Vulnerability Development mailing list archives

Re: C versus other languages, round 538 or so (Re: CGI scripts in sh)


From: "Bluefish (P.Magnusson)" <11a () GMX NET>
Date: Thu, 28 Sep 2000 00:39:19 +0200

If the person is so experienced to make a "so good and essential
daemon/appz which I *must* run" I think they have experience enough to take
away all the overflows of the source code and at least take a quick look
and debug a little the source.

Personally, I believe there is an over-confidence among programmers in how well
they code. I mean, what we see here is you claiming that a "quick look"
identifies all overflows, and someone else claiming that all overflows are
due to the design, not the implementation.

I wish to point out that overflows etc. have been found in very many
daemons and other applications coded by very experienced programmers. And
well known and very good bugtraqers such as the L0pht crew have also fallen
into these pits. There is a difference between being far above the average
programmers in computer science classes; it is not good enough to base
assumptions on the experience of a programmer to remove implementation
bugs; it must be specifically checked against in QA teams & security audits.

From what I gather, the most successful development team (measured in
security) is the OpenBSD team. The key factors in their development have
been slow development (security over fast developed features, which
actually has proven to be good in maintenance issues as well from what I
gather at the securityfocus interview), strict security audits, and most
likely very experienced designers and programmers.

Another thing which is quite interesting is the general acceptance of
usage of insecure functions; SSH got some publicity over a non-existent
bug which IBM located. OK, the SSH team knew the bad code wasn't a problem
because checks were in place at other locations. But I understand IBM very
much, the code LOOKED exploitable. Why on earth anyone would make
dangerous assumptions such as "this code will never be called with
incorrect input data" is beyond me.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team

             http://www.eff.org/cafe
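The last paragraph's point, that a copy routine should not rely on "checks at other locations" having already validated its input, as an added example in C. This is not code from the post, from SSH, or from IBM; the function and field names are hypothetical and the request lines are constructed for illustration.

```c
/* Added example: a helper that validates its own bounds, next to one that
 * trusts its callers. All names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* fixed-size field in a hypothetical request record */

/* Trusting version: assumes every caller has already checked that src
 * fits in dst. The assumption lives nowhere in this function, so a single
 * call site that forgets it overruns dst. This is the shape of code that
 * "looks exploitable" to an auditor even when current callers are careful. */
void copy_name_trusting(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Checked version: the bound is enforced here, regardless of the caller.
 * Returns the number of bytes copied (excluding the terminator) or -1 if
 * the input cannot be stored with its terminator. Over-long input is
 * rejected rather than silently truncated, so the caller sees the failure. */
int copy_name_checked(char *dst, size_t dstlen, const char *src)
{
    const char *end;
    size_t n;

    if (dst == NULL || src == NULL || dstlen == 0)
        return -1;

    /* Look for the terminator only within the space we could store;
     * never scan further into src than dst can hold. */
    end = memchr(src, '\0', dstlen);
    if (end == NULL)
        return -1;          /* no terminator within dstlen: too long */

    n = (size_t)(end - src);
    memcpy(dst, src, n + 1);   /* n < dstlen, so the terminator fits */
    return (int)n;
}

/* A boundary function parsing a constructed "NAME=<value>" request line.
 * It does not pre-check the length itself; it relies on copy_name_checked
 * refusing bad input, so the check cannot be bypassed by another caller. */
int handle_request(const char *line, char *name_out, size_t outlen)
{
    static const char prefix[] = "NAME=";
    size_t plen = sizeof(prefix) - 1;

    if (line == NULL || strncmp(line, prefix, plen) != 0)
        return -1;          /* not a request we understand */
    return copy_name_checked(name_out, outlen, line + plen) < 0 ? -1 : 0;
}

int main(void)
{
    /* Constructed sample inputs; the second is longer than NAME_MAX. */
    const char *requests[] = {
        "NAME=alice",
        "NAME=this-name-is-far-too-long-for-the-field",
        "USER=bob",
    };
    char name[NAME_MAX];
    size_t i;

    for (i = 0; i < sizeof(requests) / sizeof(requests[0]); i++) {
        if (handle_request(requests[i], name, sizeof name) == 0)
            printf("accepted: %s\n", name);
        else
            printf("rejected: %s\n", requests[i]);
    }
    return 0;
}
```

The design choice is where the bound is enforced: in the checked version it travels with the function that does the write, so an auditor reading `copy_name_checked` in isolation can confirm it is safe without tracing every caller.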

