Secure Coding mailing list archives

Re: Strategies for teaching secure coding practices

From: Crispin Cowan <crispin () immunix com>
Date: Sun, 14 Dec 2003 02:31:46 +0000


David Crocker wrote:


Crispin Cowan wrote:
The secure coding philosophy is independent of OO methodologies, but can
be applied there. Here's some ideas:

...
   * Object methods should *not* assume that objects have been properly
     initialized.
   * Objects are abstract data types, and therefore strong bounds can
     often be placed on valid data values. Insert checks all over the
     place that more tightly restrict data to those valid values.
<<

That's one approach, but it means that you will be doing a very large number of
parameter checks and adding some sort of error handling when the checks fail.
The problem with this is that the error handling code grows like Topsy.

I over-simplified when I said it is independent of OO methods. OO 
languages do allow you to simplify the error checking and handling using 
exception methods, which make it much less of a burden for code to 
consider error cases than in classical procedural languages.



An alternative way is to *prove* that all inputs are within bounds, all objects
are properly initialised by their constructors, and the invariants on abstract
data types are maintained. Then you can avoid most of the error checks. Where
your system accepts external input, you must ensure that it is robust for all
possible inputs (which will probably mean including checks on the parameters for
those functions that are called from outside). You do not need checks on the
parameters of functions that are only called *internally* (you can still add
them if you are paranoid, but if they fail then it is reasonable to abort the
entire program because the only possible cause should be a hardware failure).

Agreed, you can do that too. The limitation of the "proof" method is 
that it leads to brittle code: if a developer changes something over 
here, it may invalidate a lemma that some code over there was counting 
on. As David says, the cost of the "check everything" method is, well, 
the cost :)


You can use a hybrid method, where you use proof for parameters that are 
"internal" to a "module" and error checking for "inter-module" 
parameters. By scaling up or down what you consider to be a "module" you 
can trade trade cost against safety to your taste.


Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com
Immunix 7.3           http://www.immunix.com/shop/

Current thread:

Strategies for teaching secure coding practices Carl G. Alphonce (Dec 12)
- Re: Strategies for teaching secure coding practices Jose Nazario (Dec 12)
- Re: Strategies for teaching secure coding practices Keith Watson (Dec 12)
- Re: Strategies for teaching secure coding practices Steve Litt (Dec 12)
  - Re: Strategies for teaching secure coding practices Andrew Gray (Dec 12)
- Re: Strategies for teaching secure coding practices David Evans (Dec 12)
- Re: Strategies for teaching secure coding practices Dana Epp (Dec 12)
- Re: Strategies for teaching secure coding practices Crispin Cowan (Dec 12)
  - RE: Strategies for teaching secure coding practices David Crocker (Dec 13)
    - Re: Strategies for teaching secure coding practices Crispin Cowan (Dec 13)
    - RE: Strategies for teaching secure coding practices David Crocker (Dec 14)
    - Re: Strategies for teaching secure coding practices Brian Chess (Dec 14)
    - Re: Strategies for teaching secure coding practices Crispin Cowan (Dec 14)
- Re: Strategies for teaching secure coding practices Jared W. Robinson (Dec 12)
  - Re: Strategies for teaching secure coding practices Jeff Williams @ Aspect (Dec 13)
- <Possible follow-ups>
- RE: Strategies for teaching secure coding practices Peter Amey (Dec 15)