Re: [Lit.] Buffer overruns

From: Trevor L. Jackson, III (tlj3_at_comcast.net)
Date: 01/29/05 

Date: Sat, 29 Jan 2005 16:49:24 -0500

David Wagner wrote:

> Trevor L. Jackson, III wrote:
>
>>David Wagner wrote:
>>
>>> #define PRIME ...
>>> int hash(char *s) {
>>> int h = 0;
>>> while (*s)
>>> h = ((h<<8) + *s++) % PRIME;
>>> return h;
>>> }
>>> struct tblentry hashtable[PRIME];
>>> foo() {
>>> char *str = read_string_from_network();
>>> int i = hash(str);
>>> hashtable[i] = ...;
>>> }
>>
>>Good example, but it applies to the design process rather than the
>>implementation (coding) process. This hole would be created in any
>>language -- insufficient consideration of the range of hash(). And it
>>would be caught by simple, mindless bounds checking.
>
>
> Nope, not in any language: it wouldn't be exploitable (except
> perhaps to cause DoS) if this were written in Java, or indeed
> in any memory-safe language.
>
> Yes, it would be caught by truly mindless bounds checking.
> But human programmers tend not to be truly mindless; they tend
> to omit unnecessary checks (or, checks they believe to be unnecessary).
> So human programmers might not reliably catch this bug. On the
> other hand, automatic bounds checking *would* reliably catch this
> bug -- compilers tend not to make those kinds of mistakes.
>
> By the way, another interesting thing about this bug is that
> it is platform-dependent. On some platforms (those with 'char'
> = 'unsigned char'), this code is safe. Even if you test the code
> very thoroughly, if you are testing on those platforms the bug will
> not manifest itself; then if you later port this code to another
> platform with 'char' = 'signed char' (and don't bother testing it
> as extensively on the new platform), you might then become vulnerable.

Hmmm. I think the code above is much worse than you do. The
quantization of the shifts at 8 can be interpreted to mean that the only
the sign bit of the characters matters. But that assumption is false.
On a machine with 6-, 7-, 9-, 10-, 16-, or 32-bit characters, all of
which still exist and are in operation, any bit could end up in the sign
bit of h. I suspect that's why Gwyn expressed his dislike for
left-shifting an int. Never do that.

And I think you are wrong about the language independence issue. The
_defect_ could occur in any language. The consequences of that defect
would be less damaging in a memory-safe language than they would be in C.

Some of your reaction may be based on the process by which C is
introduced to new programmers. A developer with a a few years of
experience but none in C could have trouble years after switching to C
because he (they? is that thread dead yet? any National Socialists
mentioned?) did not take the trouble to really learn the language.

For example, the above error would not happen to a C programmer who has
tangled with <ctype.h>. The signed/unsigned issue come into stark
relief the first time you have to consider portable use of char. Once
that trauma fades one is left with the fundamental understanding of how
dangerous sign bits can be, and once the danger is understood the
recurrence rate is quite low.

OTOH a programmer who starts at the level of assembly language already
has an awareness of those kinds of considerations becase he has to
manage the link/carry bit in addition to the sign bit. So the above
code would be unnatural for a person coming from an A.L. background.

Moral: it's the people not the language.

/tj3

Relevant Pages

  • Re: CollabRx seeks brilliant engineers for an excellent e-science adventure
    ... belief that lisp programmers are smarter/better. ... Java or PHP programmers. ... a type of language that attracts a personality that meets my perceptions ...
    (comp.lang.lisp)
  • Re: Question concerning object-oriented programming
    ... programming language, not his. ... there has usually been a toString. ... I know it's "unrealistic" to expect actual programmers to do this, ... tell me what a dog is. ...
    (comp.programming)
  • Re: Language X, not Forth ?
    ... As you become more familiar with a language, it's readability is a function of how much care the programmer took to make it more readable. ... The use of non-readable graphics characters doesn't help FORTH to ... All programmers I know use one sort or another to indent or highlight control flow. ... Therefore, I just don't do this kind of crazy things like juggling around with many stack elements. ...
    (comp.lang.forth)
  • Re: Does Python really follow its philosophy of "Readability counts"?
    ... with enforcing that "shouldn't" in the language itself? ... In Python, direct access to pointers is a MUST NOT. ... where you are allowed to mess with the implementation. ... human assembly language programmers? ...
    (comp.lang.python)
  • Re: FORTH levels
    ... Most working on a collaborative project do not choose the programming language they are using: it is thrust upon them by the needs of the collaboration. ... When Iverson and Hui came up with J-- in part to remove APL's special character set and make it more "user friendly" not much of a community formed around it. ... And people who are by not by any reasonable stretch of the term "programmers" seem to take to Perl. ... But RPN does not require a visible stack, any more than any language requires a visible stack to rebuild its semantic trees from its flat expression. ...
    (comp.lang.forth)