Re: Microsoft Cries Wolf ( again )

[Brett Hutley <brett () hutley net>]

> > Along these lines, if the C programming language had a proper 
> > string data type from day one, buffer overflows would be much 
> > less common today.  

Ha! Yeah right - and how would your operating system perform doing
boundary checks on every string operation???

Thus trumpeted Mike Fratto on Tue, Jul 01, 2003 at 12:55:51PM -0400
> Not to get into a religious argument over this, but if programmers did
> proper data scrubbing and bounds checking regardless of the language, there
> wouldn't be much of a problem either. Granted, I am not uber programmer (I
> have hacked together proggies of a couple of thousand lines for my own use
> and I am sure there were lots of problems in them) but even being self
> taught, I learned to do data scrubbing and bounds checking just for
> reliability. I have to think it is taught in programming 101.

Yeah, well I AM a professional programmer - have been for over 15 years.
I always get a bit riled when I see people who have only coded up "Hello
World" applications say this kind of thing (and there seem to be a lot of
them involved in security). Real world programs are big complex beasties,
potentially involving threads, sockets, complex GUI elements and the
like. Try looking through 100k lines of code in a complex multi-threaded
app that you know segfaults randomly when running on multi-processor
machines to find the unprotected counter (an atomic operation on one
processor, but not on two). The program I am working on at the moment
is fully distributed because it needs to process years of data, the
correlation matrices are encoded in eigenvectors because it's the only
way we can fit them in memory, we have large gigabyte-sized files that
are chunked into memory on demand and the processing is distributed among
8 different types of servers to try and max out processors, hard drive
and network throughput. I KNOW that there are security problems in there,
although most of the programmers on the project are extremely experienced,
and we bounds check the code religously. To take one example; the socket
connections pass the objects as an unprotected binary data stream. If
we encrypted the stream we wouldn't be able to get the throughput. To
take another example; we don't use the C++ std::string class - even
though it's "a proper string data type" - why? because the overhead of
the heap allocations on string construction make the program too slow.
As a result we have to deal with a far greater likelyhood of a buffer
overflow. But this is the real world! And the nature of coding real
world applications is that we have to make compromises.

Understanding the techniques that security folks use to compromise
programs is important. But given that 60-80% of large programming projects
are going to fail BEFORE the question of poor security even comes up,
I'll take a programmer with a proven track record of getting a program
written even if they haven't had any security training (and I can't get
enough of those programmers so if you know any, let me know and I'll
hire them).

Cheers, Brett
-- 
Brett Hutley [MAppFin,CISSP,SANS GCIH]
mailto:brett () hutley net
http://hutley.net/brett

I'll get a bunch of monkeys, dress 'em up, and make 'em reenact the Civil
War!  Heh, heh, heh!

                -- Homer Simpson
                   Homer the Great
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html