Vulnerability Development mailing list archives
Re: C versus other languages, round 538 or so (Re: CGI scriptsinsh)
From: "Bluefish (P.Magnusson)" <11a () GMX NET>
Date: Thu, 28 Sep 2000 01:11:30 +0200
Yes, this is a problem. Perhaps I'm part of a newer coding generation which includes the implementation part into the design fase. This ought to be standard practice today.
What you *still* haven't explained HOW you do that. We both mentioned the usage of company/project guidelines on how to write (secure) code. Is this what you mean? Or do simply mean to have routinely revisions of design and having the code evaluated for quality assurance? (this is what is known as iterative development in fancy books [has more names btw], and is standard in most development companies) I mean, having the entire code "designed", and not just how modules and functions interact... Wouldn't this actually mean you have NO design, you kind of implement it directly? To me, you speak of some ideal where everything is planned perfectly, the entire implementation "designed", but you don't actually explain much of what you actually do.
My point is that compilers never change the code to a degree that it might do something that you wouldn't want it to do. (unless you use an untrusted/homemade compiler). Example: int function(char *name) { char variable[5]; strncpy(variable, name,5); variable[sizeof(variable)] = NULL; printf("Hello %s",variable); return 0; } function("Jonathan James"); This above code will never be compiled in a manner that will let it be exploitable unless someone has fiddled around with our libraries.
As in the discussion of weather C is too hard or not for experience programmers, isn't your code broken? :)
char variable[5]; variable[sizeof(variable)] = NULL;
so, you write to variable[5], which you don't know what it is, as you only have variable[0..4]. No, this is example isn't exploitable. Perhaps this actually demonstrate something about experience C programmers and their trust in their debugging skills. (btw, why are you not using '\0'?) My message was rather clear about the only real world compiler bug I know of was with multithreading code. (possibly that one could be abused in a DoS, if the programmers wasn't aware of the 'feature' in that compiler) Yes, using a interpreter introduces a dependency in your code. You consider it widely worse than the dependencies compiled binaries suffer from, I'm not so sure. Same as with libraries, if they are broken they can be updated. So can the interpreter. All affected code fixed instantly in both cases. ..:::::::::::::::::::::::::::::::::::::::::::::::::.. http://www.11a.nu || http://bluefish.11a.nu eleventh alliance development & security team http://www.eff.org/cafe
Current thread:
- Re: CGI scripts in sh, (continued)
- Re: CGI scripts in sh Gordon Messmer (Sep 21)
- Re: CGI scripts in sh Lincoln Yeoh (Sep 22)
- Re: CGI scripts in sh Crispin Cowan (Sep 23)
- Re: CGI scripts in sh -jf- (Sep 22)
- C versus other languages, round 538 or so (Re: CGI scripts in sh) Bluefish (P.Magnusson) (Sep 23)
- Re: C versus other languages, round 538 or so (Re: CGI scripts in sh) Jonathan James (Sep 24)
- Re: C versus other languages, round 538 or so (Re: CGI scripts in sh) Bluefish (P.Magnusson) (Sep 25)
- Re: C versus other languages, round 538 or so (Re: CGI scriptsin sh) Jonathan James (Sep 27)
- Re: C versus other languages, round 538 or so (Re: CGI scriptsin sh) Bluefish (P.Magnusson) (Sep 27)
- Re: C versus other languages, round 538 or so (Re: CGI scriptsinsh) Jonathan James (Sep 27)
- Re: C versus other languages, round 538 or so (Re: CGI scriptsinsh) Bluefish (P.Magnusson) (Sep 27)
- Re: C versus other languages, round 538 or so (Re: CGI scriptsinsh) Jonathan James (Sep 28)
- Re: C versus other languages, round 538 or so (Re: CGI scriptsinsh) Reid Nichol (Sep 29)
- Re: C versus other languages, round 538 or so (Re: CGI scriptsinsh) Adam Clarke (Sep 28)
- Re: C versus other languages, round 538 or so (Re: CGI scriptsin sh) Ben Galehouse (Sep 30)
- Re: C versus other languages, round 538 or so (Re: CGI scripts in sh) Ben Galehouse (Sep 27)
- Re: C versus other languages, round 538 or so (Re: CGI scripts in sh) Jonathan James (Sep 27)
- Re: C versus other languages,round 538 or so (Re: CGI scripts in sh) Crispin Cowan (Sep 28)
- Re: C versus other languages, round 538 or so (Re: CGI scripts in sh) Ryan Masters (Sep 24)
- Re: IP Spoofing with DHCP ? Matthew S. Hallacy (Sep 19)