or overlook errors or write poor error > handling code to the point where the error is effectively ignored (or > "hidden") or the cause of the error becomes unidentifiable. Exceptions > allow me to reduce code duplication (and lower the chance of inconsistent > treatment and bugs), simplify the code (which makes it easier to understand > and therefore audit) as well as handle problems at an appropriate layer in > the code. Exceptions simplify the code? I don't think so. They also don't reduce code duplication [per se] you need to add extra functions, etc, to do that. > I'm not saying that exceptions are always the best way to handle things, but > they can be part of good programming practices. They _can_ be, but often aren't. > Pascal Meunier -- mic From pmeunier at cerias.net Fri Sep 1 10:41:23 2006 From: pmeunier at cerias.net (Pascal Meunier) Date: Fri, 01 Sep 2006 10:41:23 -0400 Subject: [SC-L] Coding with errors in mind - a solution? In-Reply-To: <5e01c29a0608311705j3a2d6f25wc927097513c33790@mail.gmail.com> Message-ID: On 8/31/06 8:05 PM, "mikeiscool" wrote: > On 9/1/06, Pascal Meunier wrote: >> >> >> >> On 8/30/06 3:46 PM, "Tim Hollebeek" wrote: >> >>> >>> What you've proposed are exceptions. They do help (some) in separating >>> the normal logic from error handling, but: >>> >>> (1) they often leave the job "half done" which has its own risks. >>> writing exception safe code can be more of a nightmare than error >>> checking. >> >> I can't help noticing... In Ruby there's an "ensure" clause that allows you >> to bring closure to half-done operations. Perhaps your point is that some >> languages have poor exception support, just like some languages don't >> provide safe string handling functions? > > His point, I think, is that if you wrap a series of statements in an > try/catch block, you might not roll back every statement you needed > to, or checked appropriate conditions. > > For example: > try { > openFile(); > getData(); > writeToFile(); > setSomeFlag() > moveFile(); > deleteTempThings(); > } catch(Exception e){ > ... > } > > Now obviously that's a statement that could be written far better, but > the point is that with the lazy/bad/accidental-bug-producing > programmer it might be common. Ah, yes, I can see a bad (or under pressure) programmer lumping together the handling of exceptions that should be handled separately, or making just one giant try block so when there's an exception, even if you specify the type there's still ambiguity as to where it came from and therefore can't handle it properly. That could be quite a mess. Thanks. >Exceptions simplify the code? I don't think so. They also don't reduce >code duplication [per se] you need to add extra functions, etc, to do >that. They can simplify the code because -as previously mentioned by Tim, they separate error handling from normal logic, so the code is easier to read (it is simpler from a human reader's perspective). I have found bugs in my own code by going from error handling to exceptions -- it made the mistake plain to see. -if an exception is handled several call layers above, you don't have to copy/translate and relay the error at each layer, with the attached loss of context and possible translation mistakes (error #3 in one layer/module may mean something different in another...). So, there's less (duplicated) code. -It is common (and bad, IMO) practice for errors to be signified to callers by returning an out of range or different type (or null) value when something else is semantically expected. The result is that if the caller forgets to check for errors, a bad value is used by the remaining code. If the caller checks for errors, an often used way to do this is to tuck the assignment inside an if statement. Then, even if the error is checked for, subsequent code may assume that the assigned variable still contains a semantically correct value (e.g., the previous value) which causes bugs and possibly vulnerabilities (I remember seeing an instance of this). So (and for additional reasons that could be chalked up to coding style preferences), a good practice is to decouple the error channel from the data channel (e.g., pass additional variables by reference or use exceptions as the error channel). By passing a variable by reference, its value can be left intact if there's an error in the called function (I *really* like to have variables that always contain a semantically correct, or valid, range and type). Obviously passing additional variables by reference up and down calling chains complicates the code, whereas exceptions are transparent. As with most everything else, all this (simplifying the code and reducing code duplication) depends on having a programmer with coding style and skills that can take advantage of the provided opportunities. Pascal From dcrocker at eschertech.com Fri Sep 1 15:29:11 2006 From: dcrocker at eschertech.com (David Crocker) Date: Fri, 1 Sep 2006 20:29:11 +0100 Subject: [SC-L] How can we stop the spreading insecure codingexamplesattraining classes, etc.? In-Reply-To: <200608312151.RAA21113@Sparkle.Rodents.Montreal.QC.CA> Message-ID: <017101c6cdfc$e8f7bb80$cb00000a@escheradmin> Also, exceptions (unlike gotos) cannot be used to jump backward, thereby creating hidden loops. Used correctly, exceptions eliminate large amounts of code that would otherwise be required to handle unexpected failures at every level in a function call stack and propagate such failures upwards by way of return codes etc. to a point at which some remedial action can be taken. Exceptions can certainly be misused, but they are much better than the alternatives in many situations. David Crocker, Escher Technologies Ltd. Consultancy, contracting and tools for dependable software development www.eschertech.com -----Original Message----- From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of der Mouse Sent: 31 August 2006 22:45 To: SC-L at securecoding.org Subject: Re: [SC-L] How can we stop the spreading insecure codingexamplesattraining classes, etc.? >> ever heard of exceptions? They're basically goto plus limited state. >> Spaghetti lives! Not at all. Exceptions are not like gotos; in particular, an exception cannot be used to jump *into* a construct. The major problems with gotos are that they can be used to do branches that are downward or sideways in the code parse tree (versus "structured" constructs, which do such branches upward only). Exceptions are upward-only branches, and as a result don't have most of the problems gotos do. /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML mouse at rodents.montreal.qc.ca / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php From jleffler at us.ibm.com Fri Sep 1 15:44:15 2006 From: jleffler at us.ibm.com (Jonathan Leffler) Date: Fri, 1 Sep 2006 12:44:15 -0700 Subject: [SC-L] Retrying exceptions - was 'Coding with errors in mind' In-Reply-To: Message-ID: Pascal Meunier wrote: >Tim Hollebeek wrote: >> (2) in many languages, you can't retry or resume the faulting code. >> Exceptions are really far less useful in this case. > >See above. (Yes, Ruby supports retrying). Bjorn Stroustrup discusses retrying exceptions in "Design and Evolution of C++" (http://www.research.att.com/~bs/dne.html). In particular, he described one system where the language supported exceptions, and after some number of years, a code review found that there was only one retryable exception left - and IIRC the code review decided they were better off without it. How much are retryable exceptions really used, in Ruby or anywhere else that supports them? -- Jonathan Leffler (jleffler at us.ibm.com) STSM, Informix Database Engineering, IBM Information Management Division 4100 Bohannon Drive, Menlo Park, CA 94025-1013 Tel: +1 650-926-6921 Tie-Line: 630-6921 "I don't suffer from insanity; I enjoy every minute of it!" From leichter_jerrold at emc.com Fri Sep 1 17:05:17 2006 From: leichter_jerrold at emc.com (Leichter, Jerry) Date: Fri, 1 Sep 2006 17:05:17 -0400 (EDT) Subject: [SC-L] Retrying exceptions - was 'Coding with errors in mind' In-Reply-To: References: Message-ID: On Fri, 1 Sep 2006, Jonathan Leffler wrote: | Pascal Meunier wrote: | >Tim Hollebeek wrote: | >> (2) in many languages, you can't retry or resume the faulting code. | >> Exceptions are really far less useful in this case. | > | >See above. (Yes, Ruby supports retrying). | | Bjorn Stroustrup discusses retrying exceptions in "Design and Evolution of | C++" (http://www.research.att.com/~bs/dne.html). In particular, he | described one system where the language supported exceptions, and after | some number of years, a code review found that there was only one | retryable exception left - and IIRC the code review decided they were | better off without it. This is an over-simplification of the story. I may get some of the details wrong, but.... This dates back to work done at Xerox PARC in the late 70's-early 80's - about the same time that Smalltalk was being developed. There was a separate group that developed system programming languages and workstation OS's built on them. For a number of years, they worked on and with a language named Mesa. Mesa had extensive support for exceptions, including a resumption semantics. If you think of exceptions as a kind of software analogue to a hardware interrupt, then you can see why you'd expect to need resumption. And, indeed, the OS that they built initially used resumption in a number of places. What was observed by the guys working on the system was that the number of uses of resumption was declining over time. In fact, I vaguely remember that when they decided to go and look, they were using resumption in exactly two places in their entire code base - OS, compilers, windowing system, various tools. (Exceptions were used extensively - but resumption hardly at all.) It's not that anyone deliberately set out to remove uses of resumption. Rather, as the code was maintained, it repeatedly turned out that resumption was simply the wrong semantics. It just did not lead to reliable code; there were better, more understandable, more robust ways to do things that, over time and without plan, came to dominate. Somewhere, I still have - if I could ever find it in my garage - the paper that described this. (It was a retrospective on the effort, almost certainly published as one of the PARC tech reports.) Mesa was replaced by Cedar, which was a simpler language. (Another lesson was that many of the very complex coercion and automatic conversion mechanisms that Mesa weren't needed.) I think Cedar discarded Mesa's exception resumption semantics. Many of the people involved in these projects later moved to DEC SRC, where they used the ideas from Mesa and Cedar in Modula2+ and later Modula3 - a dramatically simpler language than its older Xerox forbearers. It also used exceptions heavily - but never had resumption semantics. Much of the basic design of Java and C# goes back to Modula3. | How much are retryable exceptions really used, in | Ruby or anywhere else that supports them? Not only how much are they used, but how well do they work? Remember, if you'd look at *early* instances of Mesa code, you might well have concluded that they were an important idea. It may well be that for quick one-off solutions, resumption is handy - e.g., for building "advise"-like mechanisms to add special cases to existing code. But as we should all know by now, what works in-the-small and in-the-quick is not necessarily what works when you need security/reliability/ maintainability/supportability. -- Jerry From mshines at purdue.edu Tue Sep 5 08:25:42 2006 From: mshines at purdue.edu (Michael S Hines) Date: Tue, 5 Sep 2006 08:25:42 -0400 Subject: [SC-L] Retrying exceptions - was 'Coding with errors in mind' In-Reply-To: Message-ID: <200609051226.k85CQ0fY025937@mailhub131.itcs.purdue.edu> That's a rather pragmatic view, isn't it? Perhaps if other language constructs are not used, they should be removed? OTOH - perhaps the fault is not the language but the coder of the language? - lack of knowledge - pressure to complete lines of code - lack of [management] focus on security - or 100s of other reasons not to do the right thing... Sort of like life, isn't it? Mike Hines -----Original Message----- From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of Jonathan Leffler Sent: Friday, September 01, 2006 3:44 PM To: sc-l at securecoding.org Subject: [SC-L] Retrying exceptions - was 'Coding with errors in mind' Pascal Meunier wrote: >Tim Hollebeek wrote: >> (2) in many languages, you can't retry or resume the faulting code. >> Exceptions are really far less useful in this case. > >See above. (Yes, Ruby supports retrying). Bjorn Stroustrup discusses retrying exceptions in "Design and Evolution of C++" (http://www.research.att.com/~bs/dne.html). In particular, he described one system where the language supported exceptions, and after some number of years, a code review found that there was only one retryable exception left - and IIRC the code review decided they were better off without it. How much are retryable exceptions really used, in Ruby or anywhere else that supports them? -- Jonathan Leffler (jleffler at us.ibm.com) STSM, Informix Database Engineering, IBM Information Management Division 4100 Bohannon Drive, Menlo Park, CA 94025-1013 Tel: +1 650-926-6921 Tie-Line: 630-6921 "I don't suffer from insanity; I enjoy every minute of it!" _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php From leichter_jerrold at emc.com Tue Sep 5 11:54:16 2006 From: leichter_jerrold at emc.com (Leichter, Jerry) Date: Tue, 5 Sep 2006 11:54:16 -0400 (EDT) Subject: [SC-L] Coding with errors in mind - a solution? In-Reply-To: References: Message-ID: [Picking out one minor point:] | [Exceptions] can simplify the code because | -as previously mentioned by Tim, they separate error handling from normal | logic, so the code is easier to read (it is simpler from a human reader's | perspective). I have found bugs in my own code by going from error handling | to exceptions -- it made the mistake plain to see. I agree with this ... but: - Many years ago, I worked in a language called BASIC PLUS. (This was an extension to BASIC that DEC bought along with the RSTS operating system. It was actually a surprisingly productive environment. But the details aren't really relevant here.) BASIC PLUS had a simple "exception handling" approach: You specified "ON ERROR ", which requested that if any system-detected error occurred (and, in modern terms, BASIC PLUS was a "safe" language, so *all* errors were detected by the run-time system) then the given statement was to be executed. Almost universally, was a GOTO to a particular line number. At that line, you had access to the particular error that occurred (and error number); the line number on which it occurred; the current state of any variables; and the ability to resume execution (with some funny limitations). This provided exactly the separation of normal code flow from error handling that seems like a fine idea ... until you try to do anything with it other than logging the error and aborting at some high level of abstraction. I wrote an incredibly hacky error handler and a function called FNSET() that was used essentially as follows: IF (FNSET(errs)) THEN ELSE "errs" encoded the error numbers that would be handled by ; any errors not on the list took the usual log-and-abort route. So ... this was essentially a try/catch block (which I don't think I'd seen - this was in 1976 or thereabouts), with the odd filip that you declared the error conditions you handled in the "try" rather than in the "catch". It worked very well, and supplanted the old monolithic error handlers that preceded it. But notice that it moved the error handlers right up close to the normal operational code. Yes, it's not as close as a test after every call - *some* degree of separation is good. Really, what I think matters is that the error handling code live at the right semantic level relative to the code that it's covering. It's fine for the try/catch to be three levels of call up from where the throw occurs *if it the semantics it reflects are those of the code explicitly in its try block, not the semantics three levels down*. This is also what goes wrong with a try block containing 5 calls, whose catch block is then stuck with figuring out how far into the block we got in order to understand how to unwind properly. *Those 5 calls together* form the semantic unit being protected, and the catch should be written at that level. If it can't be, the organization of the code needs to be re-thought. (Notice that in this case you can end up with a try/catch per function call. That's a bad result: Returning a status value and testing it would probably be more readable than all those individual try/catches!) - On a much broader level: Consider the traditional place where "exceptions" and "errors" occur - on an assembly line, where the process has "bugs", which are detected by QA inspections (software analogue: Assertions) which then lead to rework (exception handling). In the manufacturing world, the lesson of the past 50 years or so is that *this approach is fundamentally flawed*. You shouldn't allow failures and then catch them later; you should work to make failures impossible. Too much of our software effort is directed at better expression (try/catch) and implementation (safe languages, assertions, contract checking) of the "assume it will fail, send it back for rework" approach. Much, much better is to aim for designs that make failure impossible to begin with. Consider all the blood spilled over buffer overflows that occur because buffers don't know their own sizes. After much pain, we're fixing that ... but in many cases what we do is change an unchecked assertion (which ends up being "checked" by unrelated code whose invariants get tromped on) into a checked one. But then what do we do when the checked assertion is triggered? Wouldn't it be better to grow the buffer dynamically so that no failure is possible at all? Yes, there are always edge cases, like running out of memory to expand the buffer. But (a) those (b) many can be very, very rare, so handled by catch-alls; of them can be avoided by proper design to begin with. The way to handled running out of memory because a hacked field in a message indicates that some object is of a huge length is not to worry about elegant ways to handle out-of-memory conditions - it's to enforce constraints in the message definition and the implementation of the code that handles such messages. I'm not arguing that error checking, error handling, and such are not important. They are and always will be. I'm arguing that error *prevention* - by design, by implementation of error *amelioration* at the earliest and most appropriate semantic level - is a much better approach. And, yes, we need libraries and languages and tools to support this approach - libraries and languages and tools that don't really exist today. -- Jerry From tholleb at teknowledge.com Tue Sep 5 14:10:51 2006 From: tholleb at teknowledge.com (Tim Hollebeek) Date: Tue, 5 Sep 2006 11:10:51 -0700 Subject: [SC-L] Coding with errors in mind - a solution? In-Reply-To: Message-ID: <200609051818.k85IInxq057601@ratsass.krvw.com> > -----Original Message----- > From: Pascal Meunier [mailto:pmeunier at cerias.net] > Sent: Friday, September 01, 2006 7:41 AM > To: michaelslists at gmail.com > Cc: Tim Hollebeek; sc-l at securecoding.org > Subject: Re: [SC-L] Coding with errors in mind - a solution? > > On 8/31/06 8:05 PM, "mikeiscool" wrote: > > > His point, I think, is that if you wrap a series of > statements in an > > try/catch block, you might not roll back every statement you needed > > to, or checked appropriate conditions. > > > > For example: > > try { > > openFile(); > > getData(); > > writeToFile(); > > setSomeFlag() > > moveFile(); > > deleteTempThings(); > > } catch(Exception e){ > > ... > > } > > [...] > > Ah, yes, I can see a bad (or under pressure) programmer > lumping together the handling of exceptions that should be > handled separately, or making just one giant try block so > when there's an exception, even if you specify the type > there's still ambiguity as to where it came from and > therefore can't handle it properly. That could be quite a > mess. Thanks. > > >Exceptions simplify the code? I don't think so. They also > don't reduce > >code duplication [per se] you need to add extra functions, > etc, to do > >that. > > They can simplify the code because > -as previously mentioned by Tim, they separate error handling > from normal logic, so the code is easier to read (it is > simpler from a human reader's perspective). But they only really "separate" the error handling if you have one big try block, and that can make proper diagnosis difficult. For example, in the above case, if you get a FileNotFound exception, did it come from openFile or moveFile? It may be possible to figure that out, but the extra logic will be more than you would have had if you had just checked the return value of the call. > -if an exception is handled several call layers above, you > don't have to copy/translate and relay the error at each > layer, with the attached loss of context and possible > translation mistakes (error #3 in one layer/module may mean > something different in another...). So, there's less > (duplicated) code. But the intervening stack frames have to be (painfully) aware of the fact that they might terminate abruptly. Experience has shown that getting this right is very hard, offsetting the benefits of being able to quickly pop back up to a frame where the error can be handled. > -It is common (and bad, IMO) practice for errors to be > signified to callers by returning an out of range or > different type (or null) value when something else is > semantically expected. This is especially true when there is only one value available for all errors (like zero). GetLastError/errno is a silly substitute for not having another 'out' parameter, justified on the basis that sometimes you don't care what the error was. Except that you should! Exceptions can be useful, but they really aren't what you want for error handling, and are often cause as many problems as they cause. What you really want is for all the (partial) side effects of a function to disappear when it unrolls, but that's hard to do. Even cleanup code is tough to get right due to the fact that (A)(B)(A^-1) != B (can we reboot the universe with that feature disabled? It causes problems all over the place ...) That said, Windows Vista will have transactions for file system/ registry modifications, so perhaps that will make life a bit easier... -Tim From mouse at Rodents.Montreal.QC.CA Tue Sep 5 14:50:46 2006 From: mouse at Rodents.Montreal.QC.CA (der Mouse) Date: Tue, 5 Sep 2006 14:50:46 -0400 (EDT) Subject: [SC-L] Coding with errors in mind - a solution? In-Reply-To: <200609051818.k85IInxq057601@ratsass.krvw.com> References: <200609051818.k85IInxq057601@ratsass.krvw.com> Message-ID: <200609051854.OAA17613@Sparkle.Rodents.Montreal.QC.CA> >> if an exception is handled several call layers above, you don't have >> to copy/translate and relay the error at each layer, [...] > But the intervening stack frames have to be (painfully) aware of the > fact that they might terminate abruptly. That's what unwind-protect is for. What, you don't have unwind-protect? Perhaps you need to fix that first. :-) Actually, I have found it not all that difficult. I have (ab?)used gcc's nested-function nonlocal-goto support as an error-handling throw facility relatively often, and I've run into very few cases where intervening stack frames have to be aware of the throw-through-them potential, and none where I would say it was painful. Perhaps that's just an artifact of how I design my code.... /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML mouse at rodents.montreal.qc.ca / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B From gunnar at arctecgroup.net Tue Sep 5 17:29:06 2006 From: gunnar at arctecgroup.net (Gunnar Peterson) Date: Tue, 5 Sep 2006 16:29:06 -0500 Subject: [SC-L] Retrying exceptions - was 'Coding with errors in mind' In-Reply-To: <200609051226.k85CQ0fY025937@mailhub131.itcs.purdue.edu> References: <200609051226.k85CQ0fY025937@mailhub131.itcs.purdue.edu> Message-ID: <1157491746.44fdec225c315@my.visi.com> I can't say enough good things about this interview: Conversation with Bruce Lindsay Design For Failure http://www.acmqueue.org/modules.php?name=Content&pa=showpage&pid=233 BL: There are two classes of detection. One is that I looked at my own guts and they didn?t look right, and so I say this is an error situation. The other is I called some other component that failed to perform as requested. In either case, I?m faced with a detected error. The first thing to do is fold your tent?that is, put the state back so that the state that you manage is coherent. Then you report to the guy who called you, possibly making some dumps along the way, or you can attempt alternate logic to circumvent the exception. In our database projects, what typically happens is it gets reported up, up, up the chain until you get to some very high level that then says, ?Oh, I see this as one of those really bad ones. I?m going to initiate the massive dumping now.? When you report an error, you should classify it. You should give it a name. If you?re a component that reports errors, there should be an exhaustive list of the errors that you would report. That?s one of the real problems in today?s programming language architecture for exception handling. Each component should list the exceptions that were raised: typically if I call you and you say that you can raise A, B, and C, but you can call Joe who can raise D, E, and F, and you ignore D, E, and F, then I?m suddenly faced with D, E, and F at my level and there?s nothing in your interface that said D, E, and F errors were things you caused. That seems to be ubiquitous in the programming and the language facilities. You are never required to say these are all the errors that might escape from a call to me. And that?s because you?re allowed to ignore errors. I?ve sometimes advocated that, no, you?re not allowed to ignore any error. You can reclassify an error and report it back up, but you?ve got to get it in the loop. -gp Quoting Michael S Hines : > That's a rather pragmatic view, isn't it? > > Perhaps if other language constructs are not used, they should be removed? > > OTOH - perhaps the fault is not the language but the coder of the language? > > - lack of knowledge > - pressure to complete lines of code > - lack of [management] focus on security > - or 100s of other reasons not to do the right thing... > > Sort of like life, isn't it? > > Mike Hines > > -----Original Message----- > From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] > On Behalf Of Jonathan Leffler > Sent: Friday, September 01, 2006 3:44 PM > To: sc-l at securecoding.org > Subject: [SC-L] Retrying exceptions - was 'Coding with errors in mind' > > Pascal Meunier wrote: > >Tim Hollebeek wrote: > >> (2) in many languages, you can't retry or resume the faulting code. > >> Exceptions are really far less useful in this case. > > > >See above. (Yes, Ruby supports retrying). > > Bjorn Stroustrup discusses retrying exceptions in "Design and Evolution of > C++" (http://www.research.att.com/~bs/dne.html). In particular, he > described one system where the language supported exceptions, and after some > number of years, a code review found that there was only one retryable > exception left - and IIRC the code review decided they were better off > without it. How much are retryable exceptions really used, in Ruby or > anywhere else that supports them? > > -- > Jonathan Leffler (jleffler at us.ibm.com) > STSM, Informix Database Engineering, IBM Information Management Division > 4100 Bohannon Drive, Menlo Park, CA 94025-1013 > Tel: +1 650-926-6921 Tie-Line: 630-6921 > "I don't suffer from insanity; I enjoy every minute of it!" > > > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > From dave.wichers at aspectsecurity.com Tue Sep 5 21:58:57 2006 From: dave.wichers at aspectsecurity.com (Dave Wichers) Date: Tue, 5 Sep 2006 21:58:57 -0400 Subject: [SC-L] Reminder: 3rd Annual US OWASP AppSec Conference - Oct 16-18 2006 - Seattle, WA Message-ID: A reminder to everyone that early registration for the OWASP conference in Seattle next month ends on September 21st. There is a $50 discount for early registration. More importantly, the block of rooms and rates at the conference hotels are only guaranteed to be held until around that same date. After that, the rooms and/or the conference rates may not be available. Registration for the conference is available at: http://guest.cvent.com/i.aspx?4W,M3,57a181da-f20b-40fb-80ef-472a647bce7b The agenda for the conference is pretty much set at this point. Please check it out. I hope to see many of you there. This year there are two panels, 3 tutorials prior to the conference, and a host of new speakers on many interesting and up and coming topics in application security. This is the first OWASP conference to be held on the West Coast so I hope to see lots of new faces, and many repeat attendees. The full conference description is available at: http://www.owasp.org/index.php/OWASP_AppSec_Seattle_2006 Please contact me with any questions. Looking forward to seeing you all there! Thanks, Dave p.s. I'd encourage everyone to sign up for the dinner event on Tuesday night. These dinners are always a great way to meet lots of people attending the conference. If you've already registered for the conference, you can always go back and add that to your registration. Dave Wichers, OWASP Conferences Chair The OWASP Foundation http://www.owasp.org From mshines at purdue.edu Wed Sep 6 07:42:08 2006 From: mshines at purdue.edu (Michael S Hines) Date: Wed, 6 Sep 2006 07:42:08 -0400 Subject: [SC-L] Retrying exceptions - was 'Coding with errors in mind' In-Reply-To: <1157491746.44fdec225c315@my.visi.com> Message-ID: <200609061142.k86BgQnQ027647@mailhub131.itcs.purdue.edu> Oh, you mean like the calling conventions on the IBM Mainframe where a dump produces a trace back up the call chain to the calling program(s)? Not to mention the trace stack kept within the OS itself for problem solving (including system calls or SVC's as we call them on the mainframe). And when all else fails, there is the stand alone dump program to dump the whole system? Mainframes have been around for years. It's interesting to see "open systems" take on mainframe characteristics after all this time.... Mike Hines Mainframe Systems Programmer -----Original Message----- From: Gunnar Peterson [mailto:gunnar at arctecgroup.net] Sent: Tuesday, September 05, 2006 5:29 PM To: Hines, Michael S. Cc: sc-l at securecoding.org Subject: Re: [SC-L] Retrying exceptions - was 'Coding with errors in mind' I can't say enough good things about this interview: Conversation with Bruce Lindsay Design For Failure http://www.acmqueue.org/modules.php?name=Content&pa=showpage&pid=233 BL: There are two classes of detection. One is that I looked at my own guts and they didn't look right, and so I say this is an error situation. The other is I called some other component that failed to perform as requested. In either case, I'm faced with a detected error. The first thing to do is fold your tent-that is, put the state back so that the state that you manage is coherent. Then you report to the guy who called you, possibly making some dumps along the way, or you can attempt alternate logic to circumvent the exception. In our database projects, what typically happens is it gets reported up, up, up the chain until you get to some very high level that then says, "Oh, I see this as one of those really bad ones. I'm going to initiate the massive dumping now." When you report an error, you should classify it. You should give it a name. If you're a component that reports errors, there should be an exhaustive list of the errors that you would report. That's one of the real problems in today's programming language architecture for exception handling. Each component should list the exceptions that were raised: typically if I call you and you say that you can raise A, B, and C, but you can call Joe who can raise D, E, and F, and you ignore D, E, and F, then I'm suddenly faced with D, E, and F at my level and there's nothing in your interface that said D, E, and F errors were things you caused. That seems to be ubiquitous in the programming and the language facilities. You are never required to say these are all the errors that might escape from a call to me. And that's because you're allowed to ignore errors. I've sometimes advocated that, no, you're not allowed to ignore any error. You can reclassify an error and report it back up, but you've got to get it in the loop. -gp Quoting Michael S Hines : > That's a rather pragmatic view, isn't it? > > Perhaps if other language constructs are not used, they should be removed? > > OTOH - perhaps the fault is not the language but the coder of the language? > > - lack of knowledge > - pressure to complete lines of code > - lack of [management] focus on security > - or 100s of other reasons not to do the right thing... > > Sort of like life, isn't it? > > Mike Hines > > -----Original Message----- > From: sc-l-bounces at securecoding.org > [mailto:sc-l-bounces at securecoding.org] > On Behalf Of Jonathan Leffler > Sent: Friday, September 01, 2006 3:44 PM > To: sc-l at securecoding.org > Subject: [SC-L] Retrying exceptions - was 'Coding with errors in mind' > > Pascal Meunier wrote: > >Tim Hollebeek wrote: > >> (2) in many languages, you can't retry or resume the faulting code. > >> Exceptions are really far less useful in this case. > > > >See above. (Yes, Ruby supports retrying). > > Bjorn Stroustrup discusses retrying exceptions in "Design and > Evolution of > C++" (http://www.research.att.com/~bs/dne.html). In particular, he > described one system where the language supported exceptions, and > after some number of years, a code review found that there was only > one retryable exception left - and IIRC the code review decided they > were better off without it. How much are retryable exceptions really > used, in Ruby or anywhere else that supports them? > > -- > Jonathan Leffler (jleffler at us.ibm.com) STSM, Informix Database > Engineering, IBM Information Management Division 4100 Bohannon Drive, > Menlo Park, CA 94025-1013 > Tel: +1 650-926-6921 Tie-Line: 630-6921 > "I don't suffer from insanity; I enjoy every minute of it!" > > > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - > http://krvw.com/mailman/listinfo/sc-l > List charter available at - > http://www.securecoding.org/list/charter.php > > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - > http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > From leichter_jerrold at emc.com Wed Sep 6 10:07:17 2006 From: leichter_jerrold at emc.com (Leichter, Jerry) Date: Wed, 6 Sep 2006 10:07:17 -0400 (EDT) Subject: [SC-L] Retrying exceptions - was 'Coding with errors in mind' In-Reply-To: <200609061142.k86BgQnQ027647@mailhub131.itcs.purdue.edu> References: <200609061142.k86BgQnQ027647@mailhub131.itcs.purdue.edu> Message-ID: | Oh, you mean like the calling conventions on the IBM Mainframe where a dump | produces a trace back up the call chain to the calling program(s)? Not to | mention the trace stack kept within the OS itself for problem solving | (including system calls or SVC's as we call them on the mainframe). And | when all else fails, there is the stand alone dump program to dump the whole | system? | | Mainframes have been around for years. It's interesting to see "open | systems" take on mainframe characteristics after all this time.... All these obsolete ideas. Stack tracebacks. Feh! Years back at Smarts, a company since acquired by the "EMC" you see in my email address, one of the things I added to the system was a set of signal handlers which would print a stack trace. The way to do this was very non-uniform: On Solaris, you had to spawn a standalong program (but you got a stack trace of all threads). On HPUX, there was a function you could call in a system library. On AIX (you'd think IBM, of all vendors, would do better!) and Windows, we had to write this ourselves, with varying degrees of OS support. We also dump - shock! horror! - the values in all the registers. And we (try to) produce a core dump. My experience has been that of crashes in the field, 90% can be fully analyzed based on what we've written to the log file. Of the rest, some percentage - this is harder to estimate because the numbers are lower; - can be fully analyzed using the core dump. The rest basically can't be analyzed without luck and repetition. (I used to say 80-90% for "can be analyzed from core file", but the number is way down now because (a) we've gotten better at getting information into and out of the log files - e.g., we now keep a circular buffer of messages, including those at too low a severity level to be written to the log, and dump that as part of the failure output); (b) the remaining problems are exactly the ones that the current techniques fail to handle - we've fixed the others!) -- Jerry From crispin at novell.com Wed Sep 6 18:12:07 2006 From: crispin at novell.com (Crispin Cowan) Date: Wed, 06 Sep 2006 15:12:07 -0700 Subject: [SC-L] NDSS CFP Due September 10th Message-ID: <44FF47B7.9000505@novell.com> Security researchers with new results may be interested to know that the CFP deadline for NDSS is this Sunday September 10th http://www.isoc.org/isoc/conferences/ndss/07/cfp.shtml NDSS is a high quality academic peer reviewed conference in computer security. Traditionally focused on network security, NDSS now covers all aspects of computer security. This year we have a special interest in practical security issues, and we will be interleaving the peer reviewed technical papers with invited talk presentations from the "hacker" community on the leading edge of security attacks. We expect the blending of the (largely defense oriented) academic security community with the (often attack oriented) hacker community to produce both interesting presentations and interesting "hall track" conversations. Please consider submitting your papers by this Sunday, and also consider attending NDSS next February 28th - March 2nd in San Diego. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com Hack: adroit engineering solution to an unanticipated problem Hacker: one who is adroit at pounding round pegs into square holes From gem at cigital.com Thu Sep 7 13:19:14 2006 From: gem at cigital.com (Gary McGraw) Date: Thu, 7 Sep 2006 13:19:14 -0400 Subject: [SC-L] Silver Bullet: Ranum revisited Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB4214B7@va-mail.cigital.com> Hi all, The silver bullet security podcast episode with Marcus Ranum has been transcribed for publication in the Nov/Dec issue of IEEE S&P magazine. You can find the pdf here: http://www.cigital.com/silverbullet/shows/silverbullet-003-mranum.pdf To subscribe to the magazine (without even joining the IEEE), use this URL: www.computer.org/services/nonmem/spbnr gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From gem at cigital.com Thu Sep 7 15:44:13 2006 From: gem at cigital.com (Gary McGraw) Date: Thu, 7 Sep 2006 15:44:13 -0400 Subject: [SC-L] Darkreading: epassport and evoting Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB4214B8@va-mail.cigital.com> Hi all, The latest installment of my column on darkreading went up today. This one is titled "Keep Your Laws off my Security." It's about what happens when people in power pay little or no attention to warnings by security engineers. http://www.darkreading.com/document.asp?doc_id=103078&WT.svl=column1_1 Since we're all "technology insiders" here on sc-l, I think it behooves us to get involved in these issues. gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From gem at cigital.com Sat Sep 9 14:47:15 2006 From: gem at cigital.com (Gary McGraw) Date: Sat, 9 Sep 2006 14:47:15 -0400 Subject: [SC-L] What happens when security engineering gets ignored Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB4214B9@va-mail.cigital.com> Hi all, My latest column on darkreading shows what can happen when security engineers and technologists are ignored in the rush to embrace hot new technology. Many of us have warned over and over about RFID security and eVoting security, but with very little impact on government behavior. See the article here: http://www.darkreading.com/document.asp?doc_id=103078&WT.svl=column1_1 gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From ken at krvw.com Mon Sep 11 01:42:52 2006 From: ken at krvw.com (Kenneth Van Wyk) Date: Mon, 11 Sep 2006 01:42:52 -0400 Subject: [SC-L] Fwd: There's More than One Monoculture Message-ID: Greetings SC-L, Check out Peter Coffee's latest column at: http://www.eweek.com/article2/0,1895,2014207,00.asp It's a follow-up to Dan Geer's (et al's) now famous monoculture paper, three years after the paper was published. Among other things, Coffee makes some interesting comparisons to the Internet monoculture situation that existed in November 1988 when Robert Morris unleashed his Internet worm program. Interesting reading, IMHO. Cheers, Ken ----- Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20060911/a0482050/attachment.html From gem at cigital.com Tue Sep 12 10:36:29 2006 From: gem at cigital.com (Gary McGraw) Date: Tue, 12 Sep 2006 10:36:29 -0400 Subject: [SC-L] Security testing Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB743061@va-mail.cigital.com> Hi all, In this podcast interview (the first from sticky minds) I discuss the important differences between security testing and standard functional testing...among other things. Lots of software security stuff in here: http://www.stickyminds.com/Resources/Podcasts.asp gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com Sent from my treo. ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From Ken at krvw.com Wed Sep 27 09:39:32 2006 From: Ken at krvw.com (Kenneth Van Wyk) Date: Wed, 27 Sep 2006 09:39:32 -0400 Subject: [SC-L] IEEE Security and Privacy article on software security training Message-ID: <0C7E516F-BEFE-4EE3-982D-558A4F35B3C2@krvw.com> Wow, it's sure been a quiet few days out here on SC-L. Summer vacations are over, I suppose... In any case, I thought that I'd post a link to a new IEEE Security & Privacy article on training for software security engineers. It was written by Cigital's John Steven and yours truly, and can be found via: http://www.computer.org/portal/site/security Enjoy. Cheers, Ken ----- Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 186 bytes Desc: This is a digitally signed message part Url : http://krvw.com/pipermail/sc-l/attachments/20060927/ef85dd5b/attachment.bin From gem at cigital.com Thu Sep 28 16:36:38 2006 From: gem at cigital.com (Gary McGraw) Date: Thu, 28 Sep 2006 16:36:38 -0400 Subject: [SC-L] Silver Bullet 6: Michael Howard Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7433DE@va-mail.cigital.com> Hi all, You'll probably like this one. The latest installment of the Silver Bullet Security Podcast is an interview with Michael Howard. Do we talk about software security? Well, whatddaya think?! http://www.cigital.com/silverbullet/ The Silver Bullet Security Podcast with Gary McGraw is co-sponsored by Cigital and IEEE Security & Privacy magazine. gem company www.cigital.com book www.swsec.com ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From dinis at ddplus.net Sat Sep 30 11:02:04 2006 From: dinis at ddplus.net (Dinis Cruz) Date: Sat, 30 Sep 2006 16:02:04 +0100 Subject: [SC-L] Call for panelists: "The role of frameworks (e.g., .Net, Java, Enterprise Library, Struts, JaCorb) in 'forcing' developers to create and deploy 'secure' applications" panel in the next OWASP Conference Message-ID: <701fd6b60609300802w5627343cia4e92cd7b7fc2a15@mail.gmail.com> Ok, First a quick apology for sending this request 18 days before the event (too busy, lack of sleep, charging kids nappies (or diapers for the US crowd), etc... :) In the next OWASP conference in Seattle, which will happen on the 17th and 18th of October 2006 (see http://www.owasp.org/index.php/OWASP_AppSec_Seattle_2006/Agenda) I managed to convince the organizers (thx Dave) to add the following panel to the line up Thursday 17th, 16:50-18:00 : "The role of frameworks (e.g., .Net, Java, Enterprise Library, Struts, JaCorb) in 'forcing' developers to create and deploy 'secure' applications. Moderator: TBD Panelists: Dinis Cruz, OWASP.Net Project Lead and others TBD " The problem is in that last line: "Moderator: TBD Panelists: Dinis Cruz, OWASP .Net Project Lead and others TBD" since at the moment it is only me :) So I am doing this public call for panelists in the hope that I will find the right ones. Ideally I would like a strong representative from the following camps: - .Net CLR guru (with strong background on CAS (Code Access Security)) - Java JVM guru (with strong background on the Java Security Manager) - Struts guru (with a focus on Struts as a security layer), or other 'developer focused' frameworks - Web Application Security Consultant (somebody focused in 'breaking applications') - Business manager (somebody whose job is to create/deliver applications, and will bring to the table the 'business mind' point of view) To finish off this email here is a quick abstract of what I want to discuss in this panel: "The role of frameworks (e.g., .Net, Java, Enterprise Library, Struts, JaCorb) in 'forcing' developers to create and deploy 'secure' applications >From a security point of view, the current development paradigms are mainly based on the concept of 'making no errors'. I.e. if only the developers (and the Software development Livecycle that is supporting them) are able to program 'securely' (what ever that might mean), the security vulnerabilities that we have today will cease to exit. Basically it is the concept of the 'Big Wall of china'. There are some efforts in 'defense in depth', which most of the time are either: a) not implemented, b) only designed to protect the server and not the assets (for example the idea of executing the code under a non-admin account) or c) too complex. This creates an environment where the application asset's CIA (Confidentiality, Integrity and Confidentiality) can be compromised via one single mistake (created accidentally, by lack of knowledge or 'deliberately' ), such as: SQL Injection (the buffer overflows of Web Apps :) ), Authorization/Authentication blind spot, Application logic or malicious file upload/execution. Part of the problem is that this requirement ('make no mistakes') applies to 100% of the code, since all code is executed under the same privileges (from the point of view of the assets). This means that we (the developers and security good guys) need to protect and worry about 100% of the code base (which given a large enough application is just impossible). Basically, we need to be able to "security and safely handle malicious code or benign code manipulated in a malicious way" For me the solution is to create a development model where 85% or 95% of the code base is executed in an environment that doesn't have major security implications). In this world, the exploit vector would have to be in the remaining 15% or 5%, which would be the code base that would be audited, closely analysed and in some cases certified. My view is that this world would deliver secure applications (and an environment where it would be commercially viable to do so), because most developers would be focused on what they are good at and are paid for ( i.e. features, performance and user experience) and only a small number of developers would be involved in security related activities. And of course, the way to create this world is by using development frameworks that 'force' the developer(s) to program is such a way' (and having enough enough commercial preasure). So what I what to talk about in this panel, is how to we get there (and 'are development frameworks a big part of the solution?'). Currently there are two main approaches to solve this problem: There is the 'Operating System' camp, and the 'Managed Environment' camp Examples of the 'Operating System' camp are Microsoft's Vista, SELinux and AppArmour Examples of the 'Managed Environment' camp are the .Net Framework (or mono) and Java The only one that has any real momentum today is the 'Operating System' camp, and in the 'Managed Environment' camp most of the code (probably 99%) is executed in an 'unmanaged environment' (Full Trust in .Net or with the Security Manager/Verifier disabled in Java). Unfortunately, due to the enormous attack surface and the fact that most of the assets are located at the user/identity layer, the 'Operating System' camp is fighting a lost battle (look at Vista's UAC mess and reimplementation of CAS (Code Access Security) at the OS level (best example of this reimplementation is the new Vista Network permissions for processes (which will not work as expected, ironically mainly because of the problems that CAS has today: Policy, Complexity, Perceived value and ultimately Lack Effectiveness)) As you can see in my previous posts, I put more faith in the 'Managed Environment' camp, but at the moment there is no major focus in this direction. My view is that we will have to wait 1 or 2 more years until Vista, Mac Os and Linux show how their are not able to sustain 'unmanaged' malicious code. So, if you have strong opinions on this and have an active role in either camp, join me on this panel at the next OWASP conference." Best regards Dinis Cruz OWASP Autumn of Code 2006, http://www.owasp.org/index.php/OAC OWASP .Net Project, http://www.owasp.org/index.php/.Net -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20060930/d7635957/attachment.html From ge at linuxbox.org Thu Oct 5 12:58:18 2006 From: ge at linuxbox.org (Gadi Evron) Date: Thu, 5 Oct 2006 11:58:18 -0500 (CDT) Subject: [SC-L] (no subject) Message-ID: playing with Google Code Search, as Lev Toger just wrote: Google released a code search engine to catch up with Krugle, Koders, and Codease. Like most of the other Google?s tools it can be easily abused for hacking :) To find undisclosed vulnerabilities pass over this code: http://www.google.com/codesearch?q=ugly%7Chack%7Cfixme Or some other interesting combination (Use your favorite ugly code comment). ----- http://blogs.securiteam.com/index.php/archives/659 SO... ugly? dirty hack? Gadi. From ge at linuxbox.org Thu Oct 5 20:45:52 2006 From: ge at linuxbox.org (Gadi Evron) Date: Thu, 5 Oct 2006 19:45:52 -0500 (CDT) Subject: [SC-L] Google code search games In-Reply-To: Message-ID: Another guy just wrote some more fun keyw ords to search for: http://blogs.securiteam.com/index.php/archives/661 On Thu, 5 Oct 2006, Gadi Evron wrote: > playing with Google Code Search, as Lev Toger just wrote: > > Google released a code search engine to catch up with Krugle, Koders, and > Codease. > > Like most of the other Google?s tools it can be easily abused for hacking > :) > > To find undisclosed vulnerabilities pass over this code: > > http://www.google.com/codesearch?q=ugly%7Chack%7Cfixme > > Or some other interesting combination (Use your favorite ugly code > comment). > ----- > > http://blogs.securiteam.com/index.php/archives/659 > > SO... ugly? dirty hack? > > Gadi. > > From stephen at corsaire.com Fri Oct 6 00:52:51 2006 From: stephen at corsaire.com (Stephen de Vries) Date: Fri, 6 Oct 2006 11:52:51 +0700 Subject: [SC-L] Google code search games In-Reply-To: References: Message-ID: Also: XSS in Java apps http://www.google.com/codesearch?hl=en&lr=&q=%3C%25% 3D.*getParameter&btnG=Search (Obvious) SQL Injection in Java apps: http://www.google.com/codesearch? hl=en&lr=&q=executeQuery.*getParameter&btnG=Search XSS in code from O'Reilly and Sun: http://www.google.com/codesearch?hl=en&lr=&q=%3C%25%3D.*getParameter +package%3A%28oreilly.com%7Csun.com%29&btnG=Search El 6 Oct 2006, a las 07:45, Gadi Evron escribi?: > Another guy just wrote some more fun keyw ords to search for: > http://blogs.securiteam.com/index.php/archives/661 > > On Thu, 5 Oct 2006, Gadi Evron wrote: > >> playing with Google Code Search, as Lev Toger just wrote: >> >> Google released a code search engine to catch up with Krugle, >> Koders, and >> Codease. >> >> Like most of the other Google?s tools it can be easily abused for >> hacking >> :) >> >> To find undisclosed vulnerabilities pass over this code: >> >> http://www.google.com/codesearch?q=ugly%7Chack%7Cfixme >> >> Or some other interesting combination (Use your favorite ugly code >> comment). >> ----- >> >> http://blogs.securiteam.com/index.php/archives/659 >> >> SO... ugly? dirty hack? >> >> Gadi. >> >> > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/ > listinfo/sc-l > List charter available at - http://www.securecoding.org/list/ > charter.php -- Stephen de Vries Corsaire Ltd E-mail: stephen at corsaire.com Tel: +44 1483 226014 Fax: +44 1483 226068 Web: http://www.corsaire.com From rcs at cert.org Fri Oct 6 03:14:06 2006 From: rcs at cert.org (Robert C. Seacord) Date: Fri, 06 Oct 2006 03:14:06 -0400 Subject: [SC-L] Google code search games In-Reply-To: References: Message-ID: <4526023E.2000908@cert.org> Gadi, Here are some searches from Derek Jones: The new Google source code search page has opened up some interesting research possibilities. How many instances of: if (...) ; are there out there (skip the first half dozen unusual macro uses)? http://www.google.com/codesearch?hl=en&lr=&q=++%5Csif%5C(%5B%5E)%5D*%5C)%3B+lang%3Ac%2B%2B&btnG=Search Security holes in PHP web applications: http://www.google.com/codesearch?hl=en&lr=&q=Where+%5C%24_POST+-addslashes+lang%3Aphp Back door passwords :-) http://www.google.com/codesearch?q=+%22backdoor+password rCs From rcs at cert.org Fri Oct 6 21:36:36 2006 From: rcs at cert.org (Robert C. Seacord) Date: Fri, 06 Oct 2006 21:36:36 -0400 Subject: [SC-L] Static code analysis via Google code search Message-ID: <452704A4.8060401@cert.org> people are having way too much fun with this: http://asert.arbornetworks.com/2006/10/static-code-analysis-using-google-code-search/ rCs From gunnar at arctecgroup.net Fri Oct 6 18:05:33 2006 From: gunnar at arctecgroup.net (Gunnar Peterson) Date: Fri, 06 Oct 2006 17:05:33 -0500 Subject: [SC-L] Google code search games In-Reply-To: <4526023E.2000908@cert.org> Message-ID: DTDs http://www.google.com/codesearch?hl=en&lr=&q=file%3Adtd&btnG=Search -gp On 10/6/06 2:14 AM, "Robert C. Seacord" wrote: > Gadi, > > Here are some searches from Derek Jones: > > The new Google source code search page has opened up > some interesting research possibilities. > > How many instances of: > > if (...) ; > > are there out there (skip the first half dozen unusual macro uses)? > > http://www.google.com/codesearch?hl=en&lr=&q=++%5Csif%5C(%5B%5E)%5D*%5C)%3B+la > ng%3Ac%2B%2B&btnG=Search > > > Security holes in PHP web applications: > > http://www.google.com/codesearch?hl=en&lr=&q=Where+%5C%24_POST+-addslashes+lan > g%3Aphp > > > Back door passwords :-) > > http://www.google.com/codesearch?q=+%22backdoor+password > > rCs > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php From itripn at gmail.com Sun Oct 8 10:04:54 2006 From: itripn at gmail.com (Ron Forrester) Date: Sun, 8 Oct 2006 07:04:54 -0700 Subject: [SC-L] Google code search games In-Reply-To: References: Message-ID: WSDL: http://www.google.com/codesearch?hl=en&lr=&q=file%3A.wsdl%24+transfer&btnG=Search On 10/5/06, Gadi Evron wrote: > > playing with Google Code Search, as Lev Toger just wrote: > > > > Google released a code search engine to catch up with Krugle, Koders, and > > Codease. > > > > Like most of the other Google?s tools it can be easily abused for hacking > > :) -- rjf& From ge at linuxbox.org Sun Oct 8 10:58:01 2006 From: ge at linuxbox.org (Gadi Evron) Date: Sun, 8 Oct 2006 09:58:01 -0500 (CDT) Subject: [SC-L] Google code search games In-Reply-To: Message-ID: On Sun, 8 Oct 2006, Ron Forrester wrote: > WSDL: > > http://www.google.com/codesearch?hl=en&lr=&q=file%3A.wsdl%24+transfer&btnG=Search I am still updating the main post with new search regex as I find them, all the time: http://blogs.securiteam.com/index.php/archives/663 Some other fun was noted on the daily WTF, where the do more funny searches: http://thedailywtf.com/forums/thread/94630.aspx > > > On 10/5/06, Gadi Evron wrote: > > > playing with Google Code Search, as Lev Toger just wrote: > > > > > > Google released a code search engine to catch up with Krugle, Koders, and > > > Codease. > > > > > > Like most of the other Google?s tools it can be easily abused for hacking > > > :) > > > -- > rjf& > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > From gem at cigital.com Mon Oct 9 12:19:13 2006 From: gem at cigital.com (Gary McGraw) Date: Mon, 9 Oct 2006 12:19:13 -0400 Subject: [SC-L] darkreading: voting machines Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB6FEBA3@va-mail.cigital.com> Hi all, I'm sure that many of you saw the "Ed Felten and friends break Diebold machines" story a couple of weeks ago...maybe in DDJ or on /.. I wrote a piece about the crack for darkreading, which you can find here: http://www.darkreading.com/document.asp?doc_id=105188&WT.svl=column1_1 The most interesting thing from an sc-l perspective about this column is that it emphasizes a client need we're often forced to address---the need for a demo exploit. Sometimes those on the receiving end of a software security vulnerability don't believe that findings are real. An often-repeated excuse for doing nothing is "well, that's just a theoretical attack and it's too academic to matter." I can't tell you how many times I've heard that refrain. When that happens, building an exploit is often the only clear next step. And yet we all know how expensive and hard exploit development is. In this case, Diebold consistently downplay'ed Avi Rubin's results as "academic" or "theoretical." Ed upped the ante. Think it'll work?? gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From jeff.williams at aspectsecurity.com Mon Oct 9 23:34:50 2006 From: jeff.williams at aspectsecurity.com (Jeff Williams) Date: Mon, 9 Oct 2006 23:34:50 -0400 Subject: [SC-L] OWASP webappsec mailing list Message-ID: Hi, I'd like to invite you to join (or rejoin) the OWASP webappsec mailing list. We started this mailing list almost 5 years ago and it has spawned great discussion of application security issues. We're moving the list from its current home to a server controlled by OWASP. This will allow us to provide the high quality moderation the list deserves. You can join (or rejoin) us on the webappsec list by clicking here... http://lists.owasp.org/mailman/listinfo/webappsec If you haven't visited OWASP in a while, please come check out what's going on. The OWASP standard tools, like WebScarab and WebGoat have all been improving steadily over time. And we have tons of new projects, content, and tools, including: - OWASP AJAX Security Project - investigating security of AJAX enabled applications - OWASP CAL9000 Project - a JavaScript based web application security testing suite - OWASP Code Review Project - a new project to capture best practices for reviewing code - OWASP Honeycomb Project - a guide to the building blocks of application security - OWASP LAPSE Project - an Eclipse-based source static analysis tool for Java - OWASP Live CD Project - a CD will application security analysis and testing tools - OWASP Orizon Project - a flexible code review engine - OWASP Pantera Web Assessment Studio Project - a hybrid testing approach - OWASP PHP Project - helping PHP developers build secure applications - OWASP Java Project - helping Java and J2EE developers build secure applications - OWASP SQLiX Project - a full perl-based SQL scanner - OWASP Testing Project - application security testing procedures and checklists - OWASP Validation Project - a project that provides guidance and tools related to validation. As always, OWASP is free and open for everyone. Please forward this message to anyone who is interested in application security. Thanks for your support. --Jeff Jeff Williams, Chair The OWASP Foundation "Dedicated to finding and fighting the causes of insecure software" -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20061009/b2cce75c/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/jpeg Size: 1656 bytes Desc: image001.jpg Url : http://krvw.com/pipermail/sc-l/attachments/20061009/b2cce75c/attachment-0001.jpe From Ken at krvw.com Tue Oct 10 12:02:10 2006 From: Ken at krvw.com (Kenneth Van Wyk) Date: Tue, 10 Oct 2006 12:02:10 -0400 Subject: [SC-L] Insecurity in Open Source Message-ID: FYI, there's an interesting opinion article in Business Week by Coverity's CTO, Ben Chelf (see link below). In it, he discusses the results of their scanning of a significant sampling of both open- and closed-source projects. Chelf compares some special purpose proprietary software security/ quality with the best of what's out in the open source world. Further, he opines that the open source guys need to adopt far more rigorous QA testing in order to compete with the best of the proprietary source world. I'm passing this along not to launch into the invariable religious debates of closed- vs. open-source, but to encourage discussion about Chelf's claims with regards to rigorous QA testing. Anyway, here's the article. http://www.businessweek.com/technology/content/oct2006/ tc20061006_394140.htm?campaign_id=bier_tco.g3a.rss1007 Cheers, Ken ----- Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20061010/08e8c1b6/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 186 bytes Desc: This is a digitally signed message part Url : http://krvw.com/pipermail/sc-l/attachments/20061010/08e8c1b6/attachment.bin From jeremy.epstein at webmethods.com Tue Oct 10 12:44:28 2006 From: jeremy.epstein at webmethods.com (Jeremy Epstein) Date: Tue, 10 Oct 2006 12:44:28 -0400 Subject: [SC-L] darkreading: voting machines Message-ID: Gary, Interesting point. I'm on the Virginia state commission charged with making recommendations around voting systems, and we watched the Princeton video as part of our most recent meeting. The reaction from the election officials was amusing and scary: "if this is so real, why don't you hack a real election instead of this pretend stuff in the lab". Pointing out that it would (most likely) be a felony, and people like Rubin, Felten, and others are trying to help security not go to jail didn't seem to impress them. Also pointing out that the Rubin & Felten examples used out-of-date code because vendors won't share anything up-to-date doesn't seem to impress them. [This in response to Diebold's claim that they were looking at old code, and the problems are all "fixed".] I frankly don't think anything is going to impress the election officials (and some of the elected officials) short of incontrovertible evidence of a DRE meltdown - and of course, we know that there could well be a failure (and may have been failures) that are unproveable thanks to the nature of software. --Jeremy P.S. One of the elected officials on the commision insisted that Felten couldn't possibly have done his demo exploit without source code, because "everyone" knows you can't do an exploit without the source. Unfortunately, the level of education that needs to be provided to someone like that is more than I can provide in a Q&A format. I tried giving as an example that around 50% of the Microsoft updates are due to flaws found by people without source, but he wouldn't buy it.... (he was using a Windows laptop, but doesn't seem to understand where the fixes come from). > -----Original Message----- > From: sc-l-bounces at securecoding.org > [mailto:sc-l-bounces at securecoding.org] On Behalf Of Gary McGraw > Sent: Monday, October 09, 2006 12:19 PM > To: SC-L at securecoding.org > Cc: dwallach at cs.rice.edu; felten at princeton.edu; rubin at jhu.edu > Subject: [SC-L] darkreading: voting machines > > Hi all, > > I'm sure that many of you saw the "Ed Felten and friends > break Diebold machines" story a couple of weeks ago...maybe > in DDJ or on /.. I wrote a piece about the crack for > darkreading, which you can find here: > > http://www.darkreading.com/document.asp?doc_id=105188&WT.svl=column1_1 > > The most interesting thing from an sc-l perspective about > this column is that it emphasizes a client need we're often > forced to address---the need for a demo exploit. Sometimes > those on the receiving end of a software security > vulnerability don't believe that findings are real. > An often-repeated excuse for doing nothing is "well, that's > just a theoretical attack and it's too academic to matter." > I can't tell you how many times I've heard that refrain. > > When that happens, building an exploit is often the only > clear next step. And yet we all know how expensive and hard > exploit development is. > > In this case, Diebold consistently downplay'ed Avi Rubin's > results as "academic" or "theoretical." Ed upped the ante. > Think it'll work?? > > gem > > company www.cigital.com > podcast www.cigital.com/silverbullet > book www.swsec.com > > > -------------------------------------------------------------- > -------------- > This electronic message transmission contains information > that may be confidential or privileged. The information > contained herein is intended solely for the recipient and use > by any other party is not authorized. If you are not the > intended recipient (or otherwise authorized to receive this > message by the intended recipient), any disclosure, copying, > distribution or use of the contents of the information is > prohibited. If you have received this electronic message > transmission in error, please contact the sender by reply > email and delete all copies of this message. Cigital, Inc. > accepts no responsibility for any loss or damage resulting > directly or indirectly from the use of this email or its contents. > Thank You. > -------------------------------------------------------------- > -------------- > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - > http://krvw.com/mailman/listinfo/sc-l > List charter available at - > http://www.securecoding.org/list/charter.php > From Ken at krvw.com Wed Oct 11 10:37:50 2006 From: Ken at krvw.com (Kenneth Van Wyk) Date: Wed, 11 Oct 2006 10:37:50 -0400 Subject: [SC-L] A banner year for software bugs | Tech News on ZDNet Message-ID: So here's a lovely statistic for the software community to hang its hat on: http://news.zdnet.com/2100-1009_22-6124541.html?tag=zdfd.newsfeed Among other things, the article says, "Atlanta-based ISS, which is being acquired by IBM, predicts there will be a 41 percent increase in confirmed security faults in software compared with 2005. That year, in its own turn, saw a 37 percent rise over 2004." Of course, the real losers in this are the software users, who have to deal with the never ending onslaught of bugs and patches from their vendors. We've just _got_ to do better, IMHO, and automating the patch process is not the answer. Cheers, Ken ----- Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 186 bytes Desc: This is a digitally signed message part Url : http://krvw.com/pipermail/sc-l/attachments/20061011/3e8c4d85/attachment.bin From c.mccown at intel.com Wed Oct 11 12:32:00 2006 From: c.mccown at intel.com (McCown, Christian M) Date: Wed, 11 Oct 2006 09:32:00 -0700 Subject: [SC-L] A banner year for software bugs | Tech News on ZDNet Message-ID: It's probably worth mentioning that the statistics are for OTS software. What keeps me awake at night (other than the usual trivialities) is the volume and severity of flaws/bugs in software that companies have developed or customized in-house/internally. It gets more complicated when these apps are public-facing. Yikes. /cm -----Original Message----- From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of Kenneth Van Wyk Sent: Wednesday, October 11, 2006 7:38 AM To: Secure Coding Subject: [SC-L] A banner year for software bugs | Tech News on ZDNet So here's a lovely statistic for the software community to hang its hat on: http://news.zdnet.com/2100-1009_22-6124541.html?tag=zdfd.newsfeed Among other things, the article says, "Atlanta-based ISS, which is being acquired by IBM, predicts there will be a 41 percent increase in confirmed security faults in software compared with 2005. That year, in its own turn, saw a 37 percent rise over 2004." Of course, the real losers in this are the software users, who have to deal with the never ending onslaught of bugs and patches from their vendors. We've just _got_ to do better, IMHO, and automating the patch process is not the answer. Cheers, Ken ----- Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com From mshines at purdue.edu Wed Oct 11 10:51:54 2006 From: mshines at purdue.edu (Michael S Hines) Date: Wed, 11 Oct 2006 10:51:54 -0400 Subject: [SC-L] A banner year for software bugs | Tech News on ZDNet In-Reply-To: Message-ID: <200610111452.k9BEqVRk028058@mailhub130.itcs.purdue.edu> ... the patch process is not the answer.... And neither is adding new features when the old ones don't work. It's time to major on the majors, and quit messing with the minors. Give us features that work (do what they should do, and don't do what they should not do) - not just more features. Who cares if your icons have round or square corners - if someone else can take over your machine? Mike Hines mshines at purdue.edu -----Original Message----- From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of Kenneth Van Wyk Sent: Wednesday, October 11, 2006 10:38 AM To: Secure Coding Subject: [SC-L] A banner year for software bugs | Tech News on ZDNet So here's a lovely statistic for the software community to hang its hat on: http://news.zdnet.com/2100-1009_22-6124541.html?tag=zdfd.newsfeed Among other things, the article says, "Atlanta-based ISS, which is being acquired by IBM, predicts there will be a 41 percent increase in confirmed security faults in software compared with 2005. That year, in its own turn, saw a 37 percent rise over 2004." Of course, the real losers in this are the software users, who have to deal with the never ending onslaught of bugs and patches from their vendors. We've just _got_ to do better, IMHO, and automating the patch process is not the answer. Cheers, Ken ----- Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com From gem at cigital.com Wed Oct 11 16:26:52 2006 From: gem at cigital.com (Gary McGraw) Date: Wed, 11 Oct 2006 16:26:52 -0400 Subject: [SC-L] Google code search: good or bad? Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7FB4EC@va-mail.cigital.com> Hi all, I spoke to Dennis Fisher about the Google code searching stuff that's been floating around on the list for a few weeks (since the original Bugle posting). Here's the resulting article: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1 222898,00.html BTW, I wrote about this idea in my own article on darkreading back in August: http://www.darkreading.com/document.asp?doc_id=100643 What do you guys think about the capability? Is it good or is it bad? gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From dwheeler at ida.org Wed Oct 11 17:20:08 2006 From: dwheeler at ida.org (David A. Wheeler) Date: Wed, 11 Oct 2006 17:20:08 -0400 Subject: [SC-L] darkreading: voting machines References: Message-ID: <452D6008.9010301@ida.org> Jeremy Epstein: > Interesting point. I'm on the Virginia state commission charged with making > recommendations around voting systems, and we watched the Princeton video as > part of our most recent meeting. The reaction from the election officials > was amusing and scary: "if this is so real, why don't you hack a real > election instead of this pretend stuff in the lab". Pointing out that it > would (most likely) be a felony, and people like Rubin, Felten, and others > are trying to help security not go to jail didn't seem to impress them. > Also pointing out that the Rubin & Felten examples used out-of-date code > because vendors won't share anything up-to-date doesn't seem to impress > them. [This in response to Diebold's claim that they were looking at old > code, and the problems are all "fixed".] I'm willing to believe that the ELECTIONS are fixed. Since they lack a voter-verifiable paper trail, _no_ DRE can be trusted. Period. I used to do magic tricks, and they all work the same way - misdirect the viewer, so that what they think they see is not the same as reality. Many magic tricks depend on rigged props, where what you see is NOT the whole story. DREs are the ultimate illusion - the naive THINK they know what's doing, but in fact they have no way to know what's really going on. There's no way to even SEE the trap door under the box, as it were... DREs are a great prop for the illusion. Printing "zero" totals and other stuff looks just like a magic show to me - it has lots of pizazz, and it distracts the viewer from the fact that they have NO idea what's really going on. > I frankly don't think anything is going to impress the election officials > (and some of the elected officials) short of incontrovertible evidence of a > DRE meltdown - and of course, we know that there could well be a failure > (and may have been failures) that are unproveable thanks to the nature of > software. I'm of the opinion that elections using DREs have ALREADY been manipulated. No, I can't prove that an election HAS been manipulated, and I certainly can't point to a specific manufacturer or election. And I sincerely hope that no elections HAVE been manipulated. But there's a LOT of money riding on big elections, and a small fraction of that would be enough to tempt someone to do it. And many people STRONGLY believe in their cause/party, and might manipulate an election on the grounds that it's for the "greater good" - it need not be about money at all. It's crazy to assume that no one's done it, when it's so easy and the systems are KNOWN to be weak. The whole problem is that DRE designs make it essentially impossible to detect massive fraud, almost impossible to find the perpetrator even if you detected it, and allow a SINGLE person to control an entire election (so there's little risk of a "squeeler" as there is with other frauds). And if an unethical person knows they won't be caught, it INCREASES the probability of them doing it. Anyone who thinks that all candidates and parties are too honest to do this need to discover the newspaper and history books. Ballot-stuffing is at least as ancient as ancient Greece, and as modern as Right Now. These voting systems and their surrounding processes would not meet the criteria for an electronic one-armed bandit in Las Vegas. Yet there's more at stake. The state commissions cannot provide any justifiable evidence that votes are protected from compromise if they use DREs. And that is their job. DREs are unfit for use in elections that matter. They should be decommissioned with prejudice, and frankly, I'd like to see laws requiring vendors to take them back and give their purchasers a refund, or add voter-verified paper systems acceptable to the customer at no charge. (The paper needs to meet some standard too, so that you can use counting machines from different manufacturers to prevent collusion.) At no time was this DRE technology appropriate for use in voting, and the companies selling them would have known better had they done any examination of their real requirements. The voters were given a lemon, and they should have the right to get their money back. --- David A. Wheeler From michaelslists at gmail.com Wed Oct 11 16:49:52 2006 From: michaelslists at gmail.com (mikeiscool) Date: Thu, 12 Oct 2006 06:49:52 +1000 Subject: [SC-L] Google code search: good or bad? In-Reply-To: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7FB4EC@va-mail.cigital.com> References: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7FB4EC@va-mail.cigital.com> Message-ID: <5e01c29a0610111349k56299ddevd87a03c72a4c4198@mail.gmail.com> good or bad, it's quite old. www.koders.com has been doing it for years. considering the source is available for anyone to download anyway, and investigate themselves, i don't see the big deal. the engines just let you search a whole bunch at once, and why would any one company/product care about that? if you want to target them, you do. if you just want to find a bug in any given open source product, then one of these may be slightly useful. if the main concern is that code can accidently get online, well that problem has been around forever and will never go away. better to expose it and have it dealt with, really. all in all, no big deal. jmho. -- mic On 10/12/06, Gary McGraw wrote: > Hi all, > > I spoke to Dennis Fisher about the Google code searching stuff that's > been floating around on the list for a few weeks (since the original > Bugle posting). Here's the resulting article: > > http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1 > 222898,00.html > > BTW, I wrote about this idea in my own article on darkreading back in > August: > > http://www.darkreading.com/document.asp?doc_id=100643 > > What do you guys think about the capability? Is it good or is it bad? > > gem > > company www.cigital.com > podcast www.cigital.com/silverbullet > book www.swsec.com From gem at cigital.com Wed Oct 11 16:55:42 2006 From: gem at cigital.com (Gary McGraw) Date: Wed, 11 Oct 2006 16:55:42 -0400 Subject: [SC-L] Google code search: good or bad? Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7FB4F6@va-mail.cigital.com> Fair enough. It's pretty darn fun to search for silly things. My favorite so far is to search for "**cker" (you fill in the blanks yourself). Surprising how many people curse in their comments. Given the importance of config files for most modern frameworks, searching for XML config foo is interesting as well. gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com -----Original Message----- From: mikeiscool [mailto:michaelslists at gmail.com] Sent: Wednesday, October 11, 2006 4:50 PM To: Gary McGraw Cc: SC-L at securecoding.org; Neil Daswani Subject: Re: [SC-L] Google code search: good or bad? good or bad, it's quite old. www.koders.com has been doing it for years. considering the source is available for anyone to download anyway, and investigate themselves, i don't see the big deal. the engines just let you search a whole bunch at once, and why would any one company/product care about that? if you want to target them, you do. if you just want to find a bug in any given open source product, then one of these may be slightly useful. if the main concern is that code can accidently get online, well that problem has been around forever and will never go away. better to expose it and have it dealt with, really. all in all, no big deal. jmho. -- mic On 10/12/06, Gary McGraw wrote: > Hi all, > > I spoke to Dennis Fisher about the Google code searching stuff that's > been floating around on the list for a few weeks (since the original > Bugle posting). Here's the resulting article: > > http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1 > 222898,00.html > > BTW, I wrote about this idea in my own article on darkreading back in > August: > > http://www.darkreading.com/document.asp?doc_id=100643 > > What do you guys think about the capability? Is it good or is it bad? > > gem > > company www.cigital.com > podcast www.cigital.com/silverbullet > book www.swsec.com ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From ge at linuxbox.org Wed Oct 11 20:50:02 2006 From: ge at linuxbox.org (Gadi Evron) Date: Wed, 11 Oct 2006 19:50:02 -0500 (CDT) Subject: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet] In-Reply-To: Message-ID: So, how can we edit current basic programming college books to present secure code, a couple of words of the correct way of doing things, and a whole new chapter on secure coding (which may be redudndent?) How do we start? Some Whiley book for introduction to CS? Any volunteers to get this on the road? Gadi. On Wed, 11 Oct 2006, Kenneth Van Wyk wrote: > So here's a lovely statistic for the software community to hang its > hat on: > > http://news.zdnet.com/2100-1009_22-6124541.html?tag=zdfd.newsfeed > > Among other things, the article says, "Atlanta-based ISS, which is > being acquired by IBM, predicts there will be a 41 percent increase > in confirmed security faults in software compared with 2005. That > year, in its own turn, saw a 37 percent rise over 2004." > > Of course, the real losers in this are the software users, who have > to deal with the never ending onslaught of bugs and patches from > their vendors. We've just _got_ to do better, IMHO, and automating > the patch process is not the answer. > > Cheers, > > Ken > ----- > Kenneth R. van Wyk > KRvW Associates, LLC > http://www.KRvW.com > > > > > From michaelslists at gmail.com Wed Oct 11 21:03:25 2006 From: michaelslists at gmail.com (mikeiscool) Date: Thu, 12 Oct 2006 11:03:25 +1000 Subject: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet] In-Reply-To: References: Message-ID: <5e01c29a0610111803l59bf89eam939727a12fdced19@mail.gmail.com> On 10/12/06, Gadi Evron wrote: > So, how can we edit current basic programming college books to present > secure code, a couple of words of the correct way of doing things, and a > whole new chapter on secure coding (which may be redudndent?) > > How do we start? > > Some Whiley book for introduction to CS? > > Any volunteers to get this on the road? Secure programming is good programming. Most books teach good programming. People just don't care. > Gadi. -- mic From gem at cigital.com Wed Oct 11 21:25:29 2006 From: gem at cigital.com (Gary McGraw) Date: Wed, 11 Oct 2006 21:25:29 -0400 Subject: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet] Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7E790F@va-mail.cigital.com> We're working on it! The problem is not simply a book. gem -----Original Message----- From: Gadi Evron [mailto:ge at linuxbox.org] Sent: Wed Oct 11 20:58:12 2006 To: Kenneth Van Wyk Cc: Secure Coding Subject: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet] So, how can we edit current basic programming college books to present secure code, a couple of words of the correct way of doing things, and a whole new chapter on secure coding (which may be redudndent?) How do we start? Some Whiley book for introduction to CS? Any volunteers to get this on the road? Gadi. On Wed, 11 Oct 2006, Kenneth Van Wyk wrote: > So here's a lovely statistic for the software community to hang its > hat on: > > http://news.zdnet.com/2100-1009_22-6124541.html?tag=zdfd.newsfeed > > Among other things, the article says, "Atlanta-based ISS, which is > being acquired by IBM, predicts there will be a 41 percent increase > in confirmed security faults in software compared with 2005. That > year, in its own turn, saw a 37 percent rise over 2004." > > Of course, the real losers in this are the software users, who have > to deal with the never ending onslaught of bugs and patches from > their vendors. We've just _got_ to do better, IMHO, and automating > the patch process is not the answer. > > Cheers, > > Ken > ----- > Kenneth R. van Wyk > KRvW Associates, LLC > http://www.KRvW.com > > > > > _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From ge at linuxbox.org Wed Oct 11 21:28:52 2006 From: ge at linuxbox.org (Gadi Evron) Date: Wed, 11 Oct 2006 20:28:52 -0500 (CDT) Subject: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet] In-Reply-To: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7E790F@va-mail.cigital.com> Message-ID: On Wed, 11 Oct 2006, Gary McGraw wrote: > We're working on it! The problem is not simply a book. Great! What are you guys doing? What more can be done? There are quite a few of us willing to help, and I figure, starting with the books future programmers learn from is not a bad idea. This community is perfect for this job. Gadi. > > gem > > -----Original Message----- > From: Gadi Evron [mailto:ge at linuxbox.org] > Sent: Wed Oct 11 20:58:12 2006 > To: Kenneth Van Wyk > Cc: Secure Coding > Subject: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet] > > So, how can we edit current basic programming college books to present > secure code, a couple of words of the correct way of doing things, and a > whole new chapter on secure coding (which may be redudndent?) > > How do we start? > > Some Whiley book for introduction to CS? > > Any volunteers to get this on the road? > > Gadi. > > On Wed, 11 Oct 2006, Kenneth Van Wyk wrote: > > > So here's a lovely statistic for the software community to hang its > > hat on: > > > > http://news.zdnet.com/2100-1009_22-6124541.html?tag=zdfd.newsfeed > > > > Among other things, the article says, "Atlanta-based ISS, which is > > being acquired by IBM, predicts there will be a 41 percent increase > > in confirmed security faults in software compared with 2005. That > > year, in its own turn, saw a 37 percent rise over 2004." > > > > Of course, the real losers in this are the software users, who have > > to deal with the never ending onslaught of bugs and patches from > > their vendors. We've just _got_ to do better, IMHO, and automating > > the patch process is not the answer. > > > > Cheers, > > > > Ken > > ----- > > Kenneth R. van Wyk > > KRvW Associates, LLC > > http://www.KRvW.com > > > > > > > > > > > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > > > > > ---------------------------------------------------------------------------- > This electronic message transmission contains information that may be > confidential or privileged. The information contained herein is intended > solely for the recipient and use by any other party is not authorized. If > you are not the intended recipient (or otherwise authorized to receive this > message by the intended recipient), any disclosure, copying, distribution or > use of the contents of the information is prohibited. If you have received > this electronic message transmission in error, please contact the sender by > reply email and delete all copies of this message. Cigital, Inc. accepts no > responsibility for any loss or damage resulting directly or indirectly from > the use of this email or its contents. > Thank You. > ---------------------------------------------------------------------------- > From rcs at cert.org Thu Oct 12 09:20:22 2006 From: rcs at cert.org (Robert C. Seacord) Date: Thu, 12 Oct 2006 09:20:22 -0400 Subject: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet] In-Reply-To: References: Message-ID: <452E4116.6020101@cert.org> Gadi, I sort of agree with mic that the problem is poor programming. My last manager liked to pick up C text books at random and point out all the vulnerabilities in the code examples that are being used to teach the next generation of programmers (how to write vulnerabilities). > This community is perfect for this job. If the community is bored right now ;^) we are looking for community help to build up our knowledge of secure coding rules and recommendations for the C and C++ programming languages: www.securecoding.cert.org I'm also teaching a course at CMU in the spring on Secure Coding in C and C++. I'm hoping to take this material and incorporate it into the course. Once I get some experience teaching the material, I could help turn it into a college text. (I've written three books already, so I'm a proven threat. 8^) Thanks, rCs -- Robert C. Seacord Senior Vulnerability Analyst CERT/CC Work: 412-268-7608 FAX: 412-268-6989 From ljknews at mac.com Thu Oct 12 10:03:39 2006 From: ljknews at mac.com (ljknews) Date: Thu, 12 Oct 2006 10:03:39 -0400 Subject: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet] In-Reply-To: <452E4116.6020101@cert.org> References: <452E4116.6020101@cert.org> Message-ID: At 9:20 AM -0400 10/12/06, Robert C. Seacord wrote: > I'm also teaching a course at CMU in the spring on Secure Coding in C > and C++. Is there participation on this list from the (hopefully larger number of) CMU instructors who are teaching people to use safer languages in the first place ? -- Larry Kilgallen From dwheeler at ida.org Thu Oct 12 11:44:56 2006 From: dwheeler at ida.org (David A. Wheeler) Date: Thu, 12 Oct 2006 11:44:56 -0400 Subject: [SC-L] Secure programming is NOT just good programming References: Message-ID: <452E62F8.3050209@ida.org> mikeiscool claimed: > Secure programming is good programming. > Most books teach good programming. I strongly disagree with you, on both counts. At the least, those who say they practice good programming practices, and books that say they teach good programming practices, are GROSSLY INADEQUATE for developing secure programs. First, "Secure programming is good programming": Most people and organizations who claim that they perform good programming practices do NOT perform practices necessary for security. You could argue that therefore they aren't really doing "good programming", but that doesn't help fix anything. And organizations STILL generally place features over security, and when there's a perceived conflict, security almost always loses... and they'll STILL say that they practice "good programming" practices (they just happen to correctly implement insecure programs). Here are some practices you should typically be doing if you're worried about security, and note that many are typically NOT considered "good programming" by the general community of software developers: * You need to identify your threats that you'll counter (as requirements) * Design so that the threats are countered, e.g., mutually suspicious processes, small trusted computer base (TCB), etc. * Choose programming languages where you're less likely to have security flaws, and where you can't (e.g., must use C/C++), use extra security scanning tools and warning flags to reduce the risk. * Train on the specific common SECURITY failures of that language, so you can avoid them. (E.G., gets() is verbotin.) * Have peer reviews of the code, so that others can help find problems/vulnerabilities. * Test specifically for security properties, and use fuzz testing rigged to test for them. Few of these are done, particularly the first two. I'll concede that many open source software projects do peer reviews, but you really want ALL of these practices. Next, "Most books teach good programming." Pooey, though I wish they did. I still find buffer overflows in examples inside books on C/C++. I know the first version of K&R used scanf("...%s..."..) without noting that you could NEVER use this on untrusted input; I think the second edition used gets() without commenting on its security problems. A typical PHP book is littered with examples that are XSS disasters. The "Software Engineering Body of Knowledge" is supposed to summarize all you need to know to develop big projects.. yet it says essentially NOTHING about secure programming (it presumes that all programs are stand-alone, and never connect to an Internet or use data from an Internet - a ludicrous assumption). (P.S. I understand that it's being updated, hopefully it'll correct this.) I'd agree that "check your inputs" is a good programming practice, and is also critically important to secure programming. But it's not enough, and what people think of when you say "check your inputs" is VERY different when you talk to security-minded people vs. the general public. One well-known book (I think it was "Joel on Software") has some nice suggestions, but strongly argues that you should accept data from anywhere and just run it (i.e., that you shouldn't treat data and code as something separate). It claimed that sandboxing is a waste of time, and not worthwhile, even when running code from arbitrary locations... just ask the user if it's okay or not (we know that users always say "yes"). When that author thinks "check your inputs", he's thinking "check the syntax" - not "prevent damage". This is NOT a matter of "didn't implement it right" - the program is working AS DESIGNED. These programs are SPECIALLY DESIGNED to be insecure. And this was strongly argued as a GOOD programming practice. > People just don't care. There, unfortunately, we agree. Though there's hope for the future. --- David A. Wheeler From leichter_jerrold at emc.com Thu Oct 12 15:19:07 2006 From: leichter_jerrold at emc.com (Leichter, Jerry) Date: Thu, 12 Oct 2006 15:19:07 -0400 (EDT) Subject: [SC-L] Secure programming is NOT just good programming In-Reply-To: <452E62F8.3050209@ida.org> References: <452E62F8.3050209@ida.org> Message-ID: | Here are some practices you should typically be doing | if you're worried about security, and note that many are | typically NOT considered "good programming" | by the general community of software developers: | * You need to identify your threats that you'll counter (as requirements) | * Design so that the threats are countered, e.g., mutually | suspicious processes, small trusted computer base (TCB), etc. | * Choose programming languages where you're less likely to | have security flaws, and where you can't (e.g., must use C/C++), use extra | security scanning tools and warning flags to reduce the risk. | * Train on the specific common SECURITY failures of that | language, so you can avoid them. (E.G., gets() is verbotin.) | * Have peer reviews of the code, so that others can help find | problems/vulnerabilities. | * Test specifically for security properties, and use fuzz testing | rigged to test for them. | Few of these are done, particularly the first two. I'll concede | that many open source software projects do peer reviews, Actually, I wouldn't even concede that. Checking for security properties is not the same thing as checking for correct implementation of the intended functionality (unless your spec of the intended functionality is extraordinarly good). It takes practice to even know what to look for in a security-oriented peer review. To take one trivial example: Since there is never enough time to do a really complete review, most reviewers will naturally emphasize the paths executed in the common use cases. They will de-emphasize, and often outright ignore, the rare cases and even more so the error paths. Unfortunately, it's exactly in those rare or "can't happen" or "bad error" paths that most security bugs lie. | but you | really want ALL of these practices. | | Next, "Most books teach good programming." Pooey, though I wish they did. | I still find buffer overflows in examples inside books on C/C++. | I know the first version of K&R used scanf("...%s..."..) without noting | that you could NEVER use this on untrusted input; I think the | second edition used gets() without commenting on its security problems. | A typical PHP book is littered with examples that are XSS disasters. I agree 100% here. At best, you'll get one example of how you should "test your inputs for reasonable values". | The "Software Engineering Body of Knowledge" is supposed to | summarize all you need to know to develop big projects.. yet | it says essentially NOTHING about secure programming | (it presumes that all programs are stand-alone, and never connect | to an Internet or use data from an Internet - a ludicrous assumption). | (P.S. I understand that it's being updated, hopefully it'll correct this.) | | I'd agree that "check your inputs" is a good programming | practice, and is also critically important to secure programming. | But it's not enough, and what people think of when you say | "check your inputs" is VERY different when you talk to security-minded | people vs. the general public. | | One well-known book (I think it was "Joel on Software") has some | nice suggestions, but strongly argues that you should accept | data from anywhere and just run it (i.e., that you shouldn't | treat data and code as something separate). It claimed that sandboxing | is a waste of time, and not worthwhile, even when running code from | arbitrary locations... just ask the user if it's okay or not | (we know that users always say "yes"). When that author thinks | "check your inputs", he's thinking "check the syntax" - | not "prevent damage". This is NOT a matter of "didn't implement it | right" - the program is working AS DESIGNED. These programs | are SPECIALLY DESIGNED to be insecure. And this was strongly | argued as a GOOD programming practice. The classic example of checking inputs you find in beginner's texts is for a program that computes the area of a triangle given its three sides. The "careful" program checks that the three sides do, indeed, describe a triangle! OK - but I have yet to see a worked version of this problem that checks for overflows. And once that example is past, all the rest of the examples "focus on the issue at hand", and ignore the messy realities of data validation, errors, and so on. | > People just don't care. | | There, unfortunately, we agree. Though there's hope for the future. Trying to get people to write safe code, or check for safety properties, is not a practical solution. In the languages we have, *some* people can do it *some* of the time. But it's simply not the kind of thing that people are good at: It requires close concentration on "irrelevant" details. You can't get tired; you can't get distracted. Assuming this kind of thing simply reveals a complete misunderstanding of the way the human mind works. The only way forward is by having the *computer* do this kind of thing for us. The requirements of the task are very much like those of low-level code optimization: We leave that to the compilers today, because hardly anyone can do it well at all, much less competitively with decent code generators, except in very special circumstances. Code inspection tools are a necessary transitional step - just as Purify-like tools are an essential transitional step to find memory leaks in code that does manual storage management. But until we can figure out how to create safer *languages* - doing for security what garbage collection does for memory management - we'll always be several steps behind. -- Jerry From gem at cigital.com Thu Oct 12 16:32:46 2006 From: gem at cigital.com (Gary McGraw) Date: Thu, 12 Oct 2006 16:32:46 -0400 Subject: [SC-L] Secure programming is NOT just good programming Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7E7925@va-mail.cigital.com> I suppose now is as good a time as any to say that everything david is talking about here is described in great detail in the HOW TO book that I released last february. If you're reading this list, you really should read that book. It's called "software security". Ken and I have trained thousands of developers using the book as a guide with some success. Cigital has a number of very large-scale software security initiatives underway at various customers that leverage that training. But more importantly, good programs instill and measure the kinds of best practices (called touchpoints in the book) that are certainly not part of standard good coding practice. See www.swsec.com for more. gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com -----Original Message----- From: Leichter, Jerry [mailto:leichter_jerrold at emc.com] Sent: Thu Oct 12 16:24:35 2006 To: David A. Wheeler Cc: sc-l at securecoding.org Subject: Re: [SC-L] Secure programming is NOT just good programming | Here are some practices you should typically be doing | if you're worried about security, and note that many are | typically NOT considered "good programming" | by the general community of software developers: | * You need to identify your threats that you'll counter (as requirements) | * Design so that the threats are countered, e.g., mutually | suspicious processes, small trusted computer base (TCB), etc. | * Choose programming languages where you're less likely to | have security flaws, and where you can't (e.g., must use C/C++), use extra | security scanning tools and warning flags to reduce the risk. | * Train on the specific common SECURITY failures of that | language, so you can avoid them. (E.G., gets() is verbotin.) | * Have peer reviews of the code, so that others can help find | problems/vulnerabilities. | * Test specifically for security properties, and use fuzz testing | rigged to test for them. | Few of these are done, particularly the first two. I'll concede | that many open source software projects do peer reviews, Actually, I wouldn't even concede that. Checking for security properties is not the same thing as checking for correct implementation of the intended functionality (unless your spec of the intended functionality is extraordinarly good). It takes practice to even know what to look for in a security-oriented peer review. To take one trivial example: Since there is never enough time to do a really complete review, most reviewers will naturally emphasize the paths executed in the common use cases. They will de-emphasize, and often outright ignore, the rare cases and even more so the error paths. Unfortunately, it's exactly in those rare or "can't happen" or "bad error" paths that most security bugs lie. | but you | really want ALL of these practices. | | Next, "Most books teach good programming." Pooey, though I wish they did. | I still find buffer overflows in examples inside books on C/C++. | I know the first version of K&R used scanf("...%s..."..) without noting | that you could NEVER use this on untrusted input; I think the | second edition used gets() without commenting on its security problems. | A typical PHP book is littered with examples that are XSS disasters. I agree 100% here. At best, you'll get one example of how you should "test your inputs for reasonable values". | The "Software Engineering Body of Knowledge" is supposed to | summarize all you need to know to develop big projects.. yet | it says essentially NOTHING about secure programming | (it presumes that all programs are stand-alone, and never connect | to an Internet or use data from an Internet - a ludicrous assumption). | (P.S. I understand that it's being updated, hopefully it'll correct this.) | | I'd agree that "check your inputs" is a good programming | practice, and is also critically important to secure programming. | But it's not enough, and what people think of when you say | "check your inputs" is VERY different when you talk to security-minded | people vs. the general public. | | One well-known book (I think it was "Joel on Software") has some | nice suggestions, but strongly argues that you should accept | data from anywhere and just run it (i.e., that you shouldn't | treat data and code as something separate). It claimed that sandboxing | is a waste of time, and not worthwhile, even when running code from | arbitrary locations... just ask the user if it's okay or not | (we know that users always say "yes"). When that author thinks | "check your inputs", he's thinking "check the syntax" - | not "prevent damage". This is NOT a matter of "didn't implement it | right" - the program is working AS DESIGNED. These programs | are SPECIALLY DESIGNED to be insecure. And this was strongly | argued as a GOOD programming practice. The classic example of checking inputs you find in beginner's texts is for a program that computes the area of a triangle given its three sides. The "careful" program checks that the three sides do, indeed, describe a triangle! OK - but I have yet to see a worked version of this problem that checks for overflows. And once that example is past, all the rest of the examples "focus on the issue at hand", and ignore the messy realities of data validation, errors, and so on. | > People just don't care. | | There, unfortunately, we agree. Though there's hope for the future. Trying to get people to write safe code, or check for safety properties, is not a practical solution. In the languages we have, *some* people can do it *some* of the time. But it's simply not the kind of thing that people are good at: It requires close concentration on "irrelevant" details. You can't get tired; you can't get distracted. Assuming this kind of thing simply reveals a complete misunderstanding of the way the human mind works. The only way forward is by having the *computer* do this kind of thing for us. The requirements of the task are very much like those of low-level code optimization: We leave that to the compilers today, because hardly anyone can do it well at all, much less competitively with decent code generators, except in very special circumstances. Code inspection tools are a necessary transitional step - just as Purify-like tools are an essential transitional step to find memory leaks in code that does manual storage management. But until we can figure out how to create safer *languages* - doing for security what garbage collection does for memory management - we'll always be several steps behind. -- Jerry _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From ljknews at mac.com Thu Oct 12 16:42:09 2006 From: ljknews at mac.com (ljknews) Date: Thu, 12 Oct 2006 16:42:09 -0400 Subject: [SC-L] Secure programming is NOT just good programming In-Reply-To: References: <452E62F8.3050209@ida.org> Message-ID: At 3:19 PM -0400 10/12/06, Leichter, Jerry wrote: > The only way forward is by having the *computer* do this kind of > thing for us. The requirements of the task are very much like those > of low-level code optimization: We leave that to the compilers today, > because hardly anyone can do it well at all, much less competitively > with decent code generators, except in very special circumstances. > Code inspection tools are a necessary transitional step - just as > Purify-like tools are an essential transitional step to find memory > leaks in code that does manual storage management. But until we can > figure out how to create safer *languages* - doing for security what > garbage collection does for memory management - we'll always be > several steps behind. It is not adequate to *create* safer languages - it is necessary to have developers *use* those languages. Given the emphasis on C and C++ within posts on this list, that seems a long way off. -- Larry Kilgallen From ken at krvw.com Thu Oct 12 16:59:46 2006 From: ken at krvw.com (Kenneth Van Wyk) Date: Thu, 12 Oct 2006 16:59:46 -0400 Subject: [SC-L] Secure programming is NOT just good programming In-Reply-To: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7E7925@va-mail.cigital.com> References: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7E7925@va-mail.cigital.com> Message-ID: <87B47C12-572A-4363-8496-C62A6D79E682@krvw.com> On Oct 12, 2006, at 4:32 PM, Gary McGraw wrote: > I suppose now is as good a time as any to say that everything david > is talking about here is described in great detail in the HOW TO > book that I released last february. If you're reading this list, > you really should read that book. It's called "software security". > > Ken and I have trained thousands of developers using the book as a > guide with some success. Cigital has a number of very large-scale > software security initiatives underway at various customers that > leverage that training. But more importantly, good programs > instill and measure the kinds of best practices (called touchpoints > in the book) that are certainly not part of standard good coding > practice. Presuming you meant "now part of..." and not "not part of..." In any case, another great source of information on the touchpoint processes in Gary's book is the DHS-sponsored Build Security In portal at http://BuildSecurityIn.us-cert.gov. It's still a work in progress, but there are a bunch of in-depth articles explaining all of Gary's touchpoint activities and such. Plus, several new articles will be appearing there over the next few months, so keep checking in for updates. The site is free and open to the public. (Full disclosure: as one of the BSI authors, I'm certainly not unbiased, but I still believe it's a valuable resource for those who are interested in learning more about the touchpoints Gary cited.) Cheers, Ken ----- Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 186 bytes Desc: This is a digitally signed message part Url : http://krvw.com/pipermail/sc-l/attachments/20061012/03ac81d7/attachment-0001.bin From leichter_jerrold at emc.com Thu Oct 12 17:15:26 2006 From: leichter_jerrold at emc.com (Leichter, Jerry) Date: Thu, 12 Oct 2006 17:15:26 -0400 (EDT) Subject: [SC-L] Secure programming is NOT just good programming In-Reply-To: References: <452E62F8.3050209@ida.org> Message-ID: | > The only way forward is by having the *computer* do this kind of | > thing for us. The requirements of the task are very much like those | > of low-level code optimization: We leave that to the compilers today, | > because hardly anyone can do it well at all, much less competitively | > with decent code generators, except in very special circumstances. | > Code inspection tools are a necessary transitional step - just as | > Purify-like tools are an essential transitional step to find memory | > leaks in code that does manual storage management. But until we can | > figure out how to create safer *languages* - doing for security what | > garbage collection does for memory management - we'll always be | > several steps behind. | | It is not adequate to *create* safer languages - it is necessary to | have developers *use* those languages. Given the emphasis on C and | C++ within posts on this list, that seems a long way off. Fifteen years ago, the idea that a huge portion of new software would be developed in garbage-collected languages with safe memory semantics would have seemed a far-off dream. But in fact we are there today, with Java and C#, not to mention even higher-level from Python to Ruby. (Of course, then you can go to PHP. We know how secure that's turned out to be... though that's not really a fair attack: The attacks against PHP are "new style" - directory traversals, XSS - and nothing out there provides any inherent protection against them either.) Yes, there is still *tons* of C and C++ code out there, and more is still being developed. But there are many places where you have to justify using C++ rather than Java. (There are good reasons, because neither Java no C# are really quite there yet for many applications.) In any case, language is to a degree a misdirection on my part. What matters is not just the language, but the libraries and development methodologies and the entire development environment. Just as security properties are *system* properties of the full system, "good for development of secure systems" is a system property of the entire development methodology/mechanism/environment. C/C++ plus static analysis plus Purify over test runs with good code coverage plus automated "fuzz" generation/testing would probably be close to as good as you can get today - not that any such integrated system exists anywhere I know of. Replacing some of the C/C++ libraries with inherently safer versions could only help. It's not that training in secure coding practices isn't important. We're starting from such a low level today that this kind of low-lying fruit must be picked. I'm looking out beyond that. I think security awareness, on its own, will only get us so far - and it's not nearly far enough. -- Jerry From michaelslists at gmail.com Thu Oct 12 19:13:48 2006 From: michaelslists at gmail.com (mikeiscool) Date: Fri, 13 Oct 2006 09:13:48 +1000 Subject: [SC-L] Secure programming is NOT just good programming In-Reply-To: <452E62F8.3050209@ida.org> References: <452E62F8.3050209@ida.org> Message-ID: <5e01c29a0610121613s15438d1dq624a2339e1ef9806@mail.gmail.com> On 10/13/06, David A. Wheeler wrote: > mikeiscool claimed: > > Secure programming is good programming. > > Most books teach good programming. > > I strongly disagree with you, on both counts. As is your right :) > At the least, those who say they practice good programming > practices, and books that say they teach good programming > practices, are GROSSLY INADEQUATE for developing secure programs. Sure. > First, "Secure programming is good programming": > Most people and organizations who claim that they perform > good programming practices do NOT perform practices > necessary for security. You could argue that therefore they > aren't really doing "good programming", but that doesn't > help fix anything. That's not an argument against it. I believe it will help, anyway, if you can say to the public: "this program is written badly" instead of "this program is written unsecurely". Almost everyone doesn't want to hear the second version. If they ask why, well you can explain. But keep it simple. > And organizations STILL generally > place features over security, and when there's a perceived > conflict, security almost always loses... and they'll STILL > say that they practice "good programming" practices (they just > happen to correctly implement insecure programs). You can design an insecure program that is coded well, and hence only insecure in the ways you wish. You are mixing secure/good programming with secure/good design. > Here are some practices you should typically be doing > if you're worried about security, and note that many are > typically NOT considered "good programming" > by the general community of software developers: > * You need to identify your threats that you'll counter (as requirements) > * Design so that the threats are countered, e.g., mutually > suspicious processes, small trusted computer base (TCB), etc. > * Choose programming languages where you're less likely to > have security flaws, and where you can't (e.g., must use C/C++), use extra > security scanning tools and warning flags to reduce the risk. > * Train on the specific common SECURITY failures of that > language, so you can avoid them. (E.G., gets() is verbotin.) > * Have peer reviews of the code, so that others can help find > problems/vulnerabilities. > * Test specifically for security properties, and use fuzz testing > rigged to test for them. > Few of these are done, particularly the first two. I'll concede > that many open source software projects do peer reviews, but you > really want ALL of these practices. Yep. > Next, "Most books teach good programming." Pooey, though I wish they did. Okay that was wishful thinking. > I still find buffer overflows in examples inside books on C/C++. > I know the first version of K&R used scanf("...%s..."..) without noting > that you could NEVER use this on untrusted input; I think the > second edition used gets() without commenting on its security problems. > A typical PHP book is littered with examples that are XSS disasters. Fair enough. > The "Software Engineering Body of Knowledge" is supposed to > summarize all you need to know to develop big projects.. yet > it says essentially NOTHING about secure programming > (it presumes that all programs are stand-alone, and never connect > to an Internet or use data from an Internet - a ludicrous assumption). > (P.S. I understand that it's being updated, hopefully it'll correct this.) > > I'd agree that "check your inputs" is a good programming > practice, and is also critically important to secure programming. > But it's not enough, and what people think of when you say > "check your inputs" is VERY different when you talk to security-minded > people vs. the general public. Yep. > One well-known book (I think it was "Joel on Software") has some > nice suggestions, but strongly argues that you should accept > data from anywhere and just run it (i.e., that you shouldn't > treat data and code as something separate). It claimed that sandboxing > is a waste of time, and not worthwhile, even when running code from > arbitrary locations... just ask the user if it's okay or not > (we know that users always say "yes"). When that author thinks > "check your inputs", he's thinking "check the syntax" - > not "prevent damage". This is NOT a matter of "didn't implement it > right" - the program is working AS DESIGNED. These programs > are SPECIALLY DESIGNED to be insecure. And this was strongly > argued as a GOOD programming practice. Which is clearly wrong. > > People just don't care. > > There, unfortunately, we agree. Though there's hope for the future. > > --- David A. Wheeler -- mic From cew at ACM.ORG Thu Oct 12 21:14:26 2006 From: cew at ACM.ORG (Craig E. Ward) Date: Thu, 12 Oct 2006 18:14:26 -0700 Subject: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet] In-Reply-To: References: <452E4116.6020101@cert.org> Message-ID: At 10:03 AM -0400 10/12/06, ljknews wrote: >At 9:20 AM -0400 10/12/06, Robert C. Seacord wrote: > >> I'm also teaching a course at CMU in the spring on Secure Coding in C >> and C++. > >Is there participation on this list from the (hopefully larger number of) >CMU instructors who are teaching people to use safer languages in the first >place ? >-- >Larry Kilgallen I don't think saying "use safer languages" is a good way to say it. It would help conditions significantly if greater care were taken to match the choice of programming language to the problem to be solved or application to be created. If a language like C is most appropriate, then use it, just be sure to take the extra steps needed to develop it securely. The problem is so much the programming languages as it is the way they are used. Craig -- Internet: cew at ACM.ORG "If a program has not been specified, it cannot be incorrect; it can only be surprising." (Young, Boebert, and Kain) From weld at vulnwatch.org Fri Oct 13 00:03:50 2006 From: weld at vulnwatch.org (Chris Wysopal) Date: Thu, 12 Oct 2006 23:03:50 -0500 (EST) Subject: [SC-L] darkreading: voting machines In-Reply-To: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB6FEBA3@va-mail.cigital.com> References: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB6FEBA3@va-mail.cigital.com> Message-ID: On Mon, 9 Oct 2006, Gary McGraw wrote: > The most interesting thing from an sc-l perspective about this column is > that it emphasizes a client need we're often forced to address---the > need for a demo exploit. Sometimes those on the receiving end of a > software security vulnerability don't believe that findings are real. > An often-repeated excuse for doing nothing is "well, that's just a > theoretical attack and it's too academic to matter." I can't tell you > how many times I've heard that refrain. In 1998 we put a slogan on the L0pht.com web page. "That vulnerability is theoretical." -Microsoft L0pht - making the theoretical practical since 1992. Microsoft doesn't say that line any more. I guess a few worms can change your tune. It seems that you need to get bitten a few times before you automatically put on the bug spray before heading down to the swamp. -Chris From weld at vulnwatch.org Fri Oct 13 00:24:22 2006 From: weld at vulnwatch.org (Chris Wysopal) Date: Thu, 12 Oct 2006 23:24:22 -0500 (EST) Subject: [SC-L] darkreading: voting machines In-Reply-To: References: Message-ID: I think there is an easy solution to this. It is called a 3rd party audit. This is done all the time in the financial community. Software vendors fork over their latest product version and sometimes source code and a credible 3rd party looks for holes. It is sometimes paid for by the customer and sometimes the customer makes it a requirement of purchase so it is paid for by the vendor. We did many of these at @stake. Why do banks do this? Some say it is because they don't like to go to jail or be fined for not following the nebulous "reasonable care" provisions of the regulations they are required to follow. It is more likely they don't want to tarnish their trusted brand image. A voting commission has neither of these motivations. No one gets fined or fired or put in jail for fielding a system that ends up being used for voter fraud. There is no trusted image to protect. The "pretend stuff in the lab" comment is especially discouraging because what Rubin and Felten are doing in the lab is EXACTLY what Diebold should be doing in their testing lab. A product that has security requirements is not fit to be fielded until security testing has been performed. -Chris -= The Art of Software Security Testing: Identifying Software Security -= Flaws by Chris Wysopal, Lucas Nelson, Dino Dai Zovi, and Elfriede -= Dustin, Available Nov 27, 2006 On Tue, 10 Oct 2006, Jeremy Epstein wrote: > Gary, > > Interesting point. I'm on the Virginia state commission charged with making > recommendations around voting systems, and we watched the Princeton video as > part of our most recent meeting. The reaction from the election officials > was amusing and scary: "if this is so real, why don't you hack a real > election instead of this pretend stuff in the lab". Pointing out that it > would (most likely) be a felony, and people like Rubin, Felten, and others > are trying to help security not go to jail didn't seem to impress them. > Also pointing out that the Rubin & Felten examples used out-of-date code > because vendors won't share anything up-to-date doesn't seem to impress > them. [This in response to Diebold's claim that they were looking at old > code, and the problems are all "fixed".] > > I frankly don't think anything is going to impress the election officials > (and some of the elected officials) short of incontrovertible evidence of a > DRE meltdown - and of course, we know that there could well be a failure > (and may have been failures) that are unproveable thanks to the nature of > software. > > --Jeremy > > P.S. One of the elected officials on the commision insisted that Felten > couldn't possibly have done his demo exploit without source code, because > "everyone" knows you can't do an exploit without the source. Unfortunately, > the level of education that needs to be provided to someone like that is > more than I can provide in a Q&A format. I tried giving as an example that > around 50% of the Microsoft updates are due to flaws found by people without > source, but he wouldn't buy it.... (he was using a Windows laptop, but > doesn't seem to understand where the fixes come from). > > > -----Original Message----- > > From: sc-l-bounces at securecoding.org > > [mailto:sc-l-bounces at securecoding.org] On Behalf Of Gary McGraw > > Sent: Monday, October 09, 2006 12:19 PM > > To: SC-L at securecoding.org > > Cc: dwallach at cs.rice.edu; felten at princeton.edu; rubin at jhu.edu > > Subject: [SC-L] darkreading: voting machines > > > > Hi all, > > > > I'm sure that many of you saw the "Ed Felten and friends > > break Diebold machines" story a couple of weeks ago...maybe > > in DDJ or on /.. I wrote a piece about the crack for > > darkreading, which you can find here: > > > > http://www.darkreading.com/document.asp?doc_id=105188&WT.svl=column1_1 > > > > The most interesting thing from an sc-l perspective about > > this column is that it emphasizes a client need we're often > > forced to address---the need for a demo exploit. Sometimes > > those on the receiving end of a software security > > vulnerability don't believe that findings are real. > > An often-repeated excuse for doing nothing is "well, that's > > just a theoretical attack and it's too academic to matter." > > I can't tell you how many times I've heard that refrain. > > > > When that happens, building an exploit is often the only > > clear next step. And yet we all know how expensive and hard > > exploit development is. > > > > In this case, Diebold consistently downplay'ed Avi Rubin's > > results as "academic" or "theoretical." Ed upped the ante. > > Think it'll work?? > > > > gem > > > > company www.cigital.com > > podcast www.cigital.com/silverbullet > > book www.swsec.com > > > > > > -------------------------------------------------------------- > > -------------- > > This electronic message transmission contains information > > that may be confidential or privileged. The information > > contained herein is intended solely for the recipient and use > > by any other party is not authorized. If you are not the > > intended recipient (or otherwise authorized to receive this > > message by the intended recipient), any disclosure, copying, > > distribution or use of the contents of the information is > > prohibited. If you have received this electronic message > > transmission in error, please contact the sender by reply > > email and delete all copies of this message. Cigital, Inc. > > accepts no responsibility for any loss or damage resulting > > directly or indirectly from the use of this email or its contents. > > Thank You. > > -------------------------------------------------------------- > > -------------- > > > > _______________________________________________ > > Secure Coding mailing list (SC-L) > > SC-L at securecoding.org > > List information, subscriptions, etc - > > http://krvw.com/mailman/listinfo/sc-l > > List charter available at - > > http://www.securecoding.org/list/charter.php > > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > From michaelslists at gmail.com Fri Oct 13 07:02:23 2006 From: michaelslists at gmail.com (mikeiscool) Date: Fri, 13 Oct 2006 21:02:23 +1000 Subject: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet] In-Reply-To: References: <452E4116.6020101@cert.org> Message-ID: <5e01c29a0610130402y7e6ae0b0ufb197d9481a1f960@mail.gmail.com> On 10/13/06, Craig E. Ward wrote: > At 10:03 AM -0400 10/12/06, ljknews wrote: > >At 9:20 AM -0400 10/12/06, Robert C. Seacord wrote: > > > >> I'm also teaching a course at CMU in the spring on Secure Coding in C > >> and C++. > > > >Is there participation on this list from the (hopefully larger number of) > >CMU instructors who are teaching people to use safer languages in the first > >place ? > >-- > >Larry Kilgallen > > > I don't think saying "use safer languages" is a good way to say it. > It would help conditions significantly if greater care were taken to > match the choice of programming language to the problem to be solved > or application to be created. If a language like C is most > appropriate, then use it, just be sure to take the extra steps needed > to develop it securely. > > The problem is so much the programming languages as it is the way > they are used. Well, programming languages can go a long way to helping solve the problem, and it can be reasonably grey as to where to use what. Should I use php or ror? or python? or c#? I'd say there is a very appropriate and open space for nice "secure" languages to live and develop. > Craig -- mic From james.walden at gmail.com Fri Oct 13 12:11:43 2006 From: james.walden at gmail.com (James Walden) Date: Fri, 13 Oct 2006 12:11:43 -0400 Subject: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet] In-Reply-To: References: <452E4116.6020101@cert.org> Message-ID: <21c655860610130911m1fb19856t2f54c417cf2dcfc9@mail.gmail.com> On 10/12/06, Craig E. Ward wrote: > I don't think saying "use safer languages" is a good way to say it. > It would help conditions significantly if greater care were taken to > match the choice of programming language to the problem to be solved > or application to be created. If a language like C is most > appropriate, then use it, just be sure to take the extra steps needed > to develop it securely. I agree that the programming language should be chosen to match the problem, though it's worth pointing out that security is typically part of the problem to be solved. There are safer systems programming languages than C, such as D and Cyclone. If you've considered the alternatives and you really have to use C because it's the only thing that will do, then yes, use it and be sure to use it securely and verify that fact with static analysis tools and code reviews. James -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20061013/d5fe3658/attachment.html From cew at ACM.ORG Fri Oct 13 20:32:59 2006 From: cew at ACM.ORG (Craig E. Ward) Date: Fri, 13 Oct 2006 17:32:59 -0700 Subject: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet] In-Reply-To: <5e01c29a0610130402y7e6ae0b0ufb197d9481a1f960@mail.gmail.com> References: <452E4116.6020101@cert.org> <5e01c29a0610130402y7e6ae0b0ufb197d9481a1f960@mail.gmail.com> Message-ID: At 9:02 PM +1000 10/13/06, mikeiscool wrote: >On 10/13/06, Craig E. Ward wrote: >>At 10:03 AM -0400 10/12/06, ljknews wrote: >>>At 9:20 AM -0400 10/12/06, Robert C. Seacord wrote: >>> >>>> I'm also teaching a course at CMU in the spring on Secure Coding in C >>>> and C++. >>> >>>Is there participation on this list from the (hopefully larger number of) >>>CMU instructors who are teaching people to use safer languages in the first >>>place ? >>>-- >>>Larry Kilgallen >> >> >>I don't think saying "use safer languages" is a good way to say it. >>It would help conditions significantly if greater care were taken to >>match the choice of programming language to the problem to be solved >>or application to be created. If a language like C is most >>appropriate, then use it, just be sure to take the extra steps needed >>to develop it securely. >> >>The problem is so much the programming languages as it is the way >>they are used. > >Well, programming languages can go a long way to helping solve the >problem, and it can be reasonably grey as to where to use what. Should >I use php or ror? or python? or c#? I'd say there is a very >appropriate and open space for nice "secure" languages to live and >develop. I think that's what I was trying to say. The last sentence of my note has an error. I meant to write "The problem is not so much the programming languages as it is the way they are used." Sorry for the bad proof reading. Also, in the IEEE Software July/August 2006 issue in the "Tools of the Trade" department, Diomidis Spinellis discusses several factors to consider when selecting a programming language for a particular project. Those plus security make for some reasonable criteria to use. Craig -- Internet: cew at ACM.ORG "If a program has not been specified, it cannot be incorrect; it can only be surprising." (Young, Boebert, and Kain) From Holger.Peine at iese.fraunhofer.de Mon Oct 16 06:42:04 2006 From: Holger.Peine at iese.fraunhofer.de (Holger.Peine at iese.fraunhofer.de) Date: Mon, 16 Oct 2006 12:42:04 +0200 Subject: [SC-L] Need a few slides/data on surging importance of security and source code security Message-ID: <687F148231CEBF449E6206E3FA7AAC3F20C191@hermes.iese.fhg.de> I am sure that quite a few of you already have done or know who has done this non-technical, "mundane" job: I need a few slides with data (e.g. numbers, or maybe historic examples) to convince a management-level audience of a manufacturer of networked appliances who has only a dim view of security of two things: - security is a problem for anybody developing software running on networked hardware, and it is a rapidly growing problem with a clear economic impact - a large part of vulnerabilities stems from bad coding practices, and there are companies that actively and successfully combat this Pointers to relevant web pages would be nearly as nice as finished Powerpoint slides. (Aside: You shouldn't view my request like that of a student asking for someone to steal his homework from: Everyone in our community needs such data in some form or other at some time, and we should all contribute to making everyone in the community look as good as possible in this respect in, to advance our common cause of more secure software. I have contributed to the community, too.) Thanks for your input, Holger Peine -- Dr. Holger Peine, Security and Safety Fraunhofer IESE, Fraunhofer-Platz 1, 67663 Kaiserslautern, Germany Phone +49-631-6800-2134, Fax -1899 (shared) PGP key via http://pgp.mit.edu ; fingerprint is 1BFA 30CB E3ED BA99 E7AE 2BBB C126 A592 48EA F9F8 From ljknews at mac.com Tue Oct 17 12:43:49 2006 From: ljknews at mac.com (ljknews) Date: Tue, 17 Oct 2006 12:43:49 -0400 Subject: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet] In-Reply-To: <21c655860610130911m1fb19856t2f54c417cf2dcfc9@mail.gmail.com> References: <452E4116.6020101@cert.org> <21c655860610130911m1fb19856t2f54c417cf2dcfc9@mail.gmail.com> Message-ID: At 12:11 PM -0400 10/13/06, James Walden wrote: > you really have to use C because it's the only thing that will do, That seems extremely improbable. -- Larry Kilgallen From rcs at cert.org Tue Oct 17 13:51:57 2006 From: rcs at cert.org (Robert C. Seacord) Date: Tue, 17 Oct 2006 13:51:57 -0400 Subject: [SC-L] Need a few slides/data on surging importance of security and source code security In-Reply-To: <687F148231CEBF449E6206E3FA7AAC3F20C191@hermes.iese.fhg.de> References: <687F148231CEBF449E6206E3FA7AAC3F20C191@hermes.iese.fhg.de> Message-ID: <4535183D.5010509@cert.org> Holger, There are a bunch of slide sets on the CERT web site at: http://www.cert.org/nav/present.html The one labeled "Home Computer and Internet User Security (ppt)" might be close to what you need. I have some slide sets up there as well, but my stuff is too detailed for a management audience. rCs > I am sure that quite a few of you already have done or know > who has done this non-technical, "mundane" job: I need a few > slides with data (e.g. numbers, or maybe historic examples) to > convince a management-level audience of a manufacturer of networked > appliances who has only a dim view of security of two things: > > - security is a problem for anybody developing software running > on networked hardware, and it is a rapidly growing problem with > a clear economic impact > > - a large part of vulnerabilities stems from bad coding practices, > and there are companies that actively and successfully combat this > > Pointers to relevant web pages would be nearly as nice as finished > Powerpoint slides. > > (Aside: You shouldn't view my request like that of a student asking for > someone to steal his homework from: Everyone in our community needs > such data in some form or other at some time, and we should all > contribute > to making everyone in the community look as good as possible in this > respect in, to advance our common cause of more secure software. I have > contributed to the community, too.) > > Thanks for your input, > Holger Peine > -- Robert C. Seacord Senior Vulnerability Analyst CERT/CC Work: 412-268-7608 FAX: 412-268-6989 From gbuday at gmail.com Wed Oct 18 03:48:30 2006 From: gbuday at gmail.com (Gergely Buday) Date: Wed, 18 Oct 2006 09:48:30 +0200 Subject: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet] In-Reply-To: References: <452E4116.6020101@cert.org> Message-ID: <90d975d30610180048v3ca371fcmea2541120956d629@mail.gmail.com> Larry Kilgallen wrote: > Is there participation on this list from the (hopefully larger number of) > CMU instructors who are teaching people to use safer languages in the first > place ? May anybody not from CMU enter the discussion about safer languages? ;-) I'm in favor of SML, as it has a number of implementations (some of them comparable to C in speed) and a formal definition ("well-typed programs do not go wrong") + a standard library. But I do see it's hard to push it in industry. Managers like "industry best practice" so that they need not take risk. Or, better say, they take the risks everybody else takes just probably are not aware of this. >From the human resources point of view it's not that easy to find experienced sml programmers as there are very few companies who employ such creatures. Vicious circle, you know. Regarding the programming environment and libraries: it's just not a research act to develop such things for sml anymore, so academics will not pursue it. I've heard of an NSF infrastructure grant to develop eclipse plugin for sml, though. Industry has not catched upon yet, nor the OSS community. And, just as an aside: I've heard a story that some cs celebrity (Dijkstra?) once coined some conditions for a programming language to be successful. The last clause was "IBM should love it". Yep, we've seen this with Java. Anybody from IBM? - Gergely From Holger.Peine at iese.fraunhofer.de Wed Oct 18 07:57:35 2006 From: Holger.Peine at iese.fraunhofer.de (Holger.Peine at iese.fraunhofer.de) Date: Wed, 18 Oct 2006 13:57:35 +0200 Subject: [SC-L] [WEB SECURITY] Need a few slides/data on surging importance of security and source code security Message-ID: <687F148231CEBF449E6206E3FA7AAC3F20C224@hermes.iese.fhg.de> Thanks to all who replied to my request; I attach the three slides that I finally produced for your perusal. Kind regards, Holger Peine -- Dr. Holger Peine, Security and Safety Fraunhofer IESE, Fraunhofer-Platz 1, 67663 Kaiserslautern, Germany Phone +49-631-6800-2134, Fax -1899 (shared) PGP key via http://pgp.mit.edu ; fingerprint is 1BFA 30CB E3ED BA99 E7AE 2BBB C126 A592 48EA F9F8 -------------- next part -------------- A non-text attachment was scrubbed... Name: data-arguing-for-software-security_2006.ppt Type: application/vnd.ms-powerpoint Size: 89600 bytes Desc: data-arguing-for-software-security_2006.ppt Url : http://krvw.com/pipermail/sc-l/attachments/20061018/a2942d87/attachment-0001.ppt From paco at cigital.com Thu Oct 19 15:49:41 2006 From: paco at cigital.com (Paco Hope) Date: Thu, 19 Oct 2006 15:49:41 -0400 Subject: [SC-L] Need a few slides/data on surging importance of security and source code security In-Reply-To: Message-ID: For reasons that are not worth getting into, my two cents didn't make it to the list. I've now invested 4 cents in getting this to everyone. :) On 10/16/06 6:42 AM, "Holger.Peine at iese.fraunhofer.de" wrote: > I am sure that quite a few of you already have done or know who has done this > non-technical, "mundane" job: I need a few slides with data (e.g. numbers, or > maybe historic examples) to convince a management-level audience Attached is a timeline I created from publically available data at http://www.attrition.org/. It depicts credit card account number compromises. It tells you who had the data, when it was compromised, and how many accounts were lost. It is somewhat related to your need, although it does not speak to the source code issue. The one thing to note is that this timeline does not show the different ways credit card accounts were compromised. Some of these were "hacks" where a web site or online system was compromised. Some were theft of a device (like a laptop) and some were lost backup tapes and similar failures. I think the picture is pretty compelling and shows just how many accounts have been compromised (that we know about) and how often it happens. Regards, Paco -- Paco Hope, CISSP Technical Manager, Cigital, Inc http://www.cigital.com/ ? +1.703.585.7868 Software Confidence. Achieved. ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20061019/62c10861/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: CreditCardCompromises.jpg Type: application/octet-stream Size: 322664 bytes Desc: not available Url : http://krvw.com/pipermail/sc-l/attachments/20061019/62c10861/attachment-0001.obj From crispin at novell.com Tue Oct 24 15:30:44 2006 From: crispin at novell.com (Crispin Cowan) Date: Tue, 24 Oct 2006 12:30:44 -0700 Subject: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet] In-Reply-To: <90d975d30610180048v3ca371fcmea2541120956d629@mail.gmail.com> References: <452E4116.6020101@cert.org> <90d975d30610180048v3ca371fcmea2541120956d629@mail.gmail.com> Message-ID: <453E69E4.80300@novell.com> Gergely Buday wrote: > Larry Kilgallen wrote: > >> Is there participation on this list from the (hopefully larger number of) >> CMU instructors who are teaching people to use safer languages in the first >> place ? >> > May anybody not from CMU enter the discussion about safer languages? ;-) > > I'm in favor of SML, as it has a number of implementations (some of > them comparable to C in speed) and a formal definition ("well-typed > programs do not go wrong") + a standard library. > SML is a nice & clean type safe language, and I don't mean to criticize it. However, if the goal is to be ale to use industry-popular languages that are safe, it seems to me that we have entered a bright new phase of history. Python, Ruby, Java, and C# are all broadly popular in industry, and are all type safe. Java and C# are statically type safe. So why not use them? For me, the enemy in the room is C++. It gives you the safety of C with the performance of SmallTalk. There is no excuse at all to be writing anything in C++ yet vastly too many applications are written in C++ anyway. Instead of trying to coax developers to switch from C++ to something "weird" like SML, lets encourage them to switch to Java or C#, which are closer to their experience. Sure, there are likely to be ways in which SML is better than C# or Java. However, in security, the perfect is all to often the enemy of the good-enough. The big community hears security people talk about the high security approach that security geeks really want, consider the costs, and go back to doing things the old way, and ignore the security people. If security people instead pitch something that is feasible and makes the situation better, instead of asking for the moon, we will make more progress. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com Hack: adroit engineering solution to an unanticipated problem Hacker: one who is adroit at pounding round pegs into square holes From gem at cigital.com Wed Oct 25 11:23:19 2006 From: gem at cigital.com (Gary McGraw) Date: Wed, 25 Oct 2006 11:23:19 -0400 Subject: [SC-L] Silver Bullet #7: John Stewart Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7FB665@va-mail.cigital.com> Hi all, We just released the 7th Silver Bullet Security Podcast today. This one features John Stewart, the CSO of Cisco. As has become a custom, we briefly discuss software security in this interview, this time with a focus on what Cisco is doing. http://www.cigital.com/silverbullet/show-007/ Happy listening! gem company www.cigital.com book www.swsec.com ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From ge at linuxbox.org Sat Oct 28 01:41:59 2006 From: ge at linuxbox.org (Gadi Evron) Date: Sat, 28 Oct 2006 00:41:59 -0500 (CDT) Subject: [SC-L] re-writing college books - erm.. ahm... In-Reply-To: <453E69E4.80300@novell.com> Message-ID: On Tue, 24 Oct 2006, Crispin Cowan wrote: > Sure, there are likely to be ways in which SML is better than C# or > Java. However, in security, the perfect is all to often the enemy of the > good-enough. The big community hears security people talk about the high > security approach that security geeks really want, consider the costs, > and go back to doing things the old way, and ignore the security people. > If security people instead pitch something that is feasible and makes > the situation better, instead of asking for the moon, we will make more > progress. > > Crispin (not directed at you, Crispin) So, "dump C", "Use SML", "What secure coding classes are you doing?" and "we are already doing it!!" are the responses I got when I started this thread. Can someone mention again why re-writing the main often-used and probably less than 3 mostly-used basic programming books is a bad idea? All of us will still have a job in 5 years if we do this, even in 25. I promise. Gadi. From crispin at novell.com Sat Oct 28 04:07:23 2006 From: crispin at novell.com (Crispin Cowan) Date: Sat, 28 Oct 2006 01:07:23 -0700 Subject: [SC-L] re-writing college books - erm.. ahm... In-Reply-To: References: Message-ID: <45430FBB.8080108@novell.com> Gadi Evron wrote: > So, "dump C", "Use SML", "What secure coding classes are you doing?" and > "we are already doing it!!" are the responses I got when I started this > thread. > What did you expect from whining about the generally poor quality of software? :) > Can someone mention again why re-writing the main often-used and probably > less than 3 mostly-used basic programming books is a bad idea? > Uh ... 'cause I question the assertion that there are 3 mostly-used basic programming books. I suspect it is more like 78 mostly used books. More importantly, if there are 3 mostly used books, then there are 78 more behind them vying for those 3 slots, and they all have the same problems. If you write a new book, then you just join the pool of 78, and you have the impact of a drop in the bucket. Worse, we are talking about correctness here. Correctness is hard, and correctness on a large scale is harder. I doubt that even a concerted effort at a "correct" book on intro to programming would manage to actually be correct any time before the 3rd edition, 10 years from now. Seeking perfect correctness as an approach to security is a fool's errand. Security is designing systems that can tolerate imperfect software. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com Hack: adroit engineering solution to an unanticipated problem Hacker: one who is adroit at pounding round pegs into square holes From ge at linuxbox.org Sun Oct 29 04:07:37 2006 From: ge at linuxbox.org (Gadi Evron) Date: Sun, 29 Oct 2006 03:07:37 -0600 (CST) Subject: [SC-L] re-writing college books - erm.. ahm... In-Reply-To: <4543BDFF.3020204@novell.com> Message-ID: On Sat, 28 Oct 2006, Crispin Cowan wrote: > Gadi Evron wrote: > > Nothing is ever easy, but we have to start somewhere. I don't see why this > > is a bad idea. Yes, it takes time. Yes, it will have a much bigger impact. > > > It is not a bad idea. But it clearly is not sufficient. Why are you Now we're talking. Not sufficient I am game with. Nothing ever is, it is one more thing to do. > assuming that it is not already being tried? The problem is that it is I am assuming most higher education institutions in the world do not have it done. > being tried with the usual degree of effectiveness, i.e. unevenly. > Saying "lets try it" is redundant, because that is already going on, > just not enough. To make it more, one would have to convince the people > who are currently not doing it, or doing it badly, to do better, and > they (by definition) are not listening. Okay, than let's make some progress: 1. Where and who is currently involved with doing this? 2. What are they doing? 3. Can we use their experience to make it a larger success? 4. How do we begin doing something large-scale? Gadi. > > Crispin > > -- > Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ > Director of Software Engineering, Novell http://novell.com > Hack: adroit engineering solution to an unanticipated problem > Hacker: one who is adroit at pounding round pegs into square holes > From dcrocker at eschertech.com Sat Oct 28 05:47:28 2006 From: dcrocker at eschertech.com (David Crocker) Date: Sat, 28 Oct 2006 10:47:28 +0100 Subject: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet] In-Reply-To: <453E69E4.80300@novell.com> Message-ID: <01de01c6fa76$1512db00$cb00000a@escheradmin> Crispin Cowan wrote: >> For me, the enemy in the room is C++. It gives you the safety of C with the performance of SmallTalk. There is no excuse at all to be writing anything in C++ yet vastly too many applications are written in C++ anyway. Instead of trying to coax developers to switch from C++ to something "weird" like SML, lets encourage them to switch to Java or C#, which are closer to their experience. << Unfortunately, there are at least two situations in which C++ is a more suitable alternative to Java and C#: - Where performance is critical. Run time of C# code (using the faster .NET 2.0 runtime) can be as much as double the run time of a C++ version of the same algorithm. Try telling a large company that it must double the size of its compute farms so you can switch to a "better" programming language! - In hard real-time applications where garbage collection pauses cannot be tolerated. However, I suspect that most security-critical programs do not fall into either of these categories, so C# or Java would indeed be a better choice than C++ for those programs. David Crocker, Escher Technologies Ltd. Consultancy, contracting and tools for dependable software development www.eschertech.com From ge at linuxbox.org Sat Oct 28 08:17:29 2006 From: ge at linuxbox.org (Gadi Evron) Date: Sat, 28 Oct 2006 07:17:29 -0500 (CDT) Subject: [SC-L] re-writing college books - erm.. ahm... In-Reply-To: <45430FBB.8080108@novell.com> Message-ID: On Sat, 28 Oct 2006, Crispin Cowan wrote: > Gadi Evron wrote: > > So, "dump C", "Use SML", "What secure coding classes are you doing?" and > > "we are already doing it!!" are the responses I got when I started this > > thread. > > > What did you expect from whining about the generally poor quality of > software? :) > > > Can someone mention again why re-writing the main often-used and probably > > less than 3 mostly-used basic programming books is a bad idea? > > > Uh ... 'cause I question the assertion that there are 3 mostly-used > basic programming books. I suspect it is more like 78 mostly used books. > More importantly, if there are 3 mostly used books, then there are 78 > more behind them vying for those 3 slots, and they all have the same > problems. If you write a new book, then you just join the pool of 78, > and you have the impact of a drop in the bucket. > > Worse, we are talking about correctness here. Correctness is hard, and > correctness on a large scale is harder. I doubt that even a concerted > effort at a "correct" book on intro to programming would manage to > actually be correct any time before the 3rd edition, 10 years from now. > > Seeking perfect correctness as an approach to security is a fool's > errand. Security is designing systems that can tolerate imperfect software. For argument sake, let's assume there are 100. How about campaigning for a secure coding chapter to be added to these semester, erm, world-wide? Nothing is ever easy, but we have to start somewhere. I don't see why this is a bad idea. Yes, it takes time. Yes, it will have a much bigger impact. Gadi. > > Crispin > > -- > Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ > Director of Software Engineering, Novell http://novell.com > Hack: adroit engineering solution to an unanticipated problem > Hacker: one who is adroit at pounding round pegs into square holes > From rcs at cert.org Sat Oct 28 09:43:58 2006 From: rcs at cert.org (Robert C. Seacord) Date: Sat, 28 Oct 2006 09:43:58 -0400 Subject: [SC-L] re-writing college books - erm.. ahm... In-Reply-To: <45430FBB.8080108@novell.com> References: <45430FBB.8080108@novell.com> Message-ID: <45435E9E.805@cert.org> Crispin, I think you may have over spoken below: > Seeking perfect correctness as an approach to security is a fool's > errand. Security is designing systems that can tolerate imperfect software. I could go along with "achieving perfect correctness as an approach to security is a fool's belief" but I believe the desire to achieve correctness is a prerequisite for security. More specifically, I have found that systematic schemes for providing software security (such as memory protection, canaries, etc.) are generally ineffective once a coding error (such as a buffer overflow) allows an attacker to penetrate the peripheral defense of code correctness. Given the current state of software security, I don't think any security "best" practice can abandoned and that defense-in-depth is a practical necessity. Also, back on the book topic, I recently heard of an older but successful book that did nothing but take examples from other books and show in detail how they were incorrect. Perhaps such a "supplemental" text could be developed for commonly used text books. rCs From crispin at novell.com Sat Oct 28 16:30:55 2006 From: crispin at novell.com (Crispin Cowan) Date: Sat, 28 Oct 2006 13:30:55 -0700 Subject: [SC-L] re-writing college books - erm.. ahm... In-Reply-To: References: Message-ID: <4543BDFF.3020204@novell.com> Gadi Evron wrote: > For argument sake, let's assume there are 100. > > How about campaigning for a secure coding chapter to be added to these > semester, erm, world-wide? > > Nothing is ever easy, but we have to start somewhere. I don't see why this > is a bad idea. Yes, it takes time. Yes, it will have a much bigger impact. > It is not a bad idea. But it clearly is not sufficient. Why are you assuming that it is not already being tried? The problem is that it is being tried with the usual degree of effectiveness, i.e. unevenly. Saying "lets try it" is redundant, because that is already going on, just not enough. To make it more, one would have to convince the people who are currently not doing it, or doing it badly, to do better, and they (by definition) are not listening. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com Hack: adroit engineering solution to an unanticipated problem Hacker: one who is adroit at pounding round pegs into square holes From crispin at novell.com Sat Oct 28 16:37:01 2006 From: crispin at novell.com (Crispin Cowan) Date: Sat, 28 Oct 2006 13:37:01 -0700 Subject: [SC-L] re-writing college books - erm.. ahm... In-Reply-To: <45435E9E.805@cert.org> References: <45430FBB.8080108@novell.com> <45435E9E.805@cert.org> Message-ID: <4543BF6D.7000800@novell.com> Robert C. Seacord wrote: >> Seeking perfect correctness as an approach to security is a fool's >> errand. Security is designing systems that can tolerate imperfect software. >> > I could go along with "achieving perfect correctness as an approach to > security is a fool's belief" but I believe the desire to achieve > correctness is a prerequisite for security. > > More specifically, I have found that systematic schemes for providing > software security (such as memory protection, canaries, etc.) are > generally ineffective once a coding error (such as a buffer overflow) > allows an attacker to penetrate the peripheral defense of code > correctness. Given the current state of software security, I don't > think any security "best" practice can abandoned and that > defense-in-depth is a practical necessity. > I don't think we disagree. When I said that seeking correctness is a fool's errand, I meant (more precisely) that *depending on achieving* correctness is a fool's errand. You must always assume the presence of imperfect software, and then design in defense in depth to tolerate that. Using other software engineering techniques (secure coding, the occasional topic of this mailing list :) certainly helps, but cannot be the whole approach to security. > Also, back on the book topic, I recently heard of an older but > successful book that did nothing but take examples from other books and > show in detail how they were incorrect. Perhaps such a "supplemental" > text could be developed for commonly used text books. > I like it! Bugtraq for books :) My engineers are quite fond of The *Daily WTF* a web site that lampoons bad code. Crispin From dcrocker at eschertech.com Sun Oct 29 15:57:43 2006 From: dcrocker at eschertech.com (David Crocker) Date: Sun, 29 Oct 2006 20:57:43 -0000 Subject: [SC-L] Proving the security properties of transaction protocols - 10 years on Message-ID: <007b01c6fb9c$e1bda550$cb00000a@escheradmin> Members of this list might be interested in an article in this month's IEEE Computer Journal about the use of automatic and semi-automatic theorem proving to prove the security of a transaction protocol. The article - which is called First Steps in the Verified Software Grand Challenge - concerns the transaction protocol that was used by the Mondex electronic purse, which was developed and formally verified (by hand) around ten years ago. Several teams have recently attempted to apply modern tools to the problem. In the process, several of the teams working on the project found that the original hand-developed proof was incomplete, but could be patched. More details can be found at http://csdl2.computer.org/persagen/DLAbsToc.jsp?resourcePath=/dl/mags/co/&toc=co mp/mags/co/2006/10/rxtoc.xml&DOI=10.1109/MC.2006.340#abstract . Non-subscribers can download the article for $19. My own company provided one of the teams working on this problem, and we found it is quite a challenge to prove the protocol correct by fully-automatic means. Proofs that software is free from buffer overflows for all possible inputs are almost trivial by comparison. Regards David Crocker, Escher Technologies Ltd. Consultancy, contracting and tools for dependable software development www.eschertech.com From rcs at cert.org Sun Oct 29 18:37:06 2006 From: rcs at cert.org (Robert C. Seacord) Date: Sun, 29 Oct 2006 18:37:06 -0500 Subject: [SC-L] re-writing college books - erm.. ahm... In-Reply-To: References: Message-ID: <45453B22.50401@cert.org> Gadi, I feel like I've been here before, but I'll give it another shot anyway. > Okay, than let's make some progress: > 1. Where and who is currently involved with doing this? > 2. What are they doing? > 3. Can we use their experience to make it a larger success? > 4. How do we begin doing something large-scale? The Secure Coding Initiative at CERT has a web site at www.securecoding.cert.org. The purpose of this site is to collect secure coding recommendations and rules for various programming languages. Our initial focus has been C and C++, but we are willing and interested in expanding this effort to other programming languages provided that we can find someone to manage the efforts. The C and C++ material on the site will be used as supplemental material to the Addison-Wesley book "Secure Coding in C and C++" in a "Secure Programming" course I am teaching this Spring at CMU (so it is being used to teach, as well as being a commercial and government resource). I am also working with other instructors at other educational institutions to develop secure coding curriculum. We have had significant community effort in the development of these secure coding standard practices so far, but we can use all the help we can get. If you would like to get involved, go the sight, sign up, and start reviewing the material. If you are qualified and would like to edit the material directly, send me email and I will grant you edit permissions. I think having a body of knowledge that identifies insecure coding practices and provides secure alternatives is a good first start, and not as easy as it sounds. --------- I also had another thought about improving the quality of code examples in texts. I know my publisher (Addison-Wesley), and I'm sure others, are very concerned about quality. I could ask my editor if they would be willing to make sure that someone with a security background reviewed any new programming texts. If we can come up with a list of subject matter experts willing to review new texts, I'm guessing they would be very happy to have our feedback. rCs From ge at linuxbox.org Mon Oct 30 02:23:34 2006 From: ge at linuxbox.org (Gadi Evron) Date: Mon, 30 Oct 2006 01:23:34 -0600 (CST) Subject: [SC-L] re-writing college books - erm.. ahm... In-Reply-To: <45453B22.50401@cert.org> Message-ID: On Sun, 29 Oct 2006, Robert C. Seacord wrote: > Gadi, > > I feel like I've been here before, but I'll give it another shot anyway. > > > Okay, than let's make some progress: > > 1. Where and who is currently involved with doing this? > > 2. What are they doing? > > 3. Can we use their experience to make it a larger success? > > 4. How do we begin doing something large-scale? > > The Secure Coding Initiative at CERT has a web site at > www.securecoding.cert.org. The purpose of this site is to collect > secure coding recommendations and rules for various programming > languages. Our initial focus has been C and C++, but we are willing and > interested in expanding this effort to other programming languages > provided that we can find someone to manage the efforts. > > The C and C++ material on the site will be used as supplemental material > to the Addison-Wesley book "Secure Coding in C and C++" in a "Secure > Programming" course I am teaching this Spring at CMU (so it is being > used to teach, as well as being a commercial and government resource). > I am also working with other instructors at other educational > institutions to develop secure coding curriculum. We misunderstand each other. I am not speaking of a secure coding book, I am speaking of "Introduction to Computer Science" and "The C programming Language". If we can use what you have already worked on to supplament these courses, then all for the better! > > We have had significant community effort in the development of these > secure coding standard practices so far, but we can use all the help we > can get. If you would like to get involved, go the sight, sign up, and > start reviewing the material. If you are qualified and would like to > edit the material directly, send me email and I will grant you edit > permissions. I doubt I am that much of a good coder anymore. > > I think having a body of knowledge that identifies insecure coding > practices and provides secure alternatives is a good first start, and > not as easy as it sounds. Agreed! Nice work on all that! > > --------- > > I also had another thought about improving the quality of code examples > in texts. I know my publisher (Addison-Wesley), and I'm sure others, > are very concerned about quality. I could ask my editor if they would > be willing to make sure that someone with a security background reviewed > any new programming texts. If we can come up with a list of subject > matter experts willing to review new texts, I'm guessing they would be > very happy to have our feedback. That sounds like a very good idea! I am sure many would agree to get some extra cash for reviewing, thing is, that doesn't pay very well. > > rCs > > From gunnar at arctecgroup.net Mon Oct 30 15:46:03 2006 From: gunnar at arctecgroup.net (Gunnar Peterson) Date: Mon, 30 Oct 2006 14:46:03 -0600 Subject: [SC-L] re-writing college books - erm.. ahm... In-Reply-To: <45430FBB.8080108@novell.com> Message-ID: > Seeking perfect correctness as an approach to security is a fool's > errand. Security is designing systems that can tolerate imperfect software. > Exactly. On "Curb Your Enthusiasm" this happened recently. Larry David was frantically looking for a DVD case, but could not find it. LD: "I don't know what happened. I have a system. I put the DVD in the player, and I put the case on top of the player. But now it is gone." Friend: "That's not a system. A system is - you buy a bunch of empty DVD cases and put them next to the player." -gp From gem at cigital.com Tue Oct 31 10:18:06 2006 From: gem at cigital.com (Gary McGraw) Date: Tue, 31 Oct 2006 10:18:06 -0500 Subject: [SC-L] Build a better death star Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7FB740@va-mail.cigital.com> Hi all, This article describes one way of hooking your existing badness-ometer (that is, your black box security testing tool) into a better system for actually fixing software. http://www.adtmag.com/article.aspx?id=19498 Or, as I put it down there somewhere...a way to build a better death star. Yeesh. gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From bencorneau at adelphia.net Tue Oct 31 21:08:11 2006 From: bencorneau at adelphia.net (Ben Corneau) Date: Tue, 31 Oct 2006 21:08:11 -0500 Subject: [SC-L] Why Shouldn't I use C++? Message-ID: <20061101020855.CEA28824.mta13.adelphia.net@computer> >From time to time on this list, the recommendation is made to never user C++ when given a choice (most recently by Crispin Cowan in the "re-writing college books" thread). This is a recommendation I do not understand. Now, I'm not an expert C++ programmer or Java or C# programmer and as you may have guessed based on the question, I'm not an expert on secure coding either. I'm also not disagreeing with the recommendation; I would just like a better understanding. I understand that C++ allows unsafe operations, like buffer overflows. However, if you are a halfway decent C++ programmer buffer overflows can easily be avoided, true? If you use the STL containers and follow basic good programming practices of C++ instead of using C-Arrays and pointer arithmetic then the unsafe C features are no longer an issue? C and C++ are very different. Using C++ like C is arguable unsafe, but when it's used as it was intended can't C++ too be considered for secure programming? Ben Corneau From rcs at cert.org Wed Nov 1 05:15:30 2006 From: rcs at cert.org (Robert C. Seacord) Date: Wed, 01 Nov 2006 05:15:30 -0500 Subject: [SC-L] Why Shouldn't I use C++? In-Reply-To: <20061101020855.CEA28824.mta13.adelphia.net@computer> References: <20061101020855.CEA28824.mta13.adelphia.net@computer> Message-ID: <454873C2.3030304@cert.org> Ben, I would not go so far as to say never use C++. It is probably the most powerful and expressive commercially successful programming language available today and there are often good reasons to use the language. Secure programming in C++ is possible, but C++ itself is exceptionally complex, has many idiosyncrasies, and as a result it is very easy to make mistakes in the language. Because of these factors, many C++ experts recommend an idiomatic approach to C++ where basically you reuse snippets of code that do something akin to what you are after. The message here, of course, is that you are likely to mess up if you write some "new code" which has not been thoroughly considered by a panel of experts for many years. 8^) > If you use the STL containers and follow basic good > programming practices of C++ instead of using C-Arrays and pointer > arithmetic then the unsafe C features are no longer an issue? See https://www.securecoding.cert.org/confluence/display/cplusplus/13.+STL+%28STL%29 for common security flaws involving the STL See https://www.securecoding.cert.org/confluence/display/cplusplus/10.+Basic+string+class+%28BSC%29 for common security flaws involving basic_string (which also functions as an STL sequence container) Integer related security problems are basically the same for both C and C++. > C and C++ are very different. Using C++ like C is arguable unsafe, but when > it's used as it was intended can't C++ too be considered for secure > programming? I'll agree with you that using C++ in an idiomatic fashion is safer than using it like C. One of the things you will note through the www.securecoding.cert.org web site is that many of the problems for C programming language also exist for C++, but the solutions are different because C++ offers better/different options. But you need to know to use these, you have to be aware of the new problems that C++ brings, and you often need to use C features to interact with existing libraries. Hope this (partial) explanation helps somewhat. rCs From ljknews at mac.com Wed Nov 1 06:35:37 2006 From: ljknews at mac.com (ljknews) Date: Wed, 1 Nov 2006 06:35:37 -0500 Subject: [SC-L] Why Shouldn't I use C++? In-Reply-To: <20061101020855.CEA28824.mta13.adelphia.net@computer> References: <20061101020855.CEA28824.mta13.adelphia.net@computer> Message-ID: At 9:08 PM -0500 10/31/06, Ben Corneau wrote: > C and C++ are very different. Using C++ like C is arguable unsafe, but when > it's used as it was intended can't C++ too be considered for secure > programming? What assurance does upper management have that C++ was used "as it was intended" rather than "like C" ? -- Larry Kilgallen From peter.amey at praxis-his.com Wed Nov 1 07:02:27 2006 From: peter.amey at praxis-his.com (Peter Amey) Date: Wed, 1 Nov 2006 12:02:27 -0000 Subject: [SC-L] Why Shouldn't I use C++? Message-ID: <4BF0455B353E524FBEA15C3A490F7DFE6B9995@EVS01.praxis.local> > -----Original Message----- > From: sc-l-bounces at securecoding.org > [mailto:sc-l-bounces at securecoding.org] On Behalf Of Robert C. Seacord > Sent: 01 November 2006 10:16 > To: Ben Corneau > Cc: SC-L at securecoding.org > Subject: Re: [SC-L] Why Shouldn't I use C++? > > Ben, > > I would not go so far as to say never use C++. It is > probably the most powerful and expressive commercially > successful programming language available today ... ... other than Ada, which has all the OO capability of C++, language level support for multi-threaded programs and suffers from none of the problems that exercise this discussion list so regularly. regards Peter From gem at cigital.com Wed Nov 1 07:14:38 2006 From: gem at cigital.com (Gary McGraw) Date: Wed, 1 Nov 2006 07:14:38 -0500 Subject: [SC-L] Why Shouldn't I use C++? Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7E7B46@va-mail.cigital.com> The biggest problem with C++ is that, like C, it is not type safe. The memory model is a disasterous sea of bits. Plus it is an arcane, hard to understand language prone to misunderstandings. If you can at all avoid C++, do so. Use Java, C#, or some other type safe alternative. gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com -----Original Message----- From: Ben Corneau [mailto:bencorneau at adelphia.net] Sent: Tue Oct 31 22:08:08 2006 To: SC-L at securecoding.org Subject: [SC-L] Why Shouldn't I use C++? >From time to time on this list, the recommendation is made to never user C++ when given a choice (most recently by Crispin Cowan in the "re-writing college books" thread). This is a recommendation I do not understand. Now, I'm not an expert C++ programmer or Java or C# programmer and as you may have guessed based on the question, I'm not an expert on secure coding either. I'm also not disagreeing with the recommendation; I would just like a better understanding. I understand that C++ allows unsafe operations, like buffer overflows. However, if you are a halfway decent C++ programmer buffer overflows can easily be avoided, true? If you use the STL containers and follow basic good programming practices of C++ instead of using C-Arrays and pointer arithmetic then the unsafe C features are no longer an issue? C and C++ are very different. Using C++ like C is arguable unsafe, but when it's used as it was intended can't C++ too be considered for secure programming? Ben Corneau _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From leichter_jerrold at emc.com Wed Nov 1 10:32:29 2006 From: leichter_jerrold at emc.com (Leichter, Jerry) Date: Wed, 1 Nov 2006 10:32:29 -0500 (EST) Subject: [SC-L] Why Shouldn't I use C++? In-Reply-To: <20061101020855.CEA28824.mta13.adelphia.net@computer> References: <20061101020855.CEA28824.mta13.adelphia.net@computer> Message-ID: | From time to time on this list, the recommendation is made to never | user C++ when given a choice (most recently by Crispin Cowan in the | "re-writing college books" thread). This is a recommendation I do not | understand. Now, I'm not an expert C++ programmer or Java or C# | programmer and as you may have guessed based on the question, I'm not | an expert on secure coding either. I'm also not disagreeing with the | recommendation; I would just like a better understanding. | | I understand that C++ allows unsafe operations, like buffer overflows. | However, if you are a halfway decent C++ programmer buffer overflows | can easily be avoided, true? If you use the STL containers and follow | basic good programming practices of C++ instead of using C-Arrays and | pointer arithmetic then the unsafe C features are no longer an issue? | | C and C++ are very different. Using C++ like C is arguable unsafe, but | when it's used as it was intended can't C++ too be considered for | secure programming? You could, in principle, produce a set of classes that defined a "safe" C++ environment. Basically, you'd get rid of all uses of actual pointers, and all actual arrays. Objects would be manipulated only through "smart pointers" which could only be modified in limited ways. In particular, there would be no way to do arithmetic on such pointers (or maybe the smart pointers would be "fat", containing bounds information, so that arithmetic could be allowed but checked), arbitrarily cast them, etc. Arrays would be replaced by objects with [] operators that checked bounds. The STL would be an unlikely member of such a world: It models iterators on pointers, and they inherit many of the latter's lack of safety. (There are "checked" versions of the STL which might help provide the beginnings of a "safe C++" environment.) You'd have to wrap existing API's to be able to access them safely. All the standard OS API's (Unix and Windows), everything in the C library, most other libraries you are going to find out there - these are heavily pointer-based. Strings are often passed as char*'s. Note that you can't even write down a non-pointer-based C++ string constant! But wait, there's more! For example, we've seen attacks based on integer overflow. C++ doesn't let you detect that. If you really want your integer arithmetic to be safe, you can't use any of the native integer types. You need to define wrapper types that do something safe in case of an overflow. (To be fair, even many "safe" languages, Java among them, don't detect integer overflow either.) By the time you were done, you would in effect have defined a whole new language and set of libraries to go with it. Programming in that language would require significant discipline: You would not be allowed to use most common C++ data types, library functions, idioms, and so on. You'd probably want to use some kind of a tool to check for conformance, since I doubt even well-intentioned human beings would be able to do so. It happens that C++ has extension facilities that are powerful enough to let you do most, perhaps all, of this, subject to programmer discipline. But is there really an advantage, when all is said and done? -- Jerry [Who uses C++ extensively, and does his best to make his abstractions "safe"] | Ben Corneau From crispin at novell.com Thu Nov 2 06:17:31 2006 From: crispin at novell.com (Crispin Cowan) Date: Thu, 02 Nov 2006 03:17:31 -0800 Subject: [SC-L] Why Shouldn't I use C++? In-Reply-To: <20061101020855.CEA28824.mta13.adelphia.net@computer> References: <20061101020855.CEA28824.mta13.adelphia.net@computer> Message-ID: <4549D3CB.80607@novell.com> Ben Corneau wrote: > From time to time on this list, the recommendation is made to never user C++ > when given a choice (most recently by Crispin Cowan in the "re-writing > college books" thread). This is a recommendation I do not understand. Now, > I'm not an expert C++ programmer or Java or C# programmer and as you may > have guessed based on the question, I'm not an expert on secure coding > either. I'm also not disagreeing with the recommendation; I would just like > a better understanding. > > I understand that C++ allows unsafe operations, like buffer overflows. > However, if you are a halfway decent C++ programmer buffer overflows can > easily be avoided, true? If you use the STL containers and follow basic good > programming practices of C++ instead of using C-Arrays and pointer > arithmetic then the unsafe C features are no longer an issue? > > C and C++ are very different. Using C++ like C is arguable unsafe, but when > it's used as it was intended can't C++ too be considered for secure > programming? > No, it cannot. C++ is no more safe than C. C++ still supports many undefined operations, which is what makes a language unsafe. No way can C++ be considered a secure programming language. If you need a lean, small language for doing embedded or kernel stuff, then use C; you cannot afford the bloat of C++, so it is not appropriate. If you need a powerful, abstract language for building complex applications, then use C# or Java (or ML, or Haskell). They provide all of the abstraction and programming convenience of C++, and they also provide type safety. This means that there are no undefined operations, which is what makes them secure programming languages. There is no excuse for *choosing* C++, ever. Always avoid it. The only excuse for *using* C++ is that some doofus before you chose it and you have to live with the legacy code :) So why does C++ exist? Because technology has moved. 25 years ago, when C++ was invented, there was not a great supply of well developed type safe object oriented programming languages. So C++ seemed like an incremental improvement over C when it was introduced in the early 1980s. It did provide an improvement over C for developing large applications, where development costs due to complexity were the big problem, and bloat could be afforded. But that lunch has now been eaten by the type safe OOP languages of Java and C#. They are strictly better than C++ at complex applications, so there really is no excuse for using C++ to write new application code. And there never was an excuse for using C++ to write kernel or embedded code. You cannot afford the bloat of C++ there, and if your kernel is so complex that you need OOP to be able to program it, then your kernel design is broken anyway. I suppose there should be an "IMHO" in here somewhere in a rant like this. Feel free to insert it anywhere you like :) Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com Hack: adroit engineering solution to an unanticipated problem Hacker: one who is adroit at pounding round pegs into square holes From crispin at novell.com Thu Nov 2 23:46:25 2006 From: crispin at novell.com (Crispin Cowan) Date: Thu, 02 Nov 2006 20:46:25 -0800 Subject: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet] In-Reply-To: <01de01c6fa76$1512db00$cb00000a@escheradmin> References: <01de01c6fa76$1512db00$cb00000a@escheradmin> Message-ID: <454AC9A1.4090804@novell.com> David Crocker wrote: > Unfortunately, there are at least two situations in which C++ is a more suitable > alternative to Java and C#: > > - Where performance is critical. Run time of C# code (using the faster .NET 2.0 > runtime) can be as much as double the run time of a C++ version of the same > algorithm. Try telling a large company that it must double the size of its > compute farms so you can switch to a "better" programming language! > > - In hard real-time applications where garbage collection pauses cannot be > tolerated. > Except that in both of those cases, C++ is not appropriate either. That is a case for C. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com Hack: adroit engineering solution to an unanticipated problem Hacker: one who is adroit at pounding round pegs into square holes From ken at krvw.com Fri Nov 3 11:09:00 2006 From: ken at krvw.com (Kenneth Van Wyk) Date: Fri, 3 Nov 2006 11:09:00 -0500 Subject: [SC-L] Apple Places Encrypted Binaries in Mac OS X Message-ID: Here's a somewhat interesting link to an eweek article that discusses Apple's use of encryption to protect some of its OS X binaries: http://www.eweek.com/article2/0,1895,2050875,00.asp Of course, encrypting binaries isn't anything new, but it's interesting (IMHO) to see how it's being used in a real OS. The article cites speculation as to whether Apple uses encryption for anti-piracy or anti-reverse-engineering. Another interesting side topic (though not mentioned in this article) is code obfuscation, which is being increasingly used for both purposes as well. Course, some coders have been inadvertently doing code obfuscation for years. ;-\ Cheers, Ken ----- Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 186 bytes Desc: This is a digitally signed message part Url : http://krvw.com/pipermail/sc-l/attachments/20061103/554ba3bc/attachment.bin From gem at cigital.com Fri Nov 3 12:02:45 2006 From: gem at cigital.com (Gary McGraw) Date: Fri, 3 Nov 2006 12:02:45 -0500 Subject: [SC-L] On exploits, hubris, and software security Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7FB7CF@va-mail.cigital.com> Hi all, We all know that there is nothing more powerful for causing software security change than a flashy exploit demonstration. Once again, this has come to the fore in the actions of an IU student who took a well known boarding pass vulnerability and wrote a script to make it real. Just after that, a Congressman called for his arrest and the FBI/TSA showed up at his house with a search warrant and took away his machines. My latest darkreading article is about the situation: http://www.darkreading.com/document.asp?doc_id=109717&WT.svl=tease3_2 The main thing I wonder is, what do you think? When you have a hot demonstration of an exploit, how do you responsibly release it? What role do such demonstrations play in moving software security forward? gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From leichter_jerrold at emc.com Fri Nov 3 12:44:17 2006 From: leichter_jerrold at emc.com (Leichter, Jerry) Date: Fri, 3 Nov 2006 12:44:17 -0500 (EST) Subject: [SC-L] Apple Places Encrypted Binaries in Mac OS X In-Reply-To: References: Message-ID: | Here's a somewhat interesting link to an eweek article that discusses | Apple's use of encryption to protect some of its OS X binaries: | http://www.eweek.com/article2/0,1895,2050875,00.asp | | Of course, encrypting binaries isn't anything new, but it's | interesting (IMHO) to see how it's being used in a real OS. The | article cites speculation as to whether Apple uses encryption for | anti-piracy or anti-reverse-engineering. Actually, it's pretty clear why they are doing it, if you look at the pieces they encrypt. The Finder and Dock have no particularly valuable intellectual property in them, but they are fundamental to the GUI. Encrypting them means that a version of OS X that's been modified to boot on non-Apple hardware won't have a GUI, thus limiting its attractiveness to non-hackers. To really get the result to be widely used, someone would have to write a replacement for these components that looked "enough like the original". And of course, since they built a general-purpose mechanism, nothing prevents Apple encrypting other components later. Rosetta (the binary translator for PowerPC programs) isn't an essential program. Apple may simply consider it valuable, but I think it's more likely that they may be preparing the way for the next step: Encrypting applications they deliver as "native". Since the encryption isn't supported on PowerPC, running those applications under Rosetta would provide a quick way to get around encryption for the native versions of applications. It is worth pointing out that while Darwin, the underlying OS, is open source, no part of the GUI code, or Rosetta, or any of Apple's applications, have ever been open source. -- Jerry From secureCoding2dave at davearonson.com Fri Nov 3 12:30:18 2006 From: secureCoding2dave at davearonson.com (SC-L Subscriber Dave Aronson) Date: Fri, 03 Nov 2006 17:30:18 +0000 Subject: [SC-L] On exploits, hubris, and software security Message-ID: Gary McGraw [mailto:gem at cigital.com] writes: > The main thing I wonder is, what do you think? When you have a hot > demonstration of an exploit, how do you responsibly release it? This isn't so much about that, in the usual sense. This was, as you say, a well-known vulnerability, one screamingly obvious to anybody who bothered to think about how to get around the No-Fly List. Bruce Schneier wrote about it on his blog long ago, as did many others. > What role do such demonstrations play in moving software security forward? It could help dramatically. Not so much because of the demo itself, which will of course be ignored by the Powers that Be, but the publicity around it. That might possibly eventually make enough of a dent in the public consciousness, to wake them up to the fact that what the PTBs have been doing is almost all just security THEATER. However, it depends how much the media gives background. Unfortunately, even a brief blurb like "this flaw in the No-Fly List concept has been well known for several years" is unlikely to be aired or printed, since it takes valuable time/space away from the latest scandals of skanky "socialites" and other such much more important news. Without this little bit of trivia, the sheeple will just ass-u-me that the demo-giver was, as the PTBs will insinuate, a malefactor in league with $ENEMY[$YEAR], and deserves to be shipped off to the Git-lag. -Dave -- Dave Aronson "Specialization is for insects." -Heinlein Work: http://www.davearonson.com/ Play: http://www.davearonson.net/ From BlueBoar at thievco.com Fri Nov 3 12:50:10 2006 From: BlueBoar at thievco.com (Blue Boar) Date: Fri, 03 Nov 2006 09:50:10 -0800 Subject: [SC-L] On exploits, hubris, and software security In-Reply-To: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7FB7CF@va-mail.cigital.com> References: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7FB7CF@va-mail.cigital.com> Message-ID: <454B8152.9080106@thievco.com> Gary McGraw wrote: > The main thing I wonder is, what do you think? When you have a hot > demonstration of an exploit, how do you responsibly release it? What > role do such demonstrations play in moving software security forward? To pick one extreme, I believe there are times when intentionally blindsiding a vendor is appropriate: http://ryanlrussell.blogspot.com/2006/11/you-want-mac-wireless-bugs.html BB From gem at cigital.com Fri Nov 3 13:20:25 2006 From: gem at cigital.com (Gary McGraw) Date: Fri, 3 Nov 2006 13:20:25 -0500 Subject: [SC-L] On exploits, hubris, and software security Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7FB7E6@va-mail.cigital.com> Ed Felten and I found out early on (back in 1996) that you can use the press as a lever to get companies to do the right thing. We learned this when releasing the very first Java Security hole. We found out that Sun paid much more attention once USA Today picked up the story from comp.risks. Later, we could disclose the problems responsibly, keeping a short leash on Microsoft, Netscape, and Sun without ever resorting to FULL disclosure. Our goal was to get the problems fixed with no nonsense. The companies also allowed the press to be responsibly involved. We discussed all of the problems we found in our books "Java Security" and "Securing Java", but without ever releasing code for the exploits. gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com -----Original Message----- From: Blue Boar [mailto:BlueBoar at thievco.com] Sent: Friday, November 03, 2006 12:50 PM To: Gary McGraw Cc: SC-L at securecoding.org Subject: Re: [SC-L] On exploits, hubris, and software security Gary McGraw wrote: > The main thing I wonder is, what do you think? When you have a hot > demonstration of an exploit, how do you responsibly release it? What > role do such demonstrations play in moving software security forward? To pick one extreme, I believe there are times when intentionally blindsiding a vendor is appropriate: http://ryanlrussell.blogspot.com/2006/11/you-want-mac-wireless-bugs.html BB ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From BlueBoar at thievco.com Fri Nov 3 14:38:13 2006 From: BlueBoar at thievco.com (Blue Boar) Date: Fri, 03 Nov 2006 11:38:13 -0800 Subject: [SC-L] On exploits, hubris, and software security In-Reply-To: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7FB7E6@va-mail.cigital.com> References: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7FB7E6@va-mail.cigital.com> Message-ID: <454B9AA5.7040508@thievco.com> Gary McGraw wrote: > Later, we could disclose the problems responsibly, keeping a short leash > on Microsoft, Netscape, and Sun without ever resorting to FULL > disclosure. Our goal was to get the problems fixed with no nonsense. > The companies also allowed the press to be responsibly involved. Are you familiar with the backstory on this one? While I acknowledge there is controversy on who is telling the truth, here's the 60-second summary, according to how I believe it happened. (And how I believe it happened is important, because other researchers also believe this, and are acting accordingly.): -Researchers show video demo at Black Hat of an attack against a wireless driver for a third-party NIC on a MacBook. They poke fun at Mac users. They claim it works against the driver for the built-in wireless, too. (They also claim it works against Windows drivers, *nix drivers, etc.. but no one cares for purposes of the controversy.) -Reporter reports it, uses sensational headline, backs up their story about the built-in card driver being vulnerable, too. Says researchers claim Apple "leaned" on them to remove the video demo of the built-in card exploit. -Researchers claim they told Apple. Apple denies it to reporters. Apple issues press releases denying it. Apple PR person goes on record as claiming Apple was not given one shred of evidence. Employer of one of the researchers appears to be keeping both researchers from saying anything to defend themselves. -Apple releases patch for the vulnerability (so says one of the researchers) and Apple claims credit for finding it. So, if you believe the researchers' side of the story, the press WAS involved, Apple denied it, threw around legal threats to gag the researchers, and then stole the credit. Ergo, the next set of researchers (who tend to believe the first set of researchers) say screw Apple, and release details in such a way that there can be no denial of what they found. Researchers will tend to take the word of other researchers over the vendors, and some researchers already have a tendency to just publish if they get flack from the vendor anyway. The actual hard truth of the situation isn't critical, the researchers will behave according to their perception of what happened. While I am extremely interested in the hard truth for this situation, we don't have it yet, we might never. I don't particularly want to debate the actual truth here, and I'm pretty sure Gary doesn't want us to, either. If you want to read a very good counterpoint from someone who believes more of Apple's side of the story, Dave Schroeder posed a detailed response on my blog entry that I referenced earlier. If you want to debate me on it in particular, please feel free to do so there. Again, the important bit is how Apple appears to behave, to people like the researchers. I have the same bias, and if I were any good at finding kernel vulnerabilities, I'd be treating Apple the same way about now. BB (Apologies for the length. I've already been debating this for a few days, and Gary DID invoke the Full Disclosure debate.) From leichter_jerrold at emc.com Fri Nov 3 19:28:15 2006 From: leichter_jerrold at emc.com (Leichter, Jerry) Date: Fri, 3 Nov 2006 19:28:15 -0500 (EST) Subject: [SC-L] Apple Places Encrypted Binaries in Mac OS X In-Reply-To: References: Message-ID: BTW, an interesting fact has been pointed out by Amit Singh, author of a book describing Mac OS X internals: The first generation of x86-based Mac's - or at least some of them - contained a TPM chip (specifically, the Infineon SKB 9635 TT 1.2. However, Apple never used the chip - in fact, they didn't even provide a driver for it. It certainly was not used in generating the encrypted binaries. Proof? The most recent revision of the Macbook Pro does *not* contain a TPM chip. So in fact Apple is not using the TPM to "certify" a machine as being real Apple hardware. Presumably one can hack out the decryption key - it's in the software somewhere.... -- Jerry From dcrocker at eschertech.com Sat Nov 4 06:57:55 2006 From: dcrocker at eschertech.com (David Crocker) Date: Sat, 4 Nov 2006 11:57:55 -0000 Subject: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet] In-Reply-To: <454AC9A1.4090804@novell.com> Message-ID: <009301c70008$782be730$cb00000a@escheradmin> Crispin, It is most certainly true that C++ can be appropriate in those cases. C++ programs can perform just as well as C programs, while also being much better structured. Of course, it will be necessary to avoid performing frequent allocation and deallocation of heap memory in the C++ program - but the same is true of C programs. Poorly-performing programs can be written in either language. David Crocker, Escher Technologies Ltd. Consultancy, contracting and tools for dependable software development www.eschertech.com -----Original Message----- From: Crispin Cowan [mailto:crispin at novell.com] Sent: 03 November 2006 04:46 To: David Crocker Cc: 'Secure Coding' Subject: Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet] David Crocker wrote: > Unfortunately, there are at least two situations in which C++ is a > more suitable alternative to Java and C#: > > - Where performance is critical. Run time of C# code (using the faster > .NET 2.0 > runtime) can be as much as double the run time of a C++ version of the same > algorithm. Try telling a large company that it must double the size of its > compute farms so you can switch to a "better" programming language! > > - In hard real-time applications where garbage collection pauses > cannot be tolerated. > Except that in both of those cases, C++ is not appropriate either. That is a case for C. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com Hack: adroit engineering solution to an unanticipated problem Hacker: one who is adroit at pounding round pegs into square holes From mark at markgraff.com Sat Nov 4 17:48:19 2006 From: mark at markgraff.com (Mark Graff) Date: Sat, 4 Nov 2006 14:48:19 -0800 Subject: [SC-L] SC-L Digest, Vol 2, Issue 183 References: Message-ID: <004d01c70063$53697150$0401a8c0@TallTrees> Gary McGraw said: > Ed Felten and I found out early on (back in 1996) that you can use the > press as a lever to get companies to do the right thing. We learned > this when releasing the very first Java Security hole. We found out > that Sun paid much more attention once USA Today picked up the story > from comp.risks. > > Later, we could disclose the problems responsibly... I told my part of this tale in "Secure Coding" (O'Reiily, 2003--with KRvw, of course). I was Sun's corporate-wide "Security Coordinator", responsible for fixing, or getting fixed, all security bugs or flaws in our products. I had analyzed, without source code, the Java jail approach and had identified what I thought was a potential problem. I reached out internally and had a series of meetings with the main designer, the main architect, and the person who was in charge of security for Java. I told them each that my experience and intuition indicated that there would be a serious security bug, "right there", and volunteered to round up a group of volunteer external experts (I was well plugged into FIRST at the time) to help analyze potential problems. All this was before any security bugs had been found in Java. And as busy as I was keeping up with bugs fixes, disclosures, and exploits inh UIX/Solaris, I was determined to act proactively and help perfect what I saw as a great step forward in security. The three Java experts gave me the cold shoulder. I persisted. They told me to go away, and expressed with force and conviction that there were not--could not be--any security bugs in Java. About 10 weeks later, I was at a national-security conference in Houston. While I was walking up to give my address on the Java Security Model--literally, while I was taking to the stage--an acquaintance there said, "Hard day for Sun security types, I guess" He then showed me the USA Today headline Gary referred to in his post. It turned out that Gary and Ed had independently discovered and (unsuccessfully) reported the self-same bug I had hypothesized about. It was fixed a few short weeks later. Hubris is not endemic to a single company, or individual. And the inability to see our own mistakes (sometimes, even when they are pointed out to us) is something I don't believe we software types can even claim as particular to our occupation. It is, as luminaries like Peter Neumann and James Reason have amply demonstrated, a failure common to that combination of orderly and creative thinking we call engineering. Similarly, for reasons Ken and I discuss in Chapter 1 of "Secure Coding", the corporate animal really will, all too often, turn the Reality Distortion Field on full-force rather than deal with a pre-headline problem. I often ask myself which set of dangerous behavior--corporate blindness, or preemptive disclosure--is more likely to trigger the first security-bug-caused death. I don't know. Can we turn the ship of software development before we hit that rock? I doubt it. One hopes. -mg- From michaelslists at gmail.com Sat Nov 4 21:19:11 2006 From: michaelslists at gmail.com (mikeiscool) Date: Sun, 5 Nov 2006 13:19:11 +1100 Subject: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet] In-Reply-To: <01de01c6fa76$1512db00$cb00000a@escheradmin> References: <453E69E4.80300@novell.com> <01de01c6fa76$1512db00$cb00000a@escheradmin> Message-ID: <5e01c29a0611041819u468ba6f0s24e6d92739f29485@mail.gmail.com> On 10/28/06, David Crocker wrote: > Crispin Cowan wrote: > > >> > For me, the enemy in the room is C++. It gives you the safety of C with the > performance of SmallTalk. There is no excuse at all to be writing anything in > C++ yet vastly too many applications are written in C++ anyway. Instead of > trying to coax developers to switch from C++ to something "weird" like SML, lets > encourage them to switch to Java or C#, which are closer to their experience. > << > > Unfortunately, there are at least two situations in which C++ is a more suitable > alternative to Java and C#: > > - Where performance is critical. Run time of C# code (using the faster .NET 2.0 > runtime) can be as much as double the run time of a C++ version of the same > algorithm. Try telling a large company that it must double the size of its > compute farms so you can switch to a "better" programming language! Don't go there, sister. Come up with some reasonable tests before making a statement like that. "Assembly code can be as much as a million times faster then the run time of a C++ version of the same algorithm." Bit useless, isn't it? Lets not forget that writing faster/more optimised code in c++ will be more complex and hence allow room for more errors then letting the c#/java runtime optimiser do the dirty work for us. > However, I suspect that most security-critical programs do not fall into either > of these categories, What? Cryptography rings a bell ... > so C# or Java would indeed be a better choice than C++ for > those programs. > > David Crocker, Escher Technologies Ltd. > Consultancy, contracting and tools for dependable software development > www.eschertech.com -- mic From dcrocker at eschertech.com Sun Nov 5 07:17:01 2006 From: dcrocker at eschertech.com (David Crocker) Date: Sun, 5 Nov 2006 12:17:01 -0000 Subject: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet] In-Reply-To: <5e01c29a0611041819u468ba6f0s24e6d92739f29485@mail.gmail.com> Message-ID: <00f001c700d4$67dcf870$cb00000a@escheradmin> mikeiscool wrote: >> Don't go there, sister. Come up with some reasonable tests before making a statement like that. "Assembly code can be as much as a million times faster then the run time of a C++ version of the same algorithm." Bit useless, isn't it? << I would not have made the statement I did had the tests not been done and provided very clear results. I am not at liberty to go into details of the tests I have been involved with, however if you Google for e.g. "C++ C# performance", you will see that other people are getting similar results. >> Lets not forget that writing faster/more optimised code in c++ will be more complex and hence allow room for more errors then letting the c#/java runtime optimiser do the dirty work for us. << C++ offers much more room for errors than C# or Java, and not just in memory management. If you re-read my comment, you will realise that I was not promoting C++ as being a better language than C#, just pointing out that there are some situations in which the replacement of C++ by C# is not yet feasible, such as where a performance reduction of around 30% to 50% cannot be accepted. It is to be hoped that as JIT compiler technology continues to improve, the performance gap will be further reduced. David Crocker, Escher Technologies Ltd. Consultancy, contracting and tools for dependable software development www.eschertech.com -----Original Message----- From: mikeiscool [mailto:michaelslists at gmail.com] Sent: 05 November 2006 02:19 To: David Crocker Cc: Secure Coding Subject: Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet] On 10/28/06, David Crocker wrote: > Crispin Cowan wrote: > > >> > For me, the enemy in the room is C++. It gives you the safety of C > with the performance of SmallTalk. There is no excuse at all to be > writing anything in > C++ yet vastly too many applications are written in C++ anyway. > C++ Instead of > trying to coax developers to switch from C++ to something "weird" like > SML, lets encourage them to switch to Java or C#, which are closer to > their experience. << > > Unfortunately, there are at least two situations in which C++ is a > more suitable alternative to Java and C#: > > - Where performance is critical. Run time of C# code (using the faster > .NET 2.0 > runtime) can be as much as double the run time of a C++ version of the same > algorithm. Try telling a large company that it must double the size of its > compute farms so you can switch to a "better" programming language! Don't go there, sister. Come up with some reasonable tests before making a statement like that. "Assembly code can be as much as a million times faster then the run time of a C++ version of the same algorithm." Bit useless, isn't it? Lets not forget that writing faster/more optimised code in c++ will be more complex and hence allow room for more errors then letting the c#/java runtime optimiser do the dirty work for us. > However, I suspect that most security-critical programs do not fall > into either of these categories, What? Cryptography rings a bell ... > so C# or Java would indeed be a better choice than C++ for those > programs. > > David Crocker, Escher Technologies Ltd. > Consultancy, contracting and tools for dependable software development > www.eschertech.com -- mic From leichter_jerrold at emc.com Sun Nov 5 12:05:40 2006 From: leichter_jerrold at emc.com (Leichter, Jerry) Date: Sun, 5 Nov 2006 12:05:40 -0500 (EST) Subject: [SC-L] re-writing college books - erm.. ahm... In-Reply-To: <45435E9E.805@cert.org> References: <45430FBB.8080108@novell.com> <45435E9E.805@cert.org> Message-ID: Much as I agree with many of the sentiments expressed in this discussion, there's a certain air of unreality to it. While software has it's own set of problems, it's not the first engineered artifact with security implications in the history of the world. Bridges and buildings regularly collapsed. (In the Egyptian desert, you can still see a pyramid that was built too aggressively - every designer wanted to build higher and steeper than his predecessor - and collapsed before it was finished.) Steam boilers exploded. Steel linings on wooden railroad tracks stripped of, flew through the floors of passing cars, and killed people. Electrical systems regularly caused fires. How do we keep such traditional artifacts safe? It's not by writing introductory texts with details of safety margins, how to analyze the strength of materials, how to include a crowbar in a power supply. What you *may* get in an introductory course is the notion that there are standards, that when it comes time for you to actually design stuff you'll have to know and follow them, and that if you don't you're likely to end up at best unemployed and possibly in jail when your "creativity" kills someone. In software, we have only the beginnings of such standards. We teach and encourage an attitude in which every last bit of the software is a valid place to exercise your creativity, for better or (for most people, most of the time) worse. With no established standards, we have no way to push back on managers and marketing guys and such who insist that something must be shipped by the end of the week, handle 100 clients at a time, have no more tha 1 second response time, and run on some old 486 with 2 MB of memory. I don't want to get into the morass of licensing. It's a fact that licensing is heavily intertwined with standard-setting in many older fields, but not in all of them, and there's no obvious inherent reason why it has to be. The efforts to write down "best practices" at CERT are very important, but also very preliminary. As it stands, what we have to offer are analogous to best practices for using saws and hammers and such - not best practices for determining floor loadings, appropriate beam strengths, safe fire evacuation routes. Every little bit helps, but a look at history shows us just how little we really have to offer as yet. -- Jerry From michaelslists at gmail.com Sun Nov 5 17:09:26 2006 From: michaelslists at gmail.com (mikeiscool) Date: Mon, 6 Nov 2006 09:09:26 +1100 Subject: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet] In-Reply-To: <00f001c700d4$67dcf870$cb00000a@escheradmin> References: <5e01c29a0611041819u468ba6f0s24e6d92739f29485@mail.gmail.com> <00f001c700d4$67dcf870$cb00000a@escheradmin> Message-ID: <5e01c29a0611051409o451140dyf6fe9f8843f40ed8@mail.gmail.com> On 11/5/06, David Crocker wrote: > mikeiscool wrote: > > >> > Don't go there, sister. Come up with some reasonable tests before making a > statement like that. "Assembly code can be as much as a million times faster > then the run time of a C++ version of the same algorithm." Bit useless, isn't > it? > << > > I would not have made the statement I did had the tests not been done and > provided very clear results. I am not at liberty to go into details of the tests > I have been involved with, however if you Google for e.g. "C++ C# performance", > you will see that other people are getting similar results. Right, so again your statement is useless without numbers and tests we can perform ourselves. You made the statement, so you either have to prove it or let it slide. -- mic From ge at linuxbox.org Sun Nov 5 17:53:56 2006 From: ge at linuxbox.org (Gadi Evron) Date: Sun, 5 Nov 2006 16:53:56 -0600 (CST) Subject: [SC-L] re-writing college books - erm.. ahm... In-Reply-To: Message-ID: On Sun, 5 Nov 2006, Leichter, Jerry wrote: > Much as I agree with many of the sentiments expressed in this discussion, > there's a certain air of unreality to it. While software has it's own > set of problems, it's not the first engineered artifact with security > implications in the history of the world. Bridges and buildings > regularly collapsed. (In the Egyptian desert, you can still see a > pyramid that was built too aggressively - every designer wanted to > build higher and steeper than his predecessor - and collapsed before > it was finished.) Steam boilers exploded. Steel linings on wooden > railroad tracks stripped of, flew through the floors of passing cars, > and killed people. Electrical systems regularly caused fires. > > How do we keep such traditional artifacts safe? It's not by writing > introductory texts with details of safety margins, how to analyze the > strength of materials, how to include a crowbar in a power supply. > What you *may* get in an introductory course is the notion that there > are standards, that when it comes time for you to actually design > stuff you'll have to know and follow them, and that if you don't you're > likely to end up at best unemployed and possibly in jail when your > "creativity" kills someone. > > In software, we have only the beginnings of such standards. We > teach and encourage an attitude in which every last bit of the > software is a valid place to exercise your creativity, for better > or (for most people, most of the time) worse. With no established > standards, we have no way to push back on managers and marketing > guys and such who insist that something must be shipped by the > end of the week, handle 100 clients at a time, have no more tha > 1 second response time, and run on some old 486 with 2 MB of memory. > > I don't want to get into the morass of licensing. It's a fact that > licensing is heavily intertwined with standard-setting in many > older fields, but not in all of them, and there's no obvious inherent > reason why it has to be. > > The efforts to write down "best practices" at CERT are very important, > but also very preliminary. As it stands, what we have to offer > are analogous to best practices for using saws and hammers and > such - not best practices for determining floor loadings, appropriate > beam strengths, safe fire evacuation routes. > > Every little bit helps, but a look at history shows us just how > little we really have to offer as yet. Well said, and quite right. A few pointers though. A bridge is a single-purpose device. A watch is a simple purpose computer, as was the Enigma machine, if we can call it such. Multi-purpose computers or programmable computers are where our problems start. Anyone can DO and create. One simply has to sit in front of a keyboard and screen and make it happen.. As such, even if built well, the computer is programmable, and thus at risk. Gadi. > -- Jerry > > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > From sasa at pheniscidae.tvnetwork.hu Sun Nov 5 17:59:26 2006 From: sasa at pheniscidae.tvnetwork.hu (SZALAY Attila) Date: Sun, 05 Nov 2006 23:59:26 +0100 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writing college books] In-Reply-To: <00f001c700d4$67dcf870$cb00000a@escheradmin> References: <00f001c700d4$67dcf870$cb00000a@escheradmin> Message-ID: <1162767566.2289.15.camel@sasa.home> Hi All! I read this thread and I little be afraid. I'm just ahead of a complete rewriting of my program. The previous code was written in pure C (with an OOP looks-like somewhere). This program should run on Linux, freebsd and windows platform. This program is a GUI, so it has a graphical interface too but do a lot of computing and xml handling. I know C the most, so C++ is the least step I have to do. But I'm uncertain now that this is enough. When I have looked around for OO alternatives the C# was dropped, because I couldn't find a cross-platform graphical tools and Java was dropped because it's speed and the possibilities of debugging problems. Is there any other alternatives or I left something or the C++ is the only alternative for me? From ppowenski at yahoo.com Mon Nov 6 04:09:21 2006 From: ppowenski at yahoo.com (Paul Powenski) Date: Mon, 6 Nov 2006 01:09:21 -0800 (PST) Subject: [SC-L] re-writing college books - erm.. ahm... In-Reply-To: Message-ID: <20061106090921.97163.qmail@web54003.mail.yahoo.com> Most of the incidents in your first paragraph were improved with the establishment of laws, regulation bodies, and external testing with a stamp of approval. The Underwriters labaroratory was established to ensure that a product was sales worthy to the public due to manufacturers focusing on sales and not much on safety. Having a clearing house/body/organization which inspects an application for business worthiness, critical machinery functions, consumer entertainment or consumer sensitive use (personal planner, financial package) might persuade vendors to use security enabled tools and software building tools stricktly based upon how difficult it is to acheive a worthiness approval. For instance if an application is developed in C,C++,C# then an appropriate set of audits and testing must be performed to acheive a certification. Since these would be more comprehensive than other languages the vendor would have to decide which is easier the extra expense of the extensive audits and testing vs. using a approved language that does not required a greater degree of testing. This would provide software tools vendors the incentive to create more security enabled tools to align themselves with the requirements of the body delivering the accredication for use. The software industry is no different than most other industries. There are devices with little risk a garage door opener, a radio might have more user risk depending upon how you look at it, and then there are very dangerous applicances Irons, Microwaves, Snow Blowers. For software a game, word processor, personal finance planner, for a business a financial package. "Leichter, Jerry" wrote: Much as I agree with many of the sentiments expressed in this discussion, there's a certain air of unreality to it. While software has it's own set of problems, it's not the first engineered artifact with security implications in the history of the world. Bridges and buildings regularly collapsed. (In the Egyptian desert, you can still see a pyramid that was built too aggressively - every designer wanted to build higher and steeper than his predecessor - and collapsed before it was finished.) Steam boilers exploded. Steel linings on wooden railroad tracks stripped of, flew through the floors of passing cars, and killed people. Electrical systems regularly caused fires. How do we keep such traditional artifacts safe? It's not by writing introductory texts with details of safety margins, how to analyze the strength of materials, how to include a crowbar in a power supply. What you *may* get in an introductory course is the notion that there are standards, that when it comes time for you to actually design stuff you'll have to know and follow them, and that if you don't you're likely to end up at best unemployed and possibly in jail when your "creativity" kills someone. In software, we have only the beginnings of such standards. We teach and encourage an attitude in which every last bit of the software is a valid place to exercise your creativity, for better or (for most people, most of the time) worse. With no established standards, we have no way to push back on managers and marketing guys and such who insist that something must be shipped by the end of the week, handle 100 clients at a time, have no more tha 1 second response time, and run on some old 486 with 2 MB of memory. I don't want to get into the morass of licensing. It's a fact that licensing is heavily intertwined with standard-setting in many older fields, but not in all of them, and there's no obvious inherent reason why it has to be. The efforts to write down "best practices" at CERT are very important, but also very preliminary. As it stands, what we have to offer are analogous to best practices for using saws and hammers and such - not best practices for determining floor loadings, appropriate beam strengths, safe fire evacuation routes. Every little bit helps, but a look at history shows us just how little we really have to offer as yet. -- Jerry _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php --------------------------------- Check out the New Yahoo! Mail - Fire up a more powerful email and get things done faster. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20061106/bdec9a2d/attachment.html From michaelslists at gmail.com Mon Nov 6 07:23:06 2006 From: michaelslists at gmail.com (mikeiscool) Date: Mon, 6 Nov 2006 23:23:06 +1100 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writing college books] In-Reply-To: <1162767566.2289.15.camel@sasa.home> References: <00f001c700d4$67dcf870$cb00000a@escheradmin> <1162767566.2289.15.camel@sasa.home> Message-ID: <5e01c29a0611060423q793a994bg337e3f9d1d1042f@mail.gmail.com> On 11/6/06, SZALAY Attila wrote: > Hi All! > > I read this thread and I little be afraid. I'm just ahead of a complete > rewriting of my program. The previous code was written in pure C (with > an OOP looks-like somewhere). > > This program should run on Linux, freebsd and windows platform. This > program is a GUI, so it has a graphical interface too but do a lot of > computing and xml handling. > > I know C the most, so C++ is the least step I have to do. But I'm > uncertain now that this is enough. When I have looked around for OO > alternatives the C# was dropped, because I couldn't find a > cross-platform graphical tools and Java was dropped because it's speed > and the possibilities of debugging problems. Hold the phone ... What debugging problems? What _specific_ speed issues? I'd be really surprised if your project couldn't be resolved with java; what specific problems are you facing? What tests have you run/consider to show that java's supposed "speed issues" will give you trouble? If it's just xml processing I'd say efficient data structures are what you care about, so java can help you there. > Is there any other alternatives or I left something or the C++ is the > only alternative for me? Certainly not. If all else fails you can write memory-intensive stuff in a dll and import it into one java or c#. It'll still be some lower-level coding (in c++ or c or asm) but at least it'll be isolated. You'll need to explain your program more ... -- mic From psteichen at gmail.com Mon Nov 6 07:33:30 2006 From: psteichen at gmail.com (psteichen) Date: Mon, 6 Nov 2006 13:33:30 +0100 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writing college books] In-Reply-To: <1162767566.2289.15.camel@sasa.home> References: <00f001c700d4$67dcf870$cb00000a@escheradmin> <1162767566.2289.15.camel@sasa.home> Message-ID: for cross-platform C# there is the mono project which do a great jpb of porting the .NET framework to the Linux world, check it out at : http://www.mono-project.com/ further perl or python (which are more or less cross-platform) might also be used for your rewrite project, all depends one your specific needs... On 11/5/06, SZALAY Attila wrote: > > Hi All! > > I read this thread and I little be afraid. I'm just ahead of a complete > rewriting of my program. The previous code was written in pure C (with > an OOP looks-like somewhere). > > This program should run on Linux, freebsd and windows platform. This > program is a GUI, so it has a graphical interface too but do a lot of > computing and xml handling. > > I know C the most, so C++ is the least step I have to do. But I'm > uncertain now that this is enough. When I have looked around for OO > alternatives the C# was dropped, because I couldn't find a > cross-platform graphical tools and Java was dropped because it's speed > and the possibilities of debugging problems. > > Is there any other alternatives or I left something or the C++ is the > only alternative for me? > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - > http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20061106/32742427/attachment-0001.html From leichter_jerrold at emc.com Mon Nov 6 08:22:32 2006 From: leichter_jerrold at emc.com (Leichter, Jerry) Date: Mon, 6 Nov 2006 08:22:32 -0500 (EST) Subject: [SC-L] re-writing college books - erm.. ahm... In-Reply-To: <20061106090921.97163.qmail@web54003.mail.yahoo.com> References: <20061106090921.97163.qmail@web54003.mail.yahoo.com> Message-ID: | Most of the incidents in your first paragraph were improved with the | establishment of laws, regulation bodies, and external testing with a | stamp of approval. The Underwriters labaroratory was established to | ensure that a product was sales worthy to the public due to | manufacturers focusing on sales and not much on safety. | | Having a clearing house/body/organization which inspects an | application for business worthiness, critical machinery functions, | consumer entertainment or consumer sensitive use (personal planner, | financial package) might persuade vendors to use security enabled | tools and software building tools stricktly based upon how difficult | it is to acheive a worthiness approval. For instance if an application | is developed in C,C++,C# then an appropriate set of audits and testing | must be performed to acheive a certification. Since these would be | more comprehensive than other languages the vendor would have to | decide which is easier the extra expense of the extensive audits and | testing vs. using a approved language that does not required a greater | degree of testing. This would provide software tools vendors the | incentive to create more security enabled tools to align themselves | with the requirements of the body delivering the accredication for | use. | | The software industry is no different than most other | industries. There are devices with little risk a garage door opener, a | radio might have more user risk depending upon how you look at it, and | then there are very dangerous applicances Irons, Microwaves, Snow | Blowers. For software a game, word processor, personal finance | planner, for a business a financial package. I agree with what you say .... until the very last paragraph. The different in the software industry is that we don't really know yet what the right standards should be - and it's not even clear to me that there is any concerted effort to find out. Yes, it's possible to build highly reliable software for things like aircraft control. It's (a) extremely expensive to do - the techniques we have today are so expensive as to rule out all but obviously life-critical uses of software; (b) only give you assurance in certain directions. In particular, aircraft control software doesn't have to be exposed to active, intelligent attackers on the Internet. All elements of the software development community - developers themselves, software makers, makers of products based on software, even most software purchasers and users - have a vested interest in resisting such laws, regulations, and external bodies. It crimps their style, adds to their costs, and has no obvious benefits. The same, of course, was true of most other kinds of engineered product development at some point in their life. However, it's much easier for everyone to see that there is something wrong when a boiler blows up because the maker saved money by using steel that's too brittle than it is to see that a bug in handling URL's allowed a cross-site scripting attack that allowed critical information to be stolen. This leads to much less pressure on the software industry to fix things. Things are changing, but we're running into another problem: Even very simple attempts at regulation quickly run into lack of the basic science and engineering knowledge necessary. Industry standards on boilers could refer to standard tables of steel strengths. An industry standard to prevent cross-site scripting attacks could refer to ... what, exactly? And, again, there is the important distinction that boiler failures are due to "lawful" physical processes, while cross-site scripting prevention failures are due to intelligent attacks. Perhaps for that kind of thing we need to look not at industry standards but at military experience.... -- Jerry From Kevin.Wall at qwest.com Mon Nov 6 09:02:38 2006 From: Kevin.Wall at qwest.com (Wall, Kevin) Date: Mon, 6 Nov 2006 08:02:38 -0600 Subject: [SC-L] re-writing college books - erm.. ahm... References: Message-ID: In response to a post by Jerry Leichter, Gadi Evron wrote... > A bridge is a single-purpose device. A watch is a simple > purpose computer, as was the Enigma machine, if we can call > it such. > > Multi-purpose computers or programmable computers are where > our problems start. Anyone can DO and create. One simply has > to sit in front of a keyboard and screen and make it happen. Let us keep in mind that in the name of profits (and ignoring our prophets, see .sig, below), as an industry, we have strived to lower the entry level of programming by introducing "diseases" (I'll probably catch some flack for that) such as Visual Basic, etc. so that managers who have never had even the simplest introduction to computer science can now develop their own software, complete with security vulnerabilities. This only exacerbates the situation. To add to that, often you get some manager or marketing type who slaps together a "working" prototype of something they or a customer is asking for by using a spreadsheet, an Access "database", and some VB glue that works for maybe 100 records and then s/he thinks that a small development team should be able to tweak that prototype to turn it into an enterprise-wide, Internet-facing application that can handle millions of records, handle a transaction volume that is 3 or 4 orders of magnitude larger than the prototype handles, and slap it all together in a couple of weeks. Developers have to cut corners somewhere, and since security issues are not paramount, that's often what gets overlooked. As an industry, I think that we've, in part, done this to ourselves. When I started in this industry 27 years ago, at least real software engineering techniques were _attempted_. There were requirements gathered, specifications written and reviewed, designs written, reviewed, and applied, and an extensive testing period after coding was more or less complete. But that used to take 15-20 people about 1 to 2 years. Now we've compressed that down to 90 days or so, so something had to give (besides our sanity ;-). What I see today is a few "analysts" go talk to marketing or other stakeholders and they write up some "user stories" (not even real "use cases"; what I'm referring to but more like a sentence or two describing some basic, sunny-day-only usage scenario collected into a spreadsheet). From there, the application development teams jump directly into coding/testing, magically expecting the design to somehow just "emerge" or expecting to be able to "refactor it" later (if there ever is a "later"). (Can you tell I think that extreme programming--at least as practiced here--has been a horrible failure, especially from a security POV? :) I ask you, just where would civil or mechanical engineering be today if they had encouraged the average construction worker to develop their own bridge or designed their own buildings rather than relying on architects and engineers to do this? That's just one reason why things are as bad as they are. Today, I don't even see professional software developers develop software using good software engineering principles. ("It takes too long" or "It's too expensive" are the usual comments.) Or where would we be if the city council expected to build a new 80-story skyscraper, starting from inception, in only 6 months? It's no wonder that we so often here that remark that says "If [building] architects built buildings the way that software developers build software, the first woodpecker that came by would destroy civilization." Maybe what we need is to require that as part of the software development education, we need to partly indoctrinate them into other "real" engineering disciplines and hope that some of it rubs off. Because, IMO what we are doing now is failing miserably. BTW, if you've not yet read the Dijkstra article referenced below, I highly recommend it. It's quite dated, but it's a gem for .sig quotes. -kevin Std disclaimer: Everything I've written above reflects solely my own opinion and not the opinion of any of my employers, past or present. --- Kevin W. Wall Qwest Information Technology, Inc. Kevin.Wall at qwest.com Phone: 614.215.4788 "It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration" - Edsger Dijkstra, How do we tell truths that matter? http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html This communication is the property of Qwest and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments. From mouse at Rodents.Montreal.QC.CA Mon Nov 6 10:47:56 2006 From: mouse at Rodents.Montreal.QC.CA (der Mouse) Date: Mon, 6 Nov 2006 10:47:56 -0500 (EST) Subject: [SC-L] Could I use Java or c#? [was: Re: re-writing college books] In-Reply-To: <1162767566.2289.15.camel@sasa.home> References: <00f001c700d4$67dcf870$cb00000a@escheradmin> <1162767566.2289.15.camel@sasa.home> Message-ID: <200611061553.KAA17083@Sparkle.Rodents.Montreal.QC.CA> > I read this thread and I little be afraid. I'm just ahead of a > complete rewriting of my program. The previous code was written in > pure C (with an OOP looks-like somewhere). Perhaps I'm missing something. Why do you have to abandon C? You mention C++, C#, and Java, but no other languages; is there some reason you have to use a language that tries to be object-oriented? Also, you have said nothing about what the tradeoffs involved are. Since this is sc-l, I assume security is involved; what does this code need to be secure against? It could very well be that C is the right language for you to use. Yes, it has problems, but so do all other languages; it's just a question of finding the language whose problems are least problematic for you and your application, and it sounds to me as though some of the most important problems for you have nothing to do with the languages' capabilities per se. /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML mouse at rodents.montreal.qc.ca / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B From ljknews at mac.com Mon Nov 6 11:57:56 2006 From: ljknews at mac.com (ljknews) Date: Mon, 6 Nov 2006 11:57:56 -0500 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writing college books] In-Reply-To: <200611061553.KAA17083@Sparkle.Rodents.Montreal.QC.CA> References: <00f001c700d4$67dcf870$cb00000a@escheradmin> <1162767566.2289.15.camel@sasa.home> <200611061553.KAA17083@Sparkle.Rodents.Montreal.QC.CA> Message-ID: At 10:47 AM -0500 11/6/06, der Mouse wrote: >> I read this thread and I little be afraid. I'm just ahead of a >> complete rewriting of my program. The previous code was written in >> pure C (with an OOP looks-like somewhere). > > Perhaps I'm missing something. Why do you have to abandon C? You > mention C++, C#, and Java, but no other languages; is there some reason > you have to use a language that tries to be object-oriented? Is there some reason you have to use a language that "looks like" C ? -- Larry Kilgallen From peter.werner at gmail.com Mon Nov 6 18:19:40 2006 From: peter.werner at gmail.com (pete werner) Date: Tue, 7 Nov 2006 10:19:40 +1100 Subject: [SC-L] re-writing college books - erm.. ahm... In-Reply-To: References: Message-ID: <6378f48a0611061519q44deb0c3iba43b122c575d953@mail.gmail.com> On 11/7/06, Wall, Kevin wrote: > > Developers have to cut corners somewhere, and since security issues > are not paramount, that's often what gets overlooked. > this is the biggest issue i think. it gets overlooked because management dont value it. partly because its expensive to do, and theres no real qualitative or quantitative measures of success. you cant go to your management and say "i spent 20% of my time working on security issues, it cost us $x but it will save our customers $y, and security was improved by 15%" or if you can, you're bullshitting, but will probably get a nice bonus :) i think a college level textbook would have limited benefit. there is plenty of information out there at the moment for those who are interested, both on the net and in book form. i suppose its nice to have a single point of reference though. however, most graduates aren't really good practical programmers. they know stuff like what a for loop is and how recursion works, which is great, but they learn the ins and outs of developing when they get their first real job. so they get their first job, and basically learn from the people they're working with. the people they're working with and learning from are busy, and working under time and budget constraints. they're just not going to focus on security, even if they had the knowledge to do it effectively, because other things are more important to the companies management. most managers (and developers too i guess) do care about security, but only in the way people care about global warming. they know global warming is bad, but oh gee what are we going to do, oh today i remembered to turn off my desk lamp when i left the office. great. same with security, you dont have to be a genius to work out security holes are bad, but oh gee what are you actually going to do about it? if organisations dont really care about software security, a security concious developer faces an uphill battle. if two devs are working on some code, one does it slower but more securely, the other does it quicker but less securely, who's going to look better, in a typical organisation? your fresh grad is going to learn quick enough what companies want from them. as time goes by, they become the ones breaking in the new developers, so the cycle continues. a book isnt going to help this, it probably wont hurt, but i dont think the lack of available literature is a big problem. a good organisation will focus on what its customers want. untill the customers start kicking up a storm about vulnerabilities, there's little impetus for management to devote resources to security. i think this is one of the things microsoft has done well, over the last few years they have started taking security seriously, and i can only assume its because their customers starting complaining. they still have a lot of security issues (an insuperable amount imo), but it shows that for companies to start taking software security seriously, it has to be something the customer wants. From jjchryan at gwu.edu Mon Nov 6 22:42:29 2006 From: jjchryan at gwu.edu (Julie J.C.H. Ryan) Date: Mon, 6 Nov 2006 22:42:29 -0500 Subject: [SC-L] Fwd: re-writing college books - erm.. ahm... References: <63c483720611061314h1a035f18wcd007dae2547da5@mail.gmail.com> Message-ID: <5ED0BA83-2324-4C47-8A46-60180144BA32@gwu.edu> Folks, I've been forwarding select messages from this listserv to my nephews, who are undergrads in CS at some fairly reknown universities, which shall remain nameless cause it would embarrass the heck out of them to have the following sentiment aired...... Begin forwarded message: > > ya, as per one of your previous emails, we are still taught to use > only printf and random stuff like that. printf was even incorporated > into java 1.5 because "it was so good." But right now I think we are > really just learning base algorithms and ideas rather than security > practices. Hell, I talked to my student advisor and apparently I can't > even take security courses till I'm working on a masters degree. > From ge at linuxbox.org Tue Nov 7 08:01:13 2006 From: ge at linuxbox.org (Gadi Evron) Date: Tue, 7 Nov 2006 07:01:13 -0600 (CST) Subject: [SC-L] Fwd: re-writing college books - erm.. ahm... In-Reply-To: <5ED0BA83-2324-4C47-8A46-60180144BA32@gwu.edu> Message-ID: On Mon, 6 Nov 2006, Julie J.C.H. Ryan wrote: > Folks, I've been forwarding select messages from this listserv to my > nephews, who are undergrads in CS at some fairly reknown > universities, which shall remain nameless cause it would embarrass > the heck out of them to have the following sentiment aired...... > > Begin forwarded message: > > > > > ya, as per one of your previous emails, we are still taught to use > > only printf and random stuff like that. printf was even incorporated > > into java 1.5 because "it was so good." But right now I think we are > > really just learning base algorithms and ideas rather than security > > practices. Hell, I talked to my student advisor and apparently I can't > > even take security courses till I'm working on a masters degree. Well, I never recieved any replies here on what's already being done.. so now, I am asking for ideas on how we can approach schools. What's needed, in order for basic CS classes to have a security orientation? Gadi. From robin at kallisti.net.nz Tue Nov 7 08:27:03 2006 From: robin at kallisti.net.nz (Robin Sheat) Date: Wed, 8 Nov 2006 02:27:03 +1300 Subject: [SC-L] Fwd: re-writing college books - erm.. ahm... In-Reply-To: <5ED0BA83-2324-4C47-8A46-60180144BA32@gwu.edu> References: <63c483720611061314h1a035f18wcd007dae2547da5@mail.gmail.com> <5ED0BA83-2324-4C47-8A46-60180144BA32@gwu.edu> Message-ID: <200611080227.20429.robin@kallisti.net.nz> On Tuesday 07 November 2006 16:42, Julie J.C.H. Ryan wrote: > Folks, I've been forwarding select messages from this listserv to my > nephews, who are undergrads in CS at some fairly reknown I did a CS degree quite recently. There was simply _no_ mention of security, with the exception of passing mentions in the software engineering paper. In my 4th year (first year of postgrad), I did a paper on network security that was run by the information science department[0] for my own edification. A good paper, although it didn't cover software development security at all (and didn't intend to, either). A large amount of the programming done there is in safer languages, however. I was in the last year doing Pascal, now it's Java. They are taught C later more to give students exposure to something a bit 'closer to the metal', where less of the donkey work is taken care of. After that, it tends to develop more into specific languages as suits what people are doing (haskell, prolog, LISP, etc). It is important to note that there is no goal of teaching students to go off and be safe programmers. Computer science is seen to a reasonable extent to be a theoretical persuit. Algorithms are covered, GC methods, heuristical searchs, and so on. That many students from this tend to go off and become programmers is almost seen the same as if they went off and became plumbers, just much more common. They are, of course, expected to hang around and become academics ;) You could reasonably argue (and I'm inclined to believe it myself) that not teaching secure practices to computer science students is a problem, but I think that the underlying issue is more that security is more of a vocational thing, the same as if they were to teach, say, programming with EJB. (Note: I consider many branches of security research to fit fairly comfortably into computer science, but I don't think that things like 'avoiding buffer overflow vulnerabilities' do, the usefulness of the knowledge aside) None of this is to say that it shouldn't be taught, just to provide my opinions on why it's not taught. Given a large number of CS students _do_ go off and develop real-world software, security should be given some time. Aside: I don't think there's anything wrong with printf in Java, it is helpful, and AFAIK it's not prone to the same format string vulnerabilities as C is. [0] at my uni, information science is the more business/application-oriented computer-related department, computer science is much more like applied mathematics/biology/cognitive psychology, depending on what exactly you're doing. -- Robin JabberID: Hostes alienigeni me abduxerunt. Qui annus est? PGP Key 0xA99CEB6D = 5957 6D23 8B16 EFAB FEF8 7175 14D3 6485 A99C EB6D -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://krvw.com/pipermail/sc-l/attachments/20061108/53dd0592/attachment.bin From bishop at cs.ucdavis.edu Tue Nov 7 12:56:42 2006 From: bishop at cs.ucdavis.edu (Matt Bishop) Date: Tue, 7 Nov 2006 09:56:42 -0800 Subject: [SC-L] Fwd: re-writing college books - erm.. ahm... In-Reply-To: References: Message-ID: Folks, A comment based on an idea we tried here. > Well, I never recieved any replies here on what's already being > done.. so > now, I am asking for ideas on how we can approach schools. What's > needed, > in order for basic CS classes to have a security orientation? Ideally, I agree with the sentiment but would quarrel with the wording :-). On a practical level, I think this is very unlikely to happen. For example, one problem is those classes are already overloaded with how to program *plus* language stuff. You can only do so much in 10 or 15 weeks (depending on whether you're on the quarter or semester system). An alternative to focusing on the introductory classes is to provide support for programming throughout the curriculum. But the big problem is overloaded classes--we try to teach too much material now. Telling an algorithms instructor she also needs to teach some security will fail on at least two counts: (1) "How do I teach the required course material *plus* security?" (2) "How do I learn enough about security to know what to teach and how to teach it? And where do I find the time to learn this?" So I don't think adding more material to existing classes will work. So let's take a page from English departments and/or law schools. Both have writing clinics--they are separate from classes, and provide reviews of written papers before those papers are turned in. The ones I'm familiar with do *not* address content, but they *do* address mechanics (grammar, punctuation, etc.) and expression--does the writing make sense, is it well organized, and so forth. Why not establish something similar for programming? You could work this in a number of ways. The one we've tried here was to require the students to write the program and then meet with someone working in the clinic. The clinician went through the program with the student, pointed out potential problems and bad programming practices, and (when appropriate) security issues. No grading occurred, but the student could rewrite the program to fix the problems pointed out (and others that the student found--the clinician did not try to find all the problems, just enough to show the student what types of problems were there). We did some very informal testing, and the results were promising. If anyone's interested, we did a write-up of it; see: http://nob.cs.ucdavis.edu/~bishop/papers/2006-cisse-2/ I need to emphasize the results are informal because we weren't educational metricians. Our next step (assuming we can get the funding) will be to devise formal metrics and do some more rigorous measurements to see how well the clinic works. The interesting point about the clinic is that it appeared to be effective at both introductory and upper division levels, provided the students used it. It also would provide reinforcement throughout the student's undergraduate education, and give the student more of a chance to absorb good programming practices than do one or two classes that focus on those aspects of programming. Just a thought .... Matt ================================== Matt Bishop Department of Computer Science University of California at Davis One Shields Ave. Davis, CA 95616-8562 United States of America phone: +1 530 752 8060 fax: +1 530 752 4767 web: http://seclab.cs.ucdavis.edu/~bishop From james.walden at gmail.com Tue Nov 7 13:08:37 2006 From: james.walden at gmail.com (James Walden) Date: Tue, 7 Nov 2006 13:08:37 -0500 Subject: [SC-L] Fwd: re-writing college books - erm.. ahm... In-Reply-To: References: <5ED0BA83-2324-4C47-8A46-60180144BA32@gwu.edu> Message-ID: <21c655860611071008x9860fc7l3fd138f8b7d12130@mail.gmail.com> On 11/7/06, Gadi Evron wrote: > > Well, I never recieved any replies here on what's already being done.. so > now, I am asking for ideas on how we can approach schools. What's needed, > in order for basic CS classes to have a security orientation? Most CS professors have little awareness about security in general or secure programming techniques in specific, so I think awareness is the place we need to start. I've been giving workshops in secure programming and software security targeted at CS educators since 2005 and will be giving workshops in both areas in March at the largest annual gathering of CS educators, the ACM SIGCSE Conference ( http://www.cs.potsdam.edu/sigcse07/index.html). Software security awareness is growing these days. I've seen software security and/or secure programming classes appear at a couple dozen security focused CS departments in the last couple of years, including my own. I teach relevant software security topics in my classes, and I know professors at a few universities who are working on a variety of approaches to introducing secure programming into CS1 and CS2. I'm currently surveying a variety of introductory CS textbooks in C, C++, and Java to look for security errors in their examples. If you know of any such errors, I'd appreciate getting an e-mail from you with the information about the error. I plan to use the data as part of a paper on teaching secure programming in early CS classes and will acknowledge any contributions in the paper. James Walden Assistant Professor, NKU http://www.nku.edu/~waldenj1/ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20061107/dd3b7583/attachment.html From ge at linuxbox.org Tue Nov 7 13:40:33 2006 From: ge at linuxbox.org (Gadi Evron) Date: Tue, 7 Nov 2006 12:40:33 -0600 (CST) Subject: [SC-L] Fwd: re-writing college books - erm.. ahm... In-Reply-To: <200611080227.20429.robin@kallisti.net.nz> Message-ID: On Wed, 8 Nov 2006, Robin Sheat wrote: > > It is important to note that there is no goal of teaching students to go off > and be safe programmers. Computer science is seen to a reasonable extent to > be a theoretical persuit. Algorithms are covered, GC methods, heuristical > searchs, and so on. That many students from this tend to go off and become > programmers is almost seen the same as if they went off and became plumbers, > just much more common. They are, of course, expected to hang around and > become academics ;) CS degree brings you to the academic world, and makes a scietist of you. Many go that route to become, coders. You don't teach programming at an EDU. As they are supposed to be scientists, I see no reason why this training can't be done with correct programming in mind. Teaching people how to code wrongly just to teach them later how it sid one correctly and slower, is a silly idea. It's not a bad idea as a conentrated specialized course, it is a silly idea as far as the actual original teaching goes, that is equivalent to patches rather than no vulnerabilities. Gadi. From ge at linuxbox.org Tue Nov 7 13:45:54 2006 From: ge at linuxbox.org (Gadi Evron) Date: Tue, 7 Nov 2006 12:45:54 -0600 (CST) Subject: [SC-L] Fwd: re-writing college books - erm.. ahm... In-Reply-To: Message-ID: On Tue, 7 Nov 2006, Matt Bishop wrote: > Folks, > > A comment based on an idea we tried here. > > > Well, I never recieved any replies here on what's already being > > done.. so > > now, I am asking for ideas on how we can approach schools. What's > > needed, > > in order for basic CS classes to have a security orientation? > > Ideally, I agree with the sentiment but would quarrel with the > wording :-). On a practical level, I think this is very unlikely to > happen. For example, one problem is those classes are already > overloaded with how to program *plus* language stuff. You can only do > so much in 10 or 15 weeks (depending on whether you're on the quarter > or semester system). > > An alternative to focusing on the introductory classes is to provide > support for programming throughout the curriculum. But the big > problem is overloaded classes--we try to teach too much material now. > Telling an algorithms instructor she also needs to teach some > security will fail on at least two counts: (1) "How do I teach the > required course material *plus* security?" (2) "How do I learn enough > about security to know what to teach and how to teach it? And where > do I find the time to learn this?" So I don't think adding more > material to existing classes will work. > > So let's take a page from English departments and/or law schools. > Both have writing clinics--they are separate from classes, and > provide reviews of written papers before those papers are turned in. > The ones I'm familiar with do *not* address content, but they *do* > address mechanics (grammar, punctuation, etc.) and expression--does > the writing make sense, is it well organized, and so forth. Why not > establish something similar for programming? > > You could work this in a number of ways. The one we've tried here was > to require the students to write the program and then meet with > someone working in the clinic. The clinician went through the program > with the student, pointed out potential problems and bad programming > practices, and (when appropriate) security issues. No grading > occurred, but the student could rewrite the program to fix the > problems pointed out (and others that the student found--the > clinician did not try to find all the problems, just enough to show > the student what types of problems were there). > > We did some very informal testing, and the results were promising. If > anyone's interested, we did a write-up of it; see: > > http://nob.cs.ucdavis.edu/~bishop/papers/2006-cisse-2/ > > I need to emphasize the results are informal because we weren't > educational metricians. Our next step (assuming we can get the > funding) will be to devise formal metrics and do some more rigorous > measurements to see how well the clinic works. > > The interesting point about the clinic is that it appeared to be > effective at both introductory and upper division levels, provided > the students used it. It also would provide reinforcement throughout > the student's undergraduate education, and give the student more of a > chance to absorb good programming practices than do one or two > classes that focus on those aspects of programming. > > Just a thought .... I am not sure I understand all you wrote yet. So I may ask you more later. Let me ask you this, the basic courses such as C (pascal, c++, whatever) are used to teach other things along the line. Won't changing that course be a great start? Further, if not much can be changed with time constraints, what would it "cost, for example, to teach people to check their input, or set boundaries? With references to more material. Gadi. > > Matt > > ================================== > Matt Bishop > Department of Computer Science > University of California at Davis > One Shields Ave. > Davis, CA 95616-8562 > United States of America > > phone: +1 530 752 8060 > fax: +1 530 752 4767 > web: http://seclab.cs.ucdavis.edu/~bishop > > > From Greg.Beeley at LightSys.org Tue Nov 7 18:47:44 2006 From: Greg.Beeley at LightSys.org (Greg Beeley) Date: Tue, 07 Nov 2006 15:47:44 -0800 Subject: [SC-L] Fwd: re-writing college books - erm.. ahm... In-Reply-To: References: Message-ID: <45511B20.2000501@LightSys.org> Hi all, I've been watching this discussion with interest, as I've taught a undergrad-level course a couple of times that focuses on infosec with a concentration in software security. Yes, _Secure Coding_ was one of the books we used :) A few observations from my experience so far: - Sure, we can teach "don't overflow the buffer" in lower division undergrad courses, but many students won't understand the reasons why this results in an exploitable condition, since those reasons require understanding concepts that are not normally taught until the upper division of undergrad CS. - I think we need to not only give the students the right *tools* to code securely, but also the right *mindset*. It is harder to teach the "mindset" in the earlier courses. - As for a specialized course on software security, it can be tricky working it into the undergrad CS curriculum. When I've taught this material, I could not assume (for instance) a certain degree of student knowledge about computer architecture and the way the call stack works. I had to explain that stuff just to be able to explain how a buffer overflow works, for instance. - We can teach, "be more secure, use Java/C#/etc instead of C", and that is good, but remember that these students are going out into the real workforce and will use the language(s) chosen by their employers (or already in place on an existing product line). I do believe that students still need to know how to use C/C++ responsibly. Otherwise, they may very well be ill-prepared for the real world :) - As for vocational vs. academic, I think there's a lot of room for software security in each. At the academic level, you spend more time explaining the underlying concepts. For example, teaching why having a call stack share data and program flow control constructs tends to cause trouble (when no enforcement of the bounds of data and control is performed). Vocational teaching is much more hands-on and tools oriented. At the academic level, you want your students to be able to take the knowledge and apply it in new and creative ways, not just learn a tool or a technique. - Many universities want to teach in the academic world the kind of knowledge that will give their students a definite edge when they go into private industry. If potential employers (or graduate programs, etc.) look favorably on some "software security" experience, we will probably see more of it taught and/or integrated into existing coursework. - I found Corewars to be an interesting tool for starting to exercise that "defensive coding" muscle. It gets students used to assuming that their program will be abused and misused, among other things :) Greg. ---------------------------------------------------------------- Greg Beeley, President & Co-Founder Greg.Beeley at LightSys.org LightSys Technology Services, Inc. http://www.LightSys.org/ ---------------------------------------------------------------- From sasa at pheniscidae.tvnetwork.hu Wed Nov 8 07:46:37 2006 From: sasa at pheniscidae.tvnetwork.hu (SZALAY Attila) Date: Wed, 08 Nov 2006 13:46:37 +0100 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writing college books] In-Reply-To: <5e01c29a0611060423q793a994bg337e3f9d1d1042f@mail.gmail.com> References: <00f001c700d4$67dcf870$cb00000a@escheradmin> <1162767566.2289.15.camel@sasa.home> <5e01c29a0611060423q793a994bg337e3f9d1d1042f@mail.gmail.com> Message-ID: <1162989998.5096.19.camel@localhost> Hi All! On Mon, 2006-11-06 at 23:23 +1100, mikeiscool wrote: > > Hold the phone ... What debugging problems? What _specific_ speed > issues? I'd be really surprised if your project couldn't be resolved > with java; what specific problems are you facing? What tests have you > run/consider to show that java's supposed "speed issues" will give you > trouble? If it's just xml processing I'd say efficient data structures > are what you care about, so java can help you there. 1. Debug When the program do something nasty or unwanted thing then in C I could do a lot of thing to find what happened. For example I could make the program dropping a core and analyze it at home. This needed because the program used some places where I cannot go into. And there were bugs in program which is definitely a race condition what is hard to reproduce. So it's not enough to write the steps to reproduce the bug. And I'm not sure that I can get the complete state of the program (and just the program) so I can detect where is the problem, even when the problem is in the compiler. I think it's more harder in java language. 2. Speed Yes, it's maybe an outdated information but for example if there are a java plugin in my web browser (not javascript, java, for example the terminal plugin in some management page of AMD64 servers) or the ``famous'' Hungarian social web page iWIW, which was programmed in JAVA and was slow like Hell. And in this program there are some functions, which is in the corner of usage about speed. (Sometimes in the other side :( ), So any speed degradation is a PIA. From sasa at pheniscidae.tvnetwork.hu Wed Nov 8 10:59:04 2006 From: sasa at pheniscidae.tvnetwork.hu (SZALAY Attila) Date: Wed, 08 Nov 2006 16:59:04 +0100 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writing college books] In-Reply-To: <200611061553.KAA17083@Sparkle.Rodents.Montreal.QC.CA> References: <00f001c700d4$67dcf870$cb00000a@escheradmin> <1162767566.2289.15.camel@sasa.home> <200611061553.KAA17083@Sparkle.Rodents.Montreal.QC.CA> Message-ID: <1163001544.5096.46.camel@localhost> On Mon, 2006-11-06 at 10:47 -0500, der Mouse wrote: > > Perhaps I'm missing something. Why do you have to abandon C? You > mention C++, C#, and Java, but no other languages; is there some reason > you have to use a language that tries to be object-oriented? To be object-oriented. The truth is, that it's not my own project. And there are programmers with more knowledge and ones with less. And the previous program (more than 200k lines of code) is not maintainable because the hidden link between ``objects'' and a lot of other thing. And I think, that I can more easily control the architect of the code. > Also, you have said nothing about what the tradeoffs involved are. > Since this is sc-l, I assume security is involved; what does this code > need to be secure against? This code is part of a security application. And (I think) it's not acceptable from a security application to contains security flaws. :) (And not, I'm write here not because of security tradeoffs but because there were the thread that nobody should use C++. (Because there are C# and Java) and I were a little bit frightened that I chose wrong. (There were other candidates and C# and Java was in, but we chose C++ instead of this. And if this choices are equivalent in every other aspects, then I want to choose the safest one. So because of this I asked that C++ is really could be abandoned (for me) or not.) From michaelslists at gmail.com Wed Nov 8 18:20:03 2006 From: michaelslists at gmail.com (mikeiscool) Date: Thu, 9 Nov 2006 10:20:03 +1100 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writing college books] In-Reply-To: <1162989998.5096.19.camel@localhost> References: <00f001c700d4$67dcf870$cb00000a@escheradmin> <1162767566.2289.15.camel@sasa.home> <5e01c29a0611060423q793a994bg337e3f9d1d1042f@mail.gmail.com> <1162989998.5096.19.camel@localhost> Message-ID: <5e01c29a0611081520j4f62e34fs11d0c7c2e435be6d@mail.gmail.com> On 11/8/06, SZALAY Attila wrote: > Hi All! > > On Mon, 2006-11-06 at 23:23 +1100, mikeiscool wrote: > > > > Hold the phone ... What debugging problems? What _specific_ speed > > issues? I'd be really surprised if your project couldn't be resolved > > with java; what specific problems are you facing? What tests have you > > run/consider to show that java's supposed "speed issues" will give you > > trouble? If it's just xml processing I'd say efficient data structures > > are what you care about, so java can help you there. > > 1. Debug > > When the program do something nasty or unwanted thing then in C I could > do a lot of thing to find what happened. > > For example I could make the program dropping a core and analyze it at > home. This needed because the program used some places where I cannot go > into. And there were bugs in program which is definitely a race > condition what is hard to reproduce. So it's not enough to write the > steps to reproduce the bug. > > And I'm not sure that I can get the complete state of the program (and > just the program) so I can detect where is the problem, even when the > problem is in the compiler. I think it's more harder in java language. You can definately get appropriate information via the stack trace with java's exception handling. It's strange to see you say debugging is _eaiser_ in c, typically people find it far easier in a managed language :) > 2. Speed > > Yes, it's maybe an outdated information but for example if there are a > java plugin in my web browser (not javascript, java, for example the > terminal plugin in some management page of AMD64 servers) or the > ``famous'' Hungarian social web page iWIW, which was programmed in JAVA > and was slow like Hell. That's a java applet; please don't judge Java the language based on applets; they are a really bad representation. Serverside java will be very effective and useful; what sort of client are you writing? Is it a website or a desktop app? Even if it's a desktop app, perhaps look to azureus to see a good, well running app written in java for the desktop. There are others. -- mic From sasa at pheniscidae.tvnetwork.hu Thu Nov 9 06:20:00 2006 From: sasa at pheniscidae.tvnetwork.hu (SZALAY Attila) Date: Thu, 09 Nov 2006 12:20:00 +0100 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writing college books] In-Reply-To: <5e01c29a0611081520j4f62e34fs11d0c7c2e435be6d@mail.gmail.com> References: <00f001c700d4$67dcf870$cb00000a@escheradmin> <1162767566.2289.15.camel@sasa.home> <5e01c29a0611060423q793a994bg337e3f9d1d1042f@mail.gmail.com> <1162989998.5096.19.camel@localhost> <5e01c29a0611081520j4f62e34fs11d0c7c2e435be6d@mail.gmail.com> Message-ID: <1163071200.5136.22.camel@localhost> Hi All, On Thu, 2006-11-09 at 10:20 +1100, mikeiscool wrote: > > You can definately get appropriate information via the stack trace > with java's exception handling. It's strange to see you say debugging > is _eaiser_ in c, typically people find it far easier in a managed > language :) People are different. :)) I personally want to know what happens and I don't believe anything waht I can't see. In C I can see the assembly code what (I hope) is a deterministic thing. An interpreter is to big (to me) to think about it as a deterministic thing. And yes, with ``normal'' bugs a managed language could give me more possibility to find the place of the problem. But I want to hope, that we don't commit normal bugs. :) And with mysterious bugs, when you cannot reproduce it in a test system, just the costumer some hundred miles away, I think that the stability of the compiled code (and the core file what may created) is give more more chance to find the right place. > That's a java applet; please don't judge Java the language based on > applets; they are a really bad representation. Serverside java will be > very effective and useful; what sort of client are you writing? Is it > a website or a desktop app? Even if it's a desktop app, perhaps look > to azureus to see a good, well running app written in java for the > desktop. There are others. This is a desktop application in a client-server model. I will look after azureus. From ljknews at mac.com Thu Nov 9 08:47:52 2006 From: ljknews at mac.com (ljknews) Date: Thu, 9 Nov 2006 08:47:52 -0500 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writing college books] In-Reply-To: <1163071200.5136.22.camel@localhost> References: <00f001c700d4$67dcf870$cb00000a@escheradmin> <1162767566.2289.15.camel@sasa.home> <5e01c29a0611060423q793a994bg337e3f9d1d1042f@mail.gmail.com> <1162989998.5096.19.camel@localhost> <5e01c29a0611081520j4f62e34fs11d0c7c2e435be6d@mail.gmail.com> <1163071200.5136.22.camel@localhost> Message-ID: At 12:20 PM +0100 11/9/06, SZALAY Attila wrote: > And with mysterious bugs, when you cannot reproduce it in a test system, > just the costumer some hundred miles away, I think that the stability of > the compiled code (and the core file what may created) is give more more > chance to find the right place. I think you are mixing the issue of Java vs. C* with the issue of interpreters vs compiled languages. I heard a talk by the Sun Vice President of Technology (or some such) some years ago extolling the virtues of Java. He emphasized that he was talking about the _language_ not the bytecode interpreter. Sun felt (at the time) they got much better results with Java compiled to machine code that with C* compiled to machine code. Personally I don't care for any C*-style languages (including Java) or byte-code-intepretation of languages I _do_ like, but I think it is important that the discussion points separate the byte-code-engine issues from those of the language itself. -- Larry Kilgallen From sasa at pheniscidae.tvnetwork.hu Thu Nov 9 10:18:27 2006 From: sasa at pheniscidae.tvnetwork.hu (SZALAY Attila) Date: Thu, 09 Nov 2006 16:18:27 +0100 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writing college books] In-Reply-To: References: <00f001c700d4$67dcf870$cb00000a@escheradmin> <1162767566.2289.15.camel@sasa.home> <5e01c29a0611060423q793a994bg337e3f9d1d1042f@mail.gmail.com> <1162989998.5096.19.camel@localhost> <5e01c29a0611081520j4f62e34fs11d0c7c2e435be6d@mail.gmail.com> <1163071200.5136.22.camel@localhost> Message-ID: <1163085507.5136.36.camel@localhost> Hi Al, On Thu, 2006-11-09 at 08:47 -0500, ljknews wrote: > > I think you are mixing the issue of Java vs. C* with the issue of > interpreters vs compiled languages. Yes, you are totally right. Sorry. But I have not seen java or c# compiler. From ljknews at mac.com Thu Nov 9 10:18:49 2006 From: ljknews at mac.com (ljknews) Date: Thu, 9 Nov 2006 10:18:49 -0500 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writing college books] In-Reply-To: <1163085507.5136.36.camel@localhost> References: <00f001c700d4$67dcf870$cb00000a@escheradmin> <1162767566.2289.15.camel@sasa.home> <5e01c29a0611060423q793a994bg337e3f9d1d1042f@mail.gmail.com> <1162989998.5096.19.camel@localhost> <5e01c29a0611081520j4f62e34fs11d0c7c2e435be6d@mail.gmail.com> <1163071200.5136.22.camel@localhost> <1163085507.5136.36.camel@localhost> Message-ID: At 4:18 PM +0100 11/9/06, SZALAY Attila wrote: > Hi Al, > > On Thu, 2006-11-09 at 08:47 -0500, ljknews wrote: >> >> I think you are mixing the issue of Java vs. C* with the issue of >> interpreters vs compiled languages. > > Yes, you are totally right. Sorry. > > But I have not seen java or c# compiler. That will depend on what machine your use - I gather Sun has a Java compiler at least for internal use. But it is important to keep the issues distinct so that when such a compiler does come along you can know the reason for your prior decision. I know that for one of the non-C languages I use there is a bytecode version available, but I have no interest in that due to some of the issues you have mentioned (and others). -- Larry Kilgallen From ge at linuxbox.org Thu Nov 9 11:57:14 2006 From: ge at linuxbox.org (Gadi Evron) Date: Thu, 9 Nov 2006 10:57:14 -0600 (CST) Subject: [SC-L] it's Y2K, no, it's 32 bit unix time, no, it's slashdot! Message-ID: [X-posted to the funsec mailing list] http://slashdot.org/articles/06/11/09/1534204.shtml "2^24 comments ought to be enough for anyone" -- CmdrTaco Slashdot Posting Bug Infuriates Haggard Admins Posted by CmdrTaco on Thursday November 09, @10:45AM from the this-is-never-good dept. Slashdot.org Last night we crossed over 16,777,216 comments in the database. The wise amongst you might note that this number is 2^24, or in MySQLese an unsigned mediumint. Unfortunately, like 5 years ago we changed our primary keys in the comment table to unsigned int (32 bits, or 4.1 billion) but neglected to change the index that handles parents. We're awesome! Fixing is a simple ALTER TABLE statement... but on a table that is 16 million rows long, our system will take 3+ hours to do it, during which time there can be no posting. So today, we're disabling threading and will enable it again later tonight. Sorry for the inconvenience. We shall flog ourselves appropriately. From crispin at novell.com Thu Nov 9 17:48:39 2006 From: crispin at novell.com (Crispin Cowan) Date: Thu, 09 Nov 2006 14:48:39 -0800 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writing college books] In-Reply-To: References: <00f001c700d4$67dcf870$cb00000a@escheradmin> <1162767566.2289.15.camel@sasa.home> <5e01c29a0611060423q793a994bg337e3f9d1d1042f@mail.gmail.com> <1162989998.5096.19.camel@localhost> <5e01c29a0611081520j4f62e34fs11d0c7c2e435be6d@mail.gmail.com> <1163071200.5136.22.camel@localhost> <1163085507.5136.36.camel@localhost> Message-ID: <4553B047.403@novell.com> ljknews wrote: > At 4:18 PM +0100 11/9/06, SZALAY Attila wrote: > >> Hi Al, >> >> On Thu, 2006-11-09 at 08:47 -0500, ljknews wrote: >> >>> I think you are mixing the issue of Java vs. C* with the issue of >>> interpreters vs compiled languages. >>> I agree with LJ: language issues aside, I detest bytecode interpreters. Prior to Java, resorting to compiling to byte code (e.g. P-code back in the Pascal days) was considered a lame kludge because the language developers couldn't be bothered to write a real compiler. The innovation of Java was to describe this as a feature instead of a bug :) >> Yes, you are totally right. Sorry. >> >> But I have not seen java or c# compiler. >> For Java, look at JGC . "It can compile Java source code to Java bytecode (class files) or directly to native machine code, and Java bytecode to native machine code." For C#, the Mono compiler says that it has "an advanced native optimizing compiler is available for x86, SPARC, s390 and PowerPC available in both an ahead-of-time (AOT) compilation mode to reduce startup time and take advantage of all available optimizations and a Just-in-Time (JIT) compilation mode." However, having native code generation is different from having good support in GDB for you generated code :) Without GDB support, the debugger will treat your binaries like they were written in hand assembly, and not be able to relate core dumps to high level constructs like variables and lines of source code. Current status: * For Java: From the JGC FAQ , "gdb 5.0 includes support for debugging gcj-compiled Java programs. For more information please read Java Debugging with gdb ." * For C#: There is a Mono Debugger , but it is not complete. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com Hack: adroit engineering solution to an unanticipated problem Hacker: one who is adroit at pounding round pegs into square holes From michaelslists at gmail.com Thu Nov 9 18:53:02 2006 From: michaelslists at gmail.com (mikeiscool) Date: Fri, 10 Nov 2006 10:53:02 +1100 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writing college books] In-Reply-To: <1163071200.5136.22.camel@localhost> References: <00f001c700d4$67dcf870$cb00000a@escheradmin> <1162767566.2289.15.camel@sasa.home> <5e01c29a0611060423q793a994bg337e3f9d1d1042f@mail.gmail.com> <1162989998.5096.19.camel@localhost> <5e01c29a0611081520j4f62e34fs11d0c7c2e435be6d@mail.gmail.com> <1163071200.5136.22.camel@localhost> Message-ID: <5e01c29a0611091553w74a5d3b7gdbbe71aa22737cc9@mail.gmail.com> On 11/9/06, SZALAY Attila wrote: > Hi All, > > On Thu, 2006-11-09 at 10:20 +1100, mikeiscool wrote: > > > > You can definately get appropriate information via the stack trace > > with java's exception handling. It's strange to see you say debugging > > is _eaiser_ in c, typically people find it far easier in a managed > > language :) > > People are different. :)) > > I personally want to know what happens and I don't believe anything waht > I can't see. In C I can see the assembly code what (I hope) is a > deterministic thing. An interpreter is to big (to me) to think about it > as a deterministic thing. And yes, with ``normal'' bugs a managed > language could give me more possibility to find the place of the > problem. But I want to hope, that we don't commit normal bugs. :) So basically you are expecting the only thing to go wrong on your program is to be bugs in the VM? Be it java or c#? I find that really strange. Sure, there have been bugs in the JVM/C# VM but just the same there have been bugs in windows that will affect your c programs. I really don't see that being a feasible/likely enough scenario to not use one of these languages. > And with mysterious bugs, when you cannot reproduce it in a test system, > just the costumer some hundred miles away, I think that the stability of > the compiled code (and the core file what may created) is give more more > chance to find the right place. Right exactly, and the fact that you have a stable VM instead of a strange-patched-level of windows/linux os gives you a stable platform. -- mic From Ken at krvw.com Fri Nov 10 15:31:59 2006 From: Ken at krvw.com (Kenneth Van Wyk) Date: Fri, 10 Nov 2006 15:31:59 -0500 Subject: [SC-L] Top 10 Ajax Security Holes and Driving Factors Message-ID: <9FA109D2-408E-44AC-8359-CD916E1D674E@krvw.com> FYI, a friend forwarded me a link to this interesting article by Shreeraj Shah on Ajax holes, http://www.net-security.org/article.php? id=956 Since much has been written here on SC-L about relatively safe programming languages recently, I thought it might be interesting to look at the other end of the spectrum. ;-) Yes, I know Ajax is wildly popular these days. 10,000 lemmings can't be wrong, certainly! Cheers, Ken ----- Kenneth R. van Wyk Moderator, SC-L KRvW Associates, LLC http://www.KRvW.com -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 186 bytes Desc: This is a digitally signed message part Url : http://krvw.com/pipermail/sc-l/attachments/20061110/d46f8c57/attachment.bin From leichter_jerrold at emc.com Fri Nov 10 18:12:54 2006 From: leichter_jerrold at emc.com (Leichter, Jerry) Date: Fri, 10 Nov 2006 18:12:54 -0500 (EST) Subject: [SC-L] Top 10 Ajax Security Holes and Driving Factors In-Reply-To: <9FA109D2-408E-44AC-8359-CD916E1D674E@krvw.com> References: <9FA109D2-408E-44AC-8359-CD916E1D674E@krvw.com> Message-ID: | FYI, a friend forwarded me a link to this interesting article by | Shreeraj Shah on Ajax holes, | http://www.net-security.org/article.php?id=956 | | Since much has been written here on SC-L about relatively safe | programming languages recently, I thought it might be interesting to | look at the other end of the spectrum. ;-) Yes, I know Ajax is wildly | popular these days. 10,000 lemmings can't be wrong, certainly! The problem isn't "safe" vs. "unsafe" languages, as such. That confuses levels of abstraction. Not so many years ago, we defined "safe" as "can't affect what other people are doing on the machine". Hardware isolation of process memory spaces solved that - at least once OS's began using it. (There are still Windows 98 boxes out there...) That was safety at the machine code level: You could assume that your piece of machine code would correctly implement the semantics given in the manuals, even though others were running their own (possibly malicious) machine code on the same machine. Safe languages take the same notion up to the next higher level of abstraction: You can assume that your piece of source language text will, when compiled and run, implement the semantics given in the manuals, even in the presence of malicious code within your own program. The problem is that these are no longer very good safety properties. The first is simply not strong enough: It's fine for an isolated program, but simply irrelevant when multiple programs share access to files, network connections, and so on. Other programs may not be able to stomp on your memory, but when you can no longer trust your own code as it comes of the disk because some virus got into it, you're out of luck. The second of these closes many loopholes, but the world is no longer bounded by your machine: It's the whole Internet. A look at bug lists shows that three kinds of problems represent most of the reported issues (though they may not be the most important by measures other than simple issue counts): Ability to access files outside of a supposedly bounded area; SQL injection; cross-site scripting. What do these have in common? In all cases, the cause of the bug is that the programmer is dealing with strings as the fundamental datatype. He misses ways to encode "../" because of various games, or he misses ways to "escape" from the quoting that's supposed to isolate code from data. The accesses to the strings themselves are completely safe. The problem is, these are not just strings: These are complex objects with very complex implicit semantics. They are being programmed in machine language - not even assembler. If you move up a level of abstraction and realize that today, the issue isn't how to write a code to manipulate strings in the memory of one machine, it's how to write a distributed program that runs across a bunch of machines loosely coupled to each other on the Internet, you'll see that you need an entirely different notion of a "safety property". In some cases, the right primitives are completely clear. The "incorrect file path sanitization issue" was solved 30 years ago on a variety of DEC OS's, which provided functions to pick apart and reconstruct file specifications. You almost never dealt with a file spec as a string - oh, you kept it around as a string, but you never did string operations on it. To do this, file specs on DEC OS's had a specified syntax, from which the full semantics could be read. We lost this with the Unix vision file specs should be uniform - just a list of elements with no internal structure, separated by slashes. Because of this simplification, there was no need to provide library routines to manipulate the things - the basic string routines would do just fine. This became such an article of faith among programmers that newer languages - which often have much more powerful string manipulation primitives - saw no reason not to let programmers keep treating file specs as strings. And so the holes continue to be programmed in. (BTW, in the product I work on, we defined a single function that ... picks apart and glues back together file specifications. Programmers are specifically told *not* to try to manipulate specs as strings - they should use the provided function. Now, we only have to get it right once. (Of course, if we get it wrong, *all* of our code is exposed. But that's a tradeoff - I'd much rather audit one reasonably small function that who knows how many lines of code scattered here and there.) In other cases, the general form of a solution is clear, but no one has gotten the details right. SQL injection is a non-issue if you build statements with SQL parameters. But that's a pain to write, because the abstractions are so poor. It's so much easier to just generate the SQL query by pasting strings together - and in scripting languages, so proud of their ability to express string substitutions elegantly, it's often the only tool you have. If we're going to program the meta-computer that is the Web, we need appropriate abstractions, and appropriate safe ways to express them. But we're so far behind the curve that we are *still* arguing about yesterday's solved problems, safety down at the individual program level. -- Jerry From dcrocker at eschertech.com Sat Nov 11 09:50:58 2006 From: dcrocker at eschertech.com (David Crocker) Date: Sat, 11 Nov 2006 14:50:58 -0000 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writingcollege books] In-Reply-To: <1163071200.5136.22.camel@localhost> Message-ID: <046401c705a0$ccf84f40$cb00000a@escheradmin> Hi Attila, I wouldn't worry about not being able to see the assembly code while debugging. In practice, there is less need for debugging Java or C# code than with C++. For example, in C++, out-of-bounds array writes and incorrect type conversions can give rise to bugs that are hard to find, because the effect may be felt some time after the cause (e.g. the out-of-bounds array write corrupts some data). In Java or C#, the runtime system catches this sort of bug immediately. My company uses a code generator that can generate either C++ or Java. Although the production version of the products we ship are built using C++ code, for development and initial testing we generally use the Java code because bugs are caught much earlier. The performance improvement you can get from using C++ rather than Java or C# is significant only if the program uses really huge amounts of CPU time, in which case you might be able to make a case that the hardware cost saving outweighs the higher cost and time to develop in C++ rather than Java or C#. Otherwise, for application-level programming, Java or C# would generally be a more productive choice. Regards David Crocker, Escher Technologies Ltd. Consultancy, contracting and tools for dependable software development www.eschertech.com -----Original Message----- From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of SZALAY Attila Sent: 09 November 2006 11:20 To: fake at mailinator.com Cc: Secure Coding Subject: Re: [SC-L] Could I use Java or c#? [was: Re: re-writingcollege books] Hi All, On Thu, 2006-11-09 at 10:20 +1100, mikeiscool wrote: > > You can definately get appropriate information via the stack trace > with java's exception handling. It's strange to see you say debugging > is _eaiser_ in c, typically people find it far easier in a managed > language :) People are different. :)) I personally want to know what happens and I don't believe anything waht I can't see. In C I can see the assembly code what (I hope) is a deterministic thing. An interpreter is to big (to me) to think about it as a deterministic thing. And yes, with ``normal'' bugs a managed language could give me more possibility to find the place of the problem. But I want to hope, that we don't commit normal bugs. :) And with mysterious bugs, when you cannot reproduce it in a test system, just the costumer some hundred miles away, I think that the stability of the compiled code (and the core file what may created) is give more more chance to find the right place. > That's a java applet; please don't judge Java the language based on > applets; they are a really bad representation. Serverside java will be > very effective and useful; what sort of client are you writing? Is it > a website or a desktop app? Even if it's a desktop app, perhaps look > to azureus to see a good, well running app written in java for the > desktop. There are others. This is a desktop application in a client-server model. I will look after azureus. _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php From al.eridani at gmail.com Sat Nov 11 19:39:39 2006 From: al.eridani at gmail.com (Al Eridani) Date: Sat, 11 Nov 2006 16:39:39 -0800 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writing college books] In-Reply-To: <4553B047.403@novell.com> References: <00f001c700d4$67dcf870$cb00000a@escheradmin> <1162767566.2289.15.camel@sasa.home> <5e01c29a0611060423q793a994bg337e3f9d1d1042f@mail.gmail.com> <1162989998.5096.19.camel@localhost> <5e01c29a0611081520j4f62e34fs11d0c7c2e435be6d@mail.gmail.com> <1163071200.5136.22.camel@localhost> <1163085507.5136.36.camel@localhost> <4553B047.403@novell.com> Message-ID: On 11/9/06, Crispin Cowan wrote: > Prior to Java, resorting to compiling to byte code (e.g. P-code back in > the Pascal days) was considered a lame kludge because the language > developers couldn't be bothered to write a real compiler. "Post-Java, resorting to compiling to machine code is considered a lame kludge because the language developers cannot be bothered to write a real optimizer." From rcs at cert.org Sun Nov 12 13:15:08 2006 From: rcs at cert.org (Robert C. Seacord) Date: Sun, 12 Nov 2006 13:15:08 -0500 Subject: [SC-L] Integral Security article/library In-Reply-To: References: <00f001c700d4$67dcf870$cb00000a@escheradmin> <1162767566.2289.15.camel@sasa.home> <5e01c29a0611060423q793a994bg337e3f9d1d1042f@mail.gmail.com> <1162989998.5096.19.camel@localhost> <5e01c29a0611081520j4f62e34fs11d0c7c2e435be6d@mail.gmail.com> <1163071200.5136.22.camel@localhost> <1163085507.5136.36.camel@localhost> <4553B047.403@novell.com> Message-ID: <455764AC.6090107@cert.org> I forgot to post notice to this list about an article published by Dr. Dobb's Journal on November 3rd that I wrote. It is available on-line at http://www.ddj.com/dept/security/193501774. If you attempt to download the secure integer library that we developed at CERT (http://www.cert.org/secure-coding/IntegerLib.zip), please use Mozilla for the download. There are reports that downloading with IE causes the file to be corrupted, for reasons I don't currently understand. rCs From crispin at novell.com Sun Nov 12 14:10:06 2006 From: crispin at novell.com (Crispin Cowan) Date: Sun, 12 Nov 2006 11:10:06 -0800 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writing college books] In-Reply-To: References: <00f001c700d4$67dcf870$cb00000a@escheradmin> <1162767566.2289.15.camel@sasa.home> <5e01c29a0611060423q793a994bg337e3f9d1d1042f@mail.gmail.com> <1162989998.5096.19.camel@localhost> <5e01c29a0611081520j4f62e34fs11d0c7c2e435be6d@mail.gmail.com> <1163071200.5136.22.camel@localhost> <1163085507.5136.36.camel@localhost> <4553B047.403@novell.com> Message-ID: <4557718E.8080309@novell.com> Al Eridani wrote: > On 11/9/06, Crispin Cowan wrote: > >> Prior to Java, resorting to compiling to byte code (e.g. P-code back in >> the Pascal days) was considered a lame kludge because the language >> developers couldn't be bothered to write a real compiler. >> > "Post-Java, resorting to compiling to machine code is considered a lame > kludge because the language developers cannot be bothered to write a > real optimizer." > I don't see what a bytecode intermediate stage has to do with "real optimizer". Very sophisticated optimizers have existed for native code generators for a very long time. Bytecode interpreter performance blows goats, so I'm going to assume you are referring to JIT. The first order effect of JIT is slow startup time, but that's not an advantage either. So you must be claiming that dynamic profiling (using runtime behavior to optimize code) is a major advantage. It had better be, because the time constraints of doing your optimization at JIT time restrict the amount of optimization you can do vs. with a native code generator that gets to run off-line for as long as it needs to. But yes, dynamic profiling can be an advantage. However, its use is not restricted to bytecode systems. VMware, the Transmeta CPU, and DEC's FX86 (virtual machine emulation to run x86 code on Alpha CPUs) use dynamic translation to optimize performance. It works, in that those systems all do gain performance from dynamic profiling, but note also the reputation that they all have for speed: poor. And then there's "write once, run anywhere." Yeah ... right. I've run Java applets, and Javascript applets, and the latter are vastly superior for performance, and worse, all too often the Java applets are not "run anywhere", they only run on very specific JVM implementations. There's the nice property that bytecode can be type safe. I really like that. But the bytecode checker is slow; do people really run it habitually? More important; is type safety a valuable property for *untrusted code* that you are going to have to sandbox anyway? So I give up; what is it that's so great about bytecode? It looks a *lot* like the Emperor is not wearing clothes to me. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com Hack: adroit engineering solution to an unanticipated problem Hacker: one who is adroit at pounding round pegs into square holes From michaelslists at gmail.com Sun Nov 12 20:07:42 2006 From: michaelslists at gmail.com (mikeiscool) Date: Mon, 13 Nov 2006 12:07:42 +1100 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writing college books] In-Reply-To: <4557718E.8080309@novell.com> References: <00f001c700d4$67dcf870$cb00000a@escheradmin> <1162989998.5096.19.camel@localhost> <5e01c29a0611081520j4f62e34fs11d0c7c2e435be6d@mail.gmail.com> <1163071200.5136.22.camel@localhost> <1163085507.5136.36.camel@localhost> <4553B047.403@novell.com> <4557718E.8080309@novell.com> Message-ID: <5e01c29a0611121707t72aab150s9f0f6fc57cf08f9f@mail.gmail.com> > And then there's "write once, run anywhere." Yeah ... right. I've run > Java applets, and Javascript applets, and the latter are vastly superior > for performance, and worse, all too often the Java applets are not "run > anywhere", they only run on very specific JVM implementations. You really can't judge java based on java applets; they are a really poor front, for reasons I assume you are aware. > There's the nice property that bytecode can be type safe. I really like > that. But the bytecode checker is slow; do people really run it > habitually? More important; is type safety a valuable property for > *untrusted code* that you are going to have to sandbox anyway? I believe major application servers run with -verify, which is appropriate and useful for them. > So I give up; what is it that's so great about bytecode? It looks a > *lot* like the Emperor is not wearing clothes to me. I think you just want to see him that way ;) > Crispin -- mic From everhart at gce.com Sun Nov 12 21:54:32 2006 From: everhart at gce.com (Glenn and Mary Everhart) Date: Sun, 12 Nov 2006 21:54:32 -0500 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writing college books] In-Reply-To: <4557718E.8080309@novell.com> References: <00f001c700d4$67dcf870$cb00000a@escheradmin> <1162767566.2289.15.camel@sasa.home> <5e01c29a0611060423q793a994bg337e3f9d1d1042f@mail.gmail.com> <1162989998.5096.19.camel@localhost> <5e01c29a0611081520j4f62e34fs11d0c7c2e435be6d@mail.gmail.com> <1163071200.5136.22.camel@localhost> <1163085507.5136.36.camel@localhost> <4553B047.403@novell.com> <4557718E.8080309@novell.com> Message-ID: <4557DE68.9030408@gce.com> Crispin Cowan wrote: > Al Eridani wrote: >> On 11/9/06, Crispin Cowan wrote: >> >>> Prior to Java, resorting to compiling to byte code (e.g. P-code back in >>> the Pascal days) was considered a lame kludge because the language >>> developers couldn't be bothered to write a real compiler. >>> >> "Post-Java, resorting to compiling to machine code is considered a lame >> kludge because the language developers cannot be bothered to write a >> real optimizer." >> > I don't see what a bytecode intermediate stage has to do with "real > optimizer". Very sophisticated optimizers have existed for native code > generators for a very long time. > > Bytecode interpreter performance blows goats, so I'm going to assume you > are referring to JIT. The first order effect of JIT is slow startup > time, but that's not an advantage either. So you must be claiming that > dynamic profiling (using runtime behavior to optimize code) is a major > advantage. It had better be, because the time constraints of doing your > optimization at JIT time restrict the amount of optimization you can do > vs. with a native code generator that gets to run off-line for as long > as it needs to. > > But yes, dynamic profiling can be an advantage. However, its use is not > restricted to bytecode systems. VMware, the Transmeta CPU, and DEC's > FX86 (virtual machine emulation to run x86 code on Alpha CPUs) use > dynamic translation to optimize performance. It works, in that those > systems all do gain performance from dynamic profiling, but note also > the reputation that they all have for speed: poor. > > And then there's "write once, run anywhere." Yeah ... right. I've run > Java applets, and Javascript applets, and the latter are vastly superior > for performance, and worse, all too often the Java applets are not "run > anywhere", they only run on very specific JVM implementations. > > There's the nice property that bytecode can be type safe. I really like > that. But the bytecode checker is slow; do people really run it > habitually? More important; is type safety a valuable property for > *untrusted code* that you are going to have to sandbox anyway? > > So I give up; what is it that's so great about bytecode? It looks a > *lot* like the Emperor is not wearing clothes to me. > > Crispin > Considering that on VMS, due to the use everywhere of a single calling standard and a linker that can understand things, you can link any language with any other language and get things to run. A single app with some pieces in Fortran, C, Pascal, BASIC, and assembly language, all in one program, is perfectly feasible. I have worked with such. Everything's compiled, everything compiles to optimised machine code, and there is no interpreter needed. So why does anyone consider that multilingual development requires some kind of interpretive runtime? The old P-system was current a LONG time ago now, always did have speed problems (and took down some pretty decent apps with that ship in its day because they couldn't run as fast as native code ones). If there is some construct that NEEDS to be interpreted to gain something, it can be justified on that basis. Using interpretive runtimes just to link languages, or just to achieve portability when source code portability runs pretty well thanks, seems wasteful to me. Anybody know why .net uses a runtime of the sort it does? Glenn Everhart From michaelslists at gmail.com Mon Nov 13 06:31:50 2006 From: michaelslists at gmail.com (mikeiscool) Date: Mon, 13 Nov 2006 22:31:50 +1100 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writing college books] In-Reply-To: <4557DE68.9030408@gce.com> References: <00f001c700d4$67dcf870$cb00000a@escheradmin> <5e01c29a0611081520j4f62e34fs11d0c7c2e435be6d@mail.gmail.com> <1163071200.5136.22.camel@localhost> <1163085507.5136.36.camel@localhost> <4553B047.403@novell.com> <4557718E.8080309@novell.com> <4557DE68.9030408@gce.com> Message-ID: <5e01c29a0611130331n56f00542me53ab14e62424f69@mail.gmail.com> On 11/13/06, Glenn and Mary Everhart wrote: > Crispin Cowan wrote: > > Al Eridani wrote: > >> On 11/9/06, Crispin Cowan wrote: > >> > >>> Prior to Java, resorting to compiling to byte code (e.g. P-code back in > >>> the Pascal days) was considered a lame kludge because the language > >>> developers couldn't be bothered to write a real compiler. > >>> > >> "Post-Java, resorting to compiling to machine code is considered a lame > >> kludge because the language developers cannot be bothered to write a > >> real optimizer." > >> > > I don't see what a bytecode intermediate stage has to do with "real > > optimizer". Very sophisticated optimizers have existed for native code > > generators for a very long time. > > > > Bytecode interpreter performance blows goats, so I'm going to assume you > > are referring to JIT. The first order effect of JIT is slow startup > > time, but that's not an advantage either. So you must be claiming that > > dynamic profiling (using runtime behavior to optimize code) is a major > > advantage. It had better be, because the time constraints of doing your > > optimization at JIT time restrict the amount of optimization you can do > > vs. with a native code generator that gets to run off-line for as long > > as it needs to. > > > > But yes, dynamic profiling can be an advantage. However, its use is not > > restricted to bytecode systems. VMware, the Transmeta CPU, and DEC's > > FX86 (virtual machine emulation to run x86 code on Alpha CPUs) use > > dynamic translation to optimize performance. It works, in that those > > systems all do gain performance from dynamic profiling, but note also > > the reputation that they all have for speed: poor. > > > > And then there's "write once, run anywhere." Yeah ... right. I've run > > Java applets, and Javascript applets, and the latter are vastly superior > > for performance, and worse, all too often the Java applets are not "run > > anywhere", they only run on very specific JVM implementations. > > > > There's the nice property that bytecode can be type safe. I really like > > that. But the bytecode checker is slow; do people really run it > > habitually? More important; is type safety a valuable property for > > *untrusted code* that you are going to have to sandbox anyway? > > > > So I give up; what is it that's so great about bytecode? It looks a > > *lot* like the Emperor is not wearing clothes to me. > > > > Crispin > > > Considering that on VMS, due to the use everywhere of a single calling > standard and a linker that can understand things, you can link any language > with any other language and get things to run. A single app with some pieces > in Fortran, C, Pascal, BASIC, and assembly language, all in one program, is > perfectly feasible. I have worked with such. Everything's compiled, everything > compiles to optimised machine code, and there is no interpreter needed. > > So why does anyone consider that multilingual development requires some kind > of interpretive runtime? The old P-system was current a LONG time ago now, > always did have speed problems (and took down some pretty decent apps with that > ship in its day because they couldn't run as fast as native code ones). > > If there is some construct that NEEDS to be interpreted to gain something, it > can be justified on that basis. Using interpretive runtimes just to link > languages, or just to achieve portability when source code portability runs > pretty well thanks, seems wasteful to me. You think source code portability is good enough such that runtime portability isn't really needed? > Anybody know why .net uses a runtime of the sort it does? Because .net is microsofts clone of Java, so they copied everything. > Glenn Everhart -- mic From ljknews at mac.com Mon Nov 13 08:54:13 2006 From: ljknews at mac.com (ljknews) Date: Mon, 13 Nov 2006 08:54:13 -0500 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writing college books] In-Reply-To: <5e01c29a0611130331n56f00542me53ab14e62424f69@mail.gmail.com> References: <00f001c700d4$67dcf870$cb00000a@escheradmin> <5e01c29a0611081520j4f62e34fs11d0c7c2e435be6d@mail.gmail.com> <1163071200.5136.22.camel@localhost> <1163085507.5136.36.camel@localhost> <4553B047.403@novell.com> <4557718E.8080309@novell.com> <4557DE68.9030408@gce.com> <5e01c29a0611130331n56f00542me53ab14e62424f69@mail.gmail.com> Message-ID: At 10:31 PM +1100 11/13/06, mikeiscool wrote: > On 11/13/06, Glenn and Mary Everhart wrote: >> If there is some construct that NEEDS to be interpreted to gain something, it >> can be justified on that basis. Using interpretive runtimes just to link >> languages, or just to achieve portability when source code portability runs >> pretty well thanks, seems wasteful to me. > > You think source code portability is good enough such that runtime > portability isn't really needed? Anything beyond source code portability tempts the customer into use on a platform where the developer has not tested. -- Larry Kilgallen From dwheeler at ida.org Mon Nov 13 10:54:43 2006 From: dwheeler at ida.org (David A. Wheeler) Date: Mon, 13 Nov 2006 10:54:43 -0500 Subject: [SC-L] p-code was created for PLATFORM PORTABILITY References: Message-ID: <45589543.6060905@ida.org> On 11/9/06, Crispin Cowan wrote: >>Prior to Java, resorting to compiling to byte code (e.g. P-code back in >>the Pascal days) was considered a lame kludge because the language >>developers couldn't be bothered to write a real compiler. I believe that is completely and totally false. If you want to claim p-code itself was lame, fine. But let's keep the history accurate. The UCSD p-system was created in the late 1970's SPECIFICALLY for PORTABILITY of executable code: You could ship p-code to any machine, and it would run. It was the 70s/80s way of getting "Write once, run anywhere". It was sold that way, too; I remember ads pressing hard the notion that you could compile your code once, and it'd run on many different systems. At the time there LOTS of different and incompatible programming platforms: Think 8080, Z80, 6502, 6800, DEC PDP-11, etc. It had NOTHING to do with not being willing to write a "real" compiler; the effort spent to create the Pascal compiler (for example) probably far exceeded the effort spent to implement the competing BASIC interpreters of the day. Sure, you could achieve the same result as bytecode by shipping source code for a portable language, and then have every machine recompile it. But: * Many 8-bit computers of the time could RUN programs that would take dozens of hours to recompile from scratch, with constant disk-flipping to get different programs. Users couldn't be expected to go through the agony of compiling just to run a program. The Apple ][, a common UCSD platform, often had 64KiB RAM and 1MHz clock rate (with many instructions taking 2-3 cycles), with 140K floppies. * Many compiler developers wanted to sell compilers separately, not give them away. They were willing to give away the runtime, though. * People could redevelop JUST the runtime - not a new compiler - and run programs. That made it MUCH easier to support new platforms. * Many developers did not want to release source code to users. More info: * http://en.wikipedia.org/wiki/UCSD_p-System * http://www.threedee.com/jcm/psystem/index.html There's nothing wrong with the bytecode concept, e.g., Java class files or .NET's equivalent. If you want easy portability of executables, it's STILL a reasonable approach. "Real" compilers tend to work the same way anyway; they often have a front-end that generates one or more intermediate forms that are easily viewed as a bytecode format, and then compile the intermediate form(s) into a final form. Whether or not having a standalone intermediate form is useful depends on your goals. --- David A. Wheeler From bugtraq at cgisecurity.net Mon Nov 13 13:22:30 2006 From: bugtraq at cgisecurity.net (bugtraq at cgisecurity.net) Date: Mon, 13 Nov 2006 13:22:30 -0500 (EST) Subject: [SC-L] Challenges faced by automated web application security assessment tools Message-ID: <20061113182230.71400.qmail@cgisecurity.net> I have released a new document 'Challenges faced by automated web application security assessment tools' that a few of you may find interesting. URL: http://www.cgisecurity.com/articles/scannerchallenges.shtml Comments welcome. - Robert http://www.cgisecurity.com/ Website Security news, and more! http://www.cgisecurity.com/index.rss [RSS Feed] From michaelslists at gmail.com Mon Nov 13 15:30:48 2006 From: michaelslists at gmail.com (mikeiscool) Date: Tue, 14 Nov 2006 07:30:48 +1100 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writing college books] In-Reply-To: References: <00f001c700d4$67dcf870$cb00000a@escheradmin> <1163085507.5136.36.camel@localhost> <4553B047.403@novell.com> <4557718E.8080309@novell.com> <4557DE68.9030408@gce.com> <5e01c29a0611130331n56f00542me53ab14e62424f69@mail.gmail.com> Message-ID: <5e01c29a0611131230j3dbe35fqa55267e81b9bd695@mail.gmail.com> On 11/14/06, ljknews wrote: > At 10:31 PM +1100 11/13/06, mikeiscool wrote: > > On 11/13/06, Glenn and Mary Everhart wrote: > > >> If there is some construct that NEEDS to be interpreted to gain something, it > >> can be justified on that basis. Using interpretive runtimes just to link > >> languages, or just to achieve portability when source code portability runs > >> pretty well thanks, seems wasteful to me. > > > > You think source code portability is good enough such that runtime > > portability isn't really needed? > > Anything beyond source code portability tempts the customer into use on > a platform where the developer has not tested. But it has been tested, because if it runs on that jvm it has been tested for that JVM. a JVM version x on linux is the same as a JVM version x on windows. That's the point. Now maybe they try running it with a version x - 5 JVM, well fine, it may not work, but the response would be: "duh". > -- > Larry Kilgallen -- mic From leichter_jerrold at emc.com Mon Nov 13 17:36:25 2006 From: leichter_jerrold at emc.com (Leichter, Jerry) Date: Mon, 13 Nov 2006 17:36:25 -0500 (EST) Subject: [SC-L] Could I use Java or c#? [was: Re: re-writing college books] In-Reply-To: <5e01c29a0611131230j3dbe35fqa55267e81b9bd695@mail.gmail.com> References: <00f001c700d4$67dcf870$cb00000a@escheradmin> <1163085507.5136.36.camel@localhost> <4553B047.403@novell.com> <4557718E.8080309@novell.com> <4557DE68.9030408@gce.com> <5e01c29a0611130331n56f00542me53ab14e62424f69@mail.gmail.com> <5e01c29a0611131230j3dbe35fqa55267e81b9bd695@mail.gmail.com> Message-ID: | > >> If there is some construct that NEEDS to be interpreted to gain | > >> something, it can be justified on that basis. Using interpretive | > >> runtimes just to link languages, or just to achieve portability | > >> when source code portability runs pretty well thanks, seems | > >> wasteful to me. | > > | > > You think source code portability is good enough such that runtime | > > portability isn't really needed? | > | > Anything beyond source code portability tempts the customer into use | > on a platform where the developer has not tested. | | But it has been tested, because if it runs on that jvm it has been | tested for that JVM. a JVM version x on linux is the same as a JVM | version x on windows. That's the point. Now maybe they try running it | with a version x - 5 JVM, well fine, it may not work, but the response | would be: "duh". That would be nice, wouldn't it? Unfortunately, painful experience says it's not so. At least not for applications with non-trivial graphics components, in particular. The joke we used to make was: The promise of Java was "Write once, run everywhere". What we found was "Write once, debug everywhere". Then came the Swing patches, which would cause old bugs to re-appear, or suddenly make old workaround cause problems. So the real message of Java is "Write once, debug everywhere - forever". Now, I'm exagerating for effect. There are Java programs even quite substantial Java programs, that run on multiple platforms with no problems and no special porting efforts. (Hell, there are C programs with the same property!) But there are also Java programs that cause no end of porting grief. It's certainly much more common to see porting problems with C than with Java, but don't kid yourself: Writing in Java doesn't guarantee you that there will be no platform issues. -- Jerry From michaelslists at gmail.com Mon Nov 13 18:18:28 2006 From: michaelslists at gmail.com (mikeiscool) Date: Tue, 14 Nov 2006 10:18:28 +1100 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writing college books] In-Reply-To: References: <00f001c700d4$67dcf870$cb00000a@escheradmin> <4553B047.403@novell.com> <4557718E.8080309@novell.com> <4557DE68.9030408@gce.com> <5e01c29a0611130331n56f00542me53ab14e62424f69@mail.gmail.com> <5e01c29a0611131230j3dbe35fqa55267e81b9bd695@mail.gmail.com> Message-ID: <5e01c29a0611131518k2d10204dj8be5bdfbe9663e44@mail.gmail.com> On 11/14/06, Leichter, Jerry wrote: > | > >> If there is some construct that NEEDS to be interpreted to gain > | > >> something, it can be justified on that basis. Using interpretive > | > >> runtimes just to link languages, or just to achieve portability > | > >> when source code portability runs pretty well thanks, seems > | > >> wasteful to me. > | > > > | > > You think source code portability is good enough such that runtime > | > > portability isn't really needed? > | > > | > Anything beyond source code portability tempts the customer into use > | > on a platform where the developer has not tested. > | > | But it has been tested, because if it runs on that jvm it has been > | tested for that JVM. a JVM version x on linux is the same as a JVM > | version x on windows. That's the point. Now maybe they try running it > | with a version x - 5 JVM, well fine, it may not work, but the response > | would be: "duh". > That would be nice, wouldn't it? > > Unfortunately, painful experience says it's not so. At least not for > applications with non-trivial graphics components, in particular. > > The joke we used to make was: The promise of Java was "Write once, > run everywhere". What we found was "Write once, debug everywhere". > Then came the Swing patches, which would cause old bugs to re-appear, > or suddenly make old workaround cause problems. So the real message > of Java is "Write once, debug everywhere - forever". > > Now, I'm exagerating for effect. There are Java programs even quite > substantial Java programs, that run on multiple platforms with no > problems and no special porting efforts. (Hell, there are C programs > with the same property!) But there are also Java programs that > cause no end of porting grief. It's certainly much more common to > see porting problems with C than with Java, but don't kid yourself: > Writing in Java doesn't guarantee you that there will be no platform > issues. True, but that doesn't mean runtime portability isn't a good thing to aim for. -- mic From crispin at novell.com Mon Nov 13 18:18:16 2006 From: crispin at novell.com (Crispin Cowan) Date: Mon, 13 Nov 2006 15:18:16 -0800 Subject: [SC-L] p-code was created for PLATFORM PORTABILITY In-Reply-To: <45589543.6060905@ida.org> References: <45589543.6060905@ida.org> Message-ID: <4558FD38.60702@novell.com> David A. Wheeler wrote: > On 11/9/06, Crispin Cowan wrote: > >>> Prior to Java, resorting to compiling to byte code (e.g. P-code back in >>> the Pascal days) was considered a lame kludge because the language >>> developers couldn't be bothered to write a real compiler. >>> > I believe that is completely and totally false. > If you want to claim p-code itself was lame, fine. > But let's keep the history accurate. > > The UCSD p-system was created in the late 1970's SPECIFICALLY for > PORTABILITY of executable code: You could ship p-code to any > machine, and it would run. That is not inconsistent with my claim. The "P-code is a kludge to get around writing a real compiler" is multiplied by the diversity of architectures. Writing a native code generator is a cost you pay for every supported architecture. So in more detail, P-code is a performance-compromising kludge to avoid having to write a *lot* of real code generators. One major change between then and now is consolidation of CPUs. Then, there really was a very broad diversity of CPU architectures (IBM mainframe, IBM AS/400, DEC VAX, PDP, DEC10, DEC20, Data General, Apollo, HP, Xerox Sigma, x86, 68000, NS32K, etc. etc.) and they all more or less mattered. It is *very* different today: the list of CPU architectures that matter is much shorter (x86, x86-64, SPARC, POWER, Itanium): only 4 instead of a baker's dozen, and of those 4, a single one (x86) is a huge majority of the market. Pascal was a student language, not often used for commercial development, so money for Pascal development was scarce. In contrast, real languages for commercial purposes (PL/1, COBOL, FORTRAN, C) all used native code generators. P-code was precisely a performance-compromising kludge to allow Pascal to be portable with less development effort. Of course, there was one big exception: Turbo Pascal. Arguably the most popular Pascal implementation ever. And it used a native code generator. The need for portability, and the cost of portability (how many platforms you really have to port to) has dropped dramatically. Bytecode should be going away, the the architectural mistake of Java and C#/.Net are going to preserve it for some time to come :( Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com Hack: adroit engineering solution to an unanticipated problem Hacker: one who is adroit at pounding round pegs into square holes From crispin at novell.com Mon Nov 13 19:28:24 2006 From: crispin at novell.com (Crispin Cowan) Date: Mon, 13 Nov 2006 16:28:24 -0800 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writing college books] In-Reply-To: <5e01c29a0611131518k2d10204dj8be5bdfbe9663e44@mail.gmail.com> References: <00f001c700d4$67dcf870$cb00000a@escheradmin> <4553B047.403@novell.com> <4557718E.8080309@novell.com> <4557DE68.9030408@gce.com> <5e01c29a0611130331n56f00542me53ab14e62424f69@mail.gmail.com> <5e01c29a0611131230j3dbe35fqa55267e81b9bd695@mail.gmail.com> <5e01c29a0611131518k2d10204dj8be5bdfbe9663e44@mail.gmail.com> Message-ID: <45590DA8.90606@novell.com> mikeiscool wrote: > On 11/14/06, Leichter, Jerry wrote: > >> The joke we used to make was: The promise of Java was "Write once, >> run everywhere". What we found was "Write once, debug everywhere". >> Then came the Swing patches, which would cause old bugs to re-appear, >> or suddenly make old workaround cause problems. So the real message >> of Java is "Write once, debug everywhere - forever". >> >> Now, I'm exagerating for effect. There are Java programs even quite >> substantial Java programs, that run on multiple platforms with no >> problems and no special porting efforts. (Hell, there are C programs >> with the same property!) But there are also Java programs that >> cause no end of porting grief. It's certainly much more common to >> see porting problems with C than with Java, but don't kid yourself: >> Writing in Java doesn't guarantee you that there will be no platform >> issues. >> > True, but that doesn't mean runtime portability isn't a good thing to aim for. > It means that compromising performance to obtain runtime portability that does not actually exist is a poor bargain. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com Hack: adroit engineering solution to an unanticipated problem Hacker: one who is adroit at pounding round pegs into square holes From michaelslists at gmail.com Mon Nov 13 19:34:18 2006 From: michaelslists at gmail.com (mikeiscool) Date: Tue, 14 Nov 2006 11:34:18 +1100 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writing college books] In-Reply-To: <45590DA8.90606@novell.com> References: <00f001c700d4$67dcf870$cb00000a@escheradmin> <4557718E.8080309@novell.com> <4557DE68.9030408@gce.com> <5e01c29a0611130331n56f00542me53ab14e62424f69@mail.gmail.com> <5e01c29a0611131230j3dbe35fqa55267e81b9bd695@mail.gmail.com> <5e01c29a0611131518k2d10204dj8be5bdfbe9663e44@mail.gmail.com> <45590DA8.90606@novell.com> Message-ID: <5e01c29a0611131634i4d0dd625ibbfb731dedf5dbdb@mail.gmail.com> On 11/14/06, Crispin Cowan wrote: > mikeiscool wrote: > > On 11/14/06, Leichter, Jerry wrote: > > > >> The joke we used to make was: The promise of Java was "Write once, > >> run everywhere". What we found was "Write once, debug everywhere". > >> Then came the Swing patches, which would cause old bugs to re-appear, > >> or suddenly make old workaround cause problems. So the real message > >> of Java is "Write once, debug everywhere - forever". > >> > >> Now, I'm exagerating for effect. There are Java programs even quite > >> substantial Java programs, that run on multiple platforms with no > >> problems and no special porting efforts. (Hell, there are C programs > >> with the same property!) But there are also Java programs that > >> cause no end of porting grief. It's certainly much more common to > >> see porting problems with C than with Java, but don't kid yourself: > >> Writing in Java doesn't guarantee you that there will be no platform > >> issues. > >> > > True, but that doesn't mean runtime portability isn't a good thing to aim for. > > > It means that compromising performance to obtain runtime portability > that does not actually exist is a poor bargain. Runtime portability _does_ exist and the perfomance argument is old and outdated now, there's the hotspot compiler that can beat the lazy programmer (and aren't we all lazy?) and, although it's not java, you may note Raymond Chens' optimisation challenge[1] with C# and C++ and the results and discussion resulting. And of course there are other reasons aside from just the runtime portability to use Java; it's rich API, and so on. -- mic [1] http://blogs.msdn.com/ricom/archive/2005/05/10/416151.aspx From robin at kallisti.net.nz Mon Nov 13 20:01:29 2006 From: robin at kallisti.net.nz (Robin Sheat) Date: Tue, 14 Nov 2006 14:01:29 +1300 Subject: [SC-L] =?iso-8859-1?q?Could_I_use_Java_or_c=23=3F_=5Bwas=3A_Re=3A?= =?iso-8859-1?q?_re-writing_college=09books=5D?= In-Reply-To: <45590DA8.90606@novell.com> References: <00f001c700d4$67dcf870$cb00000a@escheradmin> <5e01c29a0611131518k2d10204dj8be5bdfbe9663e44@mail.gmail.com> <45590DA8.90606@novell.com> Message-ID: <200611141401.29898.robin@kallisti.net.nz> On Tuesday 14 November 2006 13:28, Crispin Cowan wrote: > It means that compromising performance It's not necessarily a given that runtime performance is compromised. There are situations where Java is faster than C (I've tested this on trivial things). I'm sure there are situations where the reverse is true, too. But as new releases of the JVM come out, all Java programs get faster. Personally, I find the programmer time to be much better used in Java too. That is less of a factor of the VM side of things (although you can do some really quite nice debugging things by communicating with the JVM which helps), but it does tend to be a feature of things that predominantly run inside some non-native environment. I don't know if there's a causation effect going on there or not however. > to obtain runtime portability > that does not actually exist is a poor bargain. The runtime portability is not perfect. The problems mostly exist where it interfaces to the underlying system, and where that's done imperfectly. Not so long ago, I ported a commercial desktop Java-based application from Windows to Linux. It took me a day or two to go through all the references to File, and make sure they were constructed properly (i.e. replace instances of '\\' with a properly constructed File) and do some testing, and that was all. It then looked and behaved just the same as it did on Windows, and objects could happily be de/reserialised across the different platforms (and on different architectures if necessary). However, you never have to deal with different word sizes, different endians, and so on. It removes as many of the gotchas as is feasible. Back on the security topic for a moment, you also gain things like sandboxing that works in a way that isn't reliant on the capabilities of the hardware. Robin. From gem at cigital.com Mon Nov 13 20:35:53 2006 From: gem at cigital.com (Gary McGraw) Date: Mon, 13 Nov 2006 20:35:53 -0500 Subject: [SC-L] p-code was created for PLATFORM PORTABILITY Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7E7C7C@va-mail.cigital.com> I am all for the "mistake" of type safety and reference monitors. All we need to do is build a real machine that runs byte code and/or clr instead of interpreting it. I agree that jit'ing os a kludge... I await the scheme-os which bill joy and I figure may emerge from africa sometime in the next decade. gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com -----Original Message----- From: Crispin Cowan [mailto:crispin at novell.com] Sent: Mon Nov 13 18:32:53 2006 To: David A. Wheeler Cc: sc-l at securecoding.org Subject: Re: [SC-L] p-code was created for PLATFORM PORTABILITY David A. Wheeler wrote: > On 11/9/06, Crispin Cowan wrote: > >>> Prior to Java, resorting to compiling to byte code (e.g. P-code back in >>> the Pascal days) was considered a lame kludge because the language >>> developers couldn't be bothered to write a real compiler. >>> > I believe that is completely and totally false. > If you want to claim p-code itself was lame, fine. > But let's keep the history accurate. > > The UCSD p-system was created in the late 1970's SPECIFICALLY for > PORTABILITY of executable code: You could ship p-code to any > machine, and it would run. That is not inconsistent with my claim. The "P-code is a kludge to get around writing a real compiler" is multiplied by the diversity of architectures. Writing a native code generator is a cost you pay for every supported architecture. So in more detail, P-code is a performance-compromising kludge to avoid having to write a *lot* of real code generators. One major change between then and now is consolidation of CPUs. Then, there really was a very broad diversity of CPU architectures (IBM mainframe, IBM AS/400, DEC VAX, PDP, DEC10, DEC20, Data General, Apollo, HP, Xerox Sigma, x86, 68000, NS32K, etc. etc.) and they all more or less mattered. It is *very* different today: the list of CPU architectures that matter is much shorter (x86, x86-64, SPARC, POWER, Itanium): only 4 instead of a baker's dozen, and of those 4, a single one (x86) is a huge majority of the market. Pascal was a student language, not often used for commercial development, so money for Pascal development was scarce. In contrast, real languages for commercial purposes (PL/1, COBOL, FORTRAN, C) all used native code generators. P-code was precisely a performance-compromising kludge to allow Pascal to be portable with less development effort. Of course, there was one big exception: Turbo Pascal. Arguably the most popular Pascal implementation ever. And it used a native code generator. The need for portability, and the cost of portability (how many platforms you really have to port to) has dropped dramatically. Bytecode should be going away, the the architectural mistake of Java and C#/.Net are going to preserve it for some time to come :( Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com Hack: adroit engineering solution to an unanticipated problem Hacker: one who is adroit at pounding round pegs into square holes _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From crispin at novell.com Tue Nov 14 06:48:24 2006 From: crispin at novell.com (Crispin Cowan) Date: Tue, 14 Nov 2006 03:48:24 -0800 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writing college books] In-Reply-To: <200611141401.29898.robin@kallisti.net.nz> References: <00f001c700d4$67dcf870$cb00000a@escheradmin> <5e01c29a0611131518k2d10204dj8be5bdfbe9663e44@mail.gmail.com> <45590DA8.90606@novell.com> <200611141401.29898.robin@kallisti.net.nz> Message-ID: <4559AD08.2070600@novell.com> Robin Sheat wrote: > On Tuesday 14 November 2006 13:28, Crispin Cowan wrote: > >> It means that compromising performance >> > It's not necessarily a given that runtime performance is compromised. There > are situations where Java is faster than C (I've tested this on trivial > things). Here it is "bytecode vs. native code generator", not "Java vs. C." Remember, I advocated Java over C++ in the first place :) Even in the bytecode vs. native code generator contest, there are cases where each will win: * bytecode interpreters always lose; they really are just a kludge * JIT can win if it uses dynamic profiling effectively and the application is amenable to optimization for decisions that need to be evaluated at runtime * JIT can be a lose because of the latency required to JIT the code instead of compiling ahead of time So: * JIT will win if your application is long-lived, and has a lot of dynamic decision making to do, e.g. making a lot of deep object member function calls that are virtual, or just a lot of conditional branches. * Native code will win if your applications are just short-lived, because they are dispatched as children from a dispatcher process o You pat the JIT cost each time it starts o The short lifespan doesn't give dynamic profiling time to do its thing > Personally, I find the programmer time to be much better used in Java too. > No argument from me. I advocate Java, I just want a native code generator instead of bytecode. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com Hack: adroit engineering solution to an unanticipated problem Hacker: one who is adroit at pounding round pegs into square holes From Kevin.Wall at qwest.com Tue Nov 14 21:18:34 2006 From: Kevin.Wall at qwest.com (Wall, Kevin) Date: Tue, 14 Nov 2006 20:18:34 -0600 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writingcollege books] In-Reply-To: <45590DA8.90606@novell.com> Message-ID: Crispin Cowan wrote... > mikeiscool wrote: ... > > True, but that doesn't mean runtime portability isn't a > good thing to aim for. > > > It means that compromising performance to obtain runtime portability > that does not actually exist is a poor bargain. To me, the bigger loss than performance is all the functionality that you give up to gain the portability. E.g., because several system calls (in a functional/feature way, not the _specific_ sys calls) aren't portable across all OSes that Sun wanted to support with Java, they dumbed down the list to the lowest common demoninator. That makes a Java inappropriate for a lot of system-level programming tasks. Simple example: There's no way in pure Java that I can lock a process in memory. Wrt this list, that has a lot of security ramifications especially on shared processors. Sure makes hiding secrets a lot harder. Plea to moderator: Ken: While I find this debate interesting, I think it has little to do with secure coding. I'm trying to bring it back on track a bit, but I fear that it is too far gone. My vote is to kill this topic unless someone has a major objection or we can make it relevant to security. Thanks. -kevin --- Kevin W. Wall Qwest Information Technology, Inc. Kevin.Wall at qwest.com Phone: 614.215.4788 "It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration" - Edsger Dijkstra, How do we tell truths that matter? http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html This communication is the property of Qwest and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments. From ljknews at mac.com Wed Nov 15 08:54:39 2006 From: ljknews at mac.com (ljknews) Date: Wed, 15 Nov 2006 08:54:39 -0500 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writingcollege books] In-Reply-To: References: Message-ID: At 8:18 PM -0600 11/14/06, Wall, Kevin wrote: > That makes a Java > inappropriate > for a lot of system-level programming tasks. Simple example: There's no > way > in pure Java that I can lock a process in memory. Wrt this list, that > has > a lot of security ramifications especially on shared processors. Sure > makes > hiding secrets a lot harder. Please explain that issue. Is there some multiuser operating system that does not clear memory before retasking it for another process ? -- Larry Kilgallen From petesh at indigo.ie Wed Nov 15 10:44:30 2006 From: petesh at indigo.ie (Pete Shanahan) Date: Wed, 15 Nov 2006 15:44:30 +0000 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writingcollege books] In-Reply-To: References: Message-ID: <455B35DE.90105@indigo.ie> ljknews wrote: > At 8:18 PM -0600 11/14/06, Wall, Kevin wrote: > >> That makes a Java >> inappropriate >> for a lot of system-level programming tasks. Simple example: There's no >> way >> in pure Java that I can lock a process in memory. Wrt this list, that >> has >> a lot of security ramifications especially on shared processors. Sure >> makes >> hiding secrets a lot harder. It's an operating system feature where you can lock a chunk of the memory of a process such that it is not swapped out at any time. see the specs for mlock, madvise. win32, I believe has an even more feature ridden facility for secure memory. on the receipt of abnormal termination signals this memory can be cleared, thus keeping the secret safe, so you could produce a process crash dump that is sanitized for sending to a support group. -- Pete +353 (87) 412 9576 [M] I'm gliding over a NUCLEAR WASTE DUMP near ATLANTA, Georgia!! From mouse at Rodents.Montreal.QC.CA Wed Nov 15 11:32:00 2006 From: mouse at Rodents.Montreal.QC.CA (der Mouse) Date: Wed, 15 Nov 2006 11:32:00 -0500 (EST) Subject: [SC-L] Could I use Java or c#? [was: Re: re-writingcollege books] In-Reply-To: References: Message-ID: <200611151634.LAA26281@Sparkle.Rodents.Montreal.QC.CA> >> Simple example: There's no way in pure Java that I can lock a >> process in memory. Wrt this list, that has a lot of security >> ramifications especially on shared processors. Sure makes hiding >> secrets a lot harder. > Please explain that issue. It makes it impossible to keep things like crypto keys out of swap space. (Looking through swap space is a relatively well-known forensic technique for finding things like crypto keys or passwords.) /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML mouse at rodents.montreal.qc.ca / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B From Kevin.Wall at qwest.com Wed Nov 15 11:55:42 2006 From: Kevin.Wall at qwest.com (Wall, Kevin) Date: Wed, 15 Nov 2006 10:55:42 -0600 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writingcollegebooks] In-Reply-To: Message-ID: Larry Kilgallen wrote: > At 8:18 PM -0600 11/14/06, Wall, Kevin wrote: > > > That makes a Java inappropriate for a lot of > > system-level programming tasks. Simple example: There's no > > way in pure Java that I can lock a process in memory. Wrt this > > list, that has a lot of security ramifications especially on > > shared processors. Sure makes hiding secrets a lot harder. > > Please explain that issue. > > Is there some multiuser operating system that does not clear > memory before retasking it for another process ? By shared processors, I didn't mean multi-CPU systems, but simple computers used by multiple users. Sorry for the possible confusion. I wasn't referring to the OS not clearing memory between use by different processes. Instead consider a case where there's a secret such as an encryption key, password, etc. in a chunk of memory that has been paged out to a swap device (*nix) or pagefile.sys (Windows). The process them terminates abnormally because of a signal, abrupt power outage, etc. From a security POV, this is a bad thing since now your secret is somewhere on the hard drive. If your computer is physically secure and the OS is probably secured, this is a relatively low risk, but it still may not be acceptable. In the first case, where your Java process might abnormally terminated via a signal, you may even end up with a process [core] dump. In C/C++, I'd use something like mlock(2) or perhaps memcntl(2) and lock the secret in physical memory. But there's no way to do this using _pure_ Java. Another example, perhaps easier to grasp and still security related. Say you have a regular "console" application (i.e., doesn't bring up it's own window; e.g., consider Windows console programs). Your application wants to _prompt_ the user for a password. You would like to disable echoing of the password to the console window. In Java, you can do this if you use something like Swing or AWT, etc., but there's no portable way that I've found using pure Java. (Note: kludges such as continously overwriting each character as it's input isn't secure. Consider case where user is running 'script' or has xterm logging enabled, etc. Also, IMHO, calling an external program, such as stty, from a Java program in order to disable and re-enable character echo is also a kludge.) In C/C++ or other language where I can call system calls directly, this is easy to do (though not necessarily portable across different OSes) via appropriate ioctl(2) call or various other means. (E.g., see termio(7) for *nix systems.) Overall, I find these types limitations with Java or C# more frustrating than I do with the performance issues. If the performance issue is that bad, it's usually my algorithm or data structures that need the tuning. If all you need is to run machine code to get bettere performance, then compile your Java with gjc or TowerJ or something similar. (Not sure what options exist for C#.) -kevin --- Kevin W. Wall Qwest Information Technology, Inc. Kevin.Wall at qwest.com Phone: 614.215.4788 "It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration" - Edsger Dijkstra, How do we tell truths that matter? http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html This communication is the property of Qwest and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments. From ljknews at mac.com Wed Nov 15 12:23:47 2006 From: ljknews at mac.com (ljknews) Date: Wed, 15 Nov 2006 12:23:47 -0500 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writingcollege books] In-Reply-To: <455B35DE.90105@indigo.ie> References: <455B35DE.90105@indigo.ie> Message-ID: At 3:44 PM +0000 11/15/06, Pete Shanahan wrote: > ljknews wrote: >> At 8:18 PM -0600 11/14/06, Wall, Kevin wrote: >> >>> That makes a Java >>> inappropriate >>> for a lot of system-level programming tasks. Simple example: There's no >>> way >>> in pure Java that I can lock a process in memory. Wrt this list, that >>> has >>> a lot of security ramifications especially on shared processors. Sure >>> makes >>> hiding secrets a lot harder. I did not write any of that. > It's an operating system feature where you can lock a chunk of the memory of a > process such that it is not swapped out at any time. > > see the specs for mlock, madvise. Those words mean nothing to me, but I presume you are talking about either locking a page into memory: http://h71000.www7.hp.com/doc/83FINAL/4527/4527pro_081.html#jun_369 or locking a page into the working set: http://h71000.www7.hp.com/doc/83FINAL/4527/4527pro_082.html#jun_373 or preventing an entire process from being swapped out: http://h71000.www7.hp.com/doc/83FINAL/4527/4527pro_105.html#jun_526 None of those resolve the responsibility of the operating system to remove residue from memory before transferring it to another user. That is true regardless of whether the process is running compiled code or a bytecode engine (which is the real issue, not the implementation language). > win32, I believe has an even more feature ridden facility for secure memory. > > on the receipt of abnormal termination signals this memory can be cleared, thus > keeping the secret safe, so you could produce a process crash dump that is > sanitized for sending to a support group. Yes, that is present in my environment as well. Is the problem that the bytecode engine used with languages like Java do not have a function to exclude certain parts of memory from process crash dumps ? That was not clear from the prior statement. -- Larry Kilgallen From ljknews at mac.com Wed Nov 15 12:33:50 2006 From: ljknews at mac.com (ljknews) Date: Wed, 15 Nov 2006 12:33:50 -0500 Subject: [SC-L] Could I use Java or c#? [was: Re: re-writingcollegebooks] In-Reply-To: References: Message-ID: At 10:55 AM -0600 11/15/06, Wall, Kevin wrote: > Larry Kilgallen wrote: >> At 8:18 PM -0600 11/14/06, Wall, Kevin wrote: >> >> > That makes a Java inappropriate for a lot of >> > system-level programming tasks. Simple example: There's no >> > way in pure Java that I can lock a process in memory. Wrt this >> > list, that has a lot of security ramifications especially on >> > shared processors. Sure makes hiding secrets a lot harder. >> >> Please explain that issue. >> >> Is there some multiuser operating system that does not clear >> memory before retasking it for another process ? > I wasn't referring to the OS not clearing memory between use by > different processes. Instead consider a case where there's a secret > such as an encryption key, password, etc. in a chunk of memory that > has been paged out to a swap device (*nix) or pagefile.sys (Windows). > The process them terminates abnormally because of a signal, abrupt > power outage, etc. From a security POV, this is a bad thing since > now your secret is somewhere on the hard drive. But a cryptographic secret should not be in user-readable memory in the first place, due to the risk of a trojan horse. That belongs in OS memory dedicated to the user but protected from them (i.e., inner mode) and at that point the operating system can mark such memory as not being subject to dumping. The user might enter a password to _unlock_ that secret key, and some trojan horse (or wiretap) might intercept that password and use it in a malicious fashion, but the trojan horse cannot export the secret key to another machine. (By secret key, I mean the secret half of a public key pair.) > Overall, I find these types limitations with Java or C# more frustrating > than I do with the performance issues. A native compiler should have no problem calling any system service. It would seem your objection is really to the bytecode engine version of Java rather than to the language itself. -- Larry Kilgallen From mark.dowd at gmail.com Thu Nov 16 18:00:04 2006 From: mark.dowd at gmail.com (Mark Dowd) Date: Fri, 17 Nov 2006 10:00:04 +1100 Subject: [SC-L] The Art of Software Security Assessment (book release) Message-ID: <816ef1ca0611161500t7d8ca675nbe49f7a84e13ceea@mail.gmail.com> Hi, Justin Schuh, John McDonald and I recently finished a book on software security assessment. The three of us have put quite a bit of time and effort into this project; essentially, it's a 1200 page book about how to audit code to find vulnerabilities, based on our own experience. We present high-level strategies for performing design and implementation reviews, but the bulk of the content is dedicated to the technical details of vulnerabilities and how they appear in real-world applications. We've attempted to structure this book so it will prove useful for a variety of audiences: developers assessing their own work (or the work of their peers), consultants performing professional application security reviews, or researchers looking to find the showstoppers that will appear in next month's Patch Tuesday. Here are some links: http://www.amazon.com/gp/product/0321444426/ http://www.awprofessional.com/bookstore/product.asp?isbn=0321444426&rl=1 There's a sample chapter on the AW site that will give you a feel for what the rest of the book is like. It's our chapter on C language issues, and it has lots of examples of integer overflows and type conversion flaws, as well as some fun C puzzles. The book will be hitting stores within the next few days. Any thoughts/comments would be appreciated. Enjoy! Mark Dowd -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20061117/9590bcac/attachment.html From ljknews at mac.com Thu Nov 16 22:38:12 2006 From: ljknews at mac.com (ljknews) Date: Thu, 16 Nov 2006 22:38:12 -0500 Subject: [SC-L] The Art of Software Security Assessment (book release) In-Reply-To: <816ef1ca0611161500t7d8ca675nbe49f7a84e13ceea@mail.gmail.com> References: <816ef1ca0611161500t7d8ca675nbe49f7a84e13ceea@mail.gmail.com> Message-ID: At 10:00 AM +1100 11/17/06, Mark Dowd wrote: > There's a sample chapter on the AW site that will give you a feel for >what the rest of the book is like. It's our chapter on C language issues, >and it has lots of examples of integer overflows and type conversion >flaws, as well as some fun C puzzles. The book will be hitting stores >within the next few days. Any thoughts/comments would be appreciated. What other languages have chapters ? My particular interests are PL/I, Pascal and Ada. -- Larry Kilgallen From gem at cigital.com Fri Nov 17 14:57:06 2006 From: gem at cigital.com (Gary McGraw) Date: Fri, 17 Nov 2006 14:57:06 -0500 Subject: [SC-L] Silverbullet: Brian Chess Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7FB938@va-mail.cigital.com> Hi all, Episode 8 of the silver bullet security podcast with yours truly is an interview with Brian Chess, chief scientist of Fortify Software. Brian has been doing static analysis for years (his PhD work was in that area, building a system called Eau Claire). We spent most of this episode discussing software security. My bet is you'll find it relevant: http://www.cigital.com/silverbullet/ As always, feedback on the podcast website is welcome. Please tell others about this free podcast if you think they'll like it. gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From ravid.work at gmail.com Mon Nov 20 07:41:40 2006 From: ravid.work at gmail.com (Ravid L) Date: Mon, 20 Nov 2006 14:41:40 +0200 Subject: [SC-L] Need some numbers about application security Message-ID: Hi everyone! I am looking for some numbers about application security for a presentation. I need data about how many organization experienced application based attack recently? What is the frequency of application based attacks? How many application in the real Internet environment will need this kind of protection? What is the financial damage in real numbers for companies that has been a target to such attacks? (damage in numbers and damage to stock for example). If anyone has any data (from reliable sources) about this questions i will be so grateful... Thanks, Ravid. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20061120/e2848b6b/attachment.html From gunnar at arctecgroup.net Mon Nov 20 09:02:39 2006 From: gunnar at arctecgroup.net (Gunnar Peterson) Date: Mon, 20 Nov 2006 08:02:39 -0600 Subject: [SC-L] Need some numbers about application security In-Reply-To: Message-ID: Hi Ravid, You may want to review the MetriCon digest an related presentations http://www.securitymetrics.org/content/attach/Welcome_blogentry_010806_1/met ricon.notes.PDF It has a lot of information about security and risk metrics, and there was also a software security metrics track. -gp On 11/20/06 6:41 AM, "Ravid L" wrote: > Hi everyone! > > I am looking for some numbers about application security for a presentation. > I need data about how many organization experienced application based attack > recently? > What is the frequency of application based attacks? > How many application in the real Internet environment will need this kind of > protection? > What is the financial damage in real numbers for companies that has been a > target to such attacks? (damage in numbers and damage to stock for example). > > If anyone has any data (from reliable sources) about this questions i will be > so grateful... > > Thanks, > Ravid. > > > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20061120/41119315/attachment.html From ljknews at mac.com Mon Nov 20 09:21:59 2006 From: ljknews at mac.com (ljknews) Date: Mon, 20 Nov 2006 09:21:59 -0500 Subject: [SC-L] Need some numbers about application security In-Reply-To: References: Message-ID: At 2:41 PM +0200 11/20/06, Ravid L wrote: > Hi everyone! > > I am looking for some numbers about application security for a presentation. > I need data about how many organization experienced application based >attack recently? > What is the frequency of application based attacks? > How many application in the real Internet environment will need this kind >of protection? Does this mean you want to ignore attacks unrelated to the Internet ? > What is the financial damage in real numbers for companies that has been >a target to such attacks? (damage in numbers and damage to stock for >example). > > If anyone has any data (from reliable sources) about this questions i >will be so grateful... -- Larry Kilgallen From ref66 at yahoo.com Mon Nov 20 12:39:03 2006 From: ref66 at yahoo.com (Roman H.) Date: Mon, 20 Nov 2006 09:39:03 -0800 (PST) Subject: [SC-L] Need some numbers about application security Message-ID: <20061120173903.59399.qmail@web32414.mail.mud.yahoo.com> Ravid, We would all love to get the data you are asking for. However, most organizations aren't willing to publicize their security problems, so this kind of data is hard to obtain. That said, there are nuggets of information here and there if you are willing to do some work. A couple of things that come to mind: Compilations of public vulnerabilities that probably represent only the tiniest fraction of the tip of the iceberg: http://www.webappsec.org/projects/whid/ http://www.us-cert.gov/cas/bulletins/SB2005.html For actual dollar amounts, the Chipotle Prospectus discusses security breaches and regulatory compliance starting on page 27. If you are looking for purely risk-based numbers rather then compliance issues, this won't help you. Plus this is only a single source: http://www.chipotleexchange.com/Prospectus.pdf Look around for more things like these and you can start compiling numbers. Keep in mind that when you are done, you will have a collection of anecdotes rather than meaningful data. For example, calculating the "frequency of application based attacks" would require that all application based attacks are actually reported to some central authority, which they are not. With the recent "security breach notification" laws that are being passed in the United States, perhaps some useful data will begin to surface. Even that will be limited to incidents in which personal data was lost or stolen, and will also include non-application-based attacks like laptop theft. You might also skim the first chapter of any of the recent books on application and software security, which generally address the questions you have. Hope this helps, Roman ----- Original Message ---- From: Ravid L To: SC-L at securecoding.org Sent: Monday, November 20, 2006 4:41:40 AM Subject: [SC-L] Need some numbers about application security Hi everyone! I am looking for some numbers about application security for a presentation. I need data about how many organization experienced application based attack recently? What is the frequency of application based attacks? How many application in the real Internet environment will need this kind of protection? What is the financial damage in real numbers for companies that has been a target to such attacks? (damage in numbers and damage to stock for example). If anyone has any data (from reliable sources) about this questions i will be so grateful... Thanks, Ravid. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20061120/06c03df0/attachment.html From mcgegick at ncsu.edu Tue Nov 21 12:44:50 2006 From: mcgegick at ncsu.edu (Michael Gegick) Date: Tue, 21 Nov 2006 12:44:50 -0500 Subject: [SC-L] Need some numbers about application security In-Reply-To: Message-ID: <200611211744.kALHioFe001345@server-autogenerated.uni02mr.unity.ncsu.edu> Try this: http://www.gocsi.com/forms/fbi/csi_fbi_survey.jhtml (you'll need to fill out the form) michael -----Original Message----- From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of sc-l-request at securecoding.org Sent: Tuesday, November 21, 2006 12:00 PM To: sc-l at securecoding.org Subject: SC-L Digest, Vol 2, Issue 202 Send SC-L mailing list submissions to sc-l at securecoding.org To subscribe or unsubscribe via the World Wide Web, visit http://krvw.com/mailman/listinfo/sc-l or, via email, send a message with subject or body 'help' to sc-l-request at securecoding.org You can reach the person managing the list at sc-l-owner at securecoding.org When replying, please edit your Subject line so it is more specific than "Re: Contents of SC-L digest..." Today's Topics: 1. Re: Need some numbers about application security (Roman H.) ---------------------------------------------------------------------- Message: 1 Date: Mon, 20 Nov 2006 09:39:03 -0800 (PST) From: "Roman H." Subject: Re: [SC-L] Need some numbers about application security To: Ravid L , SC-L at securecoding.org Message-ID: <20061120173903.59399.qmail at web32414.mail.mud.yahoo.com> Content-Type: text/plain; charset="us-ascii" Ravid, We would all love to get the data you are asking for. However, most organizations aren't willing to publicize their security problems, so this kind of data is hard to obtain. That said, there are nuggets of information here and there if you are willing to do some work. A couple of things that come to mind: Compilations of public vulnerabilities that probably represent only the tiniest fraction of the tip of the iceberg: http://www.webappsec.org/projects/whid/ http://www.us-cert.gov/cas/bulletins/SB2005.html For actual dollar amounts, the Chipotle Prospectus discusses security breaches and regulatory compliance starting on page 27. If you are looking for purely risk-based numbers rather then compliance issues, this won't help you. Plus this is only a single source: http://www.chipotleexchange.com/Prospectus.pdf Look around for more things like these and you can start compiling numbers. Keep in mind that when you are done, you will have a collection of anecdotes rather than meaningful data. For example, calculating the "frequency of application based attacks" would require that all application based attacks are actually reported to some central authority, which they are not. With the recent "security breach notification" laws that are being passed in the United States, perhaps some useful data will begin to surface. Even that will be limited to incidents in which personal data was lost or stolen, and will also include non-application-based attacks like laptop theft. You might also skim the first chapter of any of the recent books on application and software security, which generally address the questions you have. Hope this helps, Roman ----- Original Message ---- From: Ravid L To: SC-L at securecoding.org Sent: Monday, November 20, 2006 4:41:40 AM Subject: [SC-L] Need some numbers about application security Hi everyone! I am looking for some numbers about application security for a presentation. I need data about how many organization experienced application based attack recently? What is the frequency of application based attacks? How many application in the real Internet environment will need this kind of protection? What is the financial damage in real numbers for companies that has been a target to such attacks? (damage in numbers and damage to stock for example). If anyone has any data (from reliable sources) about this questions i will be so grateful... Thanks, Ravid. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20061120/06c03df0/attachment-0001 .html ------------------------------ _______________________________________________ SC-L mailing list SC-L at securecoding.org http://krvw.com/mailman/listinfo/sc-l End of SC-L Digest, Vol 2, Issue 202 ************************************ From jjchryan at gwu.edu Tue Nov 21 13:28:12 2006 From: jjchryan at gwu.edu (Julie Ryan) Date: Tue, 21 Nov 2006 13:28:12 -0500 Subject: [SC-L] Need some numbers about application security In-Reply-To: <200611211744.kALHioFe001345@server-autogenerated.uni02mr.unity.ncsu.edu> References: <200611211744.kALHioFe001345@server-autogenerated.uni02mr.unity.ncsu.edu> Message-ID: If you want to rely on the CSI/FBI survey for numbers, you should definitely read the attrition.org page on statistics first. http://attrition.org/errata/statistics/introduction.html On Nov 21, 2006, at 12:44 PM, Michael Gegick wrote: > Try this: > http://www.gocsi.com/forms/fbi/csi_fbi_survey.jhtml (you'll need to > fill out > the form) > > michael > > -----Original Message----- > From: sc-l-bounces at securecoding.org > [mailto:sc-l-bounces at securecoding.org] > On Behalf Of sc-l-request at securecoding.org > Sent: Tuesday, November 21, 2006 12:00 PM > To: sc-l at securecoding.org > Subject: SC-L Digest, Vol 2, Issue 202 > > Send SC-L mailing list submissions to > sc-l at securecoding.org > > To subscribe or unsubscribe via the World Wide Web, visit > http://krvw.com/mailman/listinfo/sc-l > or, via email, send a message with subject or body 'help' to > sc-l-request at securecoding.org > > You can reach the person managing the list at > sc-l-owner at securecoding.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of SC-L digest..." > > > Today's Topics: > > 1. Re: Need some numbers about application security (Roman H.) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Mon, 20 Nov 2006 09:39:03 -0800 (PST) > From: "Roman H." > Subject: Re: [SC-L] Need some numbers about application security > To: Ravid L , SC-L at securecoding.org > Message-ID: <20061120173903.59399.qmail at web32414.mail.mud.yahoo.com> > Content-Type: text/plain; charset="us-ascii" > > Ravid, > > We would all love to get the data you are asking for. However, most > organizations aren't willing to publicize their security problems, so > this > kind of data is hard to obtain. That said, there are nuggets of > information > here and there if you are willing to do some work. A couple of things > that > come to mind: > > Compilations of public vulnerabilities that probably represent only the > tiniest fraction of the tip of the iceberg: > http://www.webappsec.org/projects/whid/ > http://www.us-cert.gov/cas/bulletins/SB2005.html > > For actual dollar amounts, the Chipotle Prospectus discusses security > breaches and regulatory compliance starting on page 27. If you are > looking > for purely risk-based numbers rather then compliance issues, this > won't help > you. Plus this is only a single source: > http://www.chipotleexchange.com/Prospectus.pdf > > Look around for more things like these and you can start compiling > numbers. > Keep in mind that when you are done, you will have a collection of > anecdotes > rather than meaningful data. For example, calculating the "frequency > of > application based attacks" would require that all application based > attacks > are actually reported to some central authority, which they are not. > With > the recent "security breach notification" laws that are being passed > in the > United States, perhaps some useful data will begin to surface. Even > that > will be limited to incidents in which personal data was lost or > stolen, and > will also include non-application-based attacks like laptop theft. > > You might also skim the first chapter of any of the recent books on > application and software security, which generally address the > questions you > have. > > Hope this helps, > Roman > > ----- Original Message ---- > From: Ravid L > To: SC-L at securecoding.org > Sent: Monday, November 20, 2006 4:41:40 AM > Subject: [SC-L] Need some numbers about application security > > Hi everyone! > > I am looking for some numbers about application security for a > presentation. > I need data about how many organization experienced application based > attack recently? > What is the frequency of application based attacks? > How many application in the real Internet environment will need this > kind > of protection? > What is the financial damage in real numbers for companies that has > been a > target to such attacks? (damage in numbers and damage to stock for > example). > > If anyone has any data (from reliable sources) about this questions i > will > be so grateful... > > Thanks, > Ravid. > > > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > http://krvw.com/pipermail/sc-l/attachments/20061120/06c03df0/ > attachment-0001 > .html > > ------------------------------ > > _______________________________________________ > SC-L mailing list > SC-L at securecoding.org > http://krvw.com/mailman/listinfo/sc-l > > > End of SC-L Digest, Vol 2, Issue 202 > ************************************ > > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - > http://krvw.com/mailman/listinfo/sc-l > List charter available at - > http://www.securecoding.org/list/charter.php > Julie J.C.H. Ryan, D.Sc. Assistant Professor Engineering Management and System Engineering George Washington University An NSA certified Center of Academic Excellence in Information Assurance Education http://www.seas.gwu.edu/~jjchryan/ http://www.seas.gwu.edu/~infosec/ From gunnar at arctecgroup.net Thu Nov 30 17:47:54 2006 From: gunnar at arctecgroup.net (Gunnar Peterson) Date: Thu, 30 Nov 2006 16:47:54 -0600 Subject: [SC-L] Ross Anderson reviews Building Security In Message-ID: Found on the web -- local boy makes good: Review by Ross Anderson to appear in Jan/Feb 2007 IEEE S&P Magazine Gary McGraw, "Software Security - Building Security In" Addison-Wesley, 2006 `We must first agree that software security is not security software', writes Gary McGraw in the first chapter of his new book. Spot on! Things break because software is just about everywhere, and we rely on it for just about everything; we had software before the Internet, but we couldn't have the Internet until there was software. Software has bugs, and some of them cause vulnerabilities. Trying to compensate for bugs by adding a layer of special security software can only get you so far - often not far enough. But how can you train programmers to stop writing vulnerabilities? The explosion of the software industry over the past fifty years has created far more programming jobs than there are CS graduates to fill them. Most of my teenage contemporaries who studied science subjects - any science, from physics to geology to physiology - ended up writing code of one kind or another. Having run out of trainable people in the USA and Europe, we now have hundreds of thousands of folks in the developing world writing code. And as processors and communications spread from office equipment to domestic appliances and eventually to most inedible things costing more than a few dollars, the software quality gap can only get worse. So people who understand security and know how to write have an opportunity - one might even say a duty - to try to close this gap. ... http://www.swsec.com/press/ra-ieeesp.php -gp From gem at cigital.com Mon Dec 11 14:02:24 2006 From: gem at cigital.com (Gary McGraw) Date: Mon, 11 Dec 2006 14:02:24 -0500 Subject: [SC-L] Software security != security software Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7FBC00@va-mail.cigital.com> Hi all, The furvor over Microsoft's entry into the security software business is confusing some people about their software security designs. Or maybe people who know better are trying to confuse the market??! Note word order. I wrote about this in my latest darkreading column that you can find here: http://www.darkreading.com/document.asp?doc_id=112402 gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From brian at fortifysoftware.com Tue Dec 12 01:09:59 2006 From: brian at fortifysoftware.com (Brian Chess) Date: Mon, 11 Dec 2006 22:09:59 -0800 Subject: [SC-L] Java Open Review Project Message-ID: Hello all, I'm pleased to announce that we've just launched the Java Open Review Project (http://opensource.fortifysoftware.com). We're reviewing open source Java code all the way from Tomcat down to PetStore looking for bugs and security vulnerabilities. We're using two static analysis tools to do the heavy lifting: FindBugs and Fortify SCA. We can use plenty of human eyes to help sort through the results. We're also soliciting ideas for which projects we should be reviewing next. Please help! Brian From Greenarrow1 at msn.com Tue Dec 12 01:18:05 2006 From: Greenarrow1 at msn.com (Greenarrow 1) Date: Mon, 11 Dec 2006 22:18:05 -0800 Subject: [SC-L] Software security != security software References: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7FBC00@va-mail.cigital.com> Message-ID: Hi Gem, Microsoft still suffers from the lack of properly correcting flaws within their operating systems in a mannerly fashion. Myself, I feel until Microsoft proves to me that they can safe guard the system I would never allow them to secure my computer(s). I have tested Vista, Window Defender and other security programs MS has created, and while Vista I applaud the lock down of the kernel I have found Defender to be lacking in security. Creating a program like this must protect against all malware and not what Microsoft decides is malware, ie, some third party partner programs which garner information which would be considered spy ware are not blocked by Defender. This is one illustration of guarding the henhouse. I could name a few more but that still would not deter the inevitable. Regards, George Greenarrow1 InNetInvestigations-Forensic ----- Original Message ----- From: "Gary McGraw" To: Sent: Monday, December 11, 2006 11:02 AM Subject: [SC-L] Software security != security software > Hi all, > > The furvor over Microsoft's entry into the security software business is > confusing some people about their software security designs. Or maybe > people who know better are trying to confuse the market??! Note word > order. > > I wrote about this in my latest darkreading column that you can find > here: > http://www.darkreading.com/document.asp?doc_id=112402 > > gem > > company www.cigital.com > podcast www.cigital.com/silverbullet > book www.swsec.com > > > > ---------------------------------------------------------------------------- > This electronic message transmission contains information that may be > confidential or privileged. The information contained herein is intended > solely for the recipient and use by any other party is not authorized. If > you are not the intended recipient (or otherwise authorized to receive > this > message by the intended recipient), any disclosure, copying, distribution > or > use of the contents of the information is prohibited. If you have > received > this electronic message transmission in error, please contact the sender > by > reply email and delete all copies of this message. Cigital, Inc. accepts > no > responsibility for any loss or damage resulting directly or indirectly > from > the use of this email or its contents. > Thank You. > ---------------------------------------------------------------------------- > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - > http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > From sbradcpa at pacbell.net Mon Dec 11 22:40:03 2006 From: sbradcpa at pacbell.net (Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]) Date: Mon, 11 Dec 2006 19:40:03 -0800 Subject: [SC-L] Software security != security software In-Reply-To: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7FBC00@va-mail.cigital.com> References: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7FBC00@va-mail.cigital.com> Message-ID: <457E2493.3070002@pacbell.net> "The problem is that security software vendors including Symantec and McAfee have used the very same techniques for years in the name of good. Antivirus software and personal firewall software pulls all sorts of fancy kernel-interpositioning kung fu." ..... and for every good..... there is also a bad: http://www.securiteam.com/windowsntfocus/6Z0032AH5U.html "The reason we need security software like antivirus tools and personal firewalls is that OSes have traditionally suffered from all kinds of security problems (both bugs and flaws)." Hmmm let's see lately we've had these bugs http://secunia.com/vendor/6/ and these http://secunia.com/vendor/70/ and these http://secunia.com/vendor/56/ and these ones http://secunia.com/vendor/54/ and these http://secunia.com/vendor/51/ and..... well you get the idea that it's not just OS's that have security flaws.. sometimes it's the very things we buy to make us secure that have their own issues "Microsoft may be too responsible to manipulate its security defect density intentionally in order to create demand for its security software, but the fact that this is even possible is a great worry. This is like allowing the fox to design and build the henhouse, not just guard it." Microsoft "rogue" developer says in development meeting of Forefront products: "Say... I think I'm going to manipulate security defects just 'cause I want to drive more sales of Forefront products...yeah that's the ticket... " Okay so with tinfoil in place... that's going to need a "Security defect Density Product Manager" (Microsoft doesn't do anything without a PM or two you know), at least an entire WagEd (Waggoner Edstrom [however you spell that] marketing division to do a 'spin' and marketing blitz on how Forefront needs to be the software of choice... numerous conference calls and committee meetings, not to mention a User Interface testing ... etc etc... You know this reminds me of when my Dad would respond to the folks that said that the Government did "fill in the blank" such as kill Kennedy, pretend to go to the moon but really did not, and other assorted odds and ends. 1. From the outside it appears that they are not that well organized to pull something like this off (it took them 5 years to get Vista out the door... do you honestly think that Microsoft can selectively code a "security defect density" without causing some other issue? That the Forefront team gets together with the Vista team and the watercooler and swaps and coordinates places to put defects in? 2. Do you honestly think there wouldn't be some honest whistle blower somewhere that wouldn't be on the Fox News Channel or Oprah in a heartbeat? Is this possible? When our own government put forth evidence of "weapons of mass destruction" and later it comes out there wasn't any...that showcases that people talk and the truth gets out. Maybe I just grew up too much in the era of Watergate and believe too strongly in the power of free speech... but it's a little hard for me to think that someone like MiniMicrosoft wouldn't be screaming their head off if someone in Microsoft even thought of such a thing. Someone would blog. Trust me on that one. Quite frankly, I've been burned a few times with those antivirus companies that have guarded my henhouse and have flagged things as viruses they shouldn't, and have brought my network to it's knees. So even when they were protecting me, I've lost confidence in them too. Right now my biggest concern is that we still aren't caring enough about software security at all. Susan... who's convinced that the bad guys have gotten over these petty turf wars a long time ago and are way more cooperating/coordinating that the good guys are. Gary McGraw wrote: > Hi all, > > The furvor over Microsoft's entry into the security software business is > confusing some people about their software security designs. Or maybe > people who know better are trying to confuse the market??! Note word > order. > > I wrote about this in my latest darkreading column that you can find > here: > http://www.darkreading.com/document.asp?doc_id=112402 > > gem > > company www.cigital.com > podcast www.cigital.com/silverbullet > book www.swsec.com > > > > ---------------------------------------------------------------------------- > This electronic message transmission contains information that may be > confidential or privileged. The information contained herein is intended > solely for the recipient and use by any other party is not authorized. If > you are not the intended recipient (or otherwise authorized to receive this > message by the intended recipient), any disclosure, copying, distribution or > use of the contents of the information is prohibited. If you have received > this electronic message transmission in error, please contact the sender by > reply email and delete all copies of this message. Cigital, Inc. accepts no > responsibility for any loss or damage resulting directly or indirectly from > the use of this email or its contents. > Thank You. > ---------------------------------------------------------------------------- > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > > -- Letting your vendors set your risk analysis these days? http://www.threatcode.com If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs From gem at cigital.com Thu Dec 14 11:39:23 2006 From: gem at cigital.com (Gary McGraw) Date: Thu, 14 Dec 2006 11:39:23 -0500 Subject: [SC-L] Silverbullet: Bruce Schneier Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7FBC3A@va-mail.cigital.com> Hi all, The 9th silver bullet podcast eposide went up last night. This time my victim, er I mean my guest, is Bruce Schneier. I think you'll all agree that Bruce is our most visible spokesmodel when it comes to security, and thankfully he understands the importance of software security. We spend a little time talking directly about software security during the interview. Download the episode here: http://www.cigital.com/silverbullet/ (and subscribe via RSS, itunes, etc). It's hard to believe that this is the 9th podcast in the Silver Bullet Security Podcast series! Please help me spread the word by passing the link on to your friends. Thanks. gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From Ken at krvw.com Thu Dec 14 14:00:25 2006 From: Ken at krvw.com (Kenneth Van Wyk) Date: Thu, 14 Dec 2006 14:00:25 -0500 Subject: [SC-L] heise Security - News - Security specialist leaves PHP security team Message-ID: I guess this falls in to the "you can lead a horse to water, but you can't make him drink" category: http://www.heise-security.co.uk/news/82500 A member of the PHP security team has left in apparent disgust over the team's security practices. I doubt that anyone here on SC-L is surprised by the article, but PHP remains quite popular, and it seems sad to see it losing some vital and much-needed security support. Well, there's always AJAX, I suppose. ;-\ Cheers, Ken P.S. Hey, SC-L is 3 years old this month! ----- Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20061214/efc4f0b9/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 186 bytes Desc: This is a digitally signed message part Url : http://krvw.com/pipermail/sc-l/attachments/20061214/efc4f0b9/attachment.bin From dinis at ddplus.net Thu Dec 14 19:27:56 2006 From: dinis at ddplus.net (Dinis Cruz) Date: Fri, 15 Dec 2006 00:27:56 +0000 Subject: [SC-L] heise Security - News - Security specialist leaves PHP security team In-Reply-To: References: Message-ID: <701fd6b60612141627s17fe9d16padd367d56a78b087@mail.gmail.com> This is a very good example of the security problems that Open Source projects have. Open Source projects need to have strong Secure Development Lifecicles for their software. And here they could do worse than learn from Microsoft's efforts. One of the projects that I really want to do at the OWASP is an SDL project which should be used on OWASP projects (39 at last count ( http://www.owasp.org/index.php/Category:OWASP_Project)) in order to ensure that OWASP tools are as secure as they can be. We need to make our software more secure and trustworthy and a solid SDL is a good (first) step. Eventually we will need to move to the Sandboxing model, but I won't start the thread again :) Dinis Cruz Chief OWASP Evangelist http://www.owasp.org On 12/14/06, Kenneth Van Wyk wrote: > > I guess this falls in to the "you can lead a horse to water, but you can't > make him drink" category: > > http://www.heise-security.co.uk/news/82500 > A member of the PHP security team has left in apparent disgust over the > team's security practices. > I doubt that anyone here on SC-L is surprised by the article, but PHP > remains quite popular, and it seems sad to see it losing some vital and > much-needed security support. > > Well, there's always AJAX, I suppose. ;-\ > > Cheers, > > Ken > > P.S. Hey, SC-L is 3 years old this month! > ----- > Kenneth R. van Wyk > SC-L Moderator > KRvW Associates, LLC > http://www.KRvW.com > > > > > > _______________________________________________ > Secure Coding mailing list (SC-L) > SC-L at securecoding.org > > List information, subscriptions, etc - > http://krvw.com/mailman/listinfo/sc-l > > List charter available at - http://www.securecoding.org/list/charter.php > > SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) > as a free, non-commercial service to the software security community. > _______________________________________________ > > > > -- -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20061215/2f8a9e9d/attachment.html From ken at krvw.com Tue Dec 19 10:33:28 2006 From: ken at krvw.com (Kenneth Van Wyk) Date: Tue, 19 Dec 2006 10:33:28 -0500 Subject: [SC-L] PHP security under scrutiny Message-ID: Interesting article about PHP security: http://www.securityfocus.com/news/11430 Among other things, NIST's vul database shows, "Web applications written in PHP likely account for 43 percent of the security issues found so far in 2006, up from 29 percent in 2005." Happy reading... Cheers, Ken ----- Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20061219/1e9487d1/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 186 bytes Desc: This is a digitally signed message part Url : http://krvw.com/pipermail/sc-l/attachments/20061219/1e9487d1/attachment.bin From jms at bughunter.ca Tue Dec 19 10:50:40 2006 From: jms at bughunter.ca (J. M. Seitz) Date: Tue, 19 Dec 2006 07:50:40 -0800 Subject: [SC-L] PHP security under scrutiny In-Reply-To: Message-ID: <004601c72385$71595190$8119fea9@jseitz> Yeah I can personally attest to that, after spending a few months on the OSVDB as a mangler and developer, I quickly realized that the bevy of vulnerabilities we worked on everyday were primarily PHP based. Now granted setting "register_globals off" (which essentially prevents a user from overwriting variables in a page) will mitigate most of these vulnerabilities it was still alarming to see. Not to mention the fact that most people are spending their time looking for XSS or SQL injections, whereas the upward trend looked more like remote file inclusion vulnerabilities which are more dangerous to the host machine, rather than an unsuspecting end-user. Maybe someone can remind me of who said "Once the bad guy is running code on your machine, it's no longer your machine." :) JS _____ From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of Kenneth Van Wyk Sent: Tuesday, December 19, 2006 7:33 AM To: Secure Coding Subject: [SC-L] PHP security under scrutiny Interesting article about PHP security: http://www.securityfocus.com/news/11430 Among other things, NIST's vul database shows, "Web applications written in PHP likely account for 43 percent of the security issues found so far in 2006, up from 29 percent in 2005." Happy reading... Cheers, Ken ----- Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20061219/87513b9a/attachment.html From James.McGovern at thehartford.com Thu Dec 21 10:30:50 2006 From: James.McGovern at thehartford.com (McGovern, James F (HTSC, IT)) Date: Thu, 21 Dec 2006 10:30:50 -0500 Subject: [SC-L] Compilers In-Reply-To: Message-ID: <773F863A6009244B87E6E866AFC7DB46019CA177@AD1HFDEXC309.ad1.prod> I have been noodling the problem space of secure coding after attending a wonderful class taught by Ken Van Wyk. I have been casually checking out Fortify, Ounce Labs, etc and have a thought that this stuff should really be part of the compiler and not a standalone product. Understanding that folks do start companies to make up deficiencies in what large vendors ignore, how far off base in my thinking am I? ************************************************************************* This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies. ************************************************************************* -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20061221/8d808bd3/attachment.html From gunnar at arctecgroup.net Thu Dec 21 10:55:12 2006 From: gunnar at arctecgroup.net (Gunnar Peterson) Date: Thu, 21 Dec 2006 09:55:12 -0600 Subject: [SC-L] Compilers In-Reply-To: <773F863A6009244B87E6E866AFC7DB46019CA177@AD1HFDEXC309.ad1.prod> Message-ID: Sure it should be built into the language, and I assume it will be eventually. Heck it only took 30 or 40 years for people to force developers to use Try...Catch blocks. -gp On 12/21/06 9:30 AM, "McGovern, James F (HTSC, IT)" wrote: > I have been noodling the problem space of secure coding after attending a > wonderful class taught by Ken Van Wyk. I have been casually checking out > Fortify, Ounce Labs, etc and have a thought that this stuff should really be > part of the compiler and not a standalone product. Understanding that folks do > start companies to make up deficiencies in what large vendors ignore, how far > off base in my thinking am I? > > > ************************************************************************* > This communication, including attachments, is > for the exclusive use of addressee and may contain proprietary, > confidential and/or privileged information. If you are not the intended > recipient, any use, copying, disclosure, dissemination or distribution is > strictly prohibited. If you are not the intended recipient, please notify > the sender immediately by return e-mail, delete this communication and > destroy all copies. > ************************************************************************* > > > _______________________________________________ > Secure Coding mailing list (SC-L) SC-L at securecoding.org > List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) > as a free, non-commercial service to the software security community. > _______________________________________________ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20061221/a756b883/attachment.html From gem at cigital.com Thu Dec 21 10:56:20 2006 From: gem at cigital.com (Gary McGraw) Date: Thu, 21 Dec 2006 10:56:20 -0500 Subject: [SC-L] Compilers Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7E81B0@va-mail.cigital.com> Integration of some of the static techniques found in tools like fortify into compilers does make sense. However, not all of the kinds of things should be put in the compiler (how many coders do you know that use the -Wall??!). So one use case for some of the knowledge would be compiler enforcement. Note that compilers are notorious for computing and then throwing out many things statically. They are designed to get their transformation business done, not to do real analysis. Still other things should be worked directly into the languages. C and C++ suck for security. And most importantly, rules tailored directly to the enterprise situation at hand require a platform like fortify. At cigital we have developed sets of custom rules for customers with great results. This cuts down false positives and makes it possible to enforce guidelines and standards that make sense for the business (think J2EE here). Bottom line...we need it all, and we need it now. gem P.S. Ken's course was co-designed by me and is based on my book. You might pick up a copy. company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com -----Original Message----- From: McGovern, James F (HTSC, IT) [mailto:James.McGovern at thehartford.com] Sent: Thu Dec 21 10:47:50 2006 To: Secure Coding Subject: [SC-L] Compilers I have been noodling the problem space of secure coding after attending a wonderful class taught by Ken Van Wyk. I have been casually checking out Fortify, Ounce Labs, etc and have a thought that this stuff should really be part of the compiler and not a standalone product. Understanding that folks do start companies to make up deficiencies in what large vendors ignore, how far off base in my thinking am I? ************************************************************************* This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies. ************************************************************************* ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From ljknews at mac.com Thu Dec 21 11:19:14 2006 From: ljknews at mac.com (ljknews) Date: Thu, 21 Dec 2006 11:19:14 -0500 Subject: [SC-L] Compilers In-Reply-To: <773F863A6009244B87E6E866AFC7DB46019CA177@AD1HFDEXC309.ad1.prod> References: <773F863A6009244B87E6E866AFC7DB46019CA177@AD1HFDEXC309.ad1.prod> Message-ID: At 10:30 AM -0500 12/21/06, McGovern, James F (HTSC, IT) wrote: > Content-class: urn:content-classes:message > Content-Type: multipart/alternative; > boundary="----_=_NextPart_001_01C72514.FE7A042C" > > I have been noodling the problem space of secure coding after attending a >wonderful class taught by Ken Van Wyk. I have been casually checking out >Fortify, Ounce Labs, etc and have a thought that this stuff should really >be part of the compiler and not a standalone product. Understanding that >folks do start companies to make up deficiencies in what large vendors >ignore, how far off base in my thinking am I? Isn't the whole basis of Spark a matter of adding proof statements in the comments ? I don't think the general compiler marketplace would go for that built-in to compilers. After all: 1. The Praxis implementation can be used with multiple compilers 2. The compiler market is so immature that some people are still using C, C++ and Java. But for the high-integrity market, Spark seems to fit the bill. -- Larry Kilgallen From James.McGovern at thehartford.com Thu Dec 21 11:38:28 2006 From: James.McGovern at thehartford.com (McGovern, James F (HTSC, IT)) Date: Thu, 21 Dec 2006 11:38:28 -0500 Subject: [SC-L] Compilers In-Reply-To: Message-ID: <773F863A6009244B87E6E866AFC7DB46019CA18A@AD1HFDEXC309.ad1.prod> Gunnar, I think the problem space of secure coding will never be pervasively solved if it relies on the licensing of tools for every developer on the planet. Folks have been conditioned to not pay for developer level tools and now use Eclipse, etc. Putting it only in the hands of a few folks may be useful or it may be futile, only time will tell. In terms of your analogy of using try/catch blocks, I would say the following: First, languages within the last ten years require you to use them and they are not optional for the developer to skip in many situations. Second, compilers actually check try/catch blocks which says that compilers can and do play an important role which the community should leverage vs avoid. This does beg another question of should the community be helping the folks who design languages to build in security-oriented constructs that we can leverage instead of waiting for after-the-fact find-it utilities? -----Original Message----- From: Gunnar Peterson [mailto:gunnar at arctecgroup.net] Sent: Thursday, December 21, 2006 10:55 AM To: McGovern, James F (HTSC, IT); Secure Mailing List Subject: Re: [SC-L] Compilers Sure it should be built into the language, and I assume it will be eventually. Heck it only took 30 or 40 years for people to force developers to use Try...Catch blocks. -gp On 12/21/06 9:30 AM, "McGovern, James F (HTSC, IT)" wrote: I have been noodling the problem space of secure coding after attending a wonderful class taught by Ken Van Wyk. I have been casually checking out Fortify, Ounce Labs, etc and have a thought that this stuff should really be part of the compiler and not a standalone product. Understanding that folks do start companies to make up deficiencies in what large vendors ignore, how far off base in my thinking am I? ************************************************************************* This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies. ************************************************************************* _____ _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC ( http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20061221/8df67565/attachment.html From jms at bughunter.ca Thu Dec 21 12:27:21 2006 From: jms at bughunter.ca (J. M. Seitz) Date: Thu, 21 Dec 2006 09:27:21 -0800 Subject: [SC-L] Compilers In-Reply-To: <773F863A6009244B87E6E866AFC7DB46019CA18A@AD1HFDEXC309.ad1.prod> Message-ID: <00a401c72525$46c03dd0$8119fea9@jseitz> Once again though, using security-oriented constructs requires that the developers use them and use them correctly. Static code analysis tools (like Fortify) aren't after-the-fact, they should be inline during the process of development. If you can create a development process and environment of security you have won 90% of the war and the Klingons shall subside when the mighty static analysis ship sails into port. Now relying solely on a black box testing suite or a fuzzer, is just validating the code your attackers already know is weak. Don't get me wrong, I incorporate some fuzzing in our testing process, but this is only because its repeatable, automated, and it enables me to spend some time answering emails to interesting mailing lists. :) JS _____ From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of McGovern, James F (HTSC, IT) Sent: Thursday, December 21, 2006 8:38 AM To: Gunnar Peterson Cc: Secure Mailing List Subject: Re: [SC-L] Compilers Gunnar, I think the problem space of secure coding will never be pervasively solved if it relies on the licensing of tools for every developer on the planet. Folks have been conditioned to not pay for developer level tools and now use Eclipse, etc. Putting it only in the hands of a few folks may be useful or it may be futile, only time will tell. In terms of your analogy of using try/catch blocks, I would say the following: First, languages within the last ten years require you to use them and they are not optional for the developer to skip in many situations. Second, compilers actually check try/catch blocks which says that compilers can and do play an important role which the community should leverage vs avoid. This does beg another question of should the community be helping the folks who design languages to build in security-oriented constructs that we can leverage instead of waiting for after-the-fact find-it utilities? -----Original Message----- From: Gunnar Peterson [mailto:gunnar at arctecgroup.net] Sent: Thursday, December 21, 2006 10:55 AM To: McGovern, James F (HTSC, IT); Secure Mailing List Subject: Re: [SC-L] Compilers Sure it should be built into the language, and I assume it will be eventually. Heck it only took 30 or 40 years for people to force developers to use Try...Catch blocks. -gp On 12/21/06 9:30 AM, "McGovern, James F (HTSC, IT)" wrote: I have been noodling the problem space of secure coding after attending a wonderful class taught by Ken Van Wyk. I have been casually checking out Fortify, Ounce Labs, etc and have a thought that this stuff should really be part of the compiler and not a standalone product. Understanding that folks do start companies to make up deficiencies in what large vendors ignore, how far off base in my thinking am I? ************************************************************************* This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies. ************************************************************************* _____ _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20061221/140a9adc/attachment.html From stephen at corsaire.com Thu Dec 21 12:30:02 2006 From: stephen at corsaire.com (Stephen de Vries) Date: Fri, 22 Dec 2006 00:30:02 +0700 Subject: [SC-L] Compilers In-Reply-To: References: <773F863A6009244B87E6E866AFC7DB46019CA177@AD1HFDEXC309.ad1.prod> Message-ID: <200612211730.kBLHUvgN051275@ratsass.krvw.com> On 21 Dec 2006, at 23:19, ljknews wrote: > > Isn't the whole basis of Spark a matter of adding proof statements in > the comments ? You can achieve very similar goals by using unit tests. Although the tests are not integrated into the code as tightly as something like Spark (or enforcing rules in the compiler), they are considered part of the source. IMO unit and integration testing are vastly underutilised for performing security tests which is a shame because all the infrastructure, tools and skills are there - developers (and security testers) just need to start implementing security tests in addition to the functional tests. [shameless plug] I wrote a paper about this for OWASP a few months back: http://www.corsaire.com/white-papers/060531-security-testing-web- applications-through-automated-software-tests.pdf -- Stephen de Vries Corsaire Ltd E-mail: stephen at corsaire.com Tel: +44 1483 226014 Fax: +44 1483 226068 Web: http://www.corsaire.com ---------------------------------------------------------------------- CONFIDENTIALITY: This e-mail and any files transmitted with it are confidential and intended solely for the use of the recipient(s) only. Any review, retransmission, dissemination or other use of, or taking any action in reliance upon this information by persons or entities other than the intended recipient(s) is prohibited. If you have received this e-mail in error please notify the sender immediately and destroy the material whether stored on a computer or otherwise. ---------------------------------------------------------------------- DISCLAIMER: Any views or opinions presented within this e-mail are solely those of the author and do not necessarily represent those of Corsaire Limited, unless otherwise specifically stated. ---------------------------------------------------------------------- Corsaire Limited, 3 Tannery House, Tannery Lane, Send, Surrey, GU23 7EF Telephone: +44(0)1483-226000 Email:info at corsaire.com From ljknews at mac.com Thu Dec 21 13:24:37 2006 From: ljknews at mac.com (ljknews) Date: Thu, 21 Dec 2006 13:24:37 -0500 Subject: [SC-L] Compilers In-Reply-To: <773F863A6009244B87E6E866AFC7DB46019CA18A@AD1HFDEXC309.ad1.prod> References: <773F863A6009244B87E6E866AFC7DB46019CA18A@AD1HFDEXC309.ad1.prod> Message-ID: At 11:38 AM -0500 12/21/06, McGovern, James F (HTSC, IT) wrote: > This does beg another question of should the community be helping the > folks who design languages to build in security-oriented constructs that > we can leverage instead of waiting for after-the-fact find-it utilities? Language designers do what suits their purpose. Some language designers have security as their purpose. If your goal is to convince the other language designers they should take a different attitude, the best path is to patronize those languages that have taken security seriously. Today, very few language users are willing to do that. -- Larry Kilgallen From atemin at mitre.org Thu Dec 21 13:38:28 2006 From: atemin at mitre.org (Temin, Aaron L.) Date: Thu, 21 Dec 2006 13:38:28 -0500 Subject: [SC-L] Compilers In-Reply-To: <773F863A6009244B87E6E866AFC7DB46019CA177@AD1HFDEXC309.ad1.prod> Message-ID: It would be worth knowing more about the basis you use for drawing the conclusion, but if it's just the overlap between compilers and static analyzers represented by the abstract syntax tree, I don't think that's enough to warrant building one into the other (it might argue for having a shared parser, but I don't think parsers are hard enough to build to make that worthwhile). I would also suggest that looking for security weaknesses fits more into the unit testing part of development rather than the compiling part. As for "standalone," I think Jtest is built as an Eclipse plug-in; I don't know if you'd consider that standalone or not, but at least the developer doens't have to start up another shell to run it. Also, depending on the customer's organization, it might not be the developer who is running the security static analysis. I was talking with an organization that was thinking of having the security group run the static analysis, as part of the acceptance phase of an iteration. - Aaron ________________________________ From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of McGovern, James F (HTSC, IT) Sent: Thursday, December 21, 2006 10:31 AM To: Secure Coding Subject: [SC-L] Compilers I have been noodling the problem space of secure coding after attending a wonderful class taught by Ken Van Wyk. I have been casually checking out Fortify, Ounce Labs, etc and have a thought that this stuff should really be part of the compiler and not a standalone product. Understanding that folks do start companies to make up deficiencies in what large vendors ignore, how far off base in my thinking am I? *********************************************************************** ** This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies. *********************************************************************** ** -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20061221/6cf1a382/attachment.html From rcs at cert.org Thu Dec 21 13:57:28 2006 From: rcs at cert.org (Robert C. Seacord) Date: Thu, 21 Dec 2006 13:57:28 -0500 Subject: [SC-L] Compilers In-Reply-To: <773F863A6009244B87E6E866AFC7DB46019CA177@AD1HFDEXC309.ad1.prod> References: <773F863A6009244B87E6E866AFC7DB46019CA177@AD1HFDEXC309.ad1.prod> Message-ID: <458AD918.8040101@cert.org> James, Response below. > I have been noodling the problem space of secure coding after > attending a wonderful class taught by Ken Van Wyk. I have been > casually checking out Fortify, Ounce Labs, etc and have a thought that > this stuff should really be part of the compiler and not a standalone > product. Understanding that folks do start companies to make up > deficiencies in what large vendors ignore, how far off base in my > thinking am I? Tom Plum (from Plum Hall, Inc.) is developing a solution called Safe/Secure C/C++ (SSCC) that might interest you (http://www.plumhall.com/sscc.html). SSCC incorporates static-analysis methods into the compiler as well adding as run-time protections schemes to eliminate buffer overflows as well as mitigate against other types of vulnerabilities. (I know that the claim seems exaggerated, but the approach seems quite sound and I have yet to identify a case that SSCC can not eliminate). Anyway, there is more information on his web site and I have cc'd Tom on this message in case you would like to contact him directly. rCs From info at secappdev.org Thu Dec 21 14:59:40 2006 From: info at secappdev.org (Johan Peeters) Date: Thu, 21 Dec 2006 20:59:40 +0100 Subject: [SC-L] secure application development course Message-ID: <458AE7AC.8090109@secappdev.org> Katholieke Universiteit Leuven organizes an intensive course on secure application development for experienced software practitioners, in partnership with Solvay Business School and L-Sec (Leuven Security Excellence Consortium), from February 26th to March 2nd 2007. The course is aimed at software architects, designers, developers, testers and technical project managers and is limited to 25 places for optimal interaction. The world class instructors have wide-ranging experience in academia and industry and are experts in application security. They include prof. Bart Preneel who heads COSIC, the renowned crypto lab, prof. Frank Piessens of K.U.L. who pioneered teaching application security at university level, Ken van Wyk, co-founder of the CERT Coordination Center, prof. Dan Wallach of Rice University who is well-known for his seminal work on the Java sandbox and Danny De Cock, a COSIC researcher, whose web site is the foremost repository of technical information on the Belgian eID card. The course focuses on secure software engineering principles and techniques for countering threats and vulnerabilities in today's target environments. It provides participants with a thorough grounding in application security. The course takes place in the Groot Begijnhof in Leuven, Belgium, a UNESCO World Heritage site. Registration is on a first-come, first-served basis. For more information visit the web site: http://secappdev.org. -- Johan Peeters program director http://www.secappdev.org +32 16 649000 From dwheeler at ida.org Thu Dec 21 17:05:03 2006 From: dwheeler at ida.org (David A. Wheeler) Date: Thu, 21 Dec 2006 17:05:03 -0500 Subject: [SC-L] Compilers In-Reply-To: References: Message-ID: <458B050F.4070309@ida.org> "McGovern, James F $HTSC, IT$" > I have been noodling the problem space of secure coding after attending > a wonderful class taught by Ken Van Wyk. I have been casually checking > out Fortify, Ounce Labs, etc and have a thought that this stuff should > really be part of the compiler and not a standalone product. > Understanding that folks do start companies to make up deficiencies > in what large vendors ignore, how far off base in my thinking am I? You're on-track. Indeed, you can see little pieces of it happening. I'll use gcc as an example, because it's one of the most widely used C/C++ compilers in the world. In the last few years much has been added to gcc, including the ability to detect format string errors and many mechanisms to help counter buffer overflows (randomization, StackGuard & later IBM's ProPolice sort-of-reimplementation, etc.). I expect more detection and prevention mechanisms to go into gcc C/C++ compilers in the future. But I think you're not going far enough back. Compilers or interpreters are very much limited by the language (notation) they're trying to support. It's hideously hard to retrofit many kinds of detection into C/C++, because programs written in those notations just don't have enough information to easily determine if things are okay. Buffer overflows are an obvious example; they can't even OCCUR in most languages, but are rife in C/C++ because information about buffer size is not necessarily available to a buffer user (yes, I know about C++'s STL, but you don't HAVE to use it). Which is why separate tools are used -- the analysis work can be hideously hard. It's better to have a language (including its library) where the problem can't occur (e.g., because it's trivial to detect it) or is at least unlikely/hard (e.g., make the "easy" way the secure way). Java (and its clone C#) avoid many problems by DESIGN instead of happenstance, e.g., you can't (normally) have buffer overflows (in normal protected code they can't happen). Even stupid stuff like = vs. == mixing goes away (mostly). If a language is designed to make it EASY to do the right thing, the right thing is more likely to occur. PHP, especially old versions, is an obvious case in point. Old versions (where global_registers was true by default) are almost impossible to write secure software for. I will say that at least the PHP folks were willing to change their language when it was realized that their language's design made it nearly impossible to be secure. I wish they'd take more steps, but on the other hand, other language communities are unwilling to take even small steps to eliminate sharp edges from their languages. --- David A. Wheeler From gem at cigital.com Thu Dec 21 21:27:01 2006 From: gem at cigital.com (Gary McGraw) Date: Thu, 21 Dec 2006 21:27:01 -0500 Subject: [SC-L] Compilers Message-ID: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7E81E0@va-mail.cigital.com> I have a better idead. Stop using C++. Jeeze. gem -----Original Message----- From: Robert C. Seacord [mailto:rcs at cert.org] Sent: Thu Dec 21 20:40:35 2006 To: McGovern, James F (HTSC, IT) Cc: Thomas Plum; Secure Coding Subject: Re: [SC-L] Compilers James, Response below. > I have been noodling the problem space of secure coding after > attending a wonderful class taught by Ken Van Wyk. I have been > casually checking out Fortify, Ounce Labs, etc and have a thought that > this stuff should really be part of the compiler and not a standalone > product. Understanding that folks do start companies to make up > deficiencies in what large vendors ignore, how far off base in my > thinking am I? Tom Plum (from Plum Hall, Inc.) is developing a solution called Safe/Secure C/C++ (SSCC) that might interest you (http://www.plumhall.com/sscc.html). SSCC incorporates static-analysis methods into the compiler as well adding as run-time protections schemes to eliminate buffer overflows as well as mitigate against other types of vulnerabilities. (I know that the claim seems exaggerated, but the approach seems quite sound and I have yet to identify a case that SSCC can not eliminate). Anyway, there is more information on his web site and I have cc'd Tom on this message in case you would like to contact him directly. rCs _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________ ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- From michaelslists at gmail.com Fri Dec 22 08:14:08 2006 From: michaelslists at gmail.com (mikeiscool) Date: Sat, 23 Dec 2006 00:14:08 +1100 Subject: [SC-L] Compilers In-Reply-To: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7E81E0@va-mail.cigital.com> References: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7E81E0@va-mail.cigital.com> Message-ID: <5e01c29a0612220514g5936e98cqd6c4975ee34a7f3@mail.gmail.com> On 12/22/06, Gary McGraw wrote: > I have a better idead. Stop using C++. Jeeze. Even better then that; stop programming insecurely. > gem *rolleyes* -- mic From james.walden at gmail.com Fri Dec 22 14:20:48 2006 From: james.walden at gmail.com (James Walden) Date: Fri, 22 Dec 2006 14:20:48 -0500 Subject: [SC-L] Compilers In-Reply-To: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7E81E0@va-mail.cigital.com> References: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7E81E0@va-mail.cigital.com> Message-ID: <21c655860612221120q6532e82ag5ecda5be6f2735ca@mail.gmail.com> On 12/21/06, Gary McGraw wrote: > > I have a better idead. Stop using C++. Jeeze. I'll second that recommendation. Given the abundance of better languages, there are few good reasons to use dangerous languages like C++ on new projects. It's easier and less time consuming to learn a new safe language than to use C++ securely. James Walden -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20061222/bca61141/attachment.html From james.walden at gmail.com Fri Dec 22 14:30:02 2006 From: james.walden at gmail.com (James Walden) Date: Fri, 22 Dec 2006 14:30:02 -0500 Subject: [SC-L] Compilers In-Reply-To: <200612211730.kBLHUvgN051275@ratsass.krvw.com> References: <773F863A6009244B87E6E866AFC7DB46019CA177@AD1HFDEXC309.ad1.prod> <200612211730.kBLHUvgN051275@ratsass.krvw.com> Message-ID: <21c655860612221130s439e245fl69d2aa12d2adee59@mail.gmail.com> On 12/21/06, Stephen de Vries wrote: > You can achieve very similar goals by using unit tests. Although the > tests are not integrated into the code as tightly as something like > Spark (or enforcing rules in the compiler), they are considered part > of the source. IMO unit and integration testing are vastly > underutilised for performing security tests which is a shame because > all the infrastructure, tools and skills are there - developers (and > security testers) just need to start implementing security tests in > addition to the functional tests. I agree that it's important to test the security of your software and I like test-driven development, but unit tests are not a replacement for static analysis assisted code reviews. Likewise, static analysis and code reviews aren't a substitute for security testing. Security tests attempt to find bad input and verify that the program handles it correctly, but you can't guarantee that you've found every possible type of bad input. Unit tests have the additional problem that input which may be safe for the current unit may become dangerous when interpreted differently in a different unit of the program (e.g., ' OR 1-1--' is just text to your web application, but your database may interpret it as code.) Code reviews find different bugs than tests do, and they typically find them faster, so good testing practices are not an excuse to ignore static analysis and code reviews. Tests also find different bugs than code reviews do. If your static analysis tool doesn't have a rule to detect a particular class of security bug, it obviously won't find it, but your testers might have the experience to test for it. James Walden -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20061222/92e2ceac/attachment.html From crispin at novell.com Mon Dec 25 18:39:59 2006 From: crispin at novell.com (Crispin Cowan) Date: Mon, 25 Dec 2006 15:39:59 -0800 Subject: [SC-L] Compilers In-Reply-To: References: <773F863A6009244B87E6E866AFC7DB46019CA177@AD1HFDEXC309.ad1.prod> Message-ID: <4590614F.5040108@novell.com> ljknews wrote: > 2. The compiler market is so immature that some people are still > using C, C++ and Java. > I'm with you on the C and C++ argument, but what is immature about Java? I thought Java was a huge step forward, because for the first time, a statically typesafe language was widely popular. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com Hacking is exploiting the gap between "intent" and "implementation" From tholleb at teknowledge.com Wed Dec 27 13:50:55 2006 From: tholleb at teknowledge.com (Tim Hollebeek) Date: Wed, 27 Dec 2006 10:50:55 -0800 Subject: [SC-L] Compilers In-Reply-To: <3F5AB9CDDAD2CC4A80D0FCDCF2755DFB7E81B0@va-mail.cigital.com> Message-ID: <200612271854.kBRIsWc2035342@ratsass.krvw.com> > However, not > all of the kinds of things should be put in the compiler (how > many coders do you know that use the -Wall??!). All the decent ones??? I remember people talking about "Warning free with -Wall" as a minimal requirement, and personally using that standard, over 15 years ago. And that was just for code quality reasons. Granted, many monkeys with keyboards were pulled into the industry during the 90s IT boom, but are shops that insist on warning free compiles really that rare? I'm not sure "How can we create secure software in an environment where people don't even conform to minimalist software engineering principles?" is a helpful topic for discussion as a way forward, no matter how useful it may be as a source for tool and consulting revenue. Tim Hollebeek Research Scientist Teknowledge Corp. From secureCoding2dave at davearonson.com Wed Dec 27 14:59:59 2006 From: secureCoding2dave at davearonson.com (SC-L Subscriber Dave Aronson) Date: Wed, 27 Dec 2006 19:59:59 +0000 Subject: [SC-L] Compilers Message-ID: Tim Hollebeek [mailto:tholleb at teknowledge.com] wonders: > are shops that insist on warning free compiles really that rare? Yes. I've worked for or with many companies over the years, totalling probably somewhere in the mid-teens or so. In all that, there was, to the best of my recollection, only ONE that insisted on it, other than my own "one man show". Add to that, numerous open source apps I've compiled; I haven't kept track of how many were warning-free, but it's rare enough that I consider it a pleasant surprise. In several projects, I fixed some nasty bugs (inherited from other people) by turning warnings on (they were often totally suppressed!), and fixing the things that the warnings were trying to warn me about. This is of course obvious to you and me, and probably to most of this list, but apparently not to the vast majority of programmers (even so-called software engineers), let alone people in any position of authority to set such policies. :-( -Dave -- Dave Aronson "Specialization is for insects." -Heinlein Work: http://www.davearonson.com/ Play: http://www.davearonson.net/ From leichter_jerrold at emc.com Wed Dec 27 17:30:21 2006 From: leichter_jerrold at emc.com (Leichter, Jerry) Date: Wed, 27 Dec 2006 17:30:21 -0500 (EST) Subject: [SC-L] Compilers In-Reply-To: References: Message-ID: | > are shops that insist on warning free compiles really that rare? | | Yes. I've worked for or with many companies over the years, totalling | probably somewhere in the mid-teens or so. In all that, there was, to the | best of my recollection, only ONE that insisted on it, other than my own | "one man show". Add to that, numerous open source apps I've compiled; I | haven't kept track of how many were warning-free, but it's rare enough that | I consider it a pleasant surprise. | | In several projects, I fixed some nasty bugs (inherited from other people) | by turning warnings on (they were often totally suppressed!), and fixing the | things that the warnings were trying to warn me about. This is of course | obvious to you and me, and probably to most of this list, but apparently not | to the vast majority of programmers (even so-called software engineers), let | alone people in any position of authority to set such policies. :-( I have no idea how common it actually is, but based on my own experience - where I required it from my guys and we enforced it on software written by others - it's not very common. Unless you push for it, very few programmers will even think about it. (In fact, unless you're in a position to control the compiler options - I was - most programmers will set them to just shut the damn compiler up.) A couple of issues are relevant here, however: - The level of warnings available in compilers varies, and some of the warnings are ... dumb. We built on maybe 5 different compilers, and you could easily find examples where only one compiler would warn on something. On the other hand, you ran into things like Microsoft compilers that warned about "u == 1" when u was unsigned, or compilers that got confused about control flow and warned about unreachable code that wasn't, or alternatively about loops with no exits (which had them). These are allo annoyances one can work around with sufficient will, but you have to *want* to. - If you're not *really* careful in teaching people about how to fix warnings, they will hide them. In C and C++, all too many warnings get hidden by a cast here and there. (I always quote Henry Spencer's classic comment: If you lie to the compiler it will get its revenge.) A more subtle problem I've seen is "fixing" a warning tht some variable isn't initialized along some path by simply setting it to some arbitrary value - almost always 0, actually - in its declaration. This one is particularly bad because many style guides recommend that you always initialize every value on declaration. (Note that in C++, everything but the basic types inherited from C is always initialized - even if to a value that may be meaningless in context. As a result, you lose a valuable potential warning. The advice that you never declare a variable until you know what to initialize it to fails in the common code sequence: T v; if (condition) v = f1(); else v = f2(); where both f1() and f2() are expensive, so you can't make either the default. This isn't a C++ issue, BTW - safe languages generally require that a variable *always* receive some valid value. (Java does do a lot of work to recover the notion of a variable being "undefined" before its use. Bravo.) -- Jerry From dwheeler at ida.org Thu Dec 28 13:56:57 2006 From: dwheeler at ida.org (David A. Wheeler) Date: Thu, 28 Dec 2006 13:56:57 -0500 Subject: [SC-L] Compilers In-Reply-To: References: Message-ID: <45941379.6000103@ida.org> I _strongly_ encourage development with "maximal" warnings turned on. However, this does have some side-effects because many compilers give excessive spurious warnings. It's especially difficult to do with pre-existing code (the effort can be herculean). An interesting discussion about warning problems in the Linux kernel can be found here: http://lwn.net/Articles/207030/ Ideally compiler writers should treat spurious warnings as serious bugs, or people will quickly learn to ignore all warnings. The challenge is that it can be difficult to determine what is "spurious" without also making the warning not report what it SHOULD report. It's a classic false positive vs. false negative problem for all static tools, made especially hard in languages where there isn't a lot of information to work with. --- David A. Wheeler From leichter_jerrold at emc.com Fri Dec 29 09:46:16 2006 From: leichter_jerrold at emc.com (Leichter, Jerry) Date: Fri, 29 Dec 2006 09:46:16 -0500 (EST) Subject: [SC-L] Compilers In-Reply-To: <45941379.6000103@ida.org> References: <45941379.6000103@ida.org> Message-ID: | I _strongly_ encourage development with "maximal" warnings turned on. | However, this does have some side-effects because many compilers | give excessive spurious warnings. It's especially difficult to | do with pre-existing code (the effort can be herculean). Agreed. Writing for maximum freedom from warnings is a learned skill, and a discipline. Mainly it involves avoiding certain kinds of constructs that, when all is said and done, are usually as confusing to human readers as they are to compilers. There is a great deal of overlap among "writing for no warnings", "writing for maximum portability", "writing for clarity", and "writing for provability". What they all come down to is: The code sticks to the meaning of the language definition and avoids all ambiguity; it has only one possible interpretation, and coming to that interpretation requires minimum work. That said, there will always be cases where maximum speed, minimum size, or some other external constraint drive you to do things that don't meet these constraints. Some of these are reasonable. Bubble sort is "obviously correct"; no O(N log N) sort is. There are places where you have to use comments to refer to a proof and the kind of checking required becomes very different. And there are places where every nanosecond and every byte really matters. The conceit of all too many programmers is that *their* code is *obviously* one of those cases. It almost certainly isn't. | An interesting discussion about warning problems in the Linux kernel | can be found here: | http://lwn.net/Articles/207030/ There's example given there of: bool flag = false; some_type* pointer; if (some_condition_is_true()) { flag = true; pointer = expensive_allocation_function(); } do_something_else(); if (flag) { use_the_fine(pointer); } The compiler will warn that the call to use_the_fine() might be called with an uninitialized pointer. Noticing the tie between flag being true and pointer being initialized is beyond gcc, and probably beyond any compiler other than some research tools. Then again, it's not so easy for a human either beyond a trivial example like this! There's an obvious way to change this code that is simultaneously warning-free, clearer - it says exactly what it means - and smaller and equally fast on all modern architectures: Get rid of flag, initialize pointer to NULL, then change the test of flag to test whether pointer is non-NULL. (Granted, this is reading into the semantics of "expensive_allocation_function()".) Someone mentions this in one response, but none of the other respondents pick up on the idea and the discussion instead goes off into very different directions. There's also no discussion of the actual cost in the generated code of, say, initializing pointer to NULL. After all, it's certainly going to be in a register; clearing a register will be cheap. And the compiler might not even be smart enough to avoid a pointless load from uninitialized memory of pointer is *not* given an initial value. (There is one nice idea in the discussion: Having the compiler tell you that some variable *could* have been declared const, but wasn't.) I find this kind of sideways discussion all too common when you start talking about eliminating warnings. | Ideally compiler writers should treat spurious warnings as serious bugs, | or people will quickly learn to ignore all warnings. | The challenge is that it can be difficult to determine what is | "spurious" without also making the warning not report what it SHOULD | report. It's a classic false positive vs. false negative problem | for all static tools, made especially hard in languages where | there isn't a lot of information to work with. Having assertions actually part of the language is a big help here. This is all too rare. -- Jerry | --- David A. Wheeler From rcs at cert.org Fri Dec 29 13:41:38 2006 From: rcs at cert.org (Robert C. Seacord) Date: Fri, 29 Dec 2006 13:41:38 -0500 Subject: [SC-L] temporary directories In-Reply-To: References: <45941379.6000103@ida.org> Message-ID: <45956162.1060405@cert.org> I've seen advice here and there to use the mkdtemp() function to create temporary directories, for example: - Kris Kennaway email at http://lwn.net/2000/1221/a/sec-tmp.php3 recommends them - David Wheeler's Secure Programming for Linux and Unix HOWTO at http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO.html mentions it may not be a good idea if tmp cleaners are in use (but this sort of suggests maybe it is ok if they are not.) - HP 03 Tru64 UNIX Protecting Your System Against File Name Spoofing Attacks. January 2003. http://h30097.www3.hp.com/docs/wpapers/spoof_wp/symlink_external.pdf - etc. The mkdtemp() function generates a uniquely-named temporary directory from template. This function appears to work exactly like mktemp() works for files, except of course mktemp() has been widely discredited because of possible TOCTOU conditions and problems generating unique, unpredictable names. So my question is, why is mkdtemp() considered safe? Isn't it also susceptible to race conditions? Is there a reason why these race conditions are not at issue in this case? Or is it only considered safe because there is no alternative? Thanks, rCs From ljknews at mac.com Fri Dec 29 15:28:13 2006 From: ljknews at mac.com (ljknews) Date: Fri, 29 Dec 2006 15:28:13 -0500 Subject: [SC-L] temporary directories In-Reply-To: <45956162.1060405@cert.org> References: <45941379.6000103@ida.org> <45956162.1060405@cert.org> Message-ID: At 1:41 PM -0500 12/29/06, Robert C. Seacord wrote: > I've seen advice here and there to use the mkdtemp() function to create > temporary directories, for example: > > - Kris Kennaway email at http://lwn.net/2000/1221/a/sec-tmp.php3 > recommends them > > - David Wheeler's Secure Programming for Linux and Unix HOWTO at > http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO.html > mentions it may not be a good idea if tmp cleaners are in use (but this > sort of suggests maybe it is ok if they are not.) > > - HP 03 Tru64 UNIX Protecting Your System Against File Name Spoofing > Attacks. January 2003. > http://h30097.www3.hp.com/docs/wpapers/spoof_wp/symlink_external.pdf > > - etc. > > The mkdtemp() function generates a uniquely-named temporary directory > from template. This function appears to work exactly like mktemp() > works for files, except of course mktemp() has been widely discredited > because of possible TOCTOU conditions and problems generating unique, > unpredictable names. > > So my question is, why is mkdtemp() considered safe? Isn't it also > susceptible to race conditions? Is there a reason why these race > conditions are not at issue in this case? Or is it only considered safe > because there is no alternative? Not on Unix, but I tend to use temporary names based on the Process ID that is executing. And of course file protection prevents malevolent access. But for a temporary file, I will specify a file that is not in any directory. I presume there is such a capbility in Unix. -- Larry Kilgallen From fw at deneb.enyo.de Fri Dec 29 17:53:25 2006 From: fw at deneb.enyo.de (Florian Weimer) Date: Fri, 29 Dec 2006 23:53:25 +0100 Subject: [SC-L] Compilers In-Reply-To: <4590614F.5040108@novell.com> (Crispin Cowan's message of "Mon, 25 Dec 2006 15:39:59 -0800") References: <773F863A6009244B87E6E866AFC7DB46019CA177@AD1HFDEXC309.ad1.prod> <4590614F.5040108@novell.com> Message-ID: <87hcvemhzu.fsf@mid.deneb.enyo.de> * Crispin Cowan: > ljknews wrote: >> 2. The compiler market is so immature that some people are still >> using C, C++ and Java. > I'm with you on the C and C++ argument, but what is immature about Java? > I thought Java was a huge step forward, because for the first time, a > statically typesafe language was widely popular. Java is not statically typesafe, see the beloved ArrayStoreException (and other cases, depending what you mean by "statically typesafe"). And if you allow for more dynamic typing, Visual Basic gained more widespread usage even earlier. 8-P From leichter_jerrold at emc.com Fri Dec 29 18:56:53 2006 From: leichter_jerrold at emc.com (Leichter, Jerry) Date: Fri, 29 Dec 2006 18:56:53 -0500 (EST) Subject: [SC-L] temporary directories In-Reply-To: References: <45941379.6000103@ida.org> <45956162.1060405@cert.org> Message-ID: | Not on Unix, but I tend to use temporary names based on the Process ID | that is executing. And of course file protection prevents malevolent | access. | | But for a temporary file, I will specify a file that is not in any | directory. I presume there is such a capbility in Unix. You presume incorrectly. You're talking about VMS, where you can open a file by file id. The Unix analogue of a file id is an inode number, but no user-land call exists to access a file that way. You can only get to a file by following a path through the directory structure. In fact, all kinds of Unix code would become insecure if such a call were to be added: It's a common - and reasonable - assumption that accessing a file requires access to the (well, a) directory in which that file appears (not that it isn't prudent to also control access to the file itself). One can argue this both ways, but on the specific matter of safe access to temporary files, VMS code that uses FID access is much easier to get right than Unix code that inherently has to walk through directory trees. On the other hand, access by file id isn't - or wasn't; it's been years since I used VMS - supported directly by higher-level languages (though I vaguely recall that C had a mechanism for doing it). A mechanism that requires specialized, highly system-specific low-level code to do something so straightforward is certainly much better than no mechanism at all, but it's not something that will ever be used by more than a small couterie of advanced programmers. -- Jerry From ljknews at mac.com Fri Dec 29 20:49:01 2006 From: ljknews at mac.com (ljknews) Date: Fri, 29 Dec 2006 20:49:01 -0500 Subject: [SC-L] temporary directories In-Reply-To: References: <45941379.6000103@ida.org> <45956162.1060405@cert.org> Message-ID: At 6:56 PM -0500 12/29/06, Leichter, Jerry wrote: > | Not on Unix, but I tend to use temporary names based on the Process ID > | that is executing. And of course file protection prevents malevolent > | access. > | > | But for a temporary file, I will specify a file that is not in any > | directory. I presume there is such a capability in Unix. > You presume incorrectly. You're talking about VMS, where you can > open a file by file id. Actually, I was talking about using the FAB$V_TMD bit when creating the file. > One can argue this both ways, but on the specific matter of safe > access to temporary files, VMS code that uses FID access is much > easier to get right than Unix code that inherently has to walk > through directory trees. On the other hand, access by file id > isn't - or wasn't; it's been years since I used VMS - supported > directly by higher-level languages (though I vaguely recall that > C had a mechanism for doing it). In Ada invoking .CREATE with a null name will do the trick, although if your VMS experience ended before 1983 you would not have run into that. But how to program easily against VMS V4.1 when the latest version is VMS V8.3 is not a typical problem. I gather you are saying that the innards of Unix will force creation of an unwanted directory entry on the Ada implementation of the required null name support for .CREATE . The Ada implementation could rely on exclusive access to the file (surely Unix has that, right?) coupled with whatever Unix has that passes for the FAB$V_DLT bit to delete the file on Close (such as at ). But these are problems that have been solved by those who provided the Ada implementation (ACT and Aonix come to mind for Unix), and thus are not an issue for the high level language programmer. -- Larry Kilgallen From mouse at Rodents.Montreal.QC.CA Sat Dec 30 00:58:08 2006 From: mouse at Rodents.Montreal.QC.CA (der Mouse) Date: Sat, 30 Dec 2006 00:58:08 -0500 (EST) Subject: [SC-L] temporary directories In-Reply-To: References: <45941379.6000103@ida.org> <45956162.1060405@cert.org> Message-ID: <200612300604.BAA08439@Sparkle.Rodents.Montreal.QC.CA> >> But for a temporary file, I will specify a file that is not in any >> directory. I presume there is such a capbility in Unix. > You presume incorrectly. Yes and no. Unix does have files that do not have names in any directory. What it does not have is creation of such files without the existence (even transiently) of any name for them. To the extent that "Unix" is a single thing, that is. It wouldn't surprise me if some Unix variants had a way to do this. (If you're willing to accept a name in a directory which does not have a name anywhere except for its own ".", many of them do.) > You're talking about VMS, where you can open a file by file id. The > Unix analogue of a file id is an inode number, but no user-land call > exists to access a file that way. On many Unix variants, such a call does exist. See NetBSD's (and probably others') fhopen, for example. It's restricted to root, but it exists. /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML mouse at rodents.montreal.qc.ca / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B From mrockman at acm.org Sat Dec 30 05:03:51 2006 From: mrockman at acm.org (Mark Rockman) Date: Sat, 30 Dec 2006 05:03:51 -0500 Subject: [SC-L] temporary directories References: <45941379.6000103@ida.org> <45956162.1060405@cert.org> Message-ID: <001201c72bf9$cf662f20$ce00000a@mdrsesco.com> The old Sperry operating system from Unisys for successors to the 1108 computer has temporary files that are accessible only to the process that creates them. Such files can be treated as "directories," even though the file system on such machines is not tree-structured. Space allocated to temporary files is reclaimed when the file is no longer needed (as when the process terminates) and when the system unexpectedly reboots with processes running. This is interesting as there is no record of such files in the file naming system except, perhaps, for a few orphaned "granule" tables that map file relative addresses to device relative addresses. The security of temporary files on such systems is absolute as they cannot be accessed through the file naming system. Yet they are named exactly as are files that are accessible through the file naming system. The beauty of such temporary files is that they take care of themselves when abandoned: they don't hang around as entries in a catalogue waiting for some process to dispose of them. ----- Original Message ----- From: Leichter, Jerry To: ljknews Cc: sc-l at securecoding.org Sent: Friday, December 29, 2006 18:56 Subject: Re: [SC-L] temporary directories | Not on Unix, but I tend to use temporary names based on the Process ID | that is executing. And of course file protection prevents malevolent | access. | | But for a temporary file, I will specify a file that is not in any | directory. I presume there is such a capbility in Unix. You presume incorrectly. You're talking about VMS, where you can open a file by file id. The Unix analogue of a file id is an inode number, but no user-land call exists to access a file that way. You can only get to a file by following a path through the directory structure. In fact, all kinds of Unix code would become insecure if such a call were to be added: It's a common - and reasonable - assumption that accessing a file requires access to the (well, a) directory in which that file appears (not that it isn't prudent to also control access to the file itself). One can argue this both ways, but on the specific matter of safe access to temporary files, VMS code that uses FID access is much easier to get right than Unix code that inherently has to walk through directory trees. On the other hand, access by file id isn't - or wasn't; it's been years since I used VMS - supported directly by higher-level languages (though I vaguely recall that C had a mechanism for doing it). A mechanism that requires specialized, highly system-specific low-level code to do something so straightforward is certainly much better than no mechanism at all, but it's not something that will ever be used by more than a small couterie of advanced programmers. -- Jerry _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20061230/183fcad1/attachment-0001.html From leichter_jerrold at emc.com Sat Dec 30 08:45:56 2006 From: leichter_jerrold at emc.com (Leichter, Jerry) Date: Sat, 30 Dec 2006 08:45:56 -0500 (EST) Subject: [SC-L] temporary directories In-Reply-To: References: <45941379.6000103@ida.org> <45956162.1060405@cert.org> Message-ID: [MJoderator: This is likely beyond the point of general interest to sc-l] On Fri, 29 Dec 2006, ljknews wrote: | Date: Fri, 29 Dec 2006 20:49:01 -0500 | From: ljknews | To: sc-l at securecoding.org | Subject: Re: [SC-L] temporary directories | | At 6:56 PM -0500 12/29/06, Leichter, Jerry wrote: | | > | Not on Unix, but I tend to use temporary names based on the Process ID | > | that is executing. And of course file protection prevents malevolent | > | access. | > | | > | But for a temporary file, I will specify a file that is not in any | > | directory. I presume there is such a capability in Unix. | | > You presume incorrectly. You're talking about VMS, where you can | > open a file by file id. | | Actually, I was talking about using the FAB$V_TMD bit when creating | the file. The way one would get the effect of TMD on Unix is to create the file normally and, while keeping a descriptor open on it, delete it. The file will then "live" and be completely usable to this process or to any other process that either (a) already has it open (legitimately or because they snuck in on the race condition); (b) receives the open dexriptor by inheritance after a fork(); (c) receives the open descriptor by an explicit pass through a Unix-mode socket (a relatively little used facility). However, no one would be able to find the file through any file system entry, and no user-land code could get to it through its inode number even if it got its hands on that number. | > One can argue this both ways, but on the specific matter of safe | > access to temporary files, VMS code that uses FID access is much | > easier to get right than Unix code that inherently has to walk | > through directory trees. On the other hand, access by file id | > isn't - or wasn't; it's been years since I used VMS - supported | > directly by higher-level languages (though I vaguely recall that | > C had a mechanism for doing it). | | In Ada invoking .CREATE with a null name will do the | trick, although if your VMS experience ended before 1983 you would | not have run into that. But how to program easily against VMS V4.1 | when the latest version is VMS V8.3 is not a typical problem. I think the last VMS version I actively used was 5.4 or so. | I gather you are saying that the innards of Unix will force creation | of an unwanted directory entry on the Ada implementation of the required | null name support for .CREATE . The Ada implementation | could rely on exclusive access to the file (surely Unix has that, right?) Not typically, no. (There are extensions, but standard Unix has only advisory locking - i.e., locking enforced between processes that choose to make locking calls.) | coupled with whatever Unix has that passes for the FAB$V_DLT bit to | delete the file on Close (such as at ). There's no direct analogue. Unix inode's are reference-counted - a directory entry is a reference. There's no explicit way to delete a file - all you can do is get rid of all the references you can. If that gets the ref count down to 0, the file will disappear "eventually". (There's a separate count of open file descriptors to implement that "sticks around while open" semantics.) | But these are problems that have been solved by those who provided the | Ada implementation (ACT and Aonix come to mind for Unix), and thus are | not an issue for the high level language programmer. Presumably they do the create-the-file-and-immediately-delete-it trick. Since the file must, however briefly, have an entry in some directory. General purpose code can't make assuptions about what directories are available for writing, so pretty much has to put the entry in a known, public place - almost always /tmp or /var/tmp. Unless one does this very carefully, it's open to various attacks. (For one trivial example, there is no way to tell the open() call to *always* create a new file - you can only tell it "if the file already exists, don't open it, return an error instead". The code had better check for that error and do something appropriate or it can be fooled into using a file an attacker created and already has access to.) The techniques for doing this are complex enough - and the attacks if you don't do it *exactly* right obscure enough - that after all these years, attacks based on "insecure temporary file creation" are still reported regularly. (Frankly, even though I know that these problems exist, if you were to ask me to write a secure temporary file creator right now, I wouldn't try - I'd look for some existing code, because I doubt I'd get it right.) -- Jerry | -- | Larry Kilgallen | _______________________________________________ | Secure Coding mailing list (SC-L) SC-L at securecoding.org | List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l | List charter available at - http://www.securecoding.org/list/charter.php | SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) | as a free, non-commercial service to the software security community. | _______________________________________________ | | From fw at deneb.enyo.de Sat Dec 30 11:11:06 2006 From: fw at deneb.enyo.de (Florian Weimer) Date: Sat, 30 Dec 2006 17:11:06 +0100 Subject: [SC-L] temporary directories In-Reply-To: (ljknews@mac.com's message of "Fri, 29 Dec 2006 20:49:01 -0500") References: <45941379.6000103@ida.org> <45956162.1060405@cert.org> Message-ID: <87tzzd749x.fsf@mid.deneb.enyo.de> > I gather you are saying that the innards of Unix will force creation > of an unwanted directory entry on the Ada implementation of the required > null name support for .CREATE . The Ada implementation > could rely on exclusive access to the file (surely Unix has that, right?) You can create files in a way that fails if the file already exists, using the O_EXCL flag. (Rumors have it that this won't work reliably over NFS, though, but I don't see why.) > coupled with whatever Unix has that passes for the FAB$V_DLT bit to > delete the file on Close (such as at ). You can delete open files on Unix, so you could in theory unlink it after creation. But the whole discussion is moot because existing Ada code seems to require that temporary files have names. 8-/ > But these are problems that have been solved by those who provided the > Ada implementation (ACT and Aonix come to mind for Unix), and thus are > not an issue for the high level language programmer. AdaCore's implementation used mktemp and featured the usual race condition. From ljknews at mac.com Sat Dec 30 13:25:58 2006 From: ljknews at mac.com (ljknews) Date: Sat, 30 Dec 2006 13:25:58 -0500 Subject: [SC-L] temporary directories In-Reply-To: References: <45941379.6000103@ida.org> <45956162.1060405@cert.org> Message-ID: At 8:45 AM -0500 12/30/06, Leichter, Jerry wrote: > [MJoderator: This is likely beyond the point of general interest to sc-l] Actually, I disagree, in that it seems to expose a set of vulnerabilities not known even to language implementors. > On Fri, 29 Dec 2006, ljknews wrote: > | But these are problems that have been solved by those who provided the > | Ada implementation (ACT and Aonix come to mind for Unix), and thus are > | not an issue for the high level language programmer. > Presumably they do the create-the-file-and-immediately-delete-it trick. > Since the file must, however briefly, have an entry in some directory. > General purpose code can't make assuptions about what directories > are available for writing, so pretty much has to put the entry in > a known, public place - almost always /tmp or /var/tmp. Unless one > does this very carefully, it's open to various attacks. (For one > trivial example, there is no way to tell the open() call to *always* > create a new file - you can only tell it "if the file already exists, > don't open it, return an error instead". The code had better check > for that error and do something appropriate or it can be fooled into > using a file an attacker created and already has access to.) Certainly code that does not check for errors is inadequate. > The techniques for doing this are complex enough - and the attacks > if you don't do it *exactly* right obscure enough - that after all > these years, attacks based on "insecure temporary file creation" > are still reported regularly. (Frankly, even though I know that > these problems exist, if you were to ask me to write a secure > temporary file creator right now, I wouldn't try - I'd look for > some existing code, because I doubt I'd get it right.) Which is what one does when using the existing language implementation (except for the defect reported by Florian Weimer in this thread. -- Larry Kilgallen From ljknews at mac.com Sat Dec 30 13:28:13 2006 From: ljknews at mac.com (ljknews) Date: Sat, 30 Dec 2006 13:28:13 -0500 Subject: [SC-L] temporary directories In-Reply-To: <87tzzd749x.fsf@mid.deneb.enyo.de> References: <45941379.6000103@ida.org> <45956162.1060405@cert.org> <87tzzd749x.fsf@mid.deneb.enyo.de> Message-ID: At 5:11 PM +0100 12/30/06, Florian Weimer wrote: >> I gather you are saying that the innards of Unix will force creation >> of an unwanted directory entry on the Ada implementation of the required >> null name support for .CREATE . The Ada implementation >> could rely on exclusive access to the file (surely Unix has that, right?) > > You can create files in a way that fails if the file already exists, > using the O_EXCL flag. (Rumors have it that this won't work reliably > over NFS, though, but I don't see why.) > >> coupled with whatever Unix has that passes for the FAB$V_DLT bit to >> delete the file on Close (such as at ). > > You can delete open files on Unix, so you could in theory unlink it > after creation. > > But the whole discussion is moot because existing Ada code seems to > require that temporary files have names. 8-/ The Ada language does not have such a requirement, and in fact has a requirement that names are _not_ required for temporary files. >> But these are problems that have been solved by those who provided the >> Ada implementation (ACT and Aonix come to mind for Unix), and thus are >> not an issue for the high level language programmer. > > AdaCore's implementation used mktemp and featured the usual race > condition. Yucko !!! -- Larry Kilgallen From ge at linuxbox.org Sun Dec 31 21:51:07 2006 From: ge at linuxbox.org (Gadi Evron) Date: Sun, 31 Dec 2006 20:51:07 -0600 (CST) Subject: [SC-L] Luis Miras on automated exploit detection in binaries at CCC Message-ID: CCC was amazing, and here is the video for one of the lectures. http://video.google.com/videoplay?docid=-5897236579900914407&q=23c3