WebApp Sec mailing list archives

Re: Code Complexity vs. Security


From: Adam Shostack <adam () homeport org>
Date: Sun, 25 Jul 2004 13:29:06 -0400

Hi Mark,

   I don't know of any empirical study that measures McCabe or
Halstead (etc) numbers vs security issues.  It's all anecdotal.   I'll
toss in a quote from "The Shellcoder's Handbook":

"Loops are a very common place to find buffer overflow
vulnerabilities, possibly because their behavior is a little more
complicated...A good example of a complex loop gone wrong is the
vulnerability found in the crackaddr function within Sendmail, by Mark
Dowd.   The loop in this function...is up there on the list of complex
loops found in open source software."  (pg 392)

Of course this makes sense.  Complex code is buggier, and bugs in a
security code get taken advantage of.  But it would be fascinating to
see if the curve is smooth.

Adam


On Sun, Jul 25, 2004 at 09:00:39AM -0400, Mark Curphey wrote:
| Dave,
| 
| Thanks. I just read that. 
| 
| Java bytecode and MS IL make KLOCs (thousand lines of code) a somewhat
| interesting metric when used alone IMHO. I was thinking I could write a
| class with a switch statement that could skew the bugs per KLOC compared to
| if I wrote it using a different technique. It was actually this that led me
| to thinking about complexity in the wider sense of the term rather than just
| size. I guess you could say that size = complexity and I agree but in this
| case I was thinking about this type of definition
| http://www.sei.cmu.edu/str/indexes/glossary/complexity.html
| 
| I was trying to see if any studies had been done correlating software
| security quality with complexity and security by looking at things like:
| 
| the number of methods per class 
| number of attributes and operations on a class
| 
| CMU has a maintainability index and cyclomatic complexity
| http://www.sei.cmu.edu/str/descriptions/cyclomatic_body.html that looks like
| the sort of comparator I was looking for. 
| 
| Interesting study I think ;-)
| 
| -----Original Message-----
| From: David King [mailto:davewking () gmail com] 
| Sent: Sunday, July 25, 2004 1:59 AM
| To: webappsec () securityfocus com
| Subject: Re: Code Complexity vs. Security
| 
| I remember there was a section on this near the beginning of the book
| "Exploiting Software: How to Break Code" (Greg Hoglund and Gary McGraw).  If
| I remember right they cite a couple of studies and they seem to believe the
| number of lines of code is one of the best indicators of the number of
| bugs the software will have.
| 
| Dave King
| www.thesecure.net
| 
| On Sat, 24 Jul 2004 20:36:07 -0600, David King <davewking () gmail com> wrote:
| > I remember in the book "Exploiting Software: How to Break Code" (Greg 
| > Hoglund and Gary McGraw) there was a section on this near the 
| > beginning of the book.  If I remember right they cite a couple of 
| > studies and they seem to believe the number of lines of code is 
| > one of the best indicators of the number of bugs the software will 
| > have.
| > 
| > Dave King
| > www.thesecure.net
| > 
| > 
| > 
| > On Fri, 23 Jul 2004 21:25:20 +0000, Gunnar Peterson 
| > <gunnar () arctecgroup net> wrote:
| > > Dan Geer's Blackhat Windows keynote talk last January charted lines 
| > > of code against vulnerabilities over time. LOC is not complexity per 
| > > se, but it is an indicator.
| > >
| > >
| > >
| > > Quoting Mark Curphey <mark () curphey com>:
| > >
| > > > Has anyone seen any good studies that analytically compare the 
| > > > security quality of code to code complexity ?
| > >
| >
| 
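The thread asks for a comparator such as McCabe's cyclomatic complexity and, in the quoted book passage, singles out complex loops as a place where memory-safety bugs hide. The script below is an added example, not code from this thread or from any of its posters: it walks a Python module's AST, computes cyclomatic complexity (1 plus the number of decision points) and the deepest loop nesting for every function, and ranks the functions so review effort can go to the most complex ones first. The function names, the `FunctionMetrics` record and the `SAMPLE_SOURCE` module are all constructed for the example; the sample is a made-up address-unquoting routine, not Sendmail's code.

```python
"""Rank the functions in a Python module by McCabe cyclomatic complexity.

Added example, hypothetical helper, not code from the mailing-list thread.
Decision points counted: if/elif, for, while, except handlers, conditional
expressions, assert, each extra operand of and/or, and comprehension
clauses. Nested function bodies are measured separately.
"""
import ast
from dataclasses import dataclass

# McCabe "predicate nodes": each adds one independent path.
_BRANCH_NODES = (ast.If, ast.For, ast.While, ast.AsyncFor,
                 ast.ExceptHandler, ast.IfExp, ast.Assert)
_LOOP_NODES = (ast.For, ast.While, ast.AsyncFor)
_SCOPE_NODES = (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)


@dataclass
class FunctionMetrics:
    name: str
    lineno: int
    complexity: int      # cyclomatic complexity: 1 + decision points
    max_loop_depth: int  # deepest loop nesting inside the function


def _decision_points(node: ast.AST) -> int:
    """Count decision points under `node`, skipping nested function scopes."""
    count = 0
    for child in ast.iter_child_nodes(node):
        if isinstance(child, _SCOPE_NODES):
            continue  # nested functions are ranked on their own
        if isinstance(child, _BRANCH_NODES):
            count += 1
        elif isinstance(child, ast.BoolOp):
            count += len(child.values) - 1  # a and b and c: two short-circuits
        elif isinstance(child, ast.comprehension):
            count += 1 + len(child.ifs)     # one per `for`, one per `if`
        count += _decision_points(child)
    return count


def _loop_depth(node: ast.AST) -> int:
    """Deepest chain of nested loops under `node`, skipping nested scopes."""
    deepest = 0
    for child in ast.iter_child_nodes(node):
        if isinstance(child, _SCOPE_NODES):
            continue
        depth = _loop_depth(child) + (1 if isinstance(child, _LOOP_NODES) else 0)
        deepest = max(deepest, depth)
    return deepest


def measure_module(source: str) -> list[FunctionMetrics]:
    """Return metrics for every function, most complex first."""
    tree = ast.parse(source)
    results = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            results.append(FunctionMetrics(
                name=node.name,
                lineno=node.lineno,
                complexity=1 + _decision_points(node),
                max_loop_depth=_loop_depth(node)))
    return sorted(results, key=lambda m: (-m.complexity, m.lineno))


def over_threshold(metrics: list[FunctionMetrics], threshold: int = 10) -> list[str]:
    """Names of functions whose complexity exceeds `threshold` (McCabe's usual 10)."""
    return [m.name for m in metrics if m.complexity > threshold]


# Constructed sample module: a simple parser, a nested-loop unquoting routine
# with several exits (the loop shape the quoted book passage warns about),
# and a trivial function.
SAMPLE_SOURCE = '''
def parse_header(line):
    if not line:
        return None
    key, sep, value = line.partition(":")
    if not sep or not key.strip():
        return None
    return key.strip().lower(), value.strip()

def unquote_address(buf, limit):
    out = []
    depth = 0
    for i, ch in enumerate(buf):
        if ch == "(":
            depth += 1
            continue
        if ch == ")" and depth > 0:
            depth -= 1
            continue
        if depth:
            continue
        if ch == "<":
            j = i
            while j < len(buf) and buf[j] != ">":
                if len(out) >= limit:
                    break
                out.append(buf[j])
                j += 1
            continue
        out.append(ch)
    return "".join(out[:limit])

def trivial():
    return 42
'''

if __name__ == "__main__":
    for m in measure_module(SAMPLE_SOURCE):
        print(f"{m.name:<18} line {m.lineno:<4} complexity {m.complexity:<3} "
              f"loop depth {m.max_loop_depth}")
```

Run against the sample, `unquote_address` scores 10 with loop depth 2, `parse_header` 4 and `trivial` 1, so a review that starts at the top of the list lands on the nested loop first. Pointing `measure_module` at a real file (read its text and pass it in) gives the per-function numbers that Mark's proposed study would correlate against the defect record; this counts paths only, so it is a prioritisation aid for review, not a finding.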

