Secure Coding mailing list archives

RE: [SC-L]


From: "Lewis, Todd" <todd.lewis () gs com>
Date: Tue, 16 Dec 2003 01:34:56 +0000

Although I agree about ML, I have to say that the number of null-pointer
exceptions I've seen in Java apps leaves me suspicious that it might not be
as safe as it's cracked up to be.  Plus, no amount of type-safe code can
save you from a well-placed photon or two:

http://www.cs.princeton.edu/~sudhakar/papers/memerr.pdf

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Crispin Cowan
Sent: Friday, December 12, 2003 9:09 PM
To: Jeffrey W. Baker
Cc: [EMAIL PROTECTED]
Subject: Re: [SC-L]


Jeffrey W. Baker wrote:

> In my recent experience, certain institutions are turning out graduates
> in computer science whose understanding of the actual computer is quite
> limited.  These people know how to program in high-level languages, Java
> or Pascal for example, and they can use an operating system, but they
> wouldn't know what to do with an 8-bit shift register.
>
> In the present world, I don't think you can write a secure program
> unless you recognize the term "smashing the stack" and you know how to
> do it.

As someone who knows a fair bit about stack smashing :) I specifically
disagree with that. I believe that it is possible for a developer who
*sticks to* type safe languages such as Java or ML, and who follows the
security principles of my previous post (not trusting other components
or input data to be well-behaved) to develop very secure applications.

Of course this is full of dangerous caveats:

    * It applies *only* to type safe languages, notably *not* including
      C, C++, PERL, PHP, or Python.
    * The developer still has to understand other kinds of security
      issues, including validating inputs, and race conditions.
    * It only works at the application layer; network and operating
      system development require the developer to get their hands dirty.


> You'll never write a secure program if you can't understand what
> might happen if your cushy JVM security protections break down.

Your cushy JVM security protection (type safety) should not be breaking
down, and when it does, it is not the Java programmer's fault. Even if
the Java programmer knew all about stack smashing, sie is still entirely
at the tender mercies of the JVM if someone finds a way to violate type
safety.

> It's not possible to avoid shell code injection when you don't know what
> shell code is or why that might be bad.

I'm sorry, but that's wrong. It is entirely possible to avoid shell code
injection in type safe languages.

Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com
Immunix 7.3           http://www.immunix.com/shop/
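As an added illustration of the caveats argued over in this thread (example code written for this archive page, not code from either poster): in Java the out-of-bounds write that smashes a stack in C becomes a runtime exception, while an unvalidated string handed to a shell is still an injection that no type system will catch. The allowlist pattern, the `..` check and the argument-list command form are assumptions of the example, not anything proposed in the thread; it assumes Java 9 or later for `List.of`.

```java
import java.util.List;
import java.util.regex.Pattern;

/** Added example (not from the thread): what type safety does and does not buy. */
public class TypeSafetyCaveats {

    /** In C, writing past the end of a stack buffer can overwrite the saved return
     *  address. In Java the same index error is caught by the runtime: no memory
     *  outside the array is ever touched, the program just gets an exception. */
    static String overflowAttempt(int index) {
        char[] buf = new char[8];
        try {
            buf[index] = 'A';                 // bounds-checked on every access
            return "stored at " + index;
        } catch (ArrayIndexOutOfBoundsException e) {
            return "rejected: " + e.getMessage();
        }
    }

    /** Type safety does NOT validate input. Handing untrusted text to a shell is
     *  exactly the "input data is well-behaved" assumption the thread warns against:
     *  the JVM sees a well-typed String, the shell sees metacharacters. */
    static List<String> unsafeCommand(String userFile) {
        return List.of("/bin/sh", "-c", "wc -l " + userFile);
    }

    /** Hardened form (assumed here, not from the thread): allowlist the value and
     *  invoke the program directly, so userFile becomes a single argv entry. */
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_.-]{1,64}");

    static List<String> safeCommand(String userFile) {
        // ".." still matches the character class, so reject path traversal explicitly.
        if (!SAFE_NAME.matcher(userFile).matches() || userFile.contains("..")) {
            throw new IllegalArgumentException("file name rejected: " + userFile);
        }
        return List.of("wc", "-l", userFile);   // feed this to ProcessBuilder, no shell
    }

    public static void main(String[] args) {
        System.out.println(overflowAttempt(3));
        System.out.println(overflowAttempt(200));
        // Constructed hostile input: a shell would run the second command.
        System.out.println(unsafeCommand("notes.txt; echo injected"));
        System.out.println(safeCommand("notes.txt"));
        try {
            safeCommand("notes.txt; echo injected");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```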
