Secure Coding mailing list archives

Re: Interesting article on the adoption of Software Security


From: Dana Epp <dana () vulscan com>
Date: Fri, 11 Jun 2004 14:05:40 +0100

OK, let's turn the tables a bit here. We talked about this a bit back 
last December when I said that you need to use the right tool for the 
right job, and to quit beating on C.


For those of us who write kernel mode / ring0 code, what language are 
you suggesting we write in? Name a good typesafe language that you have 
PRACTICALLY seen to write kernel mode code in. Especially on Windows and 
the Linux platform. I am not trying to fuel the argument over which 
language is better, it comes down to the right tool for the right job. I 
know back in December ljknews suggested PL/I and Ada, but who has 
actually seen production code in either Windows or Linux using it?


Let's face it. You aren't going to normally see Java or C# in kernel code 
(yes I am aware of JavaOS and some guys at Microsoft wanting to write 
everything in their kernel via managed code) but it's just not going to 
happen in practice. C and ASM are the right tools in this area of code.


I said this back in December and think it's worth repeating. What is the 
C language's downfall is also its best strength. It is a double-edged 
sword that really SHOULD be mastered by those who need it, but by many 
is treated like a child's $5 plastic toy... wielded by the inexperienced 
who don't know any better. The reality is instead of avoiding it, we 
should include the proper teachings to use it safely, and correctly. I 
think that if we try to sidestep the issue, we will end up using the 
wrong tool at the wrong time. We shouldn't fear using languages like C 
and C++, we just need to know their place, know their fallibilities and deal 
with them.


Crispin is right; new code SHOULD be written in a type safe language 
unless there is a very strong reason to do otherwise. The reality is 
that many developers don't know when that right time is. And the result 
is a poor choice in tools, languages and structure. I'd love for someone 
to show me... no... convince me, of a typesafe language that can be used 
in such a place. I have yet to see it for production code, used on a 
regular basis.


Now what's interesting is that some people are starting to get this. If 
you look at some of the latest DDK builds coming out of Microsoft you 
now see advancements in tools to handle this. Tools like prefast can do 
a lot to analyze code, and the new Static Driver Verifier goes to the 
next level when tracing code execution paths and checking for faults in 
drivers traditionally written in C. They further extend that with safer 
string functions (<ntstrsafe.h>) and deeper inspection in code as well 
as lots of training to bring people up to skill in secure programming 
through some of their MSDN webcasts. Now, I am NOT saying Microsoft is 
the company I would look to for a model in this area, but I am seeing 
the effort there. The trick is actually educating the developers to use 
the tools, and use them properly. (RATS and StackGuard were some good 
ones Crispin pointed out).


It's the right tool for the right job. And although you can pound a 
square peg through a round hole if you beat it hard enough... it doesn't 
mean it's the right thing to do. Nor is it right to assume you can use 
typesafe languages as the panacea for secure coding.


--
Regards,
Dana Epp
[Blog: http://silverstr.ufies.org/blog/]
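As an added illustration of the safer string functions the post points to, the block below is example code written for this archive page, not code from the post, the DDK or ntstrsafe.h itself. It is a portable user-mode routine modelled on the RtlStringCbCopy convention (destination size passed in bytes, result always NUL-terminated, truncation reported to the caller) set beside the unsized strcpy pattern it replaces; the enum status names are constructed here, where the real header returns NTSTATUS codes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed status codes for this example; ntstrsafe.h itself returns
 * NTSTATUS values such as STATUS_SUCCESS / STATUS_BUFFER_OVERFLOW. */
enum copy_status { COPY_OK = 0, COPY_TRUNCATED = 1, COPY_INVALID = 2 };

/* The pattern the safer functions replace: no size argument, so a source
 * longer than the destination overruns it silently. Shown for contrast
 * only; it is not called with oversized input in this example. */
void legacy_copy(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Modelled on RtlStringCbCopy: cb_dst is the destination size in bytes,
 * the result is always NUL-terminated, and truncation is reported. */
enum copy_status safe_cb_copy(char *dst, size_t cb_dst, const char *src)
{
    if (dst == NULL || src == NULL || cb_dst == 0)
        return COPY_INVALID;            /* nothing can be written safely */
    size_t i = 0;
    /* keep one byte for the terminator; stop at the source NUL */
    while (i + 1 < cb_dst && src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';                      /* terminated on every path */
    return src[i] == '\0' ? COPY_OK : COPY_TRUNCATED;
}

/* Call-site discipline the return code enables: a truncated identifier is
 * rejected rather than used as if it were the full input. */
int accept_name(const char *input, char *out, size_t cb_out)
{
    if (safe_cb_copy(out, cb_out, input) == COPY_OK)
        return 0;
    if (out != NULL && cb_out > 0)
        out[0] = '\0';                  /* do not hand back partial data */
    return -1;
}

int main(void)
{
    char buf[8];                        /* deliberately small */
    printf("%d \"%s\"\n", safe_cb_copy(buf, sizeof buf, "dev0"), buf);
    printf("%d \"%s\"\n", safe_cb_copy(buf, sizeof buf, "devicename0"), buf);
    return 0;
}
```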