Re: [Lit.] Buffer overruns

From: infobahn (infobahn_at_btinternet.com)
Date: 01/14/05 

Date: Fri, 14 Jan 2005 15:55:03 +0000 (UTC)

Bryan Olson wrote:
>
> infobahn wrote:
> > Bryan Olson wrote:
> >
> >>infobahn wrote:
> >>
> >>>And FWIW, I agree entirely. Get the spec right, get the program
> >>>right, and wave bye-bye to buffer attacks.
> >>
> >>How do you know when to give the wave?
> >
> > At about the same time that you gain *complete* assurance that
> > automatic bounds-checking (ABC hereafter) doesn't leave you open
> > to buffer attacks.
> >
> > ABC adds overhead, so it had better be able to pay its way. So
> > we'd better be SURE that it works. But how can we be? Even if you
> > validate your ABC compiler's source code, you have to use a
> > compiler to compile it.
>
> Where have you been for the last few decades?

Programming. Well, for some of the last few decades, anyway.

> In the ocean of
> exploits, there've been plenty of naive errors, and plenty of
> subtle errors. Compiler and run-time-system bugs comprise
> barely a drop,

...as far as we know; but, without spending a fortune finding out,
we can't know for sure.

> with the exception of systems intended to safely
> run code that may be written by adversaries. We know how to
> make automated methods vastly more reliable than manual
> checking.

Presumably you make them more reliable by checking them - manually!

>
> A while ago you advocated code re-use. Sophisticated compilers
> and run-time systems *are* code re-use.

Sure. But if you haven't got the source, you can't be sure. And
even if you /have/ got the source, you /still/ can't be sure.

> [...]
> > Absolute security is impossible if you also want to get anything
> > done. That doesn't mean we shouldn't try for security, of course.
> > But it's a fair indication that we should do the best job we can
> > with the best tools available, and what "best" means depends on
> > circumstances.
>
> Wake up. Check the circumstances. Sure there are still cases
> to use C or assembly. For most implementation, we now have
> better tools. Unfortunately we also have antique programmers
> who think choice of tools hardly even matters to security.

I, on the other hand, am still very young. Hardly even vintage,
let alone antique. And I think the choice of tools is extremely
important. But I'm not prepared to put down my chisel just because
some damn fool once cut off his own thumb.

Relevant Pages

  • Re: [Lit.] Buffer overruns
    ... > ABC adds overhead, so it had better be able to pay its way. ... Compiler and run-time-system bugs comprise ... A while ago you advocated code re-use. ... That doesn't mean we shouldn't try for security, ...
    (sci.crypt)
  • Re: [Lit.] Buffer overruns
    ... But let's take the example where, by a strange chance, the ONLY bug is ... in the ABC implementation. ... increase security but *de*crease it. ... > sources are restricted to certain smaller regions (compiler etc.) ...
    (sci.crypt)
  • RE: Anyone looked at the canary stack protection in Win2k3?
    ... I wrote up a simple analysis of Microsoft's /GS compiler option for Visual C++ ... Compiler Security Optimizations ... In Chapter 1 you saw the simplest possible buffer overflow, ... checks to see that it is still alive when a vulnerable stack frame returns. ...
    (Vuln-Dev)
  • Re: Compilation of Code in Microsoft Visual Studio .NET and a couple of other Microsoft .NET questio
    ... I've just recently installed the Visual Studio .net Professional ... part of visual studio, not the compiler. ... then does that mean that I have found a security flaw in .NET or is it just ... Visual Studio .NET will that executable require the .NET framework to be ...
    (microsoft.public.dotnet.general)
  • Re: Create restricted user account, 2003 server AD domain
    ... I originally created the security group 'def' as a domain local group. ... Note that user 'abc' is NOT listed as a member of the domain local group ... I verified this on both the domain server and the XP hosts ...
    (microsoft.public.windows.server.security)