Secure Coding mailing list archives
Origins of Security Problems
From: "Mark Rockman" <mrockman () acm org>
Date: Wed, 16 Jun 2004 00:30:57 +0100
Before widespread use of the Internet, computers were isolated from malicious attacks. Many of them were not networked. CPUs were slow. Memory was small. It was common practice to "trust the user" to minimize the size of programs to speed up processing and to make programs fit in memory. Non-typesafe languages permitted playing with the stack. It occurred to me repeatedly during that period that it would have been extremely helpful if the compiler/runtime would have detected buffer overflows. Implementers always shot back that their prime concern was minimizing path lengths (i.e. execution time) and that it was the programmer's responsibility to guarantee buffer overflows would not occur. With blunt instruments such as strcpy() and strcat() available to almost guarantee occasional buffer overflows, and stacks arranged so that transfer of control to malicious code could conveniently occur, it evidently doesn't take a rocket scientist to figure out how to make a program misbehave by providing invalid input that passes whatever passes for input validation. Once code became mobile and access to vulnerable buffers became possible over a wire, an epidemic of security breaches occurred. Moreover, Internet protocols were designed individually to provide a specific service. Little consideration went into how the protocols could be abused. Computers are now widespread and many of them today reside on the Internet with vulnerable ports wide open. The average computer owner doesn't know what a port is or that it represents a potential avenue for abuse. Software vendors remain unmotivated to instruct owners as to what vulnerabilities exist and how to minimize them because that would work against marketing and convenience. A small network desires file and printer sharing among the member computers. Does this mean everybody on the Internet should have access to those files and printers? Of course not. A standalone computer has the sharing port wide open to the Internet because someday it might become a member of a network. Things have gotten better with additional features (e.g. Internet Connection Firewall), default configurations set to restrict not for convenience, and anti-virus software. The origin of security problems lies in widespread Internet usage and habitual lack of effort to ensure that programs don't do things that owners don't want them to do.
Current thread:
- Origins of Security Problems Mark Rockman (Jun 15)
- RE: Origins of Security Problems Michael S Hines (Jun 16)
- RE: Origins of Security Problems ljknews (Jun 17)
- Message not available
- Re: Origins of Security Problems ljknews (Jun 18)
- RE: Origins of Security Problems Alun Jones (Jun 20)
- RE: Origins of Security Problems ljknews (Jun 20)
- RE: Origins of Security Problems Alun Jones (Jun 21)
- RE: Origins of Security Problems ljknews (Jun 17)
- RE: Origins of Security Problems Michael S Hines (Jun 16)
- <Possible follow-ups>
- Origins of Security Problems Mark Rockman (Jun 17)
- Re: Origins of Security Problems Crispin Cowan (Jun 18)