Secure Coding mailing list archives

[SC-L]


From: "Jeffrey W. Baker" <jwbaker () acm org>
Date: Fri, 12 Dec 2003 19:40:04 +0000

On Fri, 2003-12-12 at 07:05, Carl G. Alphonce wrote:
> The editor of the list has expressed a desire that the discussion move
> "away from a discussion of the merits and !merits of a particular
> operating system", so here's a contribution in a different vein.

> I am a recent subscriber to this list and also an educator.  I teach
> primarily undergraduate courses, often the first and second semester
> courses, and I am very interested to hear from the list what you all
> consider to be important "secure coding" topics to cover in these
> first-year classes.  Also, what topics do you feel should be covered
> in an undergraduate curriculum but later than the first year?
 
I am not an educator (or even educated), but I interview a lot of recent
graduates so perhaps I have something to say here.
 
In my recent experience, certain institutions are turning out graduates
in computer science whose understanding of the actual computer is quite
limited.  These people know how to program in high-level languages, Java
or Pascal for example, and they can use an operating system, but they
wouldn't know what to do with an 8-bit shift register.
 
In the present world, I don't think you can write a secure program
unless you recognize the term "smashing the stack" and you know how to
do it.  You'll never write a secure program if you can't understand what
might happen if your cushy JVM security protections break down.  It's
not possible to avoid shell code injection when you don't know what
shell code is or why that might be bad.
 
If you want to write secure code, you will start with the very basics.
You must understand how your program is executed by the operating
system, how the CPU and the kernel treat memory, what protection is
enforced by the hardware, by the kernel, and by policy, and which is
more or less likely to fail.  After you understand all that, you must
learn to take input from untrusted sources and do something useful with
it, safely.
 
> To give you some context, our first-year sequence currently takes an
> OO approach, incorporating design patterns and discussions of the
> merits of alternative designs.  We also introduce some team-based work
> in the second semester, and I will begin to incorporate test-first
> practices (using JUnit) this coming spring semester.
 
This seems very unlikely to teach secure practices.  Your students will
know how to interact with object services, virtual machines, containers,
factories, enumerators, Grady, Booch, and Gilligan.  But if their
adversary is trying to interact with the computer, they are outmatched.
 
-jwb
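Baker's post names "smashing the stack" and safe handling of untrusted input without showing either. The following is an added example, not code from the post or from any list member: a C routine with the textbook fixed-size stack buffer filled by strcpy(), beside a version that bounds the copy and refuses input that does not fit. The NAME_MAX size, the function names and the sample strings are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX 16   /* assumed buffer size; chosen for the example */

/* Before: the classic stack smash.  strcpy() copies until it sees a NUL in
 * the source, so a source longer than NAME_MAX-1 bytes writes past name[]
 * into whatever the compiler placed above it on the stack: other locals,
 * the saved frame pointer, the return address.  Kept here to show the
 * pattern; main() deliberately never calls it with oversized input. */
static void greet_unsafe(const char *untrusted)
{
    char name[NAME_MAX];
    strcpy(name, untrusted);
    printf("hello, %s\n", name);
}

/* After: copy at most dstlen bytes and refuse, rather than silently
 * truncate, when the source (plus its NUL) would not fit.  Returns 0 on
 * success, -1 when the input is rejected.  Scans the source only as far
 * as dstlen so an unterminated source cannot cause an over-read either. */
static int copy_name(char *dst, size_t dstlen, const char *src)
{
    size_t n = 0;
    while (n < dstlen && src[n] != '\0')
        n++;
    if (dstlen == 0 || n == dstlen)   /* no room left for the terminator */
        return -1;
    memcpy(dst, src, n + 1);          /* n bytes plus the NUL */
    return 0;
}

/* Same greeting, but the untrusted string is validated before it touches
 * the stack buffer.  Returns copy_name()'s verdict so callers can test it. */
static int greet_safe(const char *untrusted)
{
    char name[NAME_MAX];
    if (copy_name(name, sizeof name, untrusted) != 0) {
        fprintf(stderr, "rejected: name longer than %d bytes\n", NAME_MAX - 1);
        return -1;
    }
    printf("hello, %s\n", name);
    return 0;
}

int main(void)
{
    /* constructed inputs: one that fits, one 40-byte string that does not */
    const char *ok = "Alice";
    const char *overlong = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    greet_unsafe(ok);       /* fine only because the input happens to fit */
    greet_safe(ok);         /* accepted */
    greet_safe(overlong);   /* rejected instead of overwriting the frame */
    return 0;
}
```

The point Baker makes is visible in the difference: greet_unsafe() is correct for every input the programmer imagined and wrong for the one the adversary supplies, and nothing in a high-level language course explains why. The boundary condition in copy_name() (exactly dstlen-1 characters fit, dstlen do not) is the kind of check a first-year student should be able to reason about once they know what the buffer sits next to on the stack.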
