Secure Coding mailing list archives

BSIMM: Confessions of a Software Security Alchemist (informIT)


From: coley at linus.mitre.org (Steven M. Christey)
Date: Sun, 22 Mar 2009 14:30:31 -0400 (EDT)


On Sat, 21 Mar 2009, ljknews wrote:

> The root problem (and I do not care about the terminology)
> is that the C programming language promotes the use of
> uncounted strings.

I'd rephrase that because buffer overflows apply to many other data types
besides strings.  Anything using an array or pointer arithmetic is
potentially subject to overflows.  I have little doubt that when you
launch 200 simultaneous connections against a bunch of applications, some
of them will crash because the programmer only allocated enough memory to
store 100 connections at once.  A lot of the IOCTL overflows going on
right now are more about malformed data structures than strings, as are
many of the file format vulns.

- Steve
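To make the non-string case in the message above concrete, here is an added C illustration (not code from the thread or its authors): a fixed table of 100 connection structs, written once without a count check and once with one. The struct fields, the table layout and the 200-connection simulation are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_CONNECTIONS 100   /* only enough memory for 100 connections at once */

/* Constructed for the example: a small per-connection record, not a string. */
struct connection {
    uint32_t peer_ip;
    uint16_t peer_port;
    uint8_t  state;
};

struct conn_table {
    size_t count;
    struct connection slots[MAX_CONNECTIONS];
};

/* Uncounted variant: trusts the caller never to exceed the table.  The 101st
 * call writes a whole struct past the end of slots[] -- an overflow of a
 * data structure, not a string.  Shown only to make the missing check visible;
 * nothing below calls it. */
void add_connection_unchecked(struct conn_table *t, const struct connection *c)
{
    t->slots[t->count++] = *c;      /* no comparison against MAX_CONNECTIONS */
}

/* Counted variant: rejects the 101st connection instead of writing it. */
int add_connection(struct conn_table *t, const struct connection *c)
{
    if (t->count >= MAX_CONNECTIONS)
        return -1;                  /* table full: refuse, leave memory intact */
    t->slots[t->count++] = *c;
    return 0;
}

/* Simulate n clients connecting at once against the counted table.
 * Returns how many connections the table actually accepted. */
size_t simulate_connections(size_t n)
{
    struct conn_table table;
    size_t accepted = 0;
    memset(&table, 0, sizeof table);
    for (size_t i = 0; i < n; i++) {
        /* constructed peer addresses: 10.0.0.1, 10.0.0.2, ... */
        struct connection c = { .peer_ip = 0x0A000001u + (uint32_t)i,
                                .peer_port = 40000, .state = 1 };
        if (add_connection(&table, &c) == 0)
            accepted++;
    }
    return accepted;   /* 200 attempts -> 100 accepted; count never passes 100 */
}
```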

