Secure Coding mailing list archives
RE: Strategies for teaching secure coding practices
From: "David Crocker" <dcrocker () eschertech com>
Date: Sat, 13 Dec 2003 16:18:57 +0000
Crispin Cowan wrote:
The overall philosophy of secure coding is to write all code as if any
code not on the page is out to get you, or at least will do things
improperly. Check *everything*! Do not assume that the parameters to a
function will be properly formatted or within bounds. The business with
string overflows and pointer handling are just instances of this philosophy.
...
The secure coding philosophy is independent of OO methodologies, but can
be applied there. Here's some ideas:
...
* Object methods should *not* assume that objects have been properly
initialized.
* Objects are abstract data types, and therefore strong bounds can
often be placed on valid data values. Insert checks all over the
place that more tightly restrict data to those valid values.
<<
That's one approach, but it means that you will be doing a very large number of
parameter checks and adding some sort of error handling when the checks fail.
The problem with this is that the error handling code grows like Topsy. Also, if
you are doing this seriously, you should test every part of the code, including
all the error checks; which means a great deal of unit testing. In practice,
developers are very lazy about testing error handling code.
An alternative way is to *prove* that all inputs are within bounds, all objects
are properly initialised by their constructors, and the invariants on abstract
data types are maintained. Then you can avoid most of the error checks. Where
your system accepts external input, you must ensure that it is robust for all
possible inputs (which will probably mean including checks on the parameters for
those functions that are called from outside). You do not need checks on the
parameters of functions that are only called *internally* (you can still add
them if you are paranoid, but if they fail then it is reasonable to abort the
entire program because the only possible cause should be a hardware failure).
This approach is more or less impossible to apply if you are coding in C or C++.
It may be feasible if you are using Java (using tools such as ESC/Java), but it
is easiest if you are using a language and toolset specifically designed for the
purpose. This is what I do for a living.
David Crocker
Escher Technologies Ltd.
www.eschertech.com
Current thread:
- Strategies for teaching secure coding practices Carl G. Alphonce (Dec 12)
- Re: Strategies for teaching secure coding practices Jose Nazario (Dec 12)
- Re: Strategies for teaching secure coding practices Keith Watson (Dec 12)
- Re: Strategies for teaching secure coding practices Steve Litt (Dec 12)
- Re: Strategies for teaching secure coding practices Andrew Gray (Dec 12)
- Re: Strategies for teaching secure coding practices David Evans (Dec 12)
- Re: Strategies for teaching secure coding practices Dana Epp (Dec 12)
- Re: Strategies for teaching secure coding practices Crispin Cowan (Dec 12)
- RE: Strategies for teaching secure coding practices David Crocker (Dec 13)
- Re: Strategies for teaching secure coding practices Crispin Cowan (Dec 13)
- RE: Strategies for teaching secure coding practices David Crocker (Dec 14)
- Re: Strategies for teaching secure coding practices Brian Chess (Dec 14)
- Re: Strategies for teaching secure coding practices Crispin Cowan (Dec 14)
- RE: Strategies for teaching secure coding practices David Crocker (Dec 13)
- Re: Strategies for teaching secure coding practices Jeff Williams @ Aspect (Dec 13)
- <Possible follow-ups>
- RE: Strategies for teaching secure coding practices Peter Amey (Dec 15)